Google's infrastructure touches a massive share of all web traffic. Search, email, DNS, analytics, fonts, reCAPTCHA, Android. It runs underneath almost everything. And most people who search how to degoogle end up reading the same recycled list: switch to ProtonMail, install DuckDuckGo, maybe try Firefox. Those are fine starting points. They also leave the majority of actual exposure completely untouched.
Quick Summary TLDR
Quick Summary TLDR
- 1Going beyond surface-level Google alternatives means addressing four layers: device OS (GrapheneOS), browser isolation (antidetect + mobile proxies), account compartmentalization (non-VoIP numbers + clean IPs), and network privacy (no-KYC eSIMs).
- 2Any single layer on its own still leaks data - the value is in stacking them together for a practical privacy setup that works even for people who still need Google for certain tasks.
- 3GrapheneOS runs on Pixel 6-9 hardware, strips Google services by default, and provides sandboxed Play Services so apps still function without system-level privileges.
- 4A no-KYC eSIM purchased with cryptocurrency breaks the carrier-identity link that persists even on GrapheneOS with a VPN, since the carrier never sees a government-issued ID.
The real problem is not which apps someone uses. It is the network layer sitting underneath all of it. An ISP still sees every connection. A carrier still pins a real identity to a SIM card. Browser fingerprints persist across sessions even with cookies wiped clean - research from Texas A&M and Johns Hopkins presented at WWW 2025 confirmed that fingerprinting is actively used for ad tracking and user identification, not just passively collected. And for anyone who needs a Google account for work, or has to open a shared Google Doc, or depends on a specific Android app, there is no mainstream guidance on how to keep that account running without leaking personal data into it.
This guide covers the full stack: phone OS, email, browser fingerprinting, proxy infrastructure, SIM-level privacy, and how to compartmentalize Google accounts when quitting entirely is not realistic.
Why Most Degoogle Guides Fail at the Network Layer
Switching from Gmail to Tuta does not change the fact that a home IP address gets logged on every service visited. Replacing Google Maps with OsmAnd does not stop a carrier from triangulating location via cell towers around the clock. These app-by-app replacements treat symptoms. The infrastructure underneath - the part that actually exposes identity - stays completely intact.
What typical guides miss:
- ISP correlation. Even with a VPN, if an ISP-assigned IP connects to a VPN endpoint at predictable times every day, traffic analysis can correlate sessions. Residential and datacenter VPN IPs are also increasingly flagged by platforms.
- SIM identity. Privacy International reports that 155+ countries now enforce mandatory SIM card registration, tying every tower ping, SMS verification, and data session to a government-issued ID.
- Browser fingerprinting. Canvas, WebGL, audio context, screen resolution, installed fonts, timezone. A browser fingerprint can be unique among millions of users even without a single cookie present. The EFF's Surveillance Self-Defense guide explains that fingerprints gather hardware and software attributes - fonts, GPU, timezone - creating a unique persistent identifier that survives cache and cookie clearing. A 2024 large-scale measurement study found that roughly 80-90% of browser fingerprints were unique across datasets of millions of users.
- Compartmentalization. There is almost no guidance on how to create a Google account that is not linked to a real identity when Google demands phone verification and actively flags VPN IPs during signup.
Replacing apps is step one of maybe seven. Most guides stop there.
| Privacy Layer | Typical Degoogle Guide | Full-Stack Approach |
|---|---|---|
| ProtonMail / Tuta | Same, plus aliasing with SimpleLogin | |
| Search | DuckDuckGo / Brave Search | Same |
| Phone OS | Mentioned briefly | GrapheneOS with sandboxed Play Services |
| Browser Fingerprint | Firefox + uBlock | Antidetect browser with mobile proxy |
| Account Creation | "Just don't use Google" | Compartmentalized accounts via non-VoIP SMS + clean IP |
| Network Layer | VPN recommendation | No-KYC eSIM + mobile proxy rotation |
| SIM Privacy | Not addressed | eSIM with no identity verification |
Device and App Layer
Step 1: How to Degoogle Your Phone with GrapheneOS
For anyone serious about how to degoogle their phone, GrapheneOS is the direct answer. It runs on Pixel hardware (Pixel 6 through Pixel 9 series as of early 2026), strips out all Google services by default, and offers sandboxed Google Play Services as an optional install. That sandboxing means apps requiring Play Services can still function - they run as regular apps inside the standard Android sandbox without system-level privileges, not as deeply integrated system components the way stock Android handles them.
