I haven’t run antivirus software on my main computer. I haven’t for decades. When I admit that out loud, I tend to get the same look people reserve for “I don’t wear a seatbelt” or “I don’t wash my hands.” The horror. The recklessness. The sheer digital nudity of it all.

But what I do instead is simpler, quieter, and far more reliable than a subscription: I pause. I think before I click. I treat the internet the way I treat the physical world—full of useful places, full of ordinary people, and full of a corners where it’s best not to wander with my wallet open and my eyes shut.

Every day, someone is paid very well to convince us that the internet is a flaming wasteland of lurking threats. Viruses! Malware! Hackers! Identity thieves! Foreign adversaries! Teenagers in hoodies! And, somehow, the same cultural soup that produces “microchips in vaccines” also produces “install this app and you’ll be safe.” The details don’t even matter. The feeling does.

It’s brilliant marketing. Manufacture anxiety, then sell relief. Make digital security feel so technical, so arcane, so beyond ordinary comprehension that we accept a permanent background process eating resources, interrupting our flow, flashing warnings about a PDF like it just spotted a tiger in the kitchen. The pitch is never really about protection; it’s about outsourcing responsibility. It tells us the problem is “out there,” when the most consistent vulnerability is usually much closer to home: between the chair and the keyboard.

That isn’t an insult. It’s a reality of being human. We get tired. We rush. We skim. We want the convenient path to be the safe one, and the modern internet is designed to make that assumption expensive.

What actually keeps me safe online isn’t a sacred piece of software. It’s boring habits practiced consistently. I don’t click the random link in the email that lands with manufactured urgency and a slightly-off tone. I don’t log in through a page that looks “almost right” while the URL tells a different story. I don’t hand my passwords to a site that feels wrong in the same way I don’t hand my house keys to a stranger who says they’re “from the locksmith company.” I don’t plug unknown USB drives into my machines, and I don’t treat “it’s from a friend” as proof of safety when I know that friend is exactly the kind of person who would accidentally forward a digital grenade with a smiley face.

Even when I go somewhere sketchy on purpose—because sometimes I do—I do it with eyes open. I assume risk, I keep boundaries, I know what “the worst” looks like, and I know what my next steps are if something goes sideways. None of this is elite cybersecurity wizardry. It’s the digital version of noticing when a street is poorly lit and deciding not to take out my phone and count cash.

Somewhere along the way, we were trained to believe common sense isn’t enough. That thinking first is quaint. That clicking first is normal. That our judgment is such a lost cause we need algorithmic babysitters to protect us from being ourselves.

To be clear, there are environments where traditional antivirus makes sense. If we’re managing a household full of mixed devices, if we’re responsible for less technical family members, if we’re working in higher-risk contexts, if we’re installing a lot of unknown software, layered defences can be reasonable. The problem isn’t that protective tools exist. The problem is the story that tools can replace literacy, and the business incentives that quietly prefer us dependent.

Because dependence is profitable. And panic is a renewable resource.

I do use a VPN sometimes. Because privacy isn’t really about hiding from criminals; it’s about limiting what legitimate institutions can casually collect, store, sell, subpoena, leak, merge, and weaponise.

Our ISPs have incentives to monetise what we do. Advertisers have incentives to infer who we are. Data brokers have incentives to package our lives into a commodity. Governments have incentives to watch first and justify later. In that context, a VPN isn’t a magic cloak—it’s a small boundary. It reduces one stream of visibility. It forces at least a little friction into a system designed for effortless extraction.

But the best VPN still can’t save us from doxxing ourselves.

It’s almost funny, in a bleak way: some people fear microchips in vaccines tracking everything about us while we voluntarily broadcast far more precise tracking data every day. We post under real names. We share our location in real time. We upload photos that reveal where we live, what we drive, where we work, who we spend time with, what we buy, what we believe, what we’re insecure about, and what buttons can be pressed to get a reaction. We link accounts across platforms as if separate identities are suspicious rather than sane. We answer “security questions” with real answers that are discoverable in ten minutes of casual scrolling.

Then we buy privacy tools and pretend that cancels out the behavioural leak, like wearing a mask while carrying a sign with our name and address. Technology can reduce exposure, but it can’t undo over-sharing. It can’t unsay what we said, unpost what we posted, untag what we tagged, or unconnect what we eagerly connected.

This is the part the privacy industry doesn’t like to emphasise, because it’s not as sellable as an app: real privacy is mostly intentionality. It’s choosing separate usernames when we don’t need continuity. It’s not turning our home, our routine, and our relationships into public breadcrumbs. It’s remembering that “fun” quizzes and harmless little prompts are often just structured data collection with confetti on top. It’s accepting, soberly, that every click, like, comment, purchase, and search query becomes a puzzle piece in someone else’s model of who we are and how we can be nudged.

We don’t live in the internet we wish existed. We live in the one that exists. So the question isn’t whether we should be safe. The question is whether we’re willing to behave like safety is our job.

Because it’s easier, always, to install something that promises to protect us from our own judgment than it is to develop better judgment. It’s easier to pay a service that claims to anonymise our browsing than it is to browse with restraint and awareness. It’s easier to trust that technology will solve problems created by technology than it is to change how we use it.

And that ease is not an accident. The digital economy depends on thoughtless consumption. Interfaces are designed to bypass critical thinking. Notifications are calibrated to manufacture urgency. “Just click” is the religion, and attention is the tithe.

Security companies, privacy services, the whole protection marketplace—much of it profits from our digital illiteracy. Not necessarily through malice, but through structure. The system doesn’t need villains when incentives do the work.

So we end up with a choice that looks technical but isn’t. We can engage thoughtfully or consume mindlessly. We can learn how the systems work or let them work on us. We can take responsibility for our behaviour or outsource it to corporations whose business model quietly benefits when we remain a little scared and a little clueless.

The internet isn’t inherently dangerous. It’s predictably dangerous. The threats are familiar, the patterns repeat, and most disasters happen because warning signs were visible and we were trained to ignore them.

If we taught pattern recognition instead of selling fear, a lot of this industry would shrink overnight. If digital literacy were treated as essential competence rather than specialist knowledge, we’d be harder to exploit. If we remembered that our smartphones are tracking devices that occasionally make phone calls, and that many “social” platforms are surveillance businesses that occasionally show us our friends, we’d make different choices without needing to be shouted at by pop-ups.

The most secure computer is the one operated by someone who knows what they’re doing. The most private internet experience belongs to someone who shares intentionally instead of accidentally.

Our brains are still the best antivirus we’ve got. Our attention is still a better firewall than any checkbox. And the best VPN, most days, is simply refusing to broadcast our location, interests, and intentions to anyone who asks—especially when they ask nicely.

Our computers don’t need protection from the internet nearly as much as we need protection from the companies convincing us that they do.