Installation takes about 20 minutes using the web installer at grapheneos.org. Requirements are a USB-C cable and a supported Pixel.
Key settings after install:
- Enable auto-reboot after 18 hours of inactivity (this wipes encryption keys from memory)
- Use per-app network permissions to block internet access for apps that do not need it
- Set up separate user profiles - one for daily use, one for any Google-dependent apps
The separate profiles matter more than most people realize. Each profile on GrapheneOS runs as its own isolated environment with independent app data, storage, and network state. Running a sandboxed Google account in Profile 2 while keeping Profile 1 completely Google-free is real compartmentalization at the OS level. Few people bother setting this up, and it is a missed opportunity.
For a deeper walkthrough on pairing GrapheneOS with privacy-focused mobile infrastructure, see the dedicated guide: GrapheneOS Privacy Stack: eSIM + Proxy + SMS.
Step 2: Google Alternatives That Actually Cover the Gaps
Google alternatives that hold up for daily use in 2026:
Email: ProtonMail or Tuta (formerly Tutanota). Pair either one with SimpleLogin or addy.io for per-service email aliases. Every new account signup gets a unique alias. If one leaks, burn it without affecting anything else.
Cloud storage: Proton Drive, Tresorit, or self-hosted Nextcloud. Proton Drive integrates cleanly for anyone already on ProtonMail.
Search: Brave Search has improved noticeably over the past year. SearXNG instances work well for anyone comfortable self-hosting, though maintaining an instance is its own project.
Maps: OsmAnd for offline use, Organic Maps for a cleaner interface. Neither phones home.
Browser: Brave or hardened Firefox on desktop. Vanadium (Chromium-based, hardened) ships with GrapheneOS. GrapheneOS recommends Chromium-based browsers over Firefox on Android due to significantly stronger sandboxing and site isolation.
Docs/Sheets: CryptPad for collaborative editing. It is not as polished as Google Docs - it probably covers about a third of the features. But it is end-to-end encrypted.
None of these are perfect. OsmAnd routing gets questionable in rural areas, and CryptPad's formatting options will frustrate anyone used to Google Docs. But for anyone trying to meaningfully upgrade their privacy, these are the working replacements as of 2026.
Account and Browser Layer
Step 3: Compartmentalized Google Accounts (When You Can't Fully Quit)
This is where most guides go silent. Some people need a Google account. A workplace runs Google Workspace. An Android app only distributes through the Play Store. A client insists on Google Meet. Reality does not always allow a clean break.
The approach is compartmentalization: a Google account that functions but is not tied to a real identity.
The challenge: Google's signup flow in 2026 almost always demands SMS verification, and it flags datacenter VPN IPs, Tor exit nodes, and VoIP numbers aggressively. Accounts created over datacenter IPs face a much higher chance of hitting an immediate phone verification wall or getting suspended within 48 hours compared to those created on mobile connections.
What works:
-
Use a non-VoIP phone number for SMS verification. Real SIM-based numbers from actual carrier infrastructure pass Google's checks consistently. VoidMob's SMS verification service provides US numbers on real SIM cards - not VoIP lines that get flagged.
-
Create the account while connected through a mobile proxy instead of a datacenter VPN. Mobile IPs rotate through carrier pools and look identical to normal phone traffic. Google sees a residential mobile connection rather than a suspicious server. VoidMob's dedicated mobile proxies run on real carrier hardware with configurable p0f fingerprints, so the TCP/IP signature matches the device type the browser profile is spoofing.
-
Use an antidetect browser (Multilogin, GoLogin, or AdsPower) to generate a consistent browser fingerprint for that specific account. Same canvas hash, same WebGL renderer, same timezone every single session. Run VoidMob's fingerprint test to verify the fingerprint is consistent and does not leak the real device underneath.
-
Never log into this account from a personal device, a home IP, or the same browser profile used for anything else.
Terms of Service
Creating accounts with false identity information may violate platform terms of service. Compartmentalization here means limiting data exposure by using a secondary account with minimal personal information - not fabricating identities for deceptive purposes.
Step 4: Browser Isolation with Antidetect Browsers and Mobile Proxies
Even with a clean Google account, the browser itself is a tracking surface. Standard browsers - even Firefox with privacy extensions - still leak a browser fingerprint that can be correlated across sessions and sites.
Antidetect browsers (Multilogin, GoLogin, AdsPower) solve this by letting each browser profile run with its own isolated fingerprint: canvas hash, WebGL renderer, audio context, timezone, screen resolution, language headers, and fonts. Each profile looks like a completely different device to every website visited. The FingerprintJS browser fingerprinting guide covers the six main techniques - canvas, font, audio, WebGL fingerprinting, and more - that platforms use to link sessions across browser restarts and cookie clears. The Multilogin guide on anti-detect browsers covers how isolated profiles prevent account linking in practice.
The proxy layer matters just as much as the fingerprint. A browser profile spoofing an iPhone in Los Angeles while connecting from a datacenter IP in Frankfurt is an obvious mismatch. Platforms check for this. Mobile proxies solve it by routing traffic through real carrier connections - the IP's ASN, geolocation, and connection type all match what a real mobile user would produce.
For anyone running multiple compartmentalized accounts - whether for work, research, or operational separation - the combination of antidetect browser profiles with dedicated mobile proxies is the current standard. The multi-account setup is covered in detail here: Best Mobile Proxy for Instagram: Multi-Account Guide.
Network Layer
Step 5: eSIMs for Network-Level Privacy
Most degoogle guides ignore the carrier layer entirely. Even on GrapheneOS with a VPN, the carrier still knows: the device's IMEI, real-time location via cell tower triangulation, call/SMS metadata, and the subscriber's identity through SIM registration.
A no-KYC eSIM breaks that link. Purchased with cryptocurrency, activated without identity verification, and used on a device that has no other SIM tying it to a real name. The carrier sees a data connection. They do not see a person.
Practical setup:
- Use a no-KYC eSIM for mobile data on the GrapheneOS device. VoidMob's eSIM service offers global coverage with no identity verification and crypto payment.
- Keep Wi-Fi off when using the eSIM for sensitive tasks. Wi-Fi probe requests can leak MAC addresses and previously connected network names even before connecting.
- Combine the eSIM data connection with a VLESS/Xray proxy for an additional encryption layer that is resistant to DPI (deep packet inspection). A full walkthrough is available here: Bypass VPN Blocks: VLESS Mobile Proxy Setup Guide.
The eSIM layer is especially relevant for anyone in a country with mandatory SIM registration. If the local carrier requires a passport scan to activate a SIM, routing mobile data through a no-KYC eSIM from an offshore provider sidesteps that requirement entirely.
Step 6: DNS and Connection Hygiene
A commonly overlooked leak vector: DNS. Even users running a VPN or proxy often have DNS queries resolving through Google (8.8.8.8) or their ISP's default resolver. Those DNS logs create a complete browsing history tied to the source IP. As Cloudflare explains, DNS is effectively the internet's phonebook - every domain lookup is a logged event that reveals browsing intent.
Fixes:
- On GrapheneOS, set Private DNS to a provider like dns.quad9.net or dns.adguard.com. This forces DNS-over-TLS for all connections system-wide.
- On desktop, configure the antidetect browser to use DNS-over-HTTPS through the proxy tunnel, not the system resolver. Most antidetect browsers support per-profile DNS settings.
- Verify there are no DNS leaks by running a test through the proxy connection. Run a location consistency test through your proxy to check for ASN mismatches between your IP and DNS resolver - this is a common fingerprinting signal that platforms use to flag suspicious traffic.
Carrier-native DNS - where the DNS resolver matches the mobile carrier's own infrastructure - is one of the reasons mobile proxies are harder to detect than datacenter VPNs. The DNS and IP come from the same provider, which is exactly what platforms expect to see from a real phone.
Putting It All Together
Each layer in this guide addresses a different exposure surface:
| Layer | What It Protects | Tool |
|---|---|---|
| Phone OS | App-level tracking, Google system integration | GrapheneOS |
| App replacements | Email, search, maps, docs | ProtonMail, Brave Search, CryptPad, OsmAnd |
| Account compartmentalization | Google account identity separation | Non-VoIP SMS + mobile proxy + antidetect browser |
| Browser isolation | Fingerprint tracking across sessions | Antidetect browser + dedicated mobile proxy |
| Network privacy | ISP and carrier-level surveillance | No-KYC eSIM + VLESS/Xray |
| DNS hygiene | Browsing history via DNS logs | Private DNS / DNS-over-TLS / carrier-native DNS |
For most people, the practical starting point is GrapheneOS + ProtonMail + Brave Search. That covers the basics. From there, adding a no-KYC eSIM and a mobile proxy for account compartmentalization addresses the layers that app-swap guides never touch.
Every layer in this guide is available today, off the shelf. The reason most privacy setups have gaps is not cost or complexity - it is that nobody laid out how the pieces connect.
Common Issues and Quick Fixes
GrapheneOS apps crash after disabling network access. Some apps fail silently when they cannot reach Play Services for license checks or telemetry. Move those apps into the sandboxed Google profile (Profile 2) where Play Services is installed, rather than granting network access in the clean profile.
Google Account Suspended After Creation
Almost always an IP problem. Datacenter and VPN IPs trigger Google's fraud detection during signup. Create the account through a mobile proxy with a sticky session, and keep the same IP for the first few days of activity. Logging in from a completely different IP range within 24 hours of creation is a common suspension trigger.
Fingerprint Test Shows Inconsistencies
If the antidetect browser profile is set to spoof an iPhone but the proxy's p0f TCP/IP fingerprint reports Linux, platforms can detect the mismatch. Make sure the proxy fingerprint matches the device type configured in the browser profile. Run the fingerprint test through the proxy to verify everything aligns.
DNS leaking through the proxy connection. Check whether the browser or system is falling back to the default resolver instead of routing DNS through the tunnel. On GrapheneOS, confirm Private DNS is set to a non-Google provider. On desktop, verify per-profile DNS settings in the antidetect browser - some default to system DNS even when a proxy is configured.
eSIM not activating or showing no data connection. Confirm the device supports eSIM (all Pixel 6+ models do). Check that the eSIM profile was downloaded correctly in Settings > Network & Internet > SIMs. If the connection drops intermittently, the carrier may be throttling - switching APN settings or toggling airplane mode can force a fresh connection.
FAQ
1Is degoogling realistic for someone who uses Google for work?
Yes, but the approach changes. Full degoogling means replacing every Google service. Partial degoogling - which is what most people actually need - means compartmentalizing. Keep a Google account for work in an isolated browser profile with a dedicated mobile proxy, and run everything personal through privacy-focused alternatives. The two never overlap.
2Does GrapheneOS break banking apps?
Most banking apps work through sandboxed Google Play Services. GrapheneOS's compatibility layer handles Play Integrity checks well enough for the majority of banks. A small number of apps may still fail - running those in a dedicated profile with Play Services installed usually resolves it.
3Can I use a free VPN instead of a mobile proxy?
Free VPNs use datacenter IPs shared across thousands of users. Those IP ranges are heavily flagged by Google, Meta, and most major platforms. A mobile proxy uses real carrier IPs from 4G/5G infrastructure - platforms treat them with the same trust level as regular phone traffic. The difference in detection rates is significant.
4How often do non-VoIP numbers get flagged?
Non-VoIP numbers from real SIM cards pass platform verification consistently because they are indistinguishable from standard consumer mobile lines at the carrier level. VoIP numbers face high rejection rates on WhatsApp, Telegram, and Discord because platforms actively detect and block number ranges associated with VoIP providers.
5Do I need all six layers to get meaningful privacy?
No. Each layer adds protection independently. GrapheneOS plus ProtonMail plus Brave Search is a strong starting point that most people can set up in an afternoon. Adding a no-KYC eSIM addresses carrier-level tracking. Mobile proxies and antidetect browsers matter most for people running compartmentalized accounts or operating in environments with aggressive surveillance.
6What about CalyxOS or LineageOS instead of GrapheneOS?
GrapheneOS has the strongest security model of the three. It is the only one with a proper sandboxed Google Play compatibility layer, verified boot with locked bootloader support, and hardened memory allocator. CalyxOS uses microG, which runs with broader system privileges. LineageOS requires an unlocked bootloader, which weakens the device's hardware security guarantees.
Build a Full-Stack Privacy Setup
VoidMob provides the infrastructure layer that most privacy guides skip - non-VoIP SMS verification, dedicated mobile proxies with configurable p0f fingerprints, and no-KYC eSIMs with crypto payment. All managed from one dashboard.