Not necessarily meant to be followed step by step, although it is recommended. Some steps are valid during all levels, others give way to better alternatives further on.
Level 1: Don't save your passwords in plaintext or in some "cloud" service like LastPass, and don't save logins on your phone or web browser. Use KeePassX or KeePassXC (and I mean the one with an X) and remember one good main password (it must have lowercase, uppercase, numbers and symbols, be longer than 8 characters and be changed bimonthly), then use the password manager's option to generate different passwords for each account you have, and keep the password database on a USB stick. Another password manager is kpcli, which works on the command line and is just a minimalist Perl script (this is the best option).
Level 2: Remove file extensions from sensitive files such as the .kdb KeePass password database, rename it, and keep it in encrypted folders to make it hard to sift through your disk. Better yet, keep it all on a USB stick, with backups only to a third drive disconnected from any network.
Level 3: Use Searx instead of Google when in need to search on the web. You can get search engine plugins for your browser from here.
Level 4: Use your web browser with javascript, cookies and any telemetry (like "pocket", geolocation, and WebRTC) disabled and reduce the browser fingerprinting. Enable javascript and cookies only on selected sites. GNU IceCat is the best option.
Level 5: Replace your e-mail provider with a safer, more appropriate provider. A good option is Tutanota; another alternative is cock.li.
Level 6: Use an e-mail client that can block web beacons (tracking pixels). Thunderbird is easy and has a plugin for this. Mailx, Mutt or Alpine are better options.
Level 7: Use RSS for news from sites you trust and to subscribe to your podcasts instead of YouTube (although YouTube has an RSS feed for its channels too, for now). Liferea is easy and a great application for RSS feeds; newsboat and newsbeuter are command line options.
Level 8: Use PeerTube for podcasts instead of YouTube.
Level 9: Use Mastodon or install Pleroma (GNU Social) instead of non-publicly auditable social networks known to sell private information.
Level 10: Choose IRC instead of non-publicly auditable chat networks. A good and easy IRC application is Hexchat, other options are irssi and WeeChat. You can use BitlBee to access other chat networks through an IRC client if you need.
Level 11: Use GNU/Linux on your computers, preferably free from "systemd". PCLinuxOS is an easy first choice, Devuan is a better option. Stay away from something called BSD.
Level 12: Install LineageOS on your phone and use F-Droid without gapps (Google app store), with IceCatMobile for web browser, KeePassDroid, AFWall+ and Android IMSI-Catcher Detector. Use Yalp Store or Aptoide (or download from apkmirror/apkpure) in combination with microG if you need a gapps app.
Cautionary Level
Level 13: Delete any metadata from files you share on the internet. ExifTool is the best tool.
Level 14: Avoid using your real name online and avoid giving away any personal information, if possible log into sites using donated passwords and accounts from BugMeNot.
Level 15: Use The Random Identity Generator (rig) to generate different online personas when you need to create accounts. Don't reuse usernames, email addresses, etc., for different sites, and don't mention your other identities, to avoid contamination.
Level 16: Anonymize your writing style for any text and document you upload with anti-stylometry software like Anonymouth.
Level 17: Encrypt your e-mails with GnuPG when possible. Thunderbird has the Enigmail plugin for this; on Mutt and Mailx you can script the use of GPG.
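Level 13 recommends ExifTool. The following is an added example, not part of this list and not ExifTool's code, showing what "delete the metadata" means at the byte level for a JPEG: it walks the file's marker segments and drops the ones that only carry metadata (APP1 for Exif and XMP, APP13 for IPTC, COM for comments), keeps the JFIF, ICC and Adobe segments a decoder needs, and copies the compressed scan data verbatim. The sample file bytes are constructed inline (a valid marker layout, not a viewable picture) so it runs offline; names such as strip_jpeg_metadata are mine.

```python
import struct
import sys

SOI = b"\xff\xd8"          # start of image
SOS = 0xDA                 # start of scan: entropy-coded image data follows
EOI = 0xD9                 # end of image
# Markers that carry no length field: TEM, RST0-RST7, SOI, EOI.
STANDALONE = {0x01, 0xD8, 0xD9} | set(range(0xD0, 0xD8))
# Segments that hold metadata rather than picture data: APP1 (Exif, XMP), APP3-APP13
# (vendor blobs, IPTC/Photoshop), APP15 and COM (comments). APP0 (JFIF), APP2 (ICC
# colour profile) and APP14 (Adobe colour transform) are kept because decoders use them.
METADATA_MARKERS = {0xE1} | set(range(0xE3, 0xEE)) | {0xEF, 0xFE}


def iter_segments(data: bytes):
    """Yield (marker, start, end) for every segment up to and including SOS."""
    pos = len(SOI)
    while pos + 2 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected marker prefix 0xFF at offset {pos}")
        marker = data[pos + 1]
        if marker == 0xFF:                       # fill byte, the marker continues
            pos += 1
            continue
        if marker in STANDALONE:
            yield marker, pos, pos + 2
            pos += 2
            continue
        if pos + 4 > len(data):
            raise ValueError("truncated segment header")
        (length,) = struct.unpack(">H", data[pos + 2:pos + 4])
        end = pos + 2 + length                   # the length counts its own two bytes
        if end > len(data):
            raise ValueError(f"segment 0x{marker:02X} runs past end of file")
        yield marker, pos, end
        if marker == SOS:
            return
        pos = end
    raise ValueError("no SOS marker found; not a baseline JPEG")


def list_segments(data: bytes) -> list:
    """Marker bytes in file order, handy for a before/after comparison."""
    return [marker for marker, _, _ in iter_segments(data)]


def strip_jpeg_metadata(data: bytes) -> bytes:
    if data[:2] != SOI:
        raise ValueError("not a JPEG file (missing SOI marker)")
    out = bytearray(SOI)
    for marker, start, end in iter_segments(data):
        if marker == SOS:
            # Metadata segments live in the header; from SOS on, the scan data is
            # copied verbatim through to EOI, so the compressed image is untouched.
            out += data[start:]
            break
        if marker not in METADATA_MARKERS:
            out += data[start:end]
    return bytes(out)


def _segment(marker: int, payload: bytes) -> bytes:
    return bytes([0xFF, marker]) + struct.pack(">H", len(payload) + 2) + payload


# Constructed sample: a valid marker layout, not a decodable picture.
SAMPLE_JPEG = (
    SOI
    + _segment(0xE0, b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00")   # keep
    + _segment(0xE1, b"Exif\x00\x00MM\x00*" + b"\x00" * 24)            # Exif stub: drop
    + _segment(0xFE, b"Shot on my phone at home")                        # comment: drop
    + _segment(0xDB, b"\x00" + bytes(64))                                 # quantisation table: keep
    + _segment(SOS, b"\x01\x01\x00\x00\x3f\x00")
    + b"\x12\x34\x56"                                                     # fake scan data
    + b"\xff" + bytes([EOI])
)

if __name__ == "__main__":
    if len(sys.argv) == 3:
        with open(sys.argv[1], "rb") as src:
            original = src.read()
        cleaned = strip_jpeg_metadata(original)
        with open(sys.argv[2], "wb") as dst:
            dst.write(cleaned)
    else:
        original, cleaned = SAMPLE_JPEG, strip_jpeg_metadata(SAMPLE_JPEG)
    print("before:", [f"0x{m:02X}" for m in list_segments(original)])
    print("after: ", [f"0x{m:02X}" for m in list_segments(cleaned)])
```

Run it as python strip_jpeg_metadata.py in.jpg out.jpg on a real file and compare the two segment lists it prints. Two caveats worth keeping in mind: PNG, PDF, DOCX and video containers each have their own metadata blocks, which is why a format-aware tool like ExifTool remains the right answer across formats, and a file that embeds a thumbnail inside its Exif block loses that thumbnail too, which is usually what you want.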
Medium Level Security
Level 18: Uninstall network-facing services like Avahi (Bonjour), CUPS (replace with Line Printer if needed), Telnet, the R-tools (rlogin, rsh, rcp, rwho, rexec), fingerd and RPC services (D-Bus and rpcbind), and uninstall ssh/web/ftp/mail services if unused. Also disable IPMI in the BIOS.
Level 19: Use YaCy with collaborative database disabled when in need to search on the web.
Level 20: Use the Tor Browser to navigate the internet through Tor.
Level 21: Use Firejail or Bubblewrap to sandbox your applications.
Level 22: Use an OpenNIC provider known to not save logs together with DNSCrypt to prevent DNS Leaking.
Level 23: Use Uncomplicated Firewall ("ufw") to block inbound AND outbound network traffic, permitting only what you need. The graphical version ("Gufw") is beginner-friendly.
Level 25: Use a source-based distro, preferably without crypto libraries in its package manager (no Python), and tweak the installation files to use the minimum required dependencies. Gentoo is one option; CRUX is another and it is easy, see this link.
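Level 18 is about knowing which services are reachable before deciding what to uninstall. As an added example (mine, not from this list or from any of the tools it names), the script below decodes /proc/net/tcp and /proc/net/udp, the same kernel tables ss -tulpn reads, and labels every bound socket with the service the level calls out and with whether it is exposed on all interfaces or only on loopback. The table text used for the offline run is constructed, and KNOWN_PORTS is my own lookup, not a system file.

```python
import socket
import struct

# Well-known ports for the services the list names (TCP unless noted); constructed
# lookup used only to label output.
KNOWN_PORTS = {
    21: "ftp", 22: "ssh", 23: "telnet", 25: "smtp", 79: "fingerd", 80: "http",
    111: "rpcbind", 443: "https", 512: "rexec", 513: "rlogin", 514: "rsh",
    631: "cups", 5353: "avahi-mdns (udp)",
}
TCP_LISTEN = 0x0A   # 'st' column value of a listening TCP socket
UDP_UNCONN = 0x07   # every bound UDP socket shows as UNCONN


def decode_addr(field: str):
    """'0100007F:0277' -> ('127.0.0.1', 631); IPv4 is stored little-endian in hex."""
    ip_hex, port_hex = field.split(":")
    ip = socket.inet_ntoa(struct.pack("<I", int(ip_hex, 16)))
    return ip, int(port_hex, 16)


def parse_proc_net(text: str) -> list:
    """Parse the /proc/net/{tcp,udp} table format into dicts."""
    rows = []
    for line in text.splitlines()[1:]:            # first line is the column header
        fields = line.split()
        if len(fields) < 8:
            continue
        local_ip, local_port = decode_addr(fields[1])
        remote_ip, remote_port = decode_addr(fields[2])
        rows.append({
            "local_ip": local_ip, "local_port": local_port,
            "remote_ip": remote_ip, "remote_port": remote_port,
            "state": int(fields[3], 16), "uid": int(fields[7]),
        })
    return rows


def exposure(ip: str) -> str:
    if ip == "0.0.0.0":
        return "all-interfaces"
    if ip.startswith("127."):
        return "loopback-only"
    return "single-interface"


def listening_sockets(text: str, proto: str = "tcp") -> list:
    """Sorted (port, service, exposure, uid) tuples for sockets that accept traffic."""
    wanted = TCP_LISTEN if proto == "tcp" else UDP_UNCONN
    found = set()
    for row in parse_proc_net(text):
        if row["state"] != wanted:
            continue
        if proto == "udp" and row["remote_port"] != 0:
            continue                              # connected UDP socket, not a service
        found.add((row["local_port"], KNOWN_PORTS.get(row["local_port"], "unknown"),
                   exposure(row["local_ip"]), row["uid"]))
    return sorted(found)


def audit_live_host() -> list:
    """Read the real tables (IPv4 only; tcp6/udp6 use 32-hex-digit addresses)."""
    report = []
    for proto in ("tcp", "udp"):
        with open(f"/proc/net/{proto}") as fh:
            report += [(proto,) + entry for entry in listening_sockets(fh.read(), proto)]
    return report


# Constructed table: sshd and rpcbind on every interface, CUPS on loopback, plus one
# outbound HTTPS connection (state 01) that must not be reported as a service.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 19021 1 0000000000000000 100 0 0 10 0
   1: 0100007F:0277 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 20334 1 0000000000000000 100 0 0 10 0
   2: 00000000:006F 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 17811 1 0000000000000000 100 0 0 10 0
   3: 0100007F:9E3C 0A00020F:01BB 01 00000000:00000000 00:00000000 00000000  1000        0 22875 1 0000000000000000 20 4 30 10 -1
"""

if __name__ == "__main__":
    for port, service, where, uid in listening_sockets(SAMPLE_PROC_NET_TCP):
        print(f"tcp/{port:<5} {service:<14} {where:<16} uid={uid}")
```

Everything reported as all-interfaces is reachable from the network and is the first candidate for removal or for binding to loopback; the remaining step, mapping a socket's inode to the owning process, is what ss -p or a walk of /proc/*/fd adds.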
High Level Security
Level 26: Use a command line web browser like links2 and only browse web pages without javascript or cookies when possible.
Level 27: Set a tight iptables configuration for each open port and drop packets for everything else. Use nftables on newer kernels.
Level 28: Use qmail for your own e-mail server. Exim and cmail are other options.
Level 29: Use Squid for caching websites.
Level 30: Set BIND9 for caching all DNS queries on your local DNS server.
Level 31: Use port forwarding and a port knocker on your router or server if you have services running, and unregister your reverse DNS records.
Level 32: Use Arpalert/ArpON (for Man-In-The-Middle -MITM- Detection), zapret (for Deep Packet Inspection -DPI- Block and Circumvention), and Suricata/Snort (for Network Intrusion Detection).
Level 33: Compile the kernel yourself and add only necessary features and selected modules. Enable KASLR and Capabilities on kernel configuration.
Level 34: When possible give your applications a separate user account and use chattr, sudo, chroot, fakeroot, ulimit and quota with them.
Level 35: Use Lynis to audit your system.
Level 36: Use a complete host intrusion detection framework like Tiger, which can work with Samhain (for integrity check), Unhide/Chkrootkit/rkhunter (for rootkit detection), ClamAV/Linux Malware Detect and a system logger like sysklogd.
Level 37: Use RSBAC (for RBAC) with AppArmor (for filesystem ACL).
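Level 32 names Arpalert/ArpON for MITM detection. The added example below (mine, not from this list or from those tools) shows the core check such tools perform: take two snapshots of the neighbour table as printed by ip -4 neigh show and alert when an address, above all the default gateway, suddenly maps to a different MAC, or when one MAC starts answering for several addresses. The snapshot text is constructed and the function names are mine.

```python
import re
import subprocess
from collections import defaultdict

# One `ip -4 neigh show` line per neighbour. FAILED/INCOMPLETE entries carry no lladdr
# and therefore never match, which is intended.
NEIGH_RE = re.compile(
    r"^(?P<ip>\d{1,3}(?:\.\d{1,3}){3}) dev (?P<dev>\S+) lladdr "
    r"(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2}) (?P<state>\S+)$",
    re.IGNORECASE,
)


def parse_neigh(text: str) -> dict:
    """Map IPv4 address -> lowercase MAC for every resolved neighbour."""
    table = {}
    for line in text.splitlines():
        match = NEIGH_RE.match(line.strip())
        if match:
            table[match["ip"]] = match["mac"].lower()
    return table


def detect_arp_anomalies(before: dict, after: dict, gateway_ip: str = "") -> list:
    """Compare two snapshots; return (severity, message) pairs, most severe first."""
    alerts = []
    # An address whose MAC changed. For the default gateway this is the classic
    # ARP-spoofing signature; elsewhere it may be DHCP churn, so rank it lower.
    for ip, mac in after.items():
        old = before.get(ip)
        if old is not None and old != mac:
            severity = "high" if ip == gateway_ip else "medium"
            alerts.append((severity, f"{ip}: MAC changed {old} -> {mac}"))
    # One MAC answering for several addresses. Legitimate for VRRP or virtual IPs,
    # so on its own it is only a hint; combined with a change above it is telling.
    by_mac = defaultdict(list)
    for ip, mac in after.items():
        by_mac[mac].append(ip)
    for mac, ips in sorted(by_mac.items()):
        if len(ips) > 1:
            alerts.append(("low", f"{mac} claims {len(ips)} addresses: {', '.join(sorted(ips))}"))
    order = {"high": 0, "medium": 1, "low": 2}
    return sorted(alerts, key=lambda alert: order[alert[0]])


def snapshot_live() -> dict:
    """Read the kernel neighbour table on a Linux host (needs iproute2)."""
    out = subprocess.run(["ip", "-4", "neigh", "show"],
                         capture_output=True, text=True, check=True).stdout
    return parse_neigh(out)


# Constructed snapshots: in the second one the gateway's MAC has become the MAC of .30.
SNAPSHOT_BEFORE = """\
192.168.1.1 dev eth0 lladdr 00:11:22:33:44:55 REACHABLE
192.168.1.20 dev eth0 lladdr aa:bb:cc:dd:ee:01 STALE
192.168.1.30 dev eth0 lladdr aa:bb:cc:dd:ee:02 STALE
192.168.1.50 dev eth0 FAILED
"""
SNAPSHOT_AFTER = """\
192.168.1.1 dev eth0 lladdr aa:bb:cc:dd:ee:02 REACHABLE
192.168.1.20 dev eth0 lladdr aa:bb:cc:dd:ee:01 STALE
192.168.1.30 dev eth0 lladdr aa:bb:cc:dd:ee:02 STALE
192.168.1.40 dev eth0 lladdr aa:bb:cc:dd:ee:03 REACHABLE
"""

if __name__ == "__main__":
    alerts = detect_arp_anomalies(parse_neigh(SNAPSHOT_BEFORE), parse_neigh(SNAPSHOT_AFTER),
                                  gateway_ip="192.168.1.1")
    for severity, message in alerts:
        print(f"[{severity}] {message}")
```

In practice the first snapshot is taken at boot, subsequent ones every few seconds via snapshot_live(), and the gateway entry is the one to pin: a static ARP entry for the gateway (ip neigh replace ... nud permanent) is the usual mitigation once a change has been confirmed to be hostile rather than a router swap.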
Physical Access Counter-Measures
Level 38: Set a BIOS password (DON'T FORGET THIS PASSWORD!).
Level 39: Use USBGuard (to prevent Juice Jacking).
Level 40: Use disk encryption with cryptsetup (dm-crypt), saving the key on a separate USB that you keep with yourself at all times.
Level 41: Move your boot partition to a USB and encrypt it with cryptboot. Use the option on Libreboot too.
Costly Counter-Measures
Level 42: Buy a separate camera and microphone and physically remove any camera and microphone from your computer.
Level 43: Buy a VPS in a non-extradition, privacy friendly country outside the Five Eyes under a different name and with a good way of not getting traced by payments, set all outgoing traffic through it, then set up your own VPN server so you can audit all the traffic.
Level 44: Buy a phone with Replicant and libre firmware. Tehnoetic sells an S3 phone with Replicant and only libre firmware enabled; so far it is the best option.
Level 45: Buy a router compatible with LibreCMC and install LibreCMC, keep it up to date, give it a strong password, set to monitor all traffic, and use previous techniques such as caching, port-forwarding, etc.
Level 46: Buy a computer compatible with the Libreboot firmware and the Linux-libre kernel, then install both or buy it preinstalled. The ThinkPad X200, T400 and T500 are the best options. Remember to check for a compatible Wi-Fi card and physically remove the cables connecting cameras and microphones.
Deterrent Counter-Measures
Level 47: Learn to hack yourself first.
Level 48: Use only libre software (software "free as in freedom").
Level 49: Reduce the amount of software installed in your computer.
Level 50: Opt for text-based programs with less library dependencies than their GUI counterparts.
Level 51: Support the GPL license so as to prevent proprietary license wrapping (as with the BSD/MIT/Apache licenses), by which you would lose critical updates and further features. GPLv3 also prevents tivoization, a hardware-level lockout method.
Level 52: Deduplicate efforts and converge strategies to achieve a "tight base system" in common (use the koan "if is not strictly necessary it should be strictly optional, but still optional"), and that means making things modular and avoiding unnecessary dependencies instead of trusting "crypto libraries" like in Python.
Exit Level Security
Level 53: Abandon "cloud computing" and traditional, non-publicly auditable, data-mined networks and erase your online persona. Use exclusively peer-to-peer services with specific protocols instead of all-in-one networks. Use IRC for live chat, e-mail for direct contact, and NNTP for newsgroups (per-topic forums, what "social media" should be). IRC, e-mail and torrent services are available inside I2P, as is NNTPChan. Tor can serve as an outproxy for I2P to reach the regular web.
Level 54: Abandon the Internet. Participate in local mesh networks and collaborate with global scale meshnet projects like gternet.
Most reported data breaches are caused by the use of weak, default or stolen passwords (according to this Verizon report).
Use long, strong and unique passwords, manage them in a secure password manager, enable 2-factor authentication, keep on top of breaches and take care while logging into your accounts.
| Security | Priority | Details and Hints |
| --- | --- | --- |
| Use a Strong Password | Recommended | If your password is too short, or contains dictionary words, places or names, then it can be easily cracked through brute force, or guessed by someone. The easiest way to make a strong password is by making it long (12+ characters); consider using a 'passphrase' made up of many words. Alternatively, use a password generator to create a long, strong random password. Have a play with HowSecureIsMyPassword.net to get an idea of how quickly common passwords can be cracked. Read more about creating strong passwords: securityinabox.org |
| Don't reuse Passwords | Recommended | If someone was to reuse a password, and one site they had an account with suffered a leak, then a criminal could easily gain unauthorized access to their other accounts. This is usually done through large-scale automated login requests, and it is called Credential Stuffing. Unfortunately this is all too common, but it's simple to protect against: use a different password for each of your online accounts. |
| Use a Secure Password Manager | Recommended | For most people it is going to be near-impossible to remember hundreds of strong and unique passwords. A password manager is an application that generates, stores and auto-fills your login credentials for you. All your passwords will be encrypted against one master password (which you must remember, and which should be very strong). Most password managers have browser extensions and mobile apps, so whatever device you are on, your passwords can be auto-filled. A good all-rounder is BitWarden, or see Recommended Password Managers. |
| Avoid sharing passwords | Recommended | While there may be times that you need to share access to an account with another person, you should generally avoid doing this because it makes it easier for the account to become compromised. If you absolutely do need to share a password (for example, when working on a team with a shared account), this should be done via features built into a password manager. |
| Enable 2-Factor Authentication | Recommended | 2FA is where you must provide both something you know (a password) and something you have (such as a code on your phone) to log in. This means that if anyone has got your password (e.g. through phishing, malware or a data breach), they will not be able to log into your account. It's easy to get started: download an authenticator app onto your phone, then go to your account security settings and follow the steps to enable 2FA. Next time you log in on a new device, you will be prompted for the code that displays in the app on your phone (it works without internet, and the code usually changes every 30 seconds). |
| Keep Backup Codes Safe | Recommended | When you enable multi-factor authentication, you will usually be given several codes that you can use if your 2FA method is lost, broken or unavailable. Keep these codes somewhere safe to prevent loss or unauthorised access. You should store these on paper or in a safe place on disk (e.g. in offline storage or in an encrypted file/drive). Don't store these in your Password Manager, as 2FA sources and passwords should be kept separately. |
| Sign up for Breach Alerts | Optional | After a website suffers a significant data breach, the leaked data often ends up on the internet. There are several websites that collect these leaked records, and allow you to search your email address to check if you are in any of their lists. Firefox Monitor, Have I Been Pwned and DeHashed allow you to sign up for monitoring, where they will notify you if your email address appears in any new data sets. It is useful to know as soon as possible when this happens, so that you can change your passwords for the affected accounts. Have I Been Pwned also has domain-wide notification, where you can receive alerts if any email addresses under your entire domain appear (useful if you use aliases for anonymous forwarding). |
| Shield your Password/ PIN | Optional | When typing your password in public places, ensure you are not in direct line of sight of a CCTV camera and that no one is able to see over your shoulder. Cover your password or PIN code while you type, and do not reveal any plain-text passwords on screen. |
| Update Critical Passwords Periodically | Optional | Database leaks and breaches are common, and it is likely that several of your passwords are already somewhere online. Occasionally updating passwords of security-critical accounts can help mitigate this. But provided that all your passwords are long, strong and unique, there is no need to do this too often; annually should be sufficient. Enforcing mandatory password changes within organisations is no longer recommended, as it encourages colleagues to select weaker passwords. |
| Don't save your password in browsers | Optional | Most modern browsers offer to save your credentials when you log into a site. Don't allow this, as they are not always encrypted, hence could allow someone to gain access to your accounts. Instead use a dedicated password manager to store (and auto-fill) your passwords. |
| Avoid logging in on someone else's device | Optional | Avoid logging in on other people's computers, since you can't be sure their system is clean. Be especially cautious of public machines, as malware and tracking are more common there. Using someone else's device is especially dangerous with critical accounts like online banking. When using someone else's machine, ensure that you're in a private/ incognito session (use Ctrl+Shift+N/ Cmd+Shift+N). This asks the browser not to save your credentials, cookies and browsing history. |
| Avoid password hints | Optional | Some sites allow you to set password hints. Often it is very easy to guess the answers. In cases where password hints are mandatory, use random answers and record them in your password manager (Name of the first school: 6D-02-8B-!a-E8-8F-81). |
| Never answer online security questions truthfully | Optional | If a site asks security questions (such as place of birth, mother's maiden name or first car etc.), don't provide real answers. It is a trivial task for hackers to find out this information online or through social engineering. Instead, create a fictitious answer, and store it inside your password manager. Using real words is better than random characters, as explained here. |
| Don't use a 4-digit PIN | Optional | Don't use a short PIN to access your smartphone or computer. Instead, use a text password or a much longer PIN. Numeric passphrases are easy to crack (a 4-digit PIN has 10,000 combinations, compared to 7.4 million for a 4-character alpha-numeric code). |
| Avoid using SMS for 2FA | Optional | When enabling multi-factor authentication, opt for app-based codes or a hardware token, if supported. SMS is susceptible to a number of common threats, such as SIM-swapping and interception. There's also no guarantee of how securely your phone number will be stored, or what else it will be used for. From a practical point of view, SMS will only work when you have signal, and can be slow. If a website or service requires the use of an SMS number for recovery, consider purchasing a second pre-paid phone number used only for account recovery in these instances. |
| Avoid using your PM to Generate OTPs | Advanced | Many password managers are also able to generate 2FA codes. It is best not to use your primary password manager as your 2FA authenticator as well, since it would become a single point of failure if compromised. Instead use a dedicated authenticator app on your phone or laptop. |
| Avoid Face Unlock | Advanced | Most phones and laptops offer a facial recognition authentication feature, using the camera to compare a snapshot of your face with a stored hash. It may be very convenient, but there are numerous ways to fool it and gain access to the device, through digital photos and reconstructions from CCTV footage. Unlike your password, there are likely photos of your face on the internet, and videos recorded by surveillance cameras. |
| Watch out for Keyloggers | Advanced | A hardware keylogger is a physical device planted between your keyboard and the USB port, which intercepts all keystrokes, and sometimes relays data to a remote server. It gives a hacker access to everything typed, including passwords. The best way to stay protected is just by checking your USB connection after your PC has been unattended. It is also possible for keyloggers to be planted inside the keyboard housing, so look for any signs that the case has been tampered with, and consider bringing your own keyboard to work. Data typed on a virtual keyboard, pasted from the clipboard or auto-filled by a password manager cannot be intercepted by a hardware keylogger, so if you are on a public computer, consider typing passwords with the on-screen keyboard. |
| Consider a Hardware Token | Advanced | A U2F/ FIDO2 security key is a USB (or NFC) device that you insert while logging in to an online service, to verify your identity instead of entering an OTP from your authenticator. SoloKey and NitroKey are examples of such keys. They bring with them several security benefits, since the browser communicates directly with the device and cannot be fooled as to which host is requesting authentication, because the TLS certificate is checked. This post is a good explanation of the security of using FIDO U2F tokens. Of course it is important to store the physical key somewhere safe, or keep it on your person. Some online accounts allow for several methods of 2FA to be enabled. |
| Consider Offline Password Manager | Advanced | For increased security, an encrypted offline password manager will give you full control over your data. KeePass is a popular choice, with lots of plugins and community forks with additional compatibility and functionality. Popular clients include: KeePassXC (desktop), KeePassDX (Android) and StrongBox (iOS). The drawback is that it may be slightly less convenient for some, and it will be up to you to back it up and store it securely. |
| Consider Unique Usernames | Advanced | Having different passwords for each account is a good first step, but if you also use a unique username, email or phone number to log in, then it will be significantly harder for anyone trying to gain unauthorised access. The easiest method for multiple emails is using auto-generated aliases for anonymous mail forwarding. This is where [anything]@yourdomain.com will arrive in your inbox, allowing you to use a different email for each account (see Mail Alias Providers). Usernames are easier, since you can use your password manager to generate, store and auto-fill these. Virtual phone numbers can be generated through your VOIP provider. |
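Level 1 asks for one strong main password and generated passwords for everything else, and the table above repeats the advice on length (12+ characters or a passphrase) and on PINs (10,000 combinations for four digits versus 7.4 million for four alphanumeric characters). As an added example (mine, not from the checklist or from any password manager), this script puts numbers on those statements: it computes keyspace and entropy for each scheme, generates a password with the secrets module that satisfies the character-class rule from Level 1, and builds a Diceware-style passphrase. The word list is a constructed stand-in for a real 7776-word list, and the guess rate used for the time estimate is an assumption; with 62 alphanumeric characters the keyspace is 14,776,336 and the expected number of guesses 7,388,168, which is the 7.4 million figure if read as expected guesses.

```python
import math
import secrets
import string

LOWER, UPPER, DIGITS = string.ascii_lowercase, string.ascii_uppercase, string.digits
SYMBOLS = "!@#$%^&*()-_=+[]{};:,.?/"
FULL_ALPHABET = LOWER + UPPER + DIGITS + SYMBOLS        # 26 + 26 + 10 + 24 = 86 characters
# Constructed stand-in for a Diceware list; a real one has 7776 words (12.9 bits each).
SAMPLE_WORDLIST = ["anchor", "basil", "cobalt", "dune", "ember", "fjord", "glacier", "harbor",
                   "iris", "juniper", "kelp", "lantern", "meadow", "nectar", "orbit", "pebble"]


def keyspace(alphabet_size: int, length: int) -> int:
    return alphabet_size ** length


def entropy_bits(alphabet_size: int, length: int) -> float:
    return length * math.log2(alphabet_size)


def expected_guesses(alphabet_size: int, length: int) -> int:
    """An attacker trying every value in order needs, on average, half the keyspace."""
    return keyspace(alphabet_size, length) // 2


def seconds_to_crack(alphabet_size: int, length: int, guesses_per_second: float) -> float:
    return expected_guesses(alphabet_size, length) / guesses_per_second


def has_all_classes(password: str) -> bool:
    return all(any(c in cls for c in password) for cls in (LOWER, UPPER, DIGITS, SYMBOLS))


def random_password(length: int = 16, alphabet: str = FULL_ALPHABET) -> str:
    """CSPRNG password meeting the 'lower, upper, digit, symbol' rule by rejection sampling."""
    if length < 4:
        raise ValueError("need at least four characters to hold one of each class")
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if has_all_classes(candidate):
            return candidate


def passphrase(count: int = 6, words=SAMPLE_WORDLIST, separator: str = "-") -> str:
    """Diceware-style passphrase; its entropy is count * log2(len(words))."""
    return separator.join(secrets.choice(words) for _ in range(count))


def compare_schemes(guesses_per_second: float = 1e10) -> dict:
    """Keyspace, entropy and expected crack time per scheme. The default guess rate is
    an assumed figure for an offline attack on a fast hash; online logins are far slower."""
    schemes = {
        "4-digit PIN": (10, 4),
        "4-char alphanumeric (a-z, A-Z, 0-9)": (62, 4),
        "8-char full alphabet": (len(FULL_ALPHABET), 8),
        "16-char full alphabet": (len(FULL_ALPHABET), 16),
        "6-word Diceware passphrase": (7776, 6),
    }
    return {
        name: {
            "keyspace": keyspace(size, length),
            "expected_guesses": expected_guesses(size, length),
            "bits": round(entropy_bits(size, length), 1),
            "seconds": seconds_to_crack(size, length, guesses_per_second),
        }
        for name, (size, length) in schemes.items()
    }


if __name__ == "__main__":
    for name, stats in compare_schemes().items():
        print(f"{name:38s} {stats['bits']:6.1f} bits  ~{stats['seconds']:.3g} s at 1e10 guesses/s")
    print("generated password  :", random_password())
    print("generated passphrase:", passphrase())
```

The rejection loop in random_password is what makes the Level 1 rule compatible with uniform random generation: forcing one character of each class into fixed positions would shrink the keyspace, whereas re-drawing until the rule holds keeps every accepted password equally likely.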
Most websites on the internet will use some form of tracking, often to gain insight into their users' behaviour and preferences. This data can be incredibly detailed, and so is extremely valuable to corporations, governments and intellectual property thieves. Data breaches and leaks are common, and deanonymizing users' web activity is often a trivial task.
There are two primary methods of tracking; stateful (cookie-based), and stateless (fingerprint-based). Cookies are small pieces of information, stored in your browser with a unique ID that is used to identify you. Browser fingerprinting is a highly accurate way to identify and track users wherever they go online. The information collected is quite comprehensive, and often includes browser details, OS, screen resolution, supported fonts, plugins, time zone, language and font preferences, and even hardware configurations.
This section outlines the steps you can take, to be better protected from threats, minimise online tracking and improve privacy. A summarized shorter version of this list can be found here
Security
Priority
Details and Hints
Block Ads
Recommended
Using an ad-blocker can help improve your privacy, by blocking the trackers that ads implement. uBlock Origin is a very efficient and open source browser addon, developed by Raymond Hill. When 3rd-party ads are displayed on a webpage, they have the ability to track you, gathering personal information about you and your habits, which can then be sold, or used to show you more targeted ads, and some ads are plain malicious or fake. Blocking ads also makes pages load faster, uses less data and provides a less cluttered experience
Ensure Website is Legitimate
Basic
It may sound obvious, but when you logging into any online accounts, double check the URL is correct. Storing commonly visited sites in your bookmarks is a good way to ensure the URL is easy to find. When visiting new websites, look for common signs that it could be unsafe: Browser warnings, redirects, on-site spam and pop-ups. You can also check a website using a tool, such as: Virus Total URL Scanner, IsLegitSite, Google Safe Browsing Status if you are unsure
Watch out for Browser Malware
Basic
Your system or browser can be compromised by spyware, miners, browser hijackers, malicious redirects, adware etc. You can usually stay protected, just by: ignoring pop-ups, be wary of what your clicking, don't proceed to a website if your browser warns you it may be malicious. Common signs of browser malware include: default search engine or homepage has been modified, toolbars, unfamiliar extensions or icons, significantly more ads, errors and pages loading much slower than usual. These articles from Heimdal explain signs of browser malware, how browsers get infected and how to remove browser malware
Use a Privacy-Respecting Browser
Recommended
Firefox (with a few tweaks) and Brave are secure, private-respecting browsers. Both are fast, open source, user-friendly and available on all major operating systems. Your browser has access to everything that you do online, so if possible, avoid Google Chrome, Edge and Safari as (without correct configuration) all three of them, collect usage data, call home and allow for invasive tracking. Firefox requires a few changes to achieve optimal security, for example - arkenfox or 12byte's user.js configs. See more: Privacy Browsers
Use a Private Search Engine
Recommended
Using a privacy-preserving, non-tracking search engine, will reduce risk that your search terms are not logged, or used against you. Consider DuckDuckGo, Qwant, or SearX (self-hosted). Google implements some incredibly invasive tracking policies, and have a history of displaying biased search results. Therefore Google, along with Bing, Baidu, Yahoo and Yandex are incompatible with anyone looking to protect their privacy. It is recommended to update your browsers default search to a privacy-respecting search engine
Remove Unnecessary Browser Addons
Recommended
Extensions are able to see, log or modify anything you do in the browser, and some innocent looking browser apps, have malicious intentions. Websites can see which extensions you have installed, and may use this to enhance your fingerprint, to more accurately identify/ track you. Both Firefox and Chrome web stores allow you to check what permissions/access rights an extension requires before you install it. Check the reviews. Only install extensions you really need, and removed those which you haven't used in a while
Keep Browser Up-to-date
Recommended
Browser vulnerabilities are constantly being discovered and patched, so it’s important to keep it up to date, to avoid a zero-day exploit. You can see which browser version your using here, or follow this guide for instructions on how to update. Some browsers will auto-update to the latest stable version
Check for HTTPS
Recommended
If you enter information on a non-HTTPS website, this data is transported unencrypted and can therefore be read by anyone who intercepts it. Do not enter any data on a non-HTTPS website, but also do not let the green padlock give you a false sense of security, just because a website has SSL certificate, does not mean that it is legitimate or trustworthy. HTTPS-Everywhere (developed by the EFF) used to be a brower extension/addon that automatically enabled HTTPS on websites, but as of 2022 is now deprecated. In their accouncement article the EFF explain that most browsers now integrate such protections. Additionally, it provides instructions for Firefox, Chrome, Edge and Safari browsers on how to enable their HTTPS secure protections.
Use DNS-over-HTTPS
Recommended
Traditional DNS makes requests in plain text for everyone to see. It allows for eavesdropping and manipulation of DNS data through man-in-the-middle attacks. Whereas DNS-over-HTTPS performs DNS resolution via the HTTPS protocol, meaning data between you and your DNS resolver is encrypted. A popular option is Cloudflare's 1.1.1.1, or compare providers- it is simple to enable in-browser. Note that DoH comes with it's own issues, mostly preventing web filtering
Multi-Session Containers
Recommended
Compartmentalisation is really important to keep different aspects of your browsing separate. For example, using different profiles for work, general browsing, social media, online shopping etc will reduce the number associations that data brokers can link back to you. One option is to make use of Firefox Containers which is designed exactly for this purpose. As mentioned in #127, it's possible to use compartmentalize websites without containers, as done in @arkenfox's user.js. Alternatively, you could use different browsers for different tasks (Brave, Firefox, Tor etc). For Chromium-based browsers, you can create and use Profiles, or an extension such as SessionBox, however this addon is not open source
Use Incognito
Recommended
When using someone else's machine, ensure that you're in a private/ incognito session (Use Ctrl+Shift+N/ Cmd+Shift+N). This will prevent browser history, cookies and some data being saved, but is not fool-proof- you can still be tracked
Understand Your Browser Fingerprint
Recommended
Browser Fingerprinting is an incredibly accurate method of tracking, where a website identifies you based on your device information, including: browser and OS versions, headers, time zone, installed fonts, plugins and applications and sometimes device hardware among other data points. You can view your fingerprint at amiunique.org- The aim is to be as un-unique as possible
Manage Cookies
Recommended
Clearing cookies regularly is one step you can take to help reduce websites from tracking you. Cookies may also store your session token, which if captured, would allow someone to access your accounts without credentials (often called Session Hijacking). To mitigate this you should clear cookies often. Self Destructing Cookies is a browser addon, which will kill cookies when you close the browser
Block Third-Party Cookies
Recommended
Third-party cookies placed on your device by a website other than the one you’re visiting. This poses a privacy risk, as a 3rd entity can collect data from your current session. This guide explains how you can disable 3rd-party cookies, and you can check here ensure this worked
Block Third-Party Trackers
Recommended
Blocking trackers will help to stop websites, advertisers, analytics and more from tracking you in the background. Privacy Badger, DuckDuckGo Privacy Essentials, uBlock Origin and uMatrix (advanced) are all very effective, open source tracker-blockers available for all major browsers. Alternatively you can block trackers at the network level, with something like Pi-Hole (on your home server) or Diversion (Asus routers running Merlin firmware. Some VPNs offer basic tracking blocking (such as TrackStop on PerfectPrivacy)
Beware of Redirects
Optional
While some redirects are harmless, others, such as Unvalidated redirects are used in phishing attacks, it can make a malicious link seem legitimate. If you are unsure about a redirect URL, you can check where it forwards to with a tool like RedirectDetective. It is also recommended to disable redirects in your browser settings.
Do Not Sign Into Your Browser
Optional
Many browsers allow you to sign in, in order to sync history, bookmarks and other browsing data across devices. However this not only allows for further data collection, but also increases attack surface through providing another avenue for a malicious actor to get hold of personal information. For Chrome users, you can get around forced sign-in by navigating to chrome://flags and disabling the account-consistency flag. If you still need to sync bookmarks + browser data between devices, there are open source alternatives, such as xBrowserSync
Disallow Prediction Services
Optional
Some browsers allow for prediction services, where you receive real-time search results or URL auto-fill. If this is enabled then data is sent to Google (or your default search engine) with every keypress, rather than when you hit enter. You may wish to disable this to reduce the amount of data collected
Avoid G Translate for Webpages
Optional
When you visit a web page written in a foreign language, you may be prompted to install the Google Translate extension. Be aware that Google collects all data (including input fields), along with details of the current user. Instead use a translation service that is not linked to your browser
Disable Web Notifications
Optional
Browser push notifications are a common method for criminals to encourage you to click their link, since it is easy to spoof the source. Be aware of this, and for instructions on disabling browser notifications, see this article
Disable Automatic Downloads
Optional
Drive-by downloads is a common method of getting harmful files onto a users device. This can be mitigated by disabling auto file downloads, and be cautious of websites which prompt you to download files unexpectedly
Disallow Access to Sensors
Optional
Mobile websites can tap into your device sensors without asking. If you grant these permissions to your browser once, then all websites are able to use these capabilities, without permission or notification, take a look at the sensor-js study for more. The best solution is to not grant any permissions to your browser, and to use a privacy browser such as Firefox Focus (Android / iOS) or DuckDuckGo (Android / iOS)
Disallow Location
Optional
Location Services lets sites ask for your physical location to improve your experience. This should be disabled in settings (see how). Note that there are still other methods of determining your approximate location (IP address, time zone, device info, DNS etc)
Disallow Camera/ Microphone access
Optional
Check browser settings to ensure that no websites are granted access to webcam or microphone. It may also be beneficial to use physical protection such as a webcam cover and microphone blocker
Disable Browser Password Saves
Optional
Do not allow your browser to store usernames and passwords. These can be easily viewed or accessed. Chrome does protect this data behind your Windows credentials, but these can be simple to obtain thanks to password reset utilities such as Offline NT Password and Registry Editor. Instead use a password manager
Disable Browser Autofill
Optional
Turn off autofill for any confidential or personal details. This feature was designed to make online shopping and general browsing more convenient, but storing this sensitive information (names, addresses, card details, search terms etc) can be extremely harmful if your browser is compromised in any way. Instead, if essential, consider using your password manager's Notes feature to store and fill your data
Protect from Exfil Attack
Optional
The CSS Exfiltration attack is one where credentials and other sensitive details can be snagged with pure CSS, meaning that even blocking JavaScript cannot prevent it; read more in this article by Mike Gualtieri. You can stay protected with the CSS Exfil Protection plugin (for Chrome and Firefox), which sanitizes and blocks any CSS rules which may be designed to steal data. Check out the CSS Exfil Vulnerability Tester to see if you could be susceptible.
Deactivate ActiveX
Optional
ActiveX is a browser extension API that is built into Microsoft IE, and enabled by default. It's not commonly used by legitimate sites any more, but since it gives plugins intimate access rights it can be dangerous, so you should disable it (see how)
Disable WebRTC
Optional
WebRTC allows high-quality audio/video communication and peer-to-peer file-sharing straight from the browser. However, it can pose a privacy leak, especially if you are not using a proxy or VPN. In Firefox, WebRTC can be disabled by searching for and disabling media.peerconnection.enabled in about:config. For other browsers, the WebRTC-Leak-Prevent extension can be installed. uBlockOrigin also allows WebRTC to be disabled. To learn more, check out this guide
Spoof HTML5 Canvas Sig
Optional
Canvas Fingerprinting allows websites to identify and track users very accurately through exploiting the rendering capabilities of the Canvas element. You can use the Canvas-Fingerprint-Blocker extension to spoof your fingerprint, or use Tor. Check if you are susceptible here
Spoof User Agent
Optional
The user agent is a string of text, telling the website what device, browser and version you are using. It is used in part to generate your fingerprint, so switching user agent periodically is one small step you can take to become less unique. You can switch user agent manually in the Development tools, or use an extension like Chameleon (Firefox) or User-Agent Switcher (Chrome)
Disregard DNT
Optional
Do Not Track is an HTTP header, supported by all major browsers, which once enabled is intended to flag to a website that you do not wish to be tracked. Enabling Do Not Track has very limited impact, since many websites do not respect or follow it. Since it is rarely used, it may also add to your signature, making you more unique, and therefore actually easier to track
Prevent HSTS Tracking
Optional
HTTP Strict Transport Security (HSTS) was designed to help secure websites by preventing HTTPS downgrade attacks. However, privacy concerns have been raised, as it allows site operators to plant super-cookies and continue to track users in incognito mode. It can be disabled by visiting chrome://net-internals/#hsts in Chromium-based browsers, or by following this guide for Firefox, and this guide for other browsers
Prevent Automatic Browser Connections
Optional
Even when you are not using your browser, it may call home to report on usage activity, analytics and diagnostics. You may wish to disable some of this, which can be done through the settings, see instructions for: Firefox, Chrome, Brave
Enable 1st-Party Isolation
Optional
First-party isolation means that all identifier sources and browser state are scoped (isolated) using the URL bar domain; this can greatly reduce tracking. In Firefox (under network.cookie.cookieBehavior), it is now possible to block cross-site and social media trackers, and isolate remaining cookies. Alternatively, to enable/disable it with one click, see the First Party Isolation add-on
Strip Tracking Params from URLs
Advanced
Websites often append additional GET parameters to URLs that you click, to identify information like source/referrer. You can sanitize these manually, or use an extension like ClearUrls (for Chrome / Firefox) or SearchLinkFix (for Chrome / Firefox) to strip tracking data from URLs automatically in the background
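An added example (not code from ClearUrls or any extension the list names) of how such stripping works: the parameter globs and per-host rules below are constructed for illustration, and the function returns both the cleaned URL and the names it removed, so the same logic can feed a log of which sites attach trackers.

```python
"""Strip known tracking parameters from URLs.

Constructed rule set modelled on what URL-cleaning extensions do; it is not any
extension's own rule list. Globs use shell-style wildcards ("utm_*")."""
import fnmatch
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Parameters that carry tracking data regardless of the site.
GLOBAL_TRACKING_PARAMS = [
    "utm_*",                                 # campaign tags (source, medium, ...)
    "fbclid",                                # Facebook click identifier
    "gclid", "dclid", "msclkid", "yclid",    # ad-network click identifiers
    "mc_eid", "_hsenc", "_hsmi", "igshid",   # mailing-list / CRM / social identifiers
]

# Extra parameters that only act as trackers on particular hosts (host glob -> globs).
# Constructed examples; "*.amazon.*" matches www.amazon.com, www.amazon.co.uk, ...
HOST_TRACKING_PARAMS = {
    "*.amazon.*": ["tag", "ref", "ref_", "pf_rd_*", "psc", "qid", "sr"],
    "*.youtube.com": ["si"],
}


def _is_tracking(name, patterns):
    return any(fnmatch.fnmatchcase(name, pattern) for pattern in patterns)


def strip_tracking_params(url):
    """Return (clean_url, removed_parameter_names).

    Non-tracking parameters keep their original order; scheme, host, path and
    fragment are passed through unchanged."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    patterns = list(GLOBAL_TRACKING_PARAMS)
    for host_glob, extra in HOST_TRACKING_PARAMS.items():
        if fnmatch.fnmatchcase(host, host_glob):
            patterns.extend(extra)

    kept, removed = [], []
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        if _is_tracking(name, patterns):
            removed.append(name)
        else:
            kept.append((name, value))

    clean = parts._replace(query=urlencode(kept))
    return urlunsplit(clean), removed
```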
First Launch Security
Advanced
After installing a web browser, the first time you launch it (prior to configuring its privacy settings), most browsers will call home (send a request to Microsoft, Apple, Google or another developer) and send over your device details (as outlined in this journal article). Therefore, after installing a browser, you should first disable your internet connection, then launch it, go into settings and configure privacy options, before re-enabling your internet connectivity. This does not apply to all browsers; in this article Brave claims to be one of the only browsers to call out to a single, controlled TLD exclusively
Use The Tor Browser
Advanced
The Tor Project provides a browser that encrypts and routes your traffic through multiple nodes, keeping users safe from interception and tracking. The main drawbacks are speed and user experience, as well as the possibility of DNS leaks from other programs. There are also security threats specific to Tor to be aware of, such as malicious exit nodes (see #19) but generally Tor is one of the more secure browser options for anonymity on the web
Disable JavaScript
Advanced
Many modern web apps are JavaScript-based, so disabling it will greatly degrade your browsing experience. But if you really want to go all out, then it will substantially reduce your attack surface, and mitigate a lot of client-side tracking and JavaScript malware
Nearly 50 years since the first email was sent, it's still very much a big part of our day-to-day life, and will continue to be for the near future. So considering how much trust we put in them, it’s surprising how fundamentally insecure this infrastructure is. Email-related fraud is on the up, and without taking basic measures you could be at risk.
If a hacker gets access to your emails, it provides a gateway for your other accounts to be compromised (through password resets), therefore email security is paramount for your digital safety.
The big companies providing "free" email services don't have a good reputation for respecting users' privacy: Gmail was caught giving third parties full access to user emails and also tracking all of your purchases. Yahoo was also caught scanning emails in real-time for US surveillance agencies. Advertisers were granted access to Yahoo and AOL users' messages to “identify and segment potential customers by picking up on contextual buying signals, and past purchases.”
Security
Priority
Details and Hints
Have more than one email address
Recommended
Consider using a different email address for security-critical communications than for trivial mail such as newsletters. This compartmentalization could reduce the amount of damage caused by a data breach, and also make it easier to recover a compromised account
Keep Email Address Private
Recommended
Do not share your primary email publicly, as mail addresses are often the starting point for most phishing attacks
Keep your Account Secure
Recommended
Use a long and unique password, enable 2FA and be careful while logging in. Your email account provides an easy entry point to all your other online accounts for an attacker
Disable Automatic Loading of Remote Content
Recommended
Email messages can contain remote content such as images or stylesheets, often automatically loaded from the server. You should disable this, as it exposes your IP address and device information, and is often used for tracking. For more info, see this article
Use Plaintext
Optional
There are two main types of emails on the internet: plaintext and HTML. The former is strongly preferred for privacy & security, as HTML messages often include identifiers in links and inline images, which can collect usage and personal data. There are also numerous risks of remote code execution targeting the HTML parser of your mail client, which cannot be exploited if you are using plaintext. For more info, as well as setup instructions for your mail provider, see UsePlaintext.email.
Don’t connect third-party apps to your email account
Optional
If you give a third-party app or plug-in (such as Unroll.me, Boomerang, SaneBox etc) full access to your inbox, they effectively have full unhindered access to all your emails and their contents, which poses significant security and privacy risks
Don't Share Sensitive Data via Email
Optional
Emails are very easily intercepted. Further to this you can’t be sure of how secure your recipient's environment is. Therefore emails cannot be considered safe for exchanging confidential information, unless it is encrypted.
Consider Switching to a Secure Mail Provider
Optional
Secure and reputable email providers such as ProtonMail and Tutanota allow for end-to-end encryption, full privacy as well as more security-focused features. Unlike typical email providers, your mailbox cannot be read by anyone but you, since all messages are encrypted. Providers such as Google, Microsoft and Yahoo scan messages for advertising, analytics and law enforcement purposes, but this poses a serious security threat
Use Smart Key
Advanced
OpenPGP also does not support Forward secrecy, which means if either your or the recipient's private key is ever stolen, all previous messages encrypted with it will be exposed. Therefore, you should take great care to keep your private keys safe. One method of doing so, is to use a USB Smart Key to sign or decrypt messages, allowing you to do so without your private key leaving the USB device. Devices which support this include NitroKey, YubiKey 5 (See Yubico Neo), Smart Card (See guide), OnlyKey
Use Aliasing / Anonymous Forwarding
Advanced
Email aliasing allows messages to be sent to [anything]@my-domain.com and still land in your primary inbox, effectively allowing you to use a different, unique email address for each service you sign up for. This means that if you start receiving spam, you can block that alias and determine which company leaked your email address. More importantly, you do not need to reveal your real email address to any company. Anonaddy and SimpleLogin are open source anonymous email forwarding services allowing you to create unlimited email aliases, with a free plan
Subaddressing
Optional
An alternative to aliasing is subaddressing, where anything after the + symbol is omitted during mail delivery; for example, the address [email protected] denotes the same delivery address as [email protected]. This was defined in RFC 5233, and is supported by most major mail providers (inc. Gmail, YahooMail, Outlook, FastMail and ProtonMail). It enables you to keep track of who shared/leaked your email address, but unlike aliasing it will not protect against your real address being revealed
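As an added illustration of the subaddressing and aliasing rows above (not code from any mail provider or forwarding service), this splits a +tagged address the way RFC 5233 delivery does and looks the tag up in a small constructed registry of which service each tag was handed to, which is how a leaked address gets attributed.

```python
"""Parse subaddressed mailbox addresses (user+detail@domain) and attribute unwanted mail
to the service that was given the tag. Added example with constructed data."""


def split_subaddress(address, separator="+"):
    """Split 'user+detail@domain' into (user, detail_or_None, domain).

    Only the first separator divides user from detail (RFC 5233 style); any later
    separators remain part of the detail. The domain is case-insensitive."""
    local, at, domain = address.rpartition("@")
    if not at or not local or not domain:
        raise ValueError(f"not a mailbox address: {address!r}")
    user, _, detail = local.partition(separator)
    return user, (detail or None), domain.lower()


def canonical_address(address):
    """The mailbox a message is actually delivered to, with any +detail tag removed.

    This is also what a recipient sees, which is why subaddressing does not hide
    the real address the way a true alias does."""
    user, _, domain = split_subaddress(address)
    return f"{user}@{domain}"


# Constructed registry: the tag used on each sign-up form.
TAG_REGISTRY = {
    "shop": "Example Shop (order confirmations)",
    "news": "Example Newsletter",
}


def attribute_source(recipient, registry=TAG_REGISTRY):
    """Given the To: address of an unwanted message, report who was given that tag."""
    _, detail, _ = split_subaddress(recipient)
    if detail is None:
        return "untagged primary address (could have come from anywhere)"
    return registry.get(detail, f"unregistered tag {detail!r}")
```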
Use a Custom Domain
Advanced
Using a custom domain means that you are not dependent on the address assigned by your mail provider. So you can easily switch providers in the future, and do not need to worry about a service being discontinued
Sync with a client for backup
Advanced
Further to the above, keep a local copy of your mail to avoid losing temporary or permanent access to your emails during an unplanned event (such as an outage or account lock). Thunderbird can sync/backup messages from multiple accounts via IMAP and store them locally on your primary device
Be Careful with Mail Signatures
Advanced
You do not know how secure the email environment of the recipient of your message may be. There are several extensions (such as ZoomInfo) that automatically crawl messages and create a detailed database of contact information based upon email signatures, and sometimes message content. If you send an email to someone who has something like this enabled, then you are unknowingly entering your details into this database
Be Careful with Auto-Replies
Advanced
Out-of-office automatic replies are very useful for informing people there will be a delay in replying, but all too often people reveal too much information, which can be used in social engineering and targeted attacks
Choose the Right Mail Protocol
Advanced
Do not use outdated protocols (below IMAPv4 or POPv3); those older versions have known vulnerabilities and out-dated security.
Self-Hosting
Advanced
Self-hosting your own mail server is not recommended for non-advanced users, since correctly securing it is critical yet requires strong networking knowledge - read more. That being said, if you run your own mail server, you will have full control over your emails. Mail-in-a-box and docker-mailserver are ready-to-deploy correctly-configured mail servers that provide a good starting point
Always use TLS Ports
Advanced
There are SSL/TLS options for POP3, IMAP and SMTP on standard TCP ports. They are easy to use and widely supported, so should always be used instead of the plaintext email ports. By default, the ports are: POP3 = 995, IMAP = 993 and SMTP = 465
DNS Availability
Advanced
For self-hosted mail servers, to prevent DNS problems impacting availability, use at least 2 MX records, with secondary and tertiary MX records for redundancy when the primary MX record fails
Prevent DDoS and Brute Force Attacks
Advanced
For self-hosted mail servers (specifically SMTP), limit your total number of simultaneous connections and your maximum connection rate, to reduce the impact of attempted bot attacks
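The two controls that row describes, as an added example rather than code from any mail server: a per-client limiter enforcing a cap on simultaneous connections and a sliding-window cap on connection attempts, the same pair Postfix exposes as smtpd_client_connection_count_limit and smtpd_client_connection_rate_limit. The listener that would call on_connect/on_disconnect is assumed, and the clock is injectable so the behaviour can be replayed deterministically.

```python
"""Per-client SMTP connection count and rate limiting (added illustration)."""
import time
from collections import defaultdict, deque


class ManualClock:
    """Deterministic clock for tests and for replaying connection logs."""
    def __init__(self, start=0.0):
        self.now = start

    def __call__(self):
        return self.now


class SmtpConnectionLimiter:
    def __init__(self, max_concurrent=10, max_per_window=30, window_seconds=60.0,
                 clock=time.monotonic):
        self.max_concurrent = max_concurrent    # open connections allowed per client IP
        self.max_per_window = max_per_window    # accepted connections per window per IP
        self.window = window_seconds
        self.clock = clock
        self._open = defaultdict(int)           # ip -> currently open connections
        self._accepted = defaultdict(deque)     # ip -> timestamps of accepted connections
        self.rejected = defaultdict(int)        # ip -> rejection count, for alerting

    def _prune(self, ip, now):
        """Drop accepted-connection timestamps that have left the window."""
        recent = self._accepted[ip]
        while recent and now - recent[0] >= self.window:
            recent.popleft()

    def on_connect(self, ip):
        """Call when a TCP connection from `ip` arrives. Returns (accept, smtp_reply)."""
        now = self.clock()
        self._prune(ip, now)
        if self._open[ip] >= self.max_concurrent:
            self.rejected[ip] += 1
            return False, "421 4.7.0 too many simultaneous connections"
        if len(self._accepted[ip]) >= self.max_per_window:
            self.rejected[ip] += 1
            return False, "421 4.7.0 connection rate limit exceeded, try again later"
        # Only accepted connections count towards the rate, so a rejected client
        # does not keep extending its own penalty.
        self._accepted[ip].append(now)
        self._open[ip] += 1
        return True, "220 mail.example.test ESMTP"

    def on_disconnect(self, ip):
        """Call when the connection closes, however it ended."""
        if self._open[ip] > 0:
            self._open[ip] -= 1
```

A 421 reply tells a well-behaved client to retry later, while the `rejected` counter gives the operator a per-IP signal to feed into alerting or a blocklist.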
Maintain IP Blacklist
Advanced
For self-hosted mail servers, you can improve spam filters and harden security by maintaining an up-to-date local IP blacklist and spam URI realtime block lists to filter out malicious hyperlinks. You may also want to activate reverse DNS lookups
End-to-end encryption is a system of communication where messages are encrypted on your device and not decrypted until they reach the intended recipient. This ensures that any actor who intercepts traffic cannot read the message contents, nor can anybody with access to the central servers where data is stored. Note that if an app is not completely open source, the extent to which the encryption is implemented cannot be verified, and it should not be trusted.
Use only Open Source Messaging Platforms
Recommended
If code is open source then it can be independently examined and audited by anyone qualified to do so, to ensure that there are no backdoors, vulnerabilities, or other security issues. Therefore proprietary applications should not be trusted for communicating sensitive information. In open source ecosystems, bugs are raised transparently and are usually fixed quickly, and version histories can show who added what, and when. When downloading a pre-built package, you can verify that it has not been tampered with by doing a hash check and comparing the digital signatures. It's important to note that no piece of software is totally bug free, and hence never truly secure or private; being open source is in no way a guarantee that something is safe
Use a "Trustworthy" Messaging Platform
Recommended
When selecting an encrypted messaging app, ensure it's fully open source. It should be stable and actively maintained. Ideally it should be backed by reputable developers or at least be fully clear where funding originates from and/ or what their revenue model is. It should have undergone an independent code audit, with results publicly published
Check Security Settings
Recommended
Enable security settings, including contact verification, security notifications and encryption. Disable optional non-security features such as read receipt, last online and typing notification. If the app supports cloud sync either for backup or for access through a desktop or web app companion, this increases the attack surface and so should be disabled
Ensure your Recipients Environment is Secure
Recommended
Your conversation can only be as secure as the weakest link. Often the easiest way to infiltrate a communications channel, is to target the individual or node with the least protection. They may not even be aware that their environment has been compromised, leading to sensitive information being captured by an adversary. The best solution to this is to educate and inform the participants in your conversation, about good security practices. Focus on secure authentication, device encryption, network security and malware prevention
Disable Cloud Services
Recommended
Some mobile messaging apps offer a web or desktop companion. This not only increases attack surface, but has been linked to several critical security issues, and should therefore be avoided if possible. Some messaging apps also offer a cloud backup feature. Again, there are serious security issues with many of these implementations; for example, WhatsApp backups are not encrypted by default, and when encryption is enabled the key still remains in the control of WhatsApp, so with this feature available your chat history may be breached. Again, where possible this should be disabled.
Secure Group Chats
Recommended
The risk of compromise rises exponentially the more participants there are in a group, as the attack surface increases. There is also a higher chance that an adversary lurking among the members can go unnoticed. Periodically check that all participants are legitimate, and ensure only trusted members have admin privileges. It may sometimes be worth only sharing sensitive information within smaller groups. Note that with some messengers, not all group chats are encrypted (especially if one recipient is on an older version)
Create a Safe Environment for Communication
Recommended
There are several stages where your digital communications could be monitored or intercepted. This includes: your or your participants' devices, your ISP, national gateway or government logging, the messaging provider, and the servers. You can help protect from these risks by: paying attention to your surroundings, keeping your devices up-to-date, avoiding malware, watching out for phishing attacks, relying on trustworthy services, creating strong passwords and using second-factor authentication, using encryption, and helping those with whom you communicate do the same. If you are concerned about your communications being intercepted, consider using a reputable VPN provider, or routing traffic through Tor
Agree on a Communication Plan
Optional
In certain situations (such as attending a protest, communicating with a source or traveling to a risky location), it may be worth making a communication plan. This should include primary and backup methods of securely getting hold of each other (in order to avoid falling back on insecure technologies). You may wish to include procedures to follow in potential situations, e.g. to signal for help or assistance
Strip Meta-Data from Media
Optional
Metadata is "data about data", or additional information attached to a file or transaction. When you send a photo, audio recording, video or document you may be revealing more than you intended to, or leaking your location. For example, Exif data attached to images typically includes: device name and model, author, time & date taken, GPS location (latitude & longitude) and photography information. In order to protect privacy, you should remove this data before uploading any file or media item. Some apps strip this information out automatically, but they may be logging it before doing so
Defang URLs
Optional
Sending links via WhatsApp, Slack, Apple Messenger, Wire, Facebook and other services can unintentionally expose your personal information. This is because, when a thumbnail or preview is generated, it happens on the client side, and therefore causes your IP, user-agent and device info to be logged. This broadcasts to the website owner that you are discussing that website. One way around this is to defang your URLs (e.g. https://www.example.com --> hxxps://www[.]example[.]com); using a VPN will also help protect your IP
Verify your Recipient
Optional
Your communication is only as secure as its weakest link. Always ensure you are talking to the intended recipient, and that they have not been compromised. One method for doing so is to use an app which supports contact verification. This is a powerful feature that enables users to trust the destination, and ensure the conversation has not been hijacked. It usually takes the form of comparing fingerprint codes, either over a phone call or in real life via scanning a QR code. If you believe you may be targeted, use a secure messenger that provides reliable indicators of compromise, where both parties will be notified if there have been any changes
Enable Ephemeral Messages
Optional
You cannot always rely on the physical security of your device. Self-destructing messages are a really neat feature that causes your messages to automatically delete after a set amount of time. This means that if your device is lost, stolen or seized, an adversary will only have access to the most recent communications. Unlike remote erase, disappearing messages do not require your device to be remotely accessible or have signal. You are able to vary this time frame from weeks all the way down to just a few seconds, depending on your threat model. Without disappearing messages enabled, you should periodically delete conversation history, in case your device is breached
Avoid SMS
Optional
SMS may be convenient, but it's not secure. It is susceptible to threats, such as interception, sim swapping, manipulation and malware. If you must use SMS, then you should encrypt messages before sending. One option is to use Silence, an Android app that provides end-to-end encryption for SMS
Watch out for Trackers
Optional
A tracker is a piece of software meant to collect data about you or your usage. Be wary of messaging applications with trackers, as the detailed usage statistics they collect are often very invasive, and can sometimes reveal your identity as well as personal information that you would otherwise not intend to share. You can check how many, and which, trackers a given app uses by searching for it in Exodus Privacy
Consider Jurisdiction
Advanced
The jurisdictions where the organisation is based and where data is hosted should also be taken into account. In some territories, organisations are forced to comply with local government regulations, which can require them to keep logs of all users' interactions and metadata, or hand over encryption keys. Where possible, avoid Five Eyes and other international cooperatives, and countries with poor respect for user privacy such as China, Russia, Singapore and Malaysia.
Use an Anonymous Platform
Advanced
If you believe you may be targeted, you should opt for an anonymous messaging platform that does not require a phone number, or any other personally identifiable information, to sign up or use. Even using false or temporary information (such as a burner SIM, VOIP number, temporary or forwarding email address, made-up details etc) cannot guarantee anonymity, and may put you at risk. As well as this, you should download the app over Tor, outside of Google Play / Apple App Store, create an anonymous identity, only run the app while connected through Tor and ideally sandbox it to prevent data leaks (using a separate profile, virtual machine or even a secondary device)
Ensure Forward Secrecy is Supported
Advanced
Opt for a platform that implements forward secrecy. This is where your app generates a new encryption key for every message. It means that if your adversary has obtained the private encryption key from one party, they will not be able to use it to decrypt any previously captured messages
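An added toy illustration of the property that row describes (not code from any messenger): each message gets its own key derived from a one-way HMAC chain, and only the current chain key is ever stored. The HMAC chain mirrors the shape of the Signal protocol's symmetric-key ratchet, while the XOR "cipher" is a constructed stand-in with no authentication, used only so the demo is self-contained.

```python
"""Why per-message keys give forward secrecy: a symmetric-key ratchet demo (added example)."""
import hashlib
import hmac


def ratchet_step(chain_key):
    """Derive a one-time message key and the next chain key from the current chain key.

    HMAC is one-way: holding next_chain_key reveals nothing about chain_key or
    about the message_key that was derived alongside it."""
    message_key = hmac.new(chain_key, b"message", hashlib.sha256).digest()
    next_chain_key = hmac.new(chain_key, b"chain", hashlib.sha256).digest()
    return next_chain_key, message_key


def keystream_xor(key, data):
    """Constructed stream-cipher stand-in: XOR with SHA-256(key || counter) blocks."""
    stream = b"".join(hashlib.sha256(key + i.to_bytes(4, "big")).digest()
                      for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, stream))


class RatchetEndpoint:
    """One party's state. Only the *current* chain key is kept; message keys are discarded."""
    def __init__(self, shared_root_key):
        self._chain_key = shared_root_key

    def encrypt(self, plaintext):
        self._chain_key, message_key = ratchet_step(self._chain_key)
        return keystream_xor(message_key, plaintext)   # message_key is dropped after use

    def decrypt(self, ciphertext):
        self._chain_key, message_key = ratchet_step(self._chain_key)
        return keystream_xor(message_key, ciphertext)

    def seized_state(self):
        """What an adversary obtains by extracting this party's stored key material."""
        return self._chain_key


def attacker_decrypt(stolen_chain_key, captured_ciphertexts):
    """The best an adversary can do with a seized chain key: run the ratchet forward from it."""
    chain, recovered = stolen_chain_key, []
    for ciphertext in captured_ciphertexts:
        chain, message_key = ratchet_step(chain)
        recovered.append(keystream_xor(message_key, ciphertext))
    return recovered


def demo():
    root = hashlib.sha256(b"constructed shared secret").digest()
    alice, bob = RatchetEndpoint(root), RatchetEndpoint(root)
    messages = [b"meet at noon", b"bring the documents", b"use the side door"]
    captured = [alice.encrypt(m) for m in messages]        # adversary records all traffic
    received = [bob.decrypt(c) for c in captured]
    stolen = alice.seized_state()                          # Alice's device is seized afterwards
    past_attempt = attacker_decrypt(stolen, captured)      # earlier traffic stays unreadable
    future_ct = alice.encrypt(b"new message after the seizure")
    future_attempt = attacker_decrypt(stolen, [future_ct]) # later traffic is readable
    return received, past_attempt, future_attempt
```

The last line of demo() is the caveat: a symmetric ratchet protects the past but not the future, which is why real protocols add a Diffie-Hellman ratchet to recover security after a compromise.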
Consider a Decentralized Platform
Advanced
If all data flows through a central provider, you have to trust them with your data and metadata. You cannot verify that the system running is authentic and free of backdoors; the provider may be subject to local laws, court orders or censorship; and if that provider ceases to operate, the entire network will be unavailable for that duration. Whereas with a decentralized system, there are no central servers to compromise, and no single point of failure. It cannot be raided, shut down, or forced to turn over data. Some decentralized platforms also route traffic through the Tor network, which provides an additional layer of anonymity and security.
Online communities have existed since the invention of the internet, and give people around the world the opportunity to connect, communicate and share. Although these networks are a great way to promote social interaction and bring people together, they have a dark side: there are some serious Privacy Concerns with Social Networking Services, and these social networking sites are owned by private corporations, which make their money by collecting data about individuals and selling that data on, often to third-party advertisers.
Secure your account, lock down your privacy settings, but know that even after doing so, all data intentionally and non-intentionally uploaded is effectively public. If possible, avoid using conventional social media networks.
Security
Priority
Details and Hints
Secure your Account
Recommended
Social media profiles get stolen or taken over all too often. To protect your account: use a unique and strong password, and enable 2-factor authentication. See the Authentication section for more tips
Check Privacy Settings
Recommended
Most social networks allow you to control your privacy settings. Ensure that you are comfortable with what data you are currently exposing and to whom. But remember, privacy settings are only meant to protect you from other members of the social network- they do not shield you or your data from the owners of the network. See how to set privacy settings, with this guide
Think of All Interactions as Public
Recommended
There are still numerous methods of viewing a user's 'private' content across many social networks. Therefore, before uploading, posting or commenting on anything, think "Would I mind if this was totally public?"
Think of All Interactions as Permanent
Recommended
Pretty much every post, comment, photo etc is being continuously backed up by a myriad of third-party services, who archive this data and make it indexable and publicly available almost forever. Sites like Ceddit, /r/undelete, Politwoops and The Way Back Machine allow anyone to search through deleted posts, websites and media. Therefore it's important to not unintentionally reveal too much information, and to consider what the implications would be if it were to go 'viral'
Don't Reveal too Much
Recommended
Profile information creates a goldmine of info for hackers, the kind of data that helps them personalize phishing scams. Avoid sharing too much detail (DoB, Hometown, School etc)
Be Careful what you Upload
Recommended
Status updates, comments, check-ins and media can unintentionally reveal a lot more than you intended them to (such as location, preferences, contacts/ relationships etc). This is especially relevant to photos and videos, which may show things in the background (documents, road names/ signs, credit cards, electronic devices), even more so when there are multiple images uploaded
Don't Share Email or Phone Number
Recommended
Posting your real email address or mobile number gives hackers, trolls and spammers more ammunition to use against you, and can also allow separate aliases, profiles or data points to be connected
Don't Grant Unnecessary Permissions
Recommended
By default many of the popular social networking apps will ask for permission to access your contacts, call log, location, messaging history etc.. If they don’t need this access, don’t grant it. For Android users, check out Bouncer - an app that gives you the ability to grant permissions temporarily
Be Careful of 3rd-Party Integrations
Recommended
Avoid signing up for accounts using a Social Network login, revoke access to social apps you no longer use, see instructions for: Facebook, Twitter, Insta and LinkedIn
Avoid Publishing Geo Data while still Onsite
Recommended
If you plan to share any content that reveals a location (such as 'checking in', sharing photos, or status updates that reveal your location), then wait until you have left that place. This is particularly important when you are taking a trip, at a restaurant, campus, hotel/ resort, public building or airport- as it may alert the wrong people to your exact whereabouts
Remove metadata before uploading media
Optional
Most smartphones and some cameras automatically attach a comprehensive set of additional data (called EXIF data) to each photograph. This usually includes things like time, date, location, camera model, user etc. It can reveal a lot more data than you intended to share. Remove this data before uploading. You can remove metadata without any special software, use a CLI tool, or a desktop tool like EXIF Tag Remover
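An added example serving this row and the earlier "Strip Meta-Data from Media" row (not code from any of the tools named): a JPEG consists of marker segments, and Exif, XMP, IPTC and comment data live in their own segments ahead of the scan data, so they can be dropped by walking the markers without decoding the image. The sample bytes are a constructed marker skeleton with a fake Exif payload, not a decodable photo.

```python
"""Drop Exif/XMP (APP1), IPTC/Photoshop (APP13) and comment (COM) segments from a JPEG
by walking its marker structure. Added example; other APPn segments (e.g. APP0 JFIF,
APP2 ICC profile) are left in place because decoders may need them."""

SOI, EOI, SOS = 0xD8, 0xD9, 0xDA
STRIP_MARKERS = {0xE1: "APP1 (Exif/XMP)", 0xED: "APP13 (IPTC/Photoshop)", 0xFE: "COM"}
STANDALONE = {0x01, SOI} | set(range(0xD0, 0xD8))     # markers that carry no length field


def strip_jpeg_metadata(data):
    """Return (cleaned_bytes, removed) where removed lists (segment_name, payload_length)."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG (missing SOI)")
    out, removed, i = bytearray(b"\xff\xd8"), [], 2
    while i + 1 < len(data):
        if data[i] != 0xFF:
            raise ValueError(f"expected a marker at offset {i}")
        while i + 1 < len(data) and data[i + 1] == 0xFF:   # 0xFF fill bytes before a marker
            i += 1
        if i + 1 >= len(data):
            raise ValueError("truncated marker")
        marker = data[i + 1]
        if marker == EOI:
            out += data[i:i + 2]
            return bytes(out), removed
        if marker == SOS:                 # entropy-coded scan follows; copy the rest verbatim
            out += data[i:]
            return bytes(out), removed
        if marker in STANDALONE:
            out += data[i:i + 2]
            i += 2
            continue
        length = int.from_bytes(data[i + 2:i + 4], "big")   # includes the 2 length bytes
        end = i + 2 + length
        if length < 2 or end > len(data):
            raise ValueError(f"truncated segment at offset {i}")
        if marker in STRIP_MARKERS:
            removed.append((STRIP_MARKERS[marker], length - 2))
        else:
            out += data[i:end]
        i = end
    raise ValueError("no SOS or EOI marker found")


def _segment(marker, payload):
    return b"\xff" + bytes([marker]) + (len(payload) + 2).to_bytes(2, "big") + payload


# Constructed skeleton: valid marker layout, but the tables and scan are dummy bytes.
SAMPLE_JPEG = (
    b"\xff\xd8"
    + _segment(0xE0, b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00")   # APP0: keep
    + _segment(0xE1, b"Exif\x00\x00MM\x00*GPS 51.5N 0.12W")             # fake Exif: drop
    + _segment(0xFE, b"Taken on Alice's phone")                         # comment: drop
    + _segment(0xDB, b"\x00" + bytes(64))                               # quantisation table: keep
    + _segment(0xDA, b"\x01\x01\x00\x00\x3f\x00")                       # SOS header
    + b"\x12\x34\x56\x78\xff\xd9"                                       # dummy scan data + EOI
)
```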
Implement Image Cloaking
Advanced
Tools like Fawkes can be used to very subtly, slightly change the structure of faces within photos in a way that is imperceptible by humans, but will prevent facial recognition systems from being able to recognize a given face. This can help prevent facial recognition search engines (such as PimEyes, Kairos, Amazon Rekognition etc) from linking your photos with your online profiles, identity or other photos
Consider Spoofing GPS in home vicinity
Advanced
Even if you yourself never use social media, strip geo-data from all media and disable device radios, there is always going to be others who are not as careful, and could reveal your location. For example, if you have guests, family members or visitors to your home residence, their device will likely be recording GPS and logging data. One method around this is to use an SDR to spoof GPS signals, causing all devices in the vicinity to believe they are in a different, pre-defined location
Consider False Information
Advanced
If you just want to read, and do not intend on posting too much, consider using an alias name and false contact details. Remember that there are still methods of tracing your account back to you, but this could mitigate a lot of threats. Consider using separate accounts/identities, or maybe different pseudonyms, for different campaigns and activities. Don't link accounts in any way: don't comment on or like inter-account posts, avoid logging in from the same IP, and use different passwords (so the accounts cannot be linked in the case of a data breach)
Don’t have any social media accounts
Advanced
Social media is fundamentally un-private, so for maximum online security and privacy, avoid using any mainstream social networks
This section covers how you connect your devices to the internet securely, including configuring your router and setting up a VPN.
Security
Priority
Details and Hints
Use a VPN
Recommended
Use a reputable, paid-for VPN. This can help prevent sites you visit from logging your real IP, reduce the amount of data your ISP can collect and increase protection on public WiFi. However, VPNs alone do not make you anonymous or stop tracking; it's important to understand their limitations. ProtonVPN and Mullvad may be good options for many, but for an unbiased comparison, see: That One Privacy Site. Select a service with a good reputation, that does not keep logs, and is not in the 5-eyes jurisdiction
Change your Router Password
Recommended
After getting a new router, change the password. Default router passwords are publicly available (see default-password.info), meaning anyone within proximity would be able to connect. See here, for a guide on changing router password
Use WPA2, and a strong password
Recommended
There are different authentication protocols for connecting to WiFi. Currently the most secure is options are WPA2 and WPA3 (on newer routers). WEP and WPA are moderately easy to crack. Ensure it is strong: 12+ alpha-numeric characters, avoiding dictionary words. You can set this within your routers admin panel
Keep router firmware up-to-date
Recommended
Manufacturers release firmware updates that fix security vulnerabilities, implement new standards and sometimes add features/ improve the performance your router. It's important to have the latest firmware installed, to avoid a malicious actor exploiting an un-patched vulnerability. You can usually do this by navigating to 192.168.0.1 or 192.168.1.1, entering the admin credentials (on the back of you of your router, not your WiFi password!), and follow the instructions, see: Asus, D-Link, Linksys (older models), NetGear and TP-Link. Some newer routers update automatically
Implement a Network-Wide VPN
Optional
If you configure your VPN on your router, firewall or home server, then traffic from all devices will be encrypted and routed through it, without needing individual VPN apps. This reduces the chance: of IP leaks, VPN app crashes, and provides VPN access to devices which don't support VPN clients (TV's, Smart Hubs, IoT devices etc)
Protect against DNS leaks
Optional
When using a VPN, it is extremely important to exclusively use the DNS server of your VPN provider or secure service. For OpenVPN, you can add: block-outside-dns to your config file (which will have the extension .ovn or .conf). If you are unable to do this, then see this article for further instructions. You can check for leaks, using a DNS Leak Test
Use DNS-over-HTTPS which performs DNS resolution via the HTTPS protocol, encrypting data between you and your DNS resolver. Although DoH is not perfect, it does remove the need for trust - see Cloudflare's 1.1.1.1 Docs for more details
Avoid the free router from your ISP
Optional
Typically they’re manufactured cheaply in bulk in China, with insecure propriety firmware that doesn't recieve regular security updates. Consider an open source router (such as Turris MOX) or a comercial router with secure firmware
Whitelist MAC Addresses
Optional
You can whitelist MAC addresses in your router settings, disallowing any unknown devices to immediately connect to your network, even if they know your credentials. Note that a malicious actor may be able to bypass this, by cloning their address to appear the same as one of your trusted devices, but it will add an extra step
Change the Router’s Local IP Address
Optional
It is possible for a malicious script in your web browser, to exploit a cross site scripting vulnerability, accessing known-vulnerable routers at their local IP address and tampering with them (known as CSRF Attack). Updating your routers local IP address, so that it is not the default (usually 192.168.0.1 or similar), can help protect you from some of these automated attacks
Don't Reveal Personal Info in SSID
Optional
You should update your network name, choosing an SSID that does not identify you, include your flat number / address, and does not specify the device brand/ model. It may be beneficial to avoid something very unique, as services like Wigle's WiFi map can link an SSID directly back to your home address. This may also slightly aid in deterring an opportunistic attacker, as it indicates the router is being conscientiously administered. See, how to update SSID
Opt-Out Router Listings
Optional
WiFi SSIDs are scanned, logged and then published on various websites (such as Wiggle WiFi SSID Map), which is a serious privacy concern for some. You can opt-out of many of these listings, by adding _nomap to the end of your SSID (WiFi network name)
Hide your SSID
Optional
Your routers Service Set Identifier is simply the network name. If it is not visible, it may receive less abuse. However understand that finding hidden networks is a trivial task (e.g. with Kismet). See, how to hide SSID
Disable WPS
Optional
Wi-FI Protected Setup provides an easier method to connect, without entering a long WiFi password, it often involves a physical button on your router, entering an 8-digit PIN, or tapping an NFC. It may be convenient, but WPS introduces a series of major security issues, allowing an attacker to bypass the password, and gain easy access into your network. See, how to disable WPS
Disable UPnP
Optional
Universal Plug and Play allows applications to automatically forward a port on your router, saving you the hassle of forwarding ports manually. However, it has a long history of serious security issues, and so it is recommended to turn this feature off. See, how to disable UPnP
Use a Guest Network for Guests
Optional
Do not grant access to your primary WiFi network to visitors, as it enables them to interact with other devices on the network (such as printers, IoT/ smart home devices, network-attached storage/ servers etc). Even if it is someone you trust, you cannot guarantee that their device has not been compromised in some way. Some routers offer the ability to enable a separate 'guest' network, which provides isolation and is able to expire after a given time frame. For a more comprehensive network, the same outcome can be achieved using a VLAN and separate access point. See, how to enable guest network
Change your Router's Default IP
Optional
Modifying your router admin panels default IP address will makes it more difficult for malicious scripts in your web browser targeting local IP addresses, as well as adding an extra step for local network hackers
Kill unused processes and services on your router
Optional
Services like Telnet and SSH (Secure Shell) that provide command-line access to devices should never be exposed to the internet and should also be disabled on the local network unless they're actually needed. In general, any service that’s not used should be disabled to reduce attack surface
Don't have Open Ports
Optional
Close any open ports on your router that are not needed. Open ports provide an easy entrance for hackers. You can use a port scanner (such as AngryIP), or a web service
Disable Unused Remote Access Protocols
Optional
When protocols such as PING, Telnet, SSH, UPnP and HNAP etc are enabled, they allow your router to be probed from anywhere in the world, and so should be disabled if not in use. Instead of setting their relevant ports to 'closed', set them to 'stealth' so that no response is given to unsolicited external communications that may come from attackers probing your network
Disable Cloud-Based Management
Optional
You should treat your routers admin panel with the upmost care, as considerable damage can be caused if an attacker is able to gain access. You should take great care when accessing this page, ensuring you always log out, or considering Incognito mode. Most routers offer a 'remote access' feature, allowing you to access the admin web interface from anywhere in the world, using your username and password. This greatly increases attack surface, and opens your network up to a host of threats, and should therefore be disabled. You could also take it a step further, disable the admin interface over WiFi, meaning the settings can only be modified when using a direct Ethernet connection. Note that disabling cloud management may not be possible on some modern mesh-based routers
Manage Range Correctly
Optional
It's common to want to pump your routers range to the max, and often this is necessary, especially if you live in a large house, or desire coverage in outdoor spaces. But if you reside in a smaller flat, and have neighbors close by, your attack surface is increased when your WiFi network can be picked up across the street. It maybe worth carefully configuring your networks, and device antennas to provide coverage only within your operating area/ apartment. One method of doing so, it to utilize the 5-GHz band, which provides a faster link speed, but a lesser range, and is easily blocked by thick walls
Route all traffic through Tor
Advanced
VPNs have their weaknesses - you are simply moving your trust from your ISP/ mobile carrier to a VPN provider - Tor is much more anonymous. For increased security, route all your internet traffic through the Tor network. On Linux you can use TorSocks or Privoxy, for Windows you can use Whonix, and on OSX follow this instructions, for Kali see TorGhost. Alternatively, you can use OnionPi to use Tor for all your connected devices, by configuring a Raspberry Pi to be a Tor Hotspot. Though see also potential drawbacks.
Disable WiFi on all Devices
Advanced
Connecting to even a secure WiFi network increases your attack surface. Disabling your home WiFi and connect each device via Ethernet, and turning off WiFi on your phone and using a USB-C/ Lightening to Ethernet cable will protect against WiFi exploits, as Edward Snowden says here.
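As an added example (not part of the checklist), the two checks a practitioner would run after the DNS-leak row above: whether the OpenVPN client config actually carries an active block-outside-dns line, and whether the OS is resolving only through the VPN's nameservers. The directive is only honoured by OpenVPN on Windows, so the second check is the one that matters on every platform; the config text, resolver addresses and paths below are constructed for the demo.

```shell
#!/usr/bin/env bash
# Added example (not from the checklist): two checks for the DNS-leak advice.
#  1. Does the OpenVPN client config carry an active block-outside-dns line?
#  2. Is the OS resolving only through nameservers that belong to the VPN?
# Paths, resolver addresses and config text below are constructed for the demo.

# Return 0 if <config> contains an uncommented block-outside-dns directive.
ovpn_has_block_outside_dns() {
    local cfg="$1"
    grep -Eq '^[[:space:]]*block-outside-dns([[:space:]]|$)' "$cfg"
}

# Print each nameserver in a resolv.conf-style file that is NOT in the allow-list.
# Usage: leaking_resolvers <resolv.conf> <allowed-ip> [<allowed-ip> ...]
# Returns 0 when every resolver is allowed, 1 when at least one is not.
leaking_resolvers() {
    local resolv="$1"; shift
    local leak=0 key ns ok allowed
    while read -r key ns _; do
        [ "$key" = "nameserver" ] || continue   # skip comments, options, search lines
        ok=0
        for allowed in "$@"; do
            [ "$ns" = "$allowed" ] && ok=1 && break
        done
        if [ "$ok" -eq 0 ]; then
            printf '%s\n' "$ns"
            leak=1
        fi
    done < "$resolv"
    return "$leak"
}

# --- constructed demo input: a config where the directive was left commented out,
# --- and a resolv.conf that still lists the home router next to the VPN resolver.
demo=$(mktemp -d)
cat > "$demo/client.ovpn" <<'EOF'
client
dev tun
remote vpn.example.invalid 1194
# block-outside-dns
EOF
cat > "$demo/resolv.conf" <<'EOF'
# 10.8.0.1 is the (assumed) VPN resolver, 192.168.1.1 the home router
nameserver 10.8.0.1
nameserver 192.168.1.1
EOF

if ovpn_has_block_outside_dns "$demo/client.ovpn"; then
    echo "OK: block-outside-dns is active in client.ovpn"
else
    echo "WARN: block-outside-dns is missing or commented out in client.ovpn"
fi
if leaks=$(leaking_resolvers "$demo/resolv.conf" 10.8.0.1); then
    echo "OK: only VPN resolvers are in use"
else
    echo "WARN: queries can leak to: $leaks"
fi
rm -rf "$demo"
```

On a real system point leaking_resolvers at /etc/resolv.conf (or the output of resolvectl status) and pass the resolver addresses your VPN provider documents.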
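The 'closed' versus 'stealth' distinction from the remote-access row above, as an added shell example (not from the checklist): it checks one TCP port on your own router from the LAN and reports whether something answered, refused, or stayed silent. It assumes bash with /dev/tcp and coreutils timeout; the router address and the port list in router_audit are assumptions.

```shell
#!/usr/bin/env bash
# Added example (not from the checklist): classify one TCP port on your own
# router the way the 'closed' vs 'stealth' advice does.
#   open    - something accepted the connection (a service is listening)
#   closed  - the router actively refused, so it still answers probes
#   stealth - nothing came back before the timeout (dropped/filtered)
# Needs bash (for /dev/tcp) and coreutils timeout; the router address and
# the port list in router_audit are assumptions, not values from the page.

# Usage: port_state <host> <port> [timeout-seconds]  -> prints open|closed|stealth
port_state() {
    local host="$1" port="$2" secs="${3:-3}" rc
    if timeout "$secs" bash -c "exec 3<>/dev/tcp/$host/$port" 2>/dev/null; then
        rc=0
    else
        rc=$?              # 124 means the timeout expired with no reply at all
    fi
    case "$rc" in
        0)   echo open ;;
        124) echo stealth ;;
        *)   echo closed ;;
    esac
}

# Walk the management ports the checklist tells you to disable and show each state.
# From the LAN side you would expect 'closed' or 'stealth' for all of them, except
# the admin web UI (80/443) while you still use it.
router_audit() {
    local router="${1:-192.168.1.1}" p
    for p in 22 23 80 443 8080; do            # ssh, telnet, http, https, alt-http
        printf '%-5s %s\n' "$p" "$(port_state "$router" "$p")"
    done
}

# Offline demo against loopback: nothing normally listens on TCP port 1, so this
# prints "closed" (a refusal, i.e. the host answered, there was just no service).
echo "127.0.0.1:1 -> $(port_state 127.0.0.1 1 2)"
```

Run router_audit with your router's address to see the table; a port that reports 'open' for a service you do not use is the one to disable in the admin panel.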
Smart phones have revolutionized so many aspects of life and brought the world to our fingertips. For many of us, smart phones are our primary means of communication, entertainment and access to knowledge. But while they've brought convenience to a whole new level, there are some ugly things going on behind the screen.
Geo-tracking is used to trace our every move, and we have little control over who has this data - your phone is even able to track your location without GPS. Over the years numerous reports have surfaced outlining ways in which your phone's mic can eavesdrop and the camera can watch you, all without your knowledge or consent. And then there are the malicious apps, lack of security patches and potential/likely backdoors.
Using a smart phone generates a lot of data about you - from information you intentionally share, to data silently generated from your actions. It can be scary to see what Google, Microsoft, Apple and Facebook know about us - sometimes they know more than our closest family. It's hard to comprehend what your data will reveal, especially in conjunction with other data.
This data is used for far more than just advertising - more often it's used to rate people for finance, insurance and employment. Targeted ads can even be used for fine-grained surveillance (see ADINT)
More of us are concerned about how governments collect and use our smart phone data, and rightly so: federal agencies often request our data from Google, Facebook, Apple, Microsoft, Amazon and other tech companies. Sometimes requests are made in bulk, returning detailed information on everybody within a certain geo-fence, often including innocent people. And this doesn't include all of the internet traffic that intelligence agencies around the world have unhindered access to.
| Security | Priority | Details and Hints |
| --- | --- | --- |
| **Encrypt your Device** | Recommended | In order to keep your data safe from physical access, use file encryption. To enable, for Android: Settings --> Security --> Encryption, or for iOS: Settings --> TouchID & Passcode --> Data Protection. This will mean that if your device is lost or stolen, no one will have access to your data |
| **Turn off connectivity features that aren't being used** | Recommended | When you're not using WiFi, Bluetooth, NFC etc, turn those features off. There are several common threats that utilise these features |
| **Keep app count to a minimum** | Recommended | Uninstall apps that you don't need or use regularly, as apps often run in the background, slowing your device down but also collecting data. |
| **App Permissions** | Recommended | Don't grant apps permissions that they don't need. For Android, Bouncer is an app that allows you to grant temporary/one-off permissions. |
| **Only install Apps from official sources** | Recommended | Applications on the Apple App Store and Google Play Store are scanned and cryptographically signed, making them less likely to be malicious. Avoid downloading .apk or .ipa files from unverified sources, unless you know they are safe. Also check the reviews and app info before downloading a new application. |
| **Be Careful of Phone Charging Threats** | Optional | Juice Jacking is when hackers use public charging stations to install malware on your smartphone or tablet through a compromised USB port. You can mitigate this either by using a power bank or AC wall charger, or by using a simple data blocker device (see USB Condom or PortaPow Blocker) |
| **Set up a mobile carrier PIN** | Recommended | SIM hijacking is when a hacker is able to get your mobile number transferred to their SIM (often through social engineering your mobile carrier). This then allows them to receive 2FA SMS codes (enabling them to access your secure accounts, such as banking), reset passwords, or pose as you. The easiest way to protect against this is to set up a PIN through your mobile provider, thus disallowing anyone without this PIN from making any changes to your account. This varies between cell providers, so consult your mobile carrier for setup instructions. Using a non-SMS based 2FA method will reduce the damage. Read more about the SIM swap scam. |
| **Opt-out of Caller ID Listings** | Optional | When one of your friends or colleagues has your number in their contacts, and also has a caller ID app, then your name, phone number and any other saved contact details will be uploaded. To keep your details private, you can unlist them here: TrueCaller, CallApp, SyncMe, cia-app, Hiya. Note that it is possible to opt out even before your number has been added, and this will prevent your details being uploaded in the future. |
| **Use Offline Maps** | Optional | One potential source of data leaks is your map app, which has access to your precise location, e.g. Google Maps, which collects plenty of private data. Consider using an offline maps app, such as OsmAnd or Organic Maps |
| **Opt-out of personalized ads** | Optional | In order for ads to be personalized, Google collects data about you; you can slightly reduce the amount they collect by opting out of seeing personalized ads. See this guide for Android instructions. |
| **Erase after too many login attempts** | Optional | To protect against an attacker brute-forcing your PIN if you lose your phone, set your device to erase after too many failed login attempts. See this iPhone guide. You can also do this via Find my Phone, but this increased security comes at the cost of decreased privacy. |
| **Monitor Trackers** | Optional | A tracker is a piece of software meant to collect data about you or your usage. εxodus is a great service which lets you search for any app by its name and see which trackers are embedded in it. They also have an app which shows trackers and permissions for all your installed apps. |
| **Use a Mobile Firewall** | Optional | To prevent applications from leaking privacy-sensitive data, you can install a firewall app. This will allow you to block specific apps from making data requests, either in the background, or when on WiFi or mobile data. Consider NetGuard (Android) or LockDown (iOS), or see more Firewalls |
| **Reduce Background Activity** | Optional | For Android, SuperFreeze makes it possible to entirely freeze all background activities on a per-app basis. Its intended purpose is to speed up your phone and prolong battery life, but this app is also a great utility to stop certain apps from collecting data and tracking your actions while running in the background |
| **Sandbox Mobile Apps** | Optional | Prevent permission-hungry apps from accessing your private data with Island. It is a sandbox environment to clone selected apps and isolate them from accessing your personal data outside the sandbox (including call logs, contacts, photos etc.), even if related permissions are granted |
| **Tor Traffic** | Advanced | Orbot provides a system-wide Tor connection, which will help protect you from surveillance and public WiFi threats |
| **Avoid Custom Virtual Keyboards** | Optional | Android and iOS allow you to download and use third-party keyboard apps. These apps will be able to access everything that you type on your phone/tablet: passwords, messages, search terms etc. It is recommended to stick with your device's stock keyboard. If you choose to use one of these apps, ensure it is reputable, block internet access (can be done with a firewall app), don't grant it permissions it does not need, and turn off analytics or other invasive features in its settings. This article by Lenny Zeltser explains things further |
| **Restart Device Regularly** | Optional | Over the years there have been vulnerabilities relating to memory exploits (such as CVE-2015-6639 + CVE-2016-2431). Restarting your phone at least once a week will clear the app state cached in memory. A side benefit is that your device may run more smoothly after a restart. |
|  |  | MySudo allows you to create and use virtual phone numbers for different people or groups. This is great for compartmentalisation. Alternatively, use a VoIP provider like Google Voice or Skype, or for temporary usage you can use a service like iNumbr. Where possible, avoid giving out your real phone number while creating accounts online. |
| **Watch out for Stalkerware** | Optional | This is malware that is installed directly onto your device by someone you know (partner, parent, boss etc.). It allows them to see your location, messages and other app data remotely. The app likely won't show up in your app drawer (but may be visible in Settings --> Applications --> View All). Sometimes it can be disguised as an inconspicuous app (such as a game, flashlight or calculator) which initially doesn't appear suspicious at all. Look out for unusual battery usage, network requests or high device temperature. If you suspect that stalkerware is on your device, the best way to get rid of it is through a factory reset. See this guide for more details |
| **Favor the Browser over a Dedicated App** | Optional | Where possible, consider using a secure browser to access sites, rather than installing dedicated applications. Both Android and iOS applications often have invasive permissions, allowing them intimate access to sensitive data and your device's sensors and radios. But the extent of what these apps can access is often not clear, and even zero-permission apps can see more data than you think: accessing phone sensors, vendor IDs and determining which other apps you have installed. All this is enough to identify you. In some situations you can still use a service without having to install an application, by accessing it via the browser, and this can help mitigate a lot of the issues caused by untrustworthy apps |
| **Consider running a custom ROM (Android)** | Advanced | For Android users, if you're concerned about your device manufacturer collecting too much personal information, consider a privacy-focused custom ROM, such as Lineage or GrapheneOS - see more |
Although Windows and OS X are easy to use and convenient, they are both far from secure. Your OS provides the interface between hardware and your applications, so if it is compromised this can have detrimental effects.
Security
Priority
Details and Hints
Keep your System up-to-date
Recommended
New vulnerabilities are constantly being discovered. System updates contain fixes/ patches for these security issues, as well as improve performance and sometimes add new features. You should install new updates when prompted, to avoid any critical issues on your system from being exploited
Encrypt your Device
Recommended
If your computer is stolen, seized or falls into the wrong hands, without full disk encryption anyone is able to access all of your data, without a password (by booting to a live USB or removing the hard drive). You can enable encryption very easily, using BitLocker for Windows, FileVault on MacOS, or by enabling LUKS on Linux, during install. Or using an open source, program, such as VeraCrypt or DiskCryptor. For encrypting cloud files, consider Cryptomator or CryFS. Note that you should select a long and strong password, and keep it somewhere safe, as there is no way to recover your password if you loose it
Backup Important Data
Recommended
Maintaining a copy of important data will prevent loss in the case of ransomware, theft or damage to your system. You should encrypt these backups, to keep the data safe. One solution would be to use Cryptomator to encrypt files, and then sync them to a regular cloud storage provider. Or you could have a USB drive, with an encrypted volume (e.g. using VeraCrypt). The best backup solution, should include 2 additional copies of your data- such as a physical off-site copy, and a cloud copy of your data
Be Careful Plugging USB Devices into your Computer
Recommended
Think before inserting a USB device into your PC, as there are many threats that come in the form of a USB device. Something like a USB Killer will destroy your computer, by rapidly charging and discharging capacitors. A Bad USB (such as Malduino or Rubber Ducky), will act as a keyboard, once plugged in, it will proceed to rapidly type commands at lighning speed, often with severe consequences. There's also remote access tools (such as the OMG Cable or P4wnP1_aloa), giving a hacker full remote access to your PC, even after the device has been removed. And of course, there's traditional USB drives, that contain malware that infect your device once inserted. One solution to this, is to make a USB sanitizer, using CIRCLean on a Raspberry Pi. It allows you to plug an obtained USB device into the Pi, and it'll convert the untrusted documents into a readable but disarmed format, and save them on a new USB key, which you can then safely insert into your computer
Activate Screen-Lock when Idle
Recommended
Get in the habit of locking your computer, whenever you step away from it. Reduce the amount of time that your computer is idle for, before the screensaver activates, and ensure that it will lock when the mouse is moved, so no one can access your data, when you step away from your desk. In Windows, check Personalization --> Screensaver --> On resume, display login screen, and in MacOS, check Security & Privacy --> General --> Require password immediately after screensaver starts. In Linux, Brightness & Lock --> Require my password when waking up from suspend. Better still, never leave your computer unattended, even in trusted environments
Disable Cortana or Siri
Recommended
Using a voice-controlled assistant, sends commands back to Microsoft or Apple as well as data about your files for local search, which have some serious privacy implications. They're always listening, waiting for the trigger word, and this can lead to parts of conversations being accidentally recorded. To disable this, in Windows, navigate to Settings --> Cortana and switch it to Off. You should also stop your speech, typing and handwriting patterns being sent to Microsoft, since this can be used to identify you, as well as potentially leaking sensitive data - navigate to Settings --> Privacy --> Speech, Inking, & Typing, and click Turn off. In Mac it's not easy to fully disable Siri, but you can stop it from always listening, go to System Preferences --> Siri, and uncheck Enable Siri
Review your Installed Apps
Recommended
It’s good practice to keep installed applications to a minimum. Not only does this keep your machine lean, it also reduces your exposure to vulnerabilities. You should also clear application cache's regularly. As well as looking through your application list manually, there are also tools that make this easier, such as BleachBit
Manage Permissions
Recommended
In a similar way to phones, your OS can grant certain permissions to applications. It's important to keep control over which apps and services have access to your location, camera, microphone, contacts, calendar and other account information. Some systems let you restrict which apps can send or recieve messages, as well as which apps can which processes can control radios such as Bluetooth and WiFi. In Windows, navigate to Settings --> Privacy, and for MacOS, go to System Preferences --> Security & Privacy --> Privacy. Note that there are other methods that apps can use to access this data, and this is just one step towards protecting it. You should check back regularly, as sometimes system updates can cause some privacy settings to be modified or reverted
Disallow Usage Data from being sent to the Cloud
Recommended
Both Windows and MacOS collect usage information or feedback, which is send to the cloud for analytics, diagnostics and research. Although this data should be anonymized, it can often be linked back to your identity when compared with other usage data. In Windows, there is no way to disable this fully, but you can limit it- navigate to Settings --> Privacy --> Feedback & diagnostics, and select Basic. You also have the option to disallow your advertising ID from being shared with apps on your system. In MacOS, it can be turned off fully, go to System Preferences --> Privacy --> Diagnostics & Usage, and untick both options
Avoid Quick Unlock
Recommended
Use a password to unlock your computer, ensure it is long and strong. Avoid biometrics such as facial recognition and fingerprint. These can be spoofed, allowing an intruder access to your account. Also, for Windows devices, avoid using a short PIN to unlock your machine.
Power Off Computer, instead of Standby
Recommended
You must shut down your device when not in use, in order for the disk to be encrypted. Leaving it in standby/ sleep mode keeps your data in an unencrypted state, and vulnerable to theft. Microsoft even recommends disabling the sleep functionality all together, once BitLocker is enabled. This only applies to encrypted disks, and is true for FileVault (MacOS), BitLocker (Windows), VeraCrypt, Self-Encrypting Drives and most other disk encryption methods. Another reason to shut down, is because the machine is completely offline while it is off, and cannot be hacked remotely. It also can't communicate with a command and control server, if it has already been infected with an exploit
Don't link your PC with your Microsoft or Apple Account
Optional
Create a local account only. This will prevent some data about your usage being uploaded and synced between devices. Avoid syncing your iPhone or Android device to your computer, as this will automatically lead to it being associated with your Apple, Microsoft or Google account. If sync is important to you, there are open source services that encrypt you data, and sync between devices. For example XBrowserSync for bookmarks, history and browser data, ETESync for calendar, contacts and tasks, Syncthing for files, folders and filesystems
Check which Sharing Services are Enabled
Optional
The ability to share files and services with other machines within your network, can be useful, but also acts as a gateway for common threats. You should disable the network sharing features that you are not using. For Windows, navigate to Control Panel --> Network and Internet --> Network and Sharing Center --> Advanced sharing settings, and for MacOS, just go to System Preferences --> Sharing and disable anything that you do not need. For Windows users, you should ensure that remote desktop is disabled. And also control apps’ ability to sync with non-pairing devices, such as beacons that transmit advertising information- this is also in the privacy settings
Don't use Root/ Admin Account for Non-Admin Tasks
Optional
You should not use administrator / root account for general use. Instead, use an unprivileged user account, and temporarily elevate permissions when you need to make administrator changes. This will mitigate a large proportion of vulnerabilities, because a malicious program or an attacker can do significantly less damage without an administrator power. See this guide for Windows and MacOS, on how to implement this. You should also ensure that a password is required for all system wide changes, as this helps protect against malware doing widespread damage. In Windows this is enabled by default, in MacOS, navigate to System Preferences --> Security & Privacy --> General --> Advanced
Block Webcam + Microphone
Optional
To prevent the potential risk of being watched through your webcam, consider covering it with a sticker, slider or electrical tape, while it's not being used. There are also application solutions- such as Oversight (MacOS) or CamWings (Windows) - for ultimate protection, consider physically removing the webcam all together. Blocking unauthorized audio recording, can be done with a mic block, which works by disabling the primary sound input source- but is not fool proof
Use a Privacy Filter
Optional
A lot of information can be gleaned just from glancing at someones screen over their shoulder. When working in a public space (train, coffee shop, share office), use a screen privacy filter. This will allow you to see the content of your screen when looking straight on, but for anyone looking at a slight angle, your screen will appear black.
Physically Secure Device
Optional
When working from a laptop think about using a Kensington Lock to secure your device to a permanent fixture. To help protect against an opportunistic local attack, consider utilizing port locks, to prevent or slow down an intruder from dropping a malicious payload onto your device. Ideally never leave your laptop or other devices unattended
Don't Charge Devices from your PC
Optional
Connecting your smart phone to a computer can be a security risk, it's possible for a self-signed malicious app to be installed, without your knowledge. Also both iPhone or Android device have sync capabilities, which can lead to data being unintentionally shared. If you need to charge your device, consider using a USB data-blocker.
Randomize your hardware address on Wi-Fi
Optional
A MAC Address is an identifier given to a device (specifically the Network Interface Controller), and is is one method used to identify, and track you across different WiFi networks. Some devices allow you to modify or randomize how this address appears. See how, on Windows, MacOS and Linux. You should also disallow you device from automatically connect to open Wi-Fi networks
Use a Firewall
Optional
A firewall is a program which monitors incoming and outgoing traffic, and allows you to blocks internet access for certain applications. This is useful to stop apps from collecting data, calling home, or downloading unnecessary content- correctly configured, firewalls can help protect against remote access attacks, as well as protect your privacy. Your system will have a built-in firewall (Check it's enabled: Windows, Mac OS, Ubuntu and other Linux ditros). Alternatively, for greater control, consider: LuLu (MacOS), gufw (Linux), LittleSnitch, SimpleWall (Windows), there's plenty more firewall apps available
Protect Against Software Keyloggers
Optional
A software keylogger is a malicious application running in the background that logs (and usually relays to a server) every key you press, aka all data that you type (passwords, emails, search terms, financial details etc). The best way to stay protected, is to keep your systems security settings enabled, and periodically check for rootkits- which will detect most loggers. Another option, is to use a key stroke encryption tool. For Windows there is GhostPress, Spy Shelter or KeyScrambler (developed by Qian Wang) which encrypt your keystrokes at the keyboard driver level, and then decrypting them at the application level, meaning any software keylogger would just receive encrypted data.
Check Keyboard Connection
Optional
Check your keyboards USB cable before using, bring your own keyboard to work and watch out for signs that it may have been tampered with. A hardware keylogger is a physical device that either sits between your keyboard and the USB connection into your PC, or is implanted into a keyboard. It intercepts and stores keystrokes, and in some cases can remotely upload them. Unlike a software logger, they can not be detected from your PC, but also they can not intercept data from virtual keyboards (like OSK), clipboard or auto-fill password managers.
Prevent Keystroke Injection Attacks
Optional
Always lock your PC when you step away from it (however this is not fool-proof, and can be circumvented). For Linux, there is USBGuard, and for Windows there's DuckHunt, which detects super-fast (BadUSB-level) typing and blocks input until the attack stops. Alternatively, Windows Group Policy can also be configured to not trust new devices by default. Port blockers provide some level of physical protection, which may prevent an opportunistic attack, but can be circumvented fairly easily
Don't use commercial "Free" Anti-Virus
Optional
The included security tools which come bundled with your operating system (such as Windows Defender) should be adequate at protecting against threats. Free anti-virus applications are often more of a hindrance than a help, as they require admin permissions, full access to all data and settings, and internet access. They usually collect a lot of data, which is uploaded to the cloud and sometimes sold to third parties. Therefore, you should avoid non-libre closed source programs such as Avast, AVG, Norton, Kaspersky, Avira etc; even the paid plans come with privacy concerns. If you need a dedicated anti-virus application, consider ClamAV, which is open source and libre. And for scanning one-off files, VirusTotal is a useful tool
Periodically check for Rootkits
Advanced
You should regularly check for rootkits (which may allow an attacker full control over your system). You can do this with a tool like chkrootkit; once installed, just run sudo chkrootkit. For Windows users, see rootkit-revealer or gmer
BIOS Boot Password
Advanced
A BIOS or UEFI password, once enabled, will need to be entered before the system can be booted, which may help to prevent an inexperienced hacker from getting into your OS, booting from a USB, tampering with the BIOS, as well as other actions. However, it can be easy to bypass, so don't put too much trust in this; it should only be used as an additional step, to exhaust your adversary's resources a little faster. Here is a guide on how to enable a password.
Use a Security-Focused Operating System
Advanced
Microsoft, Apple and Google all have practices that violate users' privacy; switching to Linux will mitigate most of these issues. For more advanced users, consider a security-focused distro such as Qubes OS, which allows for compartmentalization of applications and data, and has strong encryption and Tor networking built in. For some actions, Tails, a live operating system with no memory persistence, is as close as you can get to not leaving a data trail on your system. BSD is also great for security, see FreeBSD and OpenBSD. Even a general purpose distro will be much better for privacy compared to a proprietary counterpart: Fedora, Debian, Arch / Manjaro, see more
Make Use of VMs
Advanced
If your job, or any of your activity, could endanger your system or put you at risk, then virtual machines are a great tool to isolate this from your primary system. They allow you to test suspicious software, and analyse potentially dangerous files, while keeping your host system safe. They also provide a host of other features, from quick recovery using snapshots, to the ability to replicate configurations easily, and to have multiple VMs running simultaneously. Taking this a step further, VMs can be used for compartmentalization, with a host system performing the single task of spawning VMs (systems like Proxmox are designed for exactly this). Be aware that virtual machines do not guarantee security, and vulnerabilities known as VM escapes may allow data in memory to leak into the host system
Compartmentalize
Advanced
Security by Compartmentalization is a strategy where you isolate different programs and data sources from one another as much as possible. That way, attackers who gain access to one part of the system are not able to compromise all of the user's privacy, and corporate tracking or government surveillance shouldn't be able to link together different compartments. At the simplest level, you could use separate browsers or multi-account containers for different activities, but taking it further you could have a virtual machine for each category (such as work, shopping, social etc). Alternatively, consider Qubes OS, which is designed for exactly this, and sandboxes each app in its own Xen hypervisor VM, while still providing a great user experience
Disable Undesired Features (Windows)
Advanced
Microsoft Windows 10 is far from lean, and comes with many bundled "features" that run in the background, collecting data and using resources. Consider disabling: Windows Script Host, AutoRun + AutoPlay, powershell.exe and cmd.exe execution via Windows Explorer, and the execution of commonly abused file extensions. In MS Office, consider disabling Office Macros, OLE object execution, ActiveX, DDE and Excel Links. There are tools that make these fixes, and more, easier, such as HardenTools or ShutUp10. Note: this should only be done if you are a competent Windows user, as modifying the registry can cause issues
Secure Boot
Advanced
For Windows users, ensure that Secure Boot is enabled. This security standard ensures that your device boots only to trusted software when the PC starts. It prevents malware, such as a rootkit, from maliciously replacing your boot loader, which could have serious consequences. Some Linux distros also work with Secure Boot (if they've applied to have their boot loaders signed by Microsoft), while others are incompatible (in which case Secure Boot will need to be disabled)
Secure SSH Access
Advanced
If you access your system remotely via SSH, you should take steps to protect it from automated and targeted attacks. Change the port away from 22, use SSH keys to authenticate, disallow root login with a password, and consider using a firewall so that only certain IPs can gain SSH access; also consider using a Virtual Private Cloud as a gateway. Carry out regular service audits to discover the services running on your system. For more info, see this guide on OpenSSH security tweaks
Close Un-used Open Ports
Advanced
Some daemons listen on external ports; if they are not needed, they needlessly expose your system to exploits. Turning off these listening services will protect against some remote exploits, and may also improve boot time. To check for listening services, just run netstat -lt
Implement Mandatory Access Control
Advanced
Mandatory access control lets you define rules that limit how applications can run, or how they can affect other processes and files. This means that if a vulnerability is exploited, or your system is compromised, the damage will be limited. There are many options available, such as Rule Set Based Access Control, AppArmor or SELinux
Use Canary Tokens
Advanced
Breaches happen, but the longer it takes for you to find out about it, the more damage is done. A canary trap can help you know that someone's gained access to your files or emails much faster, and gain a bit of information about the incident. A canary token is a file, email, note or webpage that's like a little hacker honeypot: something that looks appealing to them once they've gained access to your system. When they open the file, unbeknownst to them, a script is run which will not only alert you of the breach, but also grab some of the intruder's system details. These have been used to catch Dropbox employees opening users' files, and Yahoo Mail employees reading emails. CanaryTokens.org and BlueCloudDrive are excellent sites that you can use to generate your tokens. Then just leave them somewhere prominent on your system. Learn more about canary tokens, or see this guide for details on how to create them yourself.
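For the "Secure SSH Access" and "Close Un-used Open Ports" rows above, an added example (not from this checklist's repository) in POSIX sh: audit_sshd_config flags global sshd_config settings that contradict the advice (default port, password logins, root login, no user allow-list), and exposed_listeners reads ss -tulnp output and lists sockets reachable from the network that are not on a list of expected ports. The SAMPLE_SS socket listing and the config values used in comments are constructed.

```shell
#!/bin/sh
# Added example (not from the checklist's repository): a small POSIX sh audit
# for remote exposure. audit_sshd_config reads the global section of an
# sshd_config and reports settings that contradict the hardening advice;
# exposed_listeners reads "ss -tulnp" output and lists sockets bound to
# non-loopback addresses that are not on an allow-list of expected ports.

lc() { printf '%s' "$1" | tr 'A-Z' 'a-z'; }

# Effective global value of a directive: comments stripped, first occurrence
# wins (as in sshd), and parsing stops at the first "Match" block because
# directives below it apply only conditionally.
sshd_directive() {
    awk -v want="$(lc "$2")" '
        { sub(/#.*/, "") }
        NF == 0 { next }
        tolower($1) == "match" { exit }
        tolower($1) == want { print $2; exit }
    ' "$1"
}

# Prints one FINDING line per weak setting plus a summary; exit 1 if any.
# Defaults assumed where a directive is absent follow current OpenSSH.
audit_sshd_config() {
    cfg="$1"; n=0
    port=$(sshd_directive "$cfg" Port)
    if [ "${port:-22}" = "22" ]; then
        echo "FINDING: Port 22 (default); a non-standard port cuts automated scanning noise"; n=$((n + 1))
    fi
    if [ "$(lc "$(sshd_directive "$cfg" PubkeyAuthentication)")" = "no" ]; then
        echo "FINDING: PubkeyAuthentication no; key-based login is disabled"; n=$((n + 1))
    fi
    pw=$(lc "$(sshd_directive "$cfg" PasswordAuthentication)")
    if [ "${pw:-yes}" != "no" ]; then
        echo "FINDING: PasswordAuthentication ${pw:-yes}; set it to no and use keys"; n=$((n + 1))
    fi
    # Keyboard-interactive (PAM) can still prompt for a password; older
    # OpenSSH spells this directive ChallengeResponseAuthentication.
    kbd=$(lc "$(sshd_directive "$cfg" KbdInteractiveAuthentication)")
    [ -n "$kbd" ] || kbd=$(lc "$(sshd_directive "$cfg" ChallengeResponseAuthentication)")
    if [ "${kbd:-yes}" != "no" ]; then
        echo "FINDING: keyboard-interactive auth ${kbd:-yes}; PAM may still accept passwords"; n=$((n + 1))
    fi
    root=$(lc "$(sshd_directive "$cfg" PermitRootLogin)")
    if [ "${root:-prohibit-password}" = "yes" ]; then
        echo "FINDING: PermitRootLogin yes; use no or prohibit-password"; n=$((n + 1))
    fi
    if [ -z "$(sshd_directive "$cfg" AllowUsers)$(sshd_directive "$cfg" AllowGroups)" ]; then
        echo "FINDING: no AllowUsers/AllowGroups; every local account can be attacked over SSH"; n=$((n + 1))
    fi
    echo "$n finding(s) in $cfg"
    [ "$n" -eq 0 ]
}

# Constructed "ss -tulnp" output standing in for a live system.
SAMPLE_SS='Netid State  Recv-Q Send-Q Local Address:Port   Peer Address:Port Process
udp   UNCONN 0      0      127.0.0.53%lo:53     0.0.0.0:*         users:(("systemd-resolve",pid=412,fd=13))
tcp   LISTEN 0      128    0.0.0.0:22           0.0.0.0:*         users:(("sshd",pid=801,fd=3))
tcp   LISTEN 0      4096   127.0.0.1:631        0.0.0.0:*         users:(("cupsd",pid=905,fd=7))
tcp   LISTEN 0      511    *:80                 *:*               users:(("nginx",pid=1200,fd=6))
tcp   LISTEN 0      128    [::]:22              [::]:*            users:(("sshd",pid=801,fd=4))
tcp   LISTEN 0      50     0.0.0.0:5900         0.0.0.0:*         users:(("x11vnc",pid=2301,fd=5))'

# Reads ss output on stdin; arguments are ports you expect to be reachable.
# Prints "proto port address process" for every other socket that is bound
# to a non-loopback address, i.e. reachable from the network.
exposed_listeners() {
    awk -v allow=" $* " '
        $1 == "Netid" { next }                  # header line
        $2 != "LISTEN" && $2 != "UNCONN" { next }
        {
            addr = $5; port = $5
            sub(/.*:/, "", port); sub(/:[^:]*$/, "", addr)
            if (addr ~ /^127\./ || addr ~ /^\[::1\]/) next   # loopback only
            if (index(allow, " " port " ")) next             # expected port
            proc = "?"
            if (match($0, /\("[^"]+"/)) proc = substr($0, RSTART + 2, RLENGTH - 3)
            printf "%s %s %s %s\n", $1, port, addr, proc
        }'
}

# On a live Linux host (ss from iproute2; run as root so process names show):
#   audit_sshd_config /etc/ssh/sshd_config
#   ss -tulnp | exposed_listeners 22 80
```

Anything exposed_listeners prints that you do not recognise is a service to stop, bind to 127.0.0.1, or firewall off; the sshd audit deliberately ignores Match blocks, so review those by hand.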
Home assistants (such as Google Home, Alexa and Siri) and other internet connected devices collect large amounts of personal data (including voice samples, location data, home details and logs of all interactions). Since you have limited control on what is being collected, how it's stored, and what it will be used for, this makes it hard to recommend any consumer smart-home products to anyone who cares about privacy and security.
Security vs Privacy: There are many smart devices on the market that claim to increase the security of your home while being easy and convenient to use (Such as Smart Burglar Alarms, Internet Security Cameras, Smart Locks and Remote access Doorbells to name a few). These devices may appear to make security easier, but there is a trade-off in terms of privacy: as they collect large amounts of personal data, and leave you without control over how this is stored or used. The security of these devices is also questionable, since many of them can be (and are being) hacked, allowing an intruder to bypass detection with minimum effort.
The most privacy-respecting option, would be to not use "smart" internet-connected devices in your home, and not to rely on a security device that requires an internet connection. But if you do, it is important to fully understand the risks of any given product, before buying it. Then adjust settings to increase privacy and security. The following checklist will help mitigate the risks associated with internet-connected home devices.
Security
Priority
Details and Hints
Rename devices to not specify brand/model
Recommended
If your device name shows what brand or model it is, it will make it easier for a malicious actor to launch an attack targeting a specific device. For example, avoid names like "Nest Cam", "Yale Lock YRD 256" or "Hive Thermostat". It's usually easy to change the device's default name.
Disable microphone and camera when not in use
Recommended
Smart speakers and other voice controlled devices store sound clips on a server (which are sometimes reviewed by employees to improve speech detection), so any accidental recordings could disclose sensitive or personal data. A targeted attack could also allow someone to gain control of a microphone or camera, so using the hardware switch to turn it off will help protect from that.
Understand what data is collected, stored and transmitted
Recommended
Before purchasing any smart home device, do some research - and ensure that you understand, and are comfortable with what is being collected and how it is stored and used. Don't buy devices that share anything with third parties, and check the data breach database.
Set privacy settings, and opt out of sharing data with third parties
Recommended
Once installed, go to settings in the app, and under privacy ensure the strictest options are selected. By default, usually as much data as possible is collected.
Don't link your smart home devices to your real identity
Recommended
Use a unique user name and password which does not identify you, your family, your location or any other personal details. When creating an account for a new smart home device, do not sign up/log in with Facebook, Google or any other third-party service.
Keep firmware up-to-date
Recommended
Ensure firmware versions on smart devices are up-to-date and software patches have been applied. Most smart home apps will notify you when a new firmware version is available, so all you have to do is accept and install.
Protect your Network
Recommended
On many smart home devices, anybody connected to your home WiFi is able to view the device content (such as camera footage, or motion statistics). So ensure that your WiFi and home networks are properly secured with a strong password and up-to-date firmware. (See the Router Section for more details)
Be wary of wearables
Optional
Wearable smart devices allow companies to log even more data than ever before; they can track your every move to know exactly where you are and what you are doing at any given time. Again, you as the consumer have no control over what is done with that data.
Don't connect your home's critical infrastructure to the Internet
Optional
While a smart thermostat, burglar alarm, smoke detector and other appliances may seem convenient, they by design can be accessed remotely, meaning a hacker can gain control of your entire home, without even needing to be nearby. And by breaching multiple devices, the effects can be very serious.
Mitigate Alexa/ Google Home Risks
Optional
It is a known fact that voice-activated assistants collect a lot of personal data, and open the door to a myriad of security issues. Consider switching to Mycroft, which is an open source alternative with much better privacy. Alternatively, if you wish to continue using your current voice assistant, check out Project Alias, which prevents idle listening
Monitor your home network closely
Optional
Check your local network for suspicious activity. One of the easier methods to do this is with FingBox, but you can also do it directly through some routers.
Deny Internet access where possible
Advanced
If possible deny the device/ app internet access, and use it only on your local network. You can configure a firewall to block certain devices from sending or receiving from the internet.
Assess risks
Advanced
Assess risks with your audience and data in mind: be mindful of whose data is being collected, e.g. kids. Manage which devices can operate when (such as turning cameras off when you are at home, or disabling the internet for certain devices at specific times of day)
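For the "Deny Internet access where possible" row, an added example (not from this checklist's repository) in POSIX sh: it generates an nftables ruleset for a Linux router that lets one device reach the local network but logs and drops anything it sends towards the internet. The MAC address, LAN prefix and interface name are constructed placeholders, and the router is assumed to run nftables.

```shell
#!/bin/sh
# Added example (not from the checklist's repository): generate an nftables
# ruleset for a Linux router that lets one LAN device reach local subnets
# only, logging and dropping anything it sends towards the internet. The
# MAC address, LAN prefix and interface name passed in are constructed
# values; the router is assumed to forward LAN traffic via that interface.

hex='[0-9a-fA-F][0-9a-fA-F]'

# iot_lan_only_ruleset MAC LAN_PREFIX LAN_INTERFACE
# Prints the ruleset to stdout; returns 1 on a malformed MAC or prefix so a
# typo cannot silently produce a rule that matches nothing.
iot_lan_only_ruleset() {
    mac="$1"; lan="$2"; lan_if="$3"
    case "$mac" in
        $hex:$hex:$hex:$hex:$hex:$hex) ;;
        *) echo "invalid MAC address: $mac" >&2; return 1 ;;
    esac
    case "$lan" in
        *.*.*.*/[0-9]|*.*.*.*/[0-9][0-9]) ;;
        *) echo "invalid IPv4 prefix (expected a.b.c.d/n): $lan" >&2; return 1 ;;
    esac
    [ -n "$lan_if" ] || { echo "missing LAN interface name" >&2; return 1; }
    cat <<EOF
table inet iot_guard {
    chain forward {
        type filter hook forward priority 0; policy accept;
        # replies to connections the device already has are allowed
        ct state established,related accept
        # the device may talk to local subnets routed by this box
        # (same-segment traffic never reaches the forward hook anyway)
        iifname "$lan_if" ether saddr $mac ip daddr $lan accept
        # everything else the device originates is logged, counted and
        # dropped; the counter and log prefix double as a detection signal
        iifname "$lan_if" ether saddr $mac log prefix "iot-egress-drop " counter drop
    }
}
EOF
}

# Loads the ruleset into the running kernel (requires root and nftables):
#   iot_lan_only_ruleset 00:11:22:33:44:55 192.168.1.0/24 br0 | nft -f -
# Check what the device tried to reach later with:
#   nft list table inet iot_guard   (counter) and the kernel log (prefix)
```

The device still needs DNS and any cloud dependency it cannot live without, so expect some features to stop working; the log prefix tells you exactly which destinations it was trying to reach.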
Credit card fraud is the most common form of identity theft (with 133,015 reports in the US in 2017 alone), and a total loss of $905 million, which was a 26% increase from the previous year. The median amount lost per person was $429 in 2017. It's more important than ever to take basic steps to protect yourself from falling victim
Note about credit cards: Credit cards have technological methods in place to detect and stop some fraudulent transactions. Major payment processors implement this by mining huge amounts of data from their card holders, in order to know a great deal about each person's spending habits. This data is used to identify fraud, but is also sold on to other data brokers. Credit cards are therefore good for security, but terrible for data privacy.
Security
Priority
Details and Hints
Sign up for Fraud Alerts and Credit Monitoring
Recommended
A Fraud Alert is a note on your credit report that asks any business seeking your credit report to contact you to confirm your identity before granting credit in your name. Credit Monitoring tracks your credit history, and will alert you to any suspicious activity. You can enable fraud alerts and credit monitoring through the credit bureaus' websites: Experian, TransUnion or Equifax
Apply a Credit Freeze
Recommended
A credit freeze will prevent anyone from requesting your credit report, hence stopping someone applying for a financial product in your name, or a corporation requesting your details without your consent. You will need to temporarily disable your credit freeze before getting a loan, or any other financial product. You can freeze your credit through the credit bureaus' websites: Experian, TransUnion and Equifax
Use Virtual Cards
Optional
Virtual card numbers let you pay for items without revealing your real card or banking details. They also offer additional features, such as single-use cards and spending limits for each card. This means you will not be charged more than you specified, whether by an ongoing subscription or in the case of a data breach. Privacy.com, MySudo and others offer this service
Use Cash for Local Transactions
Optional
Unlike any digital payment method, cash is virtually untraceable. Using cash for local and everyday purchases will prevent any financial institution building up a comprehensive data profile based on your spending habits
Use Cryptocurrency for Online Transactions
Optional
Unlike card payments, most cryptocurrencies are not linked to your real identity. However, many blockchains record all transaction metadata on a public, immutable ledger. So where possible, opt for a privacy-focused currency, such as Monero. If you are using a widely supported currency (such as Tether, Bitcoin, Litecoin, Ripple, Ethereum etc), take steps to distance yourself from the transaction details. See more privacy-respecting cryptocurrencies. Note that using crypto anonymously requires some background knowledge, and the learning curve can be steep, so take care to ensure you're not putting your privacy at risk (see #70)
Store Crypto Securely
Advanced
Generate wallet addresses offline, never let your private key touch the internet, and preferably avoid storing it on an internet-connected device. Use a secure wallet, such as Wasabi, or a hardware wallet, like Trezor or ColdCard. For long-term storage consider a paper wallet, or a more robust alternative, such as CryptoSteel
Buy Crypto Anonymously
Advanced
If you are buying a common cryptocurrency (such as Bitcoin), purchasing it from an exchange with your debit/ credit card, will link directly back to your real identity. Instead use a service like LocalBitcoins, an anonymous exchange, such as Bisq, or buy from a local Bitcoin ATM (find one here). Avoid any exchange that implements KYC
Tumble/ Mix Coins
Advanced
Before converting Bitcoin back to currency, consider using a bitcoin mixer, or CoinJoin, to make your transaction harder to trace. (Some wallets, such as Wasabi, support this natively)
Use an Alias Details for Online Shopping
Advanced
When you pay for goods or services online, you do not know for sure who will have access to your data, or whether it will be stored securely. Consider using an alias name and a forwarding email address/ VOIP number, and don't reveal any of your true information. (For Amazon purchases, you can buy an Amazon gift card with cash, and use an Amazon Locker or local pickup location)
Use alternate delivery address
Advanced
When online shopping, if possible get goods delivered to an address that is not associated with you. For example, using a PO Box, forwarding address, corner-shop collection or pickup box
Many data breaches, hacks and attacks are caused by human error. The following list contains steps you should take to reduce the risk of this happening to you. Many of them are common sense, but it's worth taking note of them.
Security
Priority
Details and Hints
Verify Recipients
Recommended
Emails are easy for an attacker to spoof, and unfortunately this happens all too often. So whenever an email asks you to take a sensitive action, first verify that the sender is authentic, and when possible enter the URL yourself (rather than clicking a link in the message)
Don’t Trust Your Popup Notifications
Recommended
It is a trivial task for a malicious actor to deploy fake pop-ups, either on your PC, phone or browser. If you click a popup, ensure the URL is correct before entering any information
Never Leave Device Unattended
Recommended
Even with a strong password, it's straightforward to retrieve the data from your phone or computer (unless it is encrypted). If you lose your device, and have find my phone enabled, then remotely erase it
Prevent Camfecting
Recommended
It is a good idea to invest in some webcam covers and microphone blockers to protect against camfecting, where a malicious actor or app is able to spy on you and your physical space without your knowledge. See this guide for more tips. Mute home assistants (Alexa, Google Home and Siri) when you are not using them, or at least when you are discussing anything sensitive or any conversation involving personal details
Stay protected from shoulder surfers
Recommended
Be sure not to let anyone 'shoulder surf' (read what is on your screen when in a public space), as they may be able to gather sensitive information about you. You could apply a privacy screen to your laptop and mobile, in order to restrict data being read from an angle
Educate yourself about phishing attacks
Recommended
Phishing is an attempt to obtain sensitive information (like an account password) by disguising as a trustworthy person or company. In recent years phishing attacks have become increasingly sophisticated, and hackers are learning to use data that people put on the web to create highly specific and targeted attacks. Check the URL before entering any information. Understand the context: were you expecting the email or message, does it feel normal? Employing general good security practices will also help: use 2FA, don't reuse passwords, close accounts you no longer use and back up your data. See these guides on: How to Protect against Common Phishing Attacks and The Anatomy of a Phishing Email
Watch out for Stalkerware
Recommended
This is malware that is installed directly onto your device by someone you know (partner, parent, boss etc). It allows them to see your location, messages and other app data remotely. The app likely won't show up in your app drawer (but may be visible in Settings --> Applications --> View All). Sometimes they are disguised as an inconspicuous app (such as a game, flashlight or calculator) which initially doesn't appear suspicious at all. Look out for unusual battery usage, network requests or high device temperature. If you suspect that stalkerware is on your device, the best way to get rid of it is through a factory reset
Install Reputable Software from Trusted Sources
Recommended
It may seem obvious, but much of the malware that PC users encounter is the result of accidentally downloading and installing bad software. Also, some legitimate applications try to offer you slightly dodgy freeware (such as toolbars, anti-virus, and other utilities), so be sure to pay attention while completing the installation process. Only download software from legitimate sources; often this isn't the top result in Google, so it's important to double check before downloading. Before installing, check it in VirusTotal, which scans installable files using multiple AV checkers
Store personal data securely
Recommended
Backing up important data is important. But ensure that all information that is stored on your phone/laptop, USB or in a cloud is encrypted. That way, if it is accessed by a hacker (which unfortunately is all too common), it will be almost impossible for them to get to your personal files. For USB devices, see VeraCrypt. For cloud backup, see Cryptomator, and for your phone and laptop, see this guide
Obscure Personal Details from Documents
Recommended
When sharing any document, photo or video, be sure to blank out text with an opaque rectangle. Be careful with blurring/ pixelating out text, as this could be recovered (using something like Depix). This is especially true for video footage (such as with license plates), since an adversary has more frames to work with
Do not assume a site is secure, just because it is HTTPS
Recommended
Unlike HTTP, data sent over HTTPS is encrypted. However that does not mean you should trust that website by default. HTTPS Certificates can be obtained by anybody, so a cloned or scam site may have a valid certificate (as denoted by the padlock icon). Always check the URL, and don't enter any personal details unless you are certain a website is legitimate. Avoid entering data on any site that is not HTTPS
Use Virtual Cards when paying online
Optional
There are risks involved in entering your card details on any website. Credit cards have better consumer protection compared to debit or bank cards, meaning you are more likely to be recompensated for fraudulent transactions; however they collect and sometimes sell your transaction history. A better option would be to pay with a virtual, one-time card. This will mean that even if those credentials are compromised, a hacker will not be able to lift any of your money. You can also set limits, or create single-use cards, to prevent being over-charged. Privacy.com offers virtual payment cards that you can use anywhere on the internet, as does Revolut Premium
Review application permissions
Optional
Ensure that no app has unnecessary access to your photos, camera, location, contacts, microphone, call logs etc. See these guides for how to manage app permissions on Android and iOS. On Android, there is a great app called Exodus Privacy, that displays all permissions and trackers for each of your installed apps
Opt-out of public lists
Optional
In many countries there are public databases that include citizens' names, addresses, contact numbers and more. This can often result in unwanted contact from marketing companies, but in some cases is used for harassment, stalking and fraud. This guide from The World Privacy Forum provides good instructions for how to approach this. This includes opting out of: Marketing, Financial Institution Listings, Mail Spam, FERPA Education Listings, Data Brokers and Advertising, as well as joining the National Do Not Call Registry
Never Provide Additional PII When Opting-Out
Optional
When removing yourself from less mainstream data sharing services, do not enter any additional information in the opt-out form beyond what is already publicly available through that site. There have been cases where this extra info is used elsewhere to add more details to your record
Opt-out of data sharing
Optional
Many apps, services and software automatically opt you in for data collection and sharing. You should opt out of this; for instructions on how to opt out, see Simple Opt Out. Often this collected data is sold on to third parties, who combine multiple data sets together, allowing them to easily deduce your identity, along with your habits, purchases, personal details, location etc
Review and update social media privacy
Optional
Companies regularly update their terms, and that often leads to you being opted back in. Check your Facebook, Twitter, Google etc. activity and privacy settings. See also re-consent and Jumbo, which are tools aimed at making this clearer and easier
Compartmentalize
Advanced
Compartmentalization is where you keep several categories of digital activity and files totally separate from each other. It means that if one area is breached, then an attacker will only have a proportion of your data, and the rest will still be safe. For example, store your work and personal files on separate devices, or use different web browsers for different types of activity, or even run certain tasks in a contained VM or on a separate device (such as having a work phone and a personal phone, using a separate browser for social media/ chat rooms, or running a VM for using specialist software)
WhoIs Privacy Guard
Advanced
Owning your own domain can prevent you losing access to your email addresses, or being locked in with a certain provider. However, if you do not use a privacy guard, or enter false web admin details, your data will be publicly accessible through a WhoIs search. Most reputable domain registrars will have a WhoIs Privacy option
Use a forwarding address
Advanced
Have all mail addressed to a PO Box or forwarding address, to prevent any commerce, utility, finance, media or other companies knowing your real address. This would give you an extra layer of protection if they suffered a breach, sold on personal details or were presented with a court order
Use anonymous payment methods
Advanced
Paying online with credit or debit card involves entering personal details, including name and residential address. Paying with cryptocurrency will not require you to enter any identifiable information. Both Monero and Zcash are totally anonymous, and so best for privacy. See also: Anonymous Payment Methods
Public records often include sensitive personal data (full name, date of birth, phone number, email, address, ethnicity etc), and are gathered from a range of sources (census records, birth/ death/ marriage certificates, voter registrants, marketing information, customer databases, motor vehicle records, professional/ business licenses and all court files in full detail). This sensitive personal information is easy and legal to access, which raises some serious privacy concerns (identity theft, personal safety risks/ stalkers, destruction of reputations, dossier society)
CCTV is one of the major ways that corporations, individuals and governments track your movements. In London, UK, the average person is caught on camera about 500 times per day. This network is continuing to grow, and in many cities around the world facial recognition is being rolled out, meaning the state can know the identity of residents on the footage in real time.
Strong authentication, encrypted devices, patched software and anonymous web browsing may be of little use if someone is able to physically compromise you, your devices and your data. This section outlines some basic methods for physical security
Security
Priority
Details and Hints
Destroy Sensitive Documents
Recommended
Instead of disposing of paperwork in the trash, you should first shred it, or take steps to redact any personally identifiable information. This will help protect you from identity theft, reduce the chance of blackmail and keep confidential data confidential
Opt-Out of Public Records
Recommended
People search websites (such as WhitePages, Spokeo and Radaris) list public records, including: full name, date of birth, address, and phone number. Some sites go further, showing place of work, previous addresses, criminal records and photos. This is bad for privacy, and can make you a target for fraud. It is recommended to contact these sites and opt out from these listings. Methods for doing so range considerably between countries and states; see the Personal Data Removal Workbook by Michael Bazzell, the World Privacy Forum Opt-Out Guide or The LifeWire Remove Personal Information Guide to get started
Don't Reveal Info on Inbound Calls
Recommended
Only share sensitive personal data on outbound calls/ communications that you have initiated. Ensure the phone number is correct, and listen for anything that doesn't sound right. If a company phones you, and asks any questions, hang up and phone them back on their official number
Stay Alert
Recommended
Stay aware of your surroundings. Whenever you step into a new environment, take a moment to assess potential risks. Listen to your instincts when approached by an unknown individual. Ensure you are not being followed when you approach your home address. Understand basic self-defense principles, and know how to put them into practice to defend yourself, if needed
Secure Perimeter
Recommended
Maintain physical and structural integrity of all locations where devices with personal info are stored, and ensure steps have been put in place to stop any unauthorized access. Minimize external access: doors, windows, vents. Maintain locking devices responsibly: keep keys safe, don't use guessable combinations, have multiple locks, change locks after a breach or potential risk. Consider intrusion detection systems, such as alarms and closed circuit monitoring. Make sure walls are structurally sound, and if there is a drop ceiling, ensure walls continue up into the ceiling. When inside, don't trust the door chain lock, and cover the door peephole
Physically Secure Devices
Recommended
Use a Kensington lock to secure your device. Never leave devices unattended. Cover your web cam, consider a microphone block or disable it when not in use, use a USB data blocker when charging devices, use a privacy screen when working in public spaces
Keep Devices Out of Direct Sight
Recommended
It is possible for an adversary to communicate with voice assistants using lasers at a certain frequency. This can be mitigated by keeping devices out of direct line of sight from windows. Any electronics visible from outside may also pose a risk of theft, and hence should be stored somewhere safe
Protect your PIN
Recommended
When entering a code or password (such as unlocking a device, withdrawing money from an ATM, or inputting a building access code), ensure that no one is watching over your shoulder, and that you are not in direct line of sight of a camera. Cover the keypad while entering the code to shield your PIN. After entering your PIN on a touch screen device, wipe over the screen to ensure your PIN cannot be determined from smudge marks left by skin.
Check for Skimmers
Recommended
Before inserting your card into an ATM, check for any signs that it may have been tampered with. You could use a card skimmer detector, or pull gently on the card slot to ensure it is firmly fitted. Watch out for other signs of compromise, such as small cameras, keypad overlays, or blockages in the cash dispenser. This also applies to any public device that requires biometric or personal data to complete an action.
Protect your Home Address
Optional
Don't set your home address in your phone's settings; instead consider selecting a location in a similar region to where you live. Consider storing devices in a Faraday bag when at your home address. For deliveries, consider using an alias name and, if possible, a forwarding or pickup address for receiving online orders. You could also combine this with anonymous payment (such as virtual card numbers/privacy.com, cryptocurrency, or cash), a forwarding email address, and a VOIP number.
Use a PIN, Not Biometrics
Advanced
For situations where law enforcement may be involved (such as a protest or journalism), be aware that if your device is seized, authorities in some jurisdictions cannot compel you to hand over your device PIN but can compel a fingerprint or face scan to unlock it. The legal position varies by country, so in these situations disable biometric unlock so the device can only be opened with a PIN.
Reduce exposure to CCTV
Advanced
Wearing a hat, hoodie, dark glasses, or face covering can make it harder to identify you. Less busy streets tend to have fewer cameras. Knowing where the cameras in your local area are can help you avoid being caught on them. See more in this article by Snälla Bolaget.
Anti-Facial Recognition Clothing
Advanced
Some facial-recognition systems can be confused by adversarial patterns printed on clothing, although results vary between systems and are not guaranteed. Example products from: Adversarial Fashion or this item on Redbubble.
Reduce Night Vision Exposure
Advanced
Infrared night vision cameras can be blocked with a small IR light source, which is invisible to the human eye but saturates the camera's sensor. Alternatively, highly reflective glasses (see Reflectacles) can also fool night vision cameras.
Thanks for visiting, hope you found something useful here :) Contributions are welcome, and much appreciated - to propose an edit raise an issue, or open a PR. See: CONTRIBUTING.md.
I owe a lot of thanks to others who've conducted research, written papers, and developed software, all in the interest of privacy and security. Full attributions and references can be found in ATTRIBUTIONS.md.
Disclaimer: This is not an exhaustive list, and aims only to be taken as a guide.
🦓 Zebra Crossing: an easy-to-use digital safety checklist
🎯 Start here!
🤔 Read this guide if you
Use the internet daily — for work, social media, and financial transactions.
Want to secure your digital safety and privacy proactively but aren’t in immediate danger. (If you are, reach out to someone in your community for a one-on-one consultation.)
Feel comfortable with technology — you feel confident about changing the settings on your computer or smartphone.
🗺 Where this guide is from
This guide draws from our work helping individuals and groups upgrade their digital safety practices, and from our experiences living and working in the United States, Canada, and Hong Kong.
Wherever possible, we chose apps and tools that are accessible and easy to use over ones that are technically sophisticated but difficult to use. Our decision is based on our observation that people become clumsier in stressful situations, so it is important to keep procedures as simple as possible.
🌱 How to use this guide
Start from Level 1 and work your way up! Recommendations are sorted by increasing levels of difficulty.
Level 1 is the quick essentials section. You should be able to work through it within 1 hour, and chances are, you're already familiar with many of the recommendations in there — but it never hurts to double check.
Level 2 digs deeper into your device/app settings and will help you fine tune your privacy online. This section will take 1-2 hours, depending on how many accounts and devices you frequently use.
At a minimum, do everything in Levels 1 and 2. It'll protect you from the most widely-used attacks while drastically decreasing the amount of personal information you're giving out for free.
Level 3 ties up loose ends in your digital safety practice, but it does require more time and money to complete. Depending on the amount of digital housekeeping required, this part may take anywhere from 1-4 hours.
The scenarios shared after Level 3 are for higher-stakes situations. Scan them to see if any of them apply to you. (Because the stakes are higher, they assume you’ve done everything in Levels 1–3.)
This guide is a living document. Please feel free to submit a pull request or fork your version of this guide on GitHub.
Threat modeling is a process that allows us to identify potential threats to safeguard against them. To build your threat model, ask yourself the following:
“What kind of danger am I in?” E.g. credit card hacks, corporate espionage, or online harassment/doxxing.
“What kind of assets am I protecting?” E.g. confidential documents, private photos, or personal messages.
Remember though, your threat model can change — either gradually over time or abruptly, say, when a new law is suddenly passed.
🔗 Weakest link
The weakest link is where your digital safety is most vulnerable. For example, if an account’s forgot password function sends a link to your email, attackers only need to access your email to gain access to the account.
🔡 Encryption levels
Encryption is the process of scrambling or encoding information to make it unreadable to passers-by and prevent unauthorized access. People often categorize encryption into these three types:
No encryption: Any third party can intercept the data and read it as-is. Often called "plaintext."
Standard encryption (sometimes called encryption in transit): Data is encrypted so that intercepting third parties cannot read it, but the platform used to send the data (e.g. Facebook Messenger) holds the keys and can unscramble and read it. The platform may hand the unscrambled data to courts or government agencies if ordered to do so.
End-to-end encryption: Only the original sender and receiver can read the data. The platform being used to send the data only has the scrambled, unreadable version. So if courts or government agencies order the platform to hand over the data, there's nothing useful to hand over.
🧩 Metadata
Metadata is the contextual information surrounding your data. For example, the metadata for a phone call includes the number you called and the length of your call (but not the call’s contents). With enough metadata, attackers can piece together a relatively reliable picture of who you are, who you know, and where you’re going.
Unfortunately, legal protections around metadata tend to be weak or nonexistent.
🚶🏽♀️ Level 1
✅ Things to do
Identify important accounts
Imagine that an attacker gains access to all of your online accounts. Which of these accounts would be really painful to lose? List them out and write them down.
Typically this list includes accounts used for email, online banking, social media, and maybe one or two related to work.
The list should be short, with fewer than five or six items.
Double-lock important accounts
The first lock is usually your account password. The second lock takes a different form and/or arrives via a different channel, most often as a code generated by an authenticator app, sent to your phone by text message (SMS), or produced by a hardware security key. This additional lock is usually called two-factor authentication (abbreviated as 2FA) or two-step verification. Where a service offers the choice, prefer an authenticator app or hardware key over SMS, since text messages can be redirected by SIM swapping.
Turn on two-factor authentication for the important accounts you just identified. To find instructions on how to do so:
Run an internet search for two-factor authentication and the account name
Double-check backup security questions on important accounts
Make sure the answers to these questions are not easy to find out using public information about you. Security questions often get used to verify your identity during login or password resets, so they play a crucial role.
Secure your email
Check the address bar for https:// If you’re using a webmail service, check that you're logging into it using an https:// URL. If there isn't one available, find a new email provider.
Find out if your email service supports backup codes. Once you turn on 2FA, your email provider may provide single-use backup codes you can use if you lose your phone.
Use a non-common/obvious unlock code for your phone with at least 9 digits. We recommend using a long string of numbers as it's easier to tap (but using both letters and numbers is okay too). Swipe patterns are not recommended, however, as they are too easily replicated by onlookers.
If it asks you for a SIM pin code and you don't remember setting one, then the phone company/provider might have set one by default. Go to your phone provider’s website to find out what it is.
Don’t allow USB accessories to control a locked device:
iOS: Turn off Settings → Face ID & Passcode → Allow Access When Locked: USB Accessories.
Android: Setting is off by default and is only available if Developer Options are turned on.
Secure your computer
Turn on HTTPS-only mode (warns against unencrypted website traffic) on your desktop web browser(s):
Turn off automatically added calendar invitations, which can be used to send malicious links.
Google Calendar Settings→ Event Settings → Add invitations to my calendar: When I respond to the invitation in email
Outlook: File → Options → Calendar → Automatic accept or decline → Auto Accept/Decline: Automatically Accept Meeting Requests and Remove Canceled Meetings
Disable macros in Microsoft Office. Macros are small bits of code that automate actions which can be exploited by attackers. They can still be useful sometimes, which is why we recommend the Disable all macros with notification, which allows you to manually allow macros from trusted sources to run.
A phishing scam is an email or text message where an attacker is trying to trick you into giving your password or other login details. To defend yourself:
Trust your instincts. If you feel like something is off — whether it's the way the text is written, the way the graphics look, or an unusual, first-time request from a service provider — it probably is.
Check who it's from. Look over the sender's name and phone number or email address. If it's an email, be sure to closely read the bit after the @ symbol.
Think twice before clicking a link. When in doubt, carefully examine the domain in the link. To look at it without opening the link:
On mobile:
iOS: Tap and hold on a link. A mini preview of the destination will appear. On the top right of this mini-window, tap Hide preview. From then on, iOS will show the full URL whenever you tap and hold on a link.
Android: Tap and hold on a link.
On desktop:
Firefox, Chrome, Edge: When your mouse cursor hovers over a link or button, the full URL will show up on the bottom left.
macOS Safari: To turn on the above feature, go to View → Show Status Bar
macOS Mail: Hover your mouse cursor over a link and wait for a few seconds for a pop-up to appear.
After clicking links, scan the URL address bar in your web browser.
Is there a red warning icon or 'Not Secure' label? This means the website is running unencrypted on http (rather than https).
Is the domain spelled incorrectly?
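To make the "examine the domain" step concrete, here is an added example (Python, not part of this guide) that pulls the real host out of a URL and flags the tricks phishing links rely on: credentials before an "@" so the visible brand is not the host, a brand name buried in a subdomain, one-character typosquats, punycode or non-ASCII look-alike letters, and plain http. The brand watch-list and sample URLs are constructed for the demo, and treating the last two labels as the registrable domain is a deliberate simplification that mis-handles suffixes such as co.uk.

```python
"""Added example: show where a link really goes and flag common phishing tricks."""
from urllib.parse import urlsplit

# Constructed watch-list for the demo; use the brands you actually log in with.
WATCHED_BRANDS = ("paypal", "apple", "google", "microsoft")


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch one-character typosquats such as paypa1."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def inspect_url(url: str) -> dict:
    """Return the effective host, an approximate registrable domain, and a list of warnings."""
    parts = urlsplit(url.strip())
    host = (parts.hostname or "").lower()
    labels = host.split(".")
    # Simplification: last two labels = registrable domain (wrong for public suffixes like co.uk).
    sld = labels[-2] if len(labels) >= 2 else host
    registrable = ".".join(labels[-2:]) if len(labels) >= 2 else host
    warnings = []

    if parts.scheme != "https":
        warnings.append(f"scheme is '{parts.scheme or 'none'}', not https")
    if "@" in parts.netloc:
        # https://paypal.com@evil.example/ : everything before '@' is userinfo; the host is evil.example
        warnings.append(f"text before '@' is not the host; the real host is {host}")
    if not host.isascii() or any(label.startswith("xn--") for label in labels):
        warnings.append("internationalised host: letters may be look-alikes from another alphabet")
    for brand in WATCHED_BRANDS:
        if sld == brand:
            continue  # e.g. www.paypal.com: the brand really is the registrable domain
        if brand in host:
            warnings.append(f"'{brand}' appears in the host but the registrable domain is {registrable}")
        elif edit_distance(sld, brand) == 1:
            warnings.append(f"'{sld}' is one character away from '{brand}'")
    return {"host": host, "registrable": registrable, "warnings": warnings}


if __name__ == "__main__":
    for sample in ("https://www.paypal.com/signin",
                   "https://paypal.com@evil.example/login",
                   "http://paypa1.com/",
                   "https://paypal.com.evil.example/",
                   "https://xn--80ak6aa92e.com/"):
        result = inspect_url(sample)
        print(sample, "->", result["host"], result["warnings"] or "no warnings")
```

The "@" case is the one the hover preview in the browser helps with least, because the start of the URL looks exactly like the legitimate site.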
Beware of file attachments
Don’t download/open unnecessary attachments.
When in doubt, reply to the original sender to ask what it is.
On email, preview attachments within the app or website. On Gmail and Protonmail, simply clicking the attachment brings up a preview inside the mail interface, so the file is not opened by an application installed on your computer.
Ask the sender to use a filesharing service (Dropbox, Google Drive, Tresorit), which also have their own online preview system.
Upload suspicious attachments to VirusTotal to have them analyzed. Keep in mind that files submitted to VirusTotal are shared with multiple security companies and researchers, so don't submit anything sensitive. If the file might be sensitive, search VirusTotal for the file's SHA-256 hash first: if the same file has already been uploaded by someone else, you get the verdict without uploading the content.
Update all the things
Device operating systems: When you get a notification on your devices to update the operating system, do it as soon as possible.
Automatic updates: Turn on auto-update for your apps if the feature is available. If asked to update an app, do so as soon as possible.
Firmware updates: Check occasionally for firmware updates for your router and other internet-connected devices.
Other considerations
Wipe your devices properly before donating or giving them away. If your phones and computers are encrypted (see Encrypt your devices in Level 2), a standard factory reset will suffice for most use cases, because the reset discards the encryption key.
Don’t charge your phone at public charging stations/ports. They present a risk because attackers might steal your data. Instead, use a portable battery or bring your own adapter to plug directly into the power outlet.
👍 Great job! You've secured 👍 some important quick wins 👍 for your online safety & privacy. 👍 Please, do treat yourself to 👍 a cup of tea and a stretch. 👍 👍 Now, ready for Level 2?
🏃🏻♂️ Level 2
✅ Things to do
Install a password manager
One common way attackers gain access to your account is when your password is too easy: too short, too obvious, or, if you reuse the same password on multiple accounts, already leaked as part of a data breach.
The best way to counteract this problem is to install and use a password manager, which helps you generate long passwords, store them, and fill them in automatically when you're logging into a website.
Install the password manager app on both your phone and computer.
Install the password manager browser extension on your desktop web browser.
Only create passwords with more than 12 characters. We recommend using the option in the password manager that strings together random, unrelated words (e.g. plant-truck-nose-frame-lace) so that it's easy to type in those rare instances when the autofill isn't working.
Create login items/entries for your important accounts (identified in Level 1) and make sure each password is unique.
Next time you have to type in your password for another account, create an entry for it. This way, you will gradually get any frequently used accounts into the password manager.
Transfer all of your accounts later. Entering all of your accounts into the password manager will take a while, and is best saved for another day. (We've placed this time-consuming task in our Level 3.)
Don't use your password manager as a two-factor authentication app. It's better to not put all your eggs in one basket.
Encrypt your devices
Remember, encryption is only fully effective when the device is off!
Log into the administration and settings dashboard. It’s usually accessible by going to http://192.168.0.1 or http://192.168.1.1 in your web browser. Otherwise, check your router’s instructions.
Update the dashboard login if the password is simple.
Review the devices currently connected to your network. You may have to explore until you find the access control page. Make sure you know what every device on the list is.
Turn off the following options if you see them. (Look for them under advanced settings or gateway functions.)
UPnP (Universal Plug and Play): lets any device on your network open ports to the internet without asking you.
WPS (Wi-Fi Protected Setup): the PIN method has a small search space and has been brute-forced in the past.
Remote Management: exposes the admin dashboard to the internet rather than only to your own network.
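One way to check that the UPnP change actually took effect, as an added example that is not part of this guide: a Python script that sends a standard SSDP M-SEARCH to the UPnP multicast group and lists whatever answers. A router with UPnP on normally responds as an InternetGatewayDevice. The response used for the offline demonstration is constructed, and the 192.168.0.1 address in it is the placeholder from the text, not a real device.

```python
"""Added example: discover UPnP responders on the local network via SSDP."""
import socket

SSDP_ADDR = ("239.255.255.250", 1900)
M_SEARCH = (
    "M-SEARCH * HTTP/1.1\r\n"
    "HOST: 239.255.255.250:1900\r\n"
    'MAN: "ssdp:discover"\r\n'
    "MX: 2\r\n"
    "ST: ssdp:all\r\n"
    "\r\n"
)

# Constructed sample of what a home router answers when UPnP is enabled (not a captured packet).
SAMPLE_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"CACHE-CONTROL: max-age=1800\r\n"
    b"LOCATION: http://192.168.0.1:1900/igd.xml\r\n"
    b"SERVER: Linux/3.x UPnP/1.1 ExampleRouter/1.0\r\n"
    b"ST: urn:schemas-upnp-org:device:InternetGatewayDevice:1\r\n"
    b"USN: uuid:00000000-0000-0000-0000-000000000000::urn:schemas-upnp-org:device:InternetGatewayDevice:1\r\n"
    b"\r\n"
)


def parse_ssdp_response(raw: bytes) -> dict:
    """Parse the HTTP-style SSDP reply into a dict with lower-cased header names plus 'status'."""
    lines = raw.decode("utf-8", errors="replace").split("\r\n")
    info = {"status": lines[0]}
    for line in lines[1:]:
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        info[name.strip().lower()] = value.strip()
    return info


def is_gateway(info: dict) -> bool:
    """The router's UPnP service (the one that opens ports) advertises itself as an InternetGatewayDevice."""
    return "InternetGatewayDevice" in info.get("st", "")


def discover(timeout: float = 3.0) -> list:
    """Send one M-SEARCH and collect (ip, server, st, location) for every responder until timeout."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM, socket.IPPROTO_UDP)
    sock.settimeout(timeout)
    sock.setsockopt(socket.IPPROTO_IP, socket.IP_MULTICAST_TTL, 2)
    found = []
    try:
        sock.sendto(M_SEARCH.encode(), SSDP_ADDR)
        while True:
            try:
                data, addr = sock.recvfrom(65507)
            except socket.timeout:
                break
            info = parse_ssdp_response(data)
            found.append((addr[0], info.get("server", "?"), info.get("st", "?"), info.get("location", "?")))
    finally:
        sock.close()
    return found


if __name__ == "__main__":
    responders = discover()
    if not responders:
        print("no SSDP responders: UPnP appears to be off (or multicast is blocked) on this network")
    for ip, server, st, location in responders:
        flag = "GATEWAY" if is_gateway({"st": st}) else ""
        print(f"{ip}\t{server}\t{st}\t{location}\t{flag}")
```

Silence is a good sign but not proof: some routers only answer searches for specific service types, and this test sees only the LAN side. Smart TVs and media players will often show up too; those are not the port-opening gateway service.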
Track your devices in case you lose them
Set up tracking or Find My, which will allow you to remotely find and wipe your devices by logging into a website if you ever lose them.
Review the privacy settings on social media platforms and messaging apps you frequently use. Check who can see your content, what information about you is being made public, and what you are sharing with third-party apps/advertisers.
Wherever possible, turn off read receipts for messaging apps. It may seem inconvenient at first, but in the long run you will have more privacy and freedom when people don't know if you've read their messages or not.
Here are links to and instructions for the most commonly-used platforms/apps:
Platforms/apps with privacy settings available through a desktop browser:
Platforms/apps whose full privacy settings are only accessible from the mobile app:
Instagram: Settings → Privacy
WhatsApp: Settings → Account → Privacy
Snapchat: Settings → Privacy controls
TikTok: Profile → Settings and privacy → Privacy
Telegram: Settings → Privacy and Security
Limit how Facebook tracks you on other websites by clearing and disconnecting Off-Facebook activity.
On email & social media accounts
Review Third-Party Apps or Connected Apps linked to major social media/email platforms. These third-party/connected apps have access to your data, and they might be selling it.
Review which apps on your smartphone have access to your location data. Turn off access for the apps that don’t need it, and minimize the number of apps tracking your location.
iOS: Settings → Privacy → Location Services
Android: Settings → Location → App access to location
Turn off your unique advertising ID number so that advertisers can't pinpoint you as easily:
iOS: Settings → Privacy → Tracking → Allow Apps to Request to Track: Off
iOS: Settings → Privacy → Apple Advertising → Personalized Ads: Off
Android: Settings → Privacy → Ads → Delete advertising ID
On Android, turn off passive Wi-Fi and Bluetooth scanning.
Settings → Location → Wi-Fi and Bluetooth scanning
Delete third-party keyboards on your phone. They often share what you type with the software maker.
These keyboards are installed as apps on iOS and Android, so take the time to scan through all of your installed apps to find and delete them.
If you need to use a third-party keyboard, make sure it’s an open-source project that others have verified and does not share your data with third parties.
On your mobile/computer web browsers
Review your web browser's privacy settings
On your mobile:
iOS Safari: [iOS] Settings → Safari → Privacy & Security, turn on all of them except Block All Cookies
Android Chrome: [Chrome] Settings → Privacy and security, turn on Safe Browsing (either option), Always use secure connections, Do Not Track
Android Firefox: [Firefox] Settings → Privacy and security, turn on HTTPS-Only Mode, Enhanced Tracking Protection
On your computer:
macOS Safari: Preferences → Privacy, turn on Website tracking and Hide IP address
macOS/Windows Chrome: Preferences → Privacy and security → Cookies and other site data, turn on Block third-party cookies, Do not track
macOS/Windows Firefox: Preferences → Privacy & Security, turn on Enhanced Tracking Protection (any option), Do Not Track and HTTPS-Only Mode (scroll to the bottom)
Install these web browser extensions/add-ons if your browser supports it. Make sure they’re on even during private/incognito mode.
Post less personal information online. This includes information that can be used to identify/track/scam you (addresses, phone numbers, birthday, etc.).
Set up a separate account under a pen name to leave local business reviews (on Google Maps, Yelp, etc.) if you write many of them. Otherwise, reviews will be shown under your real name and possibly give away your home location.
When registering domains, make sure WHOIS/domain privacy is turned on. Many domain name registrars and webhosts offer this feature for free. Note: There are unofficial WHOIS lookup/history tools out there that make it hard to remove your information from the history log once you’ve entered it at an earlier point in time.
Watch what you say in online groups
Don’t say anything you’d regret in a “private” group on Slack, Discord, Facebook, a WhatsApp group chat, a Telegram channel, or any “private” online forum. Here’s why:
Any member can leak all of the data.
Administrators usually have access to everything within the group, including deleted messages and private direct messages between two people.
What you say can be traced back to your account's phone number or email. Even if you're not using your real name or photo.
To prevent this in Telegram, go into Settings → Privacy and Security → Phone Number, and then set:
Who can see my phone number to Nobody.
Who can find me by my number to My Contacts.
Other considerations
When downloading a new mobile app, double-check to confirm it’s the right one. Many fake apps trick people by using a slightly modified name or icon of an existing, popular app.
Regularly check the installed apps on your phone. Delete the ones you’re no longer using.
Need to send someone a password? Split it in half and send it via two different channels. For example, send half of the password through email and the other half via a voice call.
Don’t use Google/Twitter/Facebook to sign up or log into other services, as this gives these platforms unnecessary data about you. Each service should have its own account, and with a password manager this is easy to manage.
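The split-in-half advice above has a stronger form, shown here as an added example that is not part of this guide: XOR the password with random bytes of the same length and send one part over each channel. Someone who captures only one channel then learns nothing at all, whereas a literal half hands them half the password. Hex encoding of the shares and the sample password are choices made for this demo.

```python
"""Added example: split a secret into two one-time-pad shares for two different channels."""
import secrets


def split_secret(secret: str):
    """Return two hex strings; each on its own is indistinguishable from random bytes."""
    data = secret.encode("utf-8")
    pad = secrets.token_bytes(len(data))               # share 1: fresh random bytes from the OS CSPRNG
    masked = bytes(d ^ p for d, p in zip(data, pad))   # share 2: secret XOR pad
    return pad.hex(), masked.hex()


def join_secret(share_a: str, share_b: str) -> str:
    """Recombine the two shares; XOR is its own inverse, so the order does not matter."""
    a, b = bytes.fromhex(share_a), bytes.fromhex(share_b)
    if len(a) != len(b):
        raise ValueError("shares must have equal length")
    return bytes(x ^ y for x, y in zip(a, b)).decode("utf-8")


if __name__ == "__main__":
    by_email, by_chat = split_secret("correct horse battery staple")  # constructed sample password
    print("send by email:", by_email)
    print("send by another channel:", by_chat)
    print("recipient recombines:", join_secret(by_chat, by_email))
```

Hex shares are tedious to read aloud, which is why the guide's plain halves are the pragmatic default over a voice call; use the XOR split when both sides can paste the shares into a script.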
🎉 Congratulations! You dove 🎉 fearlessly into your settings, 🎉 clicking, tapping, swiping, 🎉 which makes you a very, very 🎉 above average human being. 🎉 Now, you deserve a day off. 🎉 🎉 When you come back, 🎉 be prepared to join 🎉 the upper ranks of safety 🎉 as you enter Level 3.
🧗🏿♀️ Level 3
✅ Things to do
Put an extra lock on sensitive files
Identify files you don’t want others to access. This may include private photos, passport scans, and financial documents.
Create an encrypted, password-protected vault for your files.
Place a sticker (or webcam cover) over your laptop’s front-facing camera.
If you buy a webcam cover for a laptop, make sure it is less than 0.1mm thick so that it doesn't affect how the laptop closes.
Don't use devices your workplace gives you for personal things. Either have separate devices for your work and personal lives, or, if it's too troublesome to have multiple devices, use your personal device for everything. Devices set up by workplaces often have monitoring systems that can turn malevolent during disputes.
Buy a mobile phone that always gets the latest software updates. Recommended phones:
Apple iPhone
Google Pixel Android
Use a paid VPN service both when you're on a public network (library or café) and when you're at home (to decrease data shared with your internet/phone company). Keep in mind that a VPN moves that visibility to the VPN provider rather than eliminating it, so choose one whose logging policy you trust.
Avoid free VPN services, because free services often make their money back by selling your data.
Wire: Sign up with an email address or phone number.
Set messages to disappear after 1 or 4 weeks.
Signal: Go to Settings → Privacy → Disappearing Messages → Default Timer for New Chats.
Wire: No app-wide setting exists. You have to set it up for each conversation by tapping/clicking the timer icon ⏱.
These apps also end-to-end encrypt video and voice calls, so continue using them wherever possible.
End-to-end encryption for video/voice calls with more than 5 people may not be worth it. There are several reasons:
Privacy is hard to maintain in large group calls as they often become quasi-public events due to the large number of participants.
End-to-end encrypted video/voice requires more bandwidth than usual, and there's a large chance one or more people on the call won't be able to connect properly.
For online file-sharing and backup
Store files on the cloud using end-to-end encryption.
Remember: files stored on Dropbox, Google Drive, and iCloud are not end-to-end encrypted by default (iCloud can be if you turn on Apple's optional Advanced Data Protection).
Further secure your messaging apps
Be aware of what other people can see in a group chat
Messaging apps use either your phone number or a username as the unique identifier (which other people use to add you on the platform). As such, your phone number or username is then visible to anyone you're in a group chat with, along with the name and photo in your profile.
Here's a breakdown of what unique identifiers are used for some popular messaging apps that offer some form of end-to-end encryption:
Signal: phone number
Wire: username (no one else can see the email or phone number you used to register your account)
Telegram: phone number by default but you can set up a username and then stop sharing your phone number:
Settings → Username
Settings → Privacy and Security → Phone Number → Who can see my phone number: Nobody
WhatsApp: phone number
If you don't want to give out your personal phone number, consider getting a virtual phone number from one of the providers listed in our scenario for Masking your identity for online dating, events, or organizing.
Use app-specific safety & privacy features
Signal
Turn on the extra layer of pin code protection and prevent others from logging in with your phone number.
Settings → Account → Signal PIN
Settings → Account → Registration Lock: On
Telegram
Turn on two-step verification to prevent someone from moving your account without your permission.
Settings → Privacy and Security → Two-Step Verification
Start conversations using New Secret Chat so that they are end-to-end encrypted. All other conversations and groups are not. Unfortunately, this means those messages are tied to the device they were started on and will not show up in your desktop or web app.
WhatsApp
Turn on security notifications on WhatsApp to get a notification when a person you're talking to switches to a new device.
Settings → Account → Security → Show Security Notifications on This Phone: On
Turn on two-step verification to prevent someone from moving your account without your permission:
For iOS users who use iCloud Backup (not end-to-end encrypted) to back up their entire phone, make sure WhatsApp is not included as part of the process. This iCloud Backup should not be confused with WhatsApp's internal backup feature, which also uses iCloud and which can be end-to-end encrypted if you turn that option on in WhatsApp's chat backup settings.
[iOS] Settings → Your name → iCloud → Manage Storage → Backups → device → WhatsApp: Off
Fully utilize your password manager
Store login credentials for all online accounts in a password manager. We previously asked you to store passwords for your most important accounts on there. Now, it's time to transfer everything onto there.
The fastest way to enter the details is to logout and login to each account on your computer, and let the password manager's browser extension/add-on capture the details automatically.
In some cases, the password manager may warn you that the password you have is weak. If so, spend that extra minute on the account website to change to a new password.
Use your password manager’s feature that checks your passwords for weaknesses. If available, this scans your stored passwords to see if any of them is too short, reused, or already leaked as part of a data breach.
Feature name in:
1Password: Watchtower 💰
Bitwarden: Vault Health Report 💰
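What such a vault health check does under the hood, as an added example in Python (not code from 1Password or Bitwarden): flag entries that are too short or reused, and look each one up against breach data using the Pwned Passwords range API's k-anonymity scheme, in which only the first five hex characters of the password's SHA-1 leave your machine and the match is made locally. The vault entries and the range-response excerpt are constructed for the demo (the hash suffix for "password" is its real SHA-1 suffix; the counts are made up), and fetch_range shows the real endpoint but is not called offline.

```python
"""Added example: length, reuse and k-anonymity breach check over a (constructed) password vault."""
import hashlib
from collections import Counter

# Constructed vault of (site, password) pairs. Not real credentials.
VAULT = [
    ("bank.example", "Tr0ub4dor&3"),
    ("mail.example", "password"),
    ("shop.example", "password"),
    ("forum.example", "plant-truck-nose-frame-lace"),
]

# Constructed excerpt of a range response for prefix 5BAA6: one "SUFFIX:COUNT" line per leaked
# SHA-1 that starts with those five characters. The first suffix is SHA-1("password"); counts are illustrative.
SAMPLE_RANGE_5BAA6 = "\r\n".join([
    "1E4C9B93F3F0682250B6CF8331B7EE68FD8:1234567",
    "003D68EB55068C33ACE09247EE4C639306B:3",
])


def sha1_prefix_suffix(password: str):
    """Split the upper-case hex SHA-1 into the 5-char prefix that is sent and the 35-char suffix kept local."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def pwned_count_from_range(range_body: str, suffix: str) -> int:
    """k-anonymity: the server returned every suffix for the prefix; find ours locally."""
    for line in range_body.splitlines():
        sfx, _, count = line.strip().partition(":")
        if sfx == suffix:
            return int(count)
    return 0


def fetch_range(prefix: str) -> str:
    """Live lookup (not used offline): GET https://api.pwnedpasswords.com/range/<prefix>."""
    from urllib.request import Request, urlopen
    req = Request(f"https://api.pwnedpasswords.com/range/{prefix}",
                  headers={"User-Agent": "vault-health-demo"})
    with urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def offline_lookup(prefix: str) -> str:
    """Stand-in for fetch_range so the demo runs without network access."""
    return SAMPLE_RANGE_5BAA6 if prefix == "5BAA6" else ""


def vault_health(vault, range_lookup, min_len: int = 12) -> dict:
    """Return {site: [problems]} for every entry; an empty list means the entry passed."""
    reuse = Counter(pw for _, pw in vault)
    report = {}
    for site, pw in vault:
        problems = []
        if len(pw) < min_len:
            problems.append("too short")
        if reuse[pw] > 1:
            problems.append("reused")
        prefix, suffix = sha1_prefix_suffix(pw)
        seen = pwned_count_from_range(range_lookup(prefix), suffix)
        if seen:
            problems.append(f"seen in breaches ({seen} times)")
        report[site] = problems
    return report


if __name__ == "__main__":
    for site, problems in vault_health(VAULT, offline_lookup).items():
        print(f"{site:15} {', '.join(problems) or 'ok'}")
```

Replace offline_lookup with fetch_range to run it against the live service; nothing but five hex characters of a hash is sent, so the check does not itself leak your passwords.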
😲 Wow, you really did it. 😲 You finished all 3 levels! 😲 You deserve a reward — 😲 a cookie, perhaps, 😲 but not the tracking type. 😲 😲 Rest for the rest of the week 😲 and when you're well rested, 😲 come back and check out 😲 the scenarios below.
🤹🏻 Scenarios
👤 Masking your identity for online dating, events, or organizing
Don't use your full name
Consider using a nickname or just your first name. This is especially important if your full name is unusual, which makes it very easy to search for online.
Consider using a persistent pseudonym or collective identity, especially if you’re a public figure. For more information on how and why, see:
TextNow: Offers ad-supported US and Canada numbers
Google Voice: Offers a free US number, but is only available in the US
Your local phone companies 💰
Get a prepaid or cheap SIM card plan
Note: If you lose or unsubscribe from your secondary phone number, other people can buy it and impersonate you.
Get an email alias
For sites and services that use email as the primary identifier/username, get a new 🆓 email account or an email alias that forwards to your main account from:
Sign up for a privacy-focused virtual credit card 💰 (only available in the US). Both of these services a) mask who you are to the seller, and b) mask what you've bought from the bank.
Even with all the third-party services above, courts can still compel companies to hand over information about you. So if you are really in a high-risk situation, you may need to do all of the above and more. For one example of this, see Matt Mitchell's PRIVACY RECIPE: Creating an online persona.
✊🏾 Attending a protest
When it comes to attending a protest, there are many, many considerations depending on where you are and who you are. In this guide, we are only going to make recommendations related to uses of technology.
Things to do before you go
Keep communications private
Use an end-to-end encrypted messaging app and make sure disappearing messages is turned on. See the encrypted messaging app part of Level 3 above.
Double-check the privacy settings in your messaging apps.
Turn off message previews in your notifications.
iOS:Settings → Notifications → Show Previews: When Unlocked.
Draft a message to a trusted friend or legal hotline beforehand. Be prepared to hit send if you are arrested at the protest or if there’s an emergency.
As a backup, write down the phone number of the trusted friend/hotline on your arm with a permanent marker.
Charge your phone fully and bring a spare battery.
Clean out any sensitive personal information on your phone. Delete any photos, chat logs, and notes that can be used against you.
If you use your fingerprint or face to unlock your phone, turn it off before the protest. In some jurisdictions, officers can compel you to provide your fingerprint but not your passcode.
Dress up to not stand out. Wear plain clothes that don't attract attention, cover up visible tattoos, and put on a face mask. Make it harder to be easily identified from a photo and by facial recognition technology.
Get a burner phone only if you really need it
A burner phone is a single-use, disposable phone and SIM card that you buy with cash. Ideally, it keeps you anonymous to the phone company and online services, and reveals nothing about you if someone takes or steals it.
Burner phones require extra time and money to set up. For example, see Micah Lee's guide on setting one up in the US.
Decide what you want to use a burner phone for, and what that use might reveal about you. Every action you perform with your phone creates a clue about who you are. E.g. if you activate it at home, it will give away your home address.
Do you need a burner phone and SIM card or do you just need a burner virtual phone number? For the latter, see the scenario above: Masking your identity for online dating, events, or organizing.
Remember when you're out
Power off your phone if there's risk of an imminent arrest or phone seizure. Encryption works best when devices are off.
Try not to take photos or videos where people’s faces are visible. Taking a photo of people’s backs is okay. The one exception is if you’re filming a video of a conflict or arrest where documentation is critical.
If there are faces captured in a photo/video, make sure to blur them before sharing them online.
🩸 Accessing reproductive health services privately
Getting the care you need can be a controversial and fraught endeavor in many parts of the world. Here are some recommendations that may apply if you live in one of those places.
Researching and talking to friends
Follow the privacy-enhancing recommendations in Level 2.
Use a VPN to minimize what your internet provider can see.
Open a new private window in your web browser to minimize tracking and make sure your browsing history isn't saved. Alternatively, use a different browser in private mode only for health research to further compartmentalize data.
Think twice before sharing information, and when you do, use an end-to-end encrypted messaging app with disappearing messages on. (Avoid email if possible.)
Tracking your period
Use an app that stores your data locally, or use pen and paper.
Disk encryption only fully protects a device that is powered off. In sleep mode the decryption key is still held in memory, so shut devices down completely before a border crossing.
Turn off fingerprint and face unlock before you travel. Your mobile devices can then only be unlocked with a PIN code, which is protected against compelled disclosure in some jurisdictions (see the protest scenario above).
Backup before you depart and keep a copy at home in case your devices are lost in transit.
Store less information on your devices. They can’t take what you don’t have if your devices are seized.
Be mindful of what stickers you put on your devices. A border agent could mistake them for something suspicious.
Decide beforehand what you will do if you are asked to unlock your devices. Searches sometimes happen as a routine part of border crossing.
Notify your people about your flight number and arrival time. Regularly check in with one of them at points in your journey. Have them contact a lawyer/relevant organization if you do not show up.
For extreme situations
Note: Some of these practices might raise suspicions and backfire.
Create an alternate universe version of yourself... digitally. Create photo albums, email addresses, and social media accounts full of vanilla content.
“Forget” half of your password. Password lock your device/account so that only a trusted friend has the second half of the password.
Log out of all important accounts. Or leave your devices at home.
For travel to the US, consider filing for attorney privileges. See BoingBoing’s note about filing for attorney privileges at the U.S. border.
🤐 Traveling to a place with weak data privacy laws or internet censorship
Be aware that phone companies might share your location and personal info with others without your permission.
Consider traveling with a burner phone while leaving your laptop at home. This will be especially useful if you need to install new/untested software for work that might violate data privacy policies.
Re-evaluate which online platforms are safe to use.
See how often a platform hands over user data to governments by reading its transparency report.
Look up the location of the platform's global headquarters and see where the nearest local/regional office is. Location affects a platform's relationship with the authorities and its privacy policy.
💻 Hosting a public event online
Don’t say anything you wouldn’t say in public. Encourage your attendees to do the same. Most commercial platforms have access to your audio/video data and mine your metadata to create consumer profiles.
Limit the amount of control an audience member has.
For example, for most Zoom events, it's not necessary for everyone to have screensharing access.
Don't make the meeting link too public. Either set a meeting password or set up an RSVP system so that you don’t have to give out the meeting link and password publicly.
Create a user/content moderation plan.
If you have co-hosts or moderators, make sure they are set up in the online system as administrators/editors/moderators.
Familiarize yourselves with what filtering/muting/blocking powers you have as a host/moderator.
Create an emergency plan of action around what you would do if a malicious troll enters your event.
🥴 Online harassment & doxxing
Harassment and doxxing tend to be very specific situations, which vary drastically depending on who you are, what you do, who the attacker is, etc.
While we have some general recommendations below, we suggest seeking additional information from someone in your community and from an online resource/guide that hews closer to your exact situation.
Build support systems
Recruit a trusted friend
Do not force yourself into a corner by going at this alone!
Baseline: Ask a trusted friend to hold space for you and your situation. They can be your sounding board while helping you analyze how grave the threat is.
Preferred: Ask a trusted friend to accompany you as you investigate, record, report and block harassers.
For serious situations: Hand your phone/accounts over to a trusted friend and ask them to summarize incoming messages and updates. Decreasing your exposure will decrease your stress.
Bonus: Have the trusted friend start a group chat with you, them, and 2-3 additional people explicitly for your situation. This way, support work is distributed among multiple people.
We recommend either going through the recommendations below with your trusted friend or handing the recommendations over to them.
If no one is available right now, Heartmob has a list of supportive organizations, many of which have 24/7 hotlines.
Research and monitor the situation
Search for public information about yourself (dox yourself)
Search for your name, nicknames, usernames, and address on Google, Bing, and other popular search engines. Try adding filetype:pdf to your search query to catch any CVs or documents you might have missed.
Run an image search on your most-used profile pictures on the same search engines.
Search for your name, nicknames, and usernames on any social media platforms you regularly use. Check social media platforms that are popular where you’re located, too.
Want to do a more thorough search? See Access Now Digital Security Helpline’s Self-Doxing Guide.
Monitor updates and collect evidence
Monitor your name and username. Add them as search keywords in the following tools:
Log (date, time, description, screenshot, URL) incidents in whatever program/app is most accessible for you. If there’s a lot of phone-only content, use the Hunchly mobile app.
If future legal action is likely, pay Page Vault to capture a snapshot of a website. Ask a lawyer to file an evidence preservation request with the relevant online platform.
Decide on a course of action
Ways to deal with your harasser(s)
The following choices are not mutually exclusive, and the best choice may change over time as the situation evolves:
Ignore: Sometimes, harassers will become bored and walk away if they don’t get attention.
De-escalate: In some contexts, you can defuse the situation with some calm words before it worsens.
Mute on social media: This lets you have peace of mind and not have your harasser’s updates suddenly pop up on social media. (You might still want to check what they’re saying proactively.)
Block on social media: Sends a strong signal to your harasser. They won’t be able to see your posts or message you. They will, however, notice that you blocked them and might interpret it as a sign of escalation.
Go public: Sometimes, shaming a harasser publicly or rallying people to your support will make them disappear. However, this has a high risk of escalating the situation and drawing more attention to it.
Report: Report the harasser to the relevant online platform to have their account frozen or deleted. You may also report the incident to your local law enforcement if it makes sense.
If you decide to report
If harassment is happening on a social media platform: File a report with a social media company and ask at least 10 friends to do the same. Have 1–2 people file a copyright infringement claim if it makes sense.
Review the relevant reporting links for the following services:
If there’s harassment material on a website: File an abuse report with the website’s web hosting service and domain registrar. A WHOIS lookup on the domain shows the registrar and its abuse contact (registrant details are usually redacted nowadays). To find the hosting provider, look up the site's IP address (its DNS A record) and run a WHOIS lookup on that IP; the network owner listed there is the host.
If you contact law enforcement:
Beware that not all officers are used to dealing with online harassment threats.
If you believe you might become a target of swatting (where someone falsely reports a violent emergency at your address so that armed police are sent to your home), let them know ahead of time. Send them an article about swatting if it’s a new idea to them.
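To go from a domain to the two abuse mailboxes mentioned above, you run `whois` on the domain and then on the site's IP address. The following is an added example (not part of the original guide) that pulls the owner and abuse contact out of that text output; the two responses it parses are constructed samples in the usual `Key: value` layout, and the placeholder domain and address are not real lookups.

```python
"""Extract the registrar/hosting owner and abuse contact from WHOIS text.

Added example. DOMAIN_WHOIS and IP_WHOIS are constructed samples of what
`whois <domain>` and `whois <ip>` print; field names vary by registry,
so the most common ones are listed below.
"""
from __future__ import annotations

import re

# Constructed sample of `whois example-harasser.test` (domain record).
DOMAIN_WHOIS = """\
Domain Name: EXAMPLE-HARASSER.TEST
Registrar: Example Registrar, Inc.
Registrar Abuse Contact Email: abuse@registrar.example
Registrar Abuse Contact Phone: +1.5555550100
Registrant Name: REDACTED FOR PRIVACY
Name Server: NS1.HOSTING.EXAMPLE
"""

# Constructed sample of `whois 203.0.113.10` (IP block record, ARIN style).
IP_WHOIS = """\
NetRange:       203.0.113.0 - 203.0.113.255
NetName:        EXAMPLE-HOSTING-NET
OrgName:        Example Hosting LLC
OrgAbuseEmail:  abuse@hosting.example
OrgAbusePhone:  +1-555-555-0199
"""

# Abuse mailbox fields as named by ICANN registrars, ARIN, and RIPE/APNIC.
ABUSE_FIELDS = ("Registrar Abuse Contact Email", "OrgAbuseEmail", "abuse-mailbox")
# Who operates the thing: the registrar for a domain, the network owner for an IP.
OWNER_FIELDS = ("Registrar", "OrgName", "org-name", "descr")


def parse_whois(text: str) -> dict[str, str]:
    """Turn `Key: value` lines into a dict (first occurrence of a key wins)."""
    fields: dict[str, str] = {}
    for line in text.splitlines():
        m = re.match(r"^\s*([A-Za-z][A-Za-z0-9 _-]*?):\s*(.+?)\s*$", line)
        if m and m.group(1) not in fields:
            fields[m.group(1)] = m.group(2)
    return fields


def abuse_contacts(text: str) -> dict:
    """Return who to report to: owner name, abuse mailbox, and whether the
    registrant is redacted (normal since GDPR; report via the registrar then)."""
    fields = parse_whois(text)
    out: dict = {}
    for key in OWNER_FIELDS:
        if key in fields:
            out["owner"] = fields[key]
            break
    for key in ABUSE_FIELDS:
        if key in fields:
            out["abuse_email"] = fields[key]
            break
    registrant = fields.get("Registrant Name", "")
    out["registrant_redacted"] = "REDACTED" in registrant.upper()
    return out


if __name__ == "__main__":
    print("registrar:", abuse_contacts(DOMAIN_WHOIS))
    print("hosting:  ", abuse_contacts(IP_WHOIS))
```

In practice you would feed it the real output of `whois` (or the JSON from an RDAP lookup, which has replaced WHOIS at many registries); the point is that the domain record tells you whom to email about the domain, while only the IP record tells you who runs the server.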
Delete online information about you
In most cases, you will be safer if you review and remove some of the public information that's out there online about you. See the scenario below titled: Remove information about you off of the internet.
Notify other parties
In parallel to monitoring the situation and dealing with your harasser(s), it may be important to:
Tell your close contacts, family, and employer what’s going on. Get ahead of the situation by making talking points together so that they know how to respond if internet strangers or the press contacts them.
If the situation escalates, find and notify someone in your community nearby with crisis experience for protection and support.
Bonus: helpful social media platform tools and features
Facebook
Facebook has a few features to control your interactions, but ultimately relies on you setting limits on who can see and comment on your posts and profile.
Ignore Messages within Facebook Messenger to move the current and future messages to the Message Requests section
Privacy Checkup within Facebook includes a section on Who can see what you share that walks you through the visibility of your profile and posts.
Instagram
Instagram has a set of nuanced features within its mobile app to filter and fine-tune social interactions on its platform.
Restrict an account, which means the other person can’t see when you’re online, whether you’ve read their messages, and hides their comments.
Twitter
Reduce dogpiling with Red Block, a browser extension that blocks all followers of a specific profile.
See what lists you’ve been added to by going to Profile → Lists → ··· → Lists you’re on. If you see a suspicious list or list owner, tap the three dots on the top right to report the list and leave the list by blocking the creator.
Control who can reply to your tweets by tapping Everyone can reply and restricting it to People you follow or Only people you mention.
Discord
Discord is centered around separate communities/servers, which affects the way blocking works.
When you block someone:
They are unable to direct message you, call you, or tag you in a post.
Their messages to you disappear.
Messages that they write on shared channels are hidden. But messages that you write on shared channels are still visible to them.
They appear offline to you at all times, but they can still see your online/offline status.
Privacy settings allow you to adjust whether community/server members can direct message you, and who's allowed to send you friend requests.
Choosing between muting or blocking an account
Some platforms tell the other person you've blocked them, while others hide the action completely. Read this Consumer Reports guide for details on what blocking looks like to the other party.
Show yourself some kindness
Don’t worry if you’re not able to keep up with your regular workday routine.
Call in friends to help share a meal, take a break, or watch your pet(s) for a few days.
Do your best to eat and shower regularly.
Engage in movement, no matter how small. That could be a walk or even stretching. Pick something you enjoy, and that eases your mind.
Prepare a box of comforts beforehand. Include things you like to see, touch, taste, and listen to.
If the incident is traumatizing, refer to it using a nickname.
Remember, it is not your fault. Online harassment is never justified and is ignited for the most random reasons.
Bonus tips for journalists and researchers
Make yourself a more challenging target. Consider making your social media accounts private (or temporarily deleting them) for 48 hours surrounding a major, new release.
Don’t make more noise about yourself. Don’t livetweet your situation, don’t quit your job suddenly, and don’t talk to media outlets who will twist your words.
If necessary, prepare a formal written statement or reply with the help of people who have experience dealing with the media.
If the noise doesn’t stop, flood the airwaves with positive stories about yourself. Ask people within your professional community to write positive articles or social media posts about you and your work.
Remember, you did nothing wrong. Ignorant employers or colleagues may not be supportive and start seeing you as a liability — they’re wrong.
👀 Remove information about you off of the internet
If you’re about to become a public figure or are experiencing harassment, consider the suggestions below.
Clean up your social media presences
You might not need to delete your entire account, but consider deleting (or making private) old posts or posts that reveal too much about where you live, where you go, and who you’re with.
Facebook
See what your public profile looks like, and remove/restrict things as you see fit.
Desktop: go to your profile and click the 👁 button to the right of the Edit Profile button.
Mobile: go to your profile, tap the three dots on the right of Add Story and tap View As.
Make it so only friends can see your past posts.
Desktop: Go to Settings → Privacy → Limit Past Posts.
Mobile: Go to Settings & Privacy → Settings → Privacy Settings → Limit who can see past posts.
Consider bulk deleting past posts. To delete multiple posts at once:
Settings and privacy → Activity log → Your Posts and then select to Archive or Trash
There’s often no easy solution. Sometimes you have to delete your entire account.
In the case of Reddit, you have to use third-party scripts because deleting your account still leaves your posts up.
Delete your social media accounts...temporarily
Many social media companies let you restore your deleted account after a specific period. This can be useful if you want to hide for a while and wait for an event to pass.
Facebook: Read instructions to deactivate or delete your account temporarily. You have 30 days after deactivation to reverse it.
Instagram: Read instructions to disable your account temporarily, but deleting it seems permanent.
Twitter: Read instructions to deactivate your account. It will be permanently deleted if you don’t log in after 30 days.
Snapchat: Read instructions to delete your account. It will be permanently deleted if you don’t log in after 30 days.
Remove your information from other people’s accounts or websites
Remember: Information removal requests take time to process and often require repeated attempts.
Ask Google and Bing to remove search results pointing to pages with your personal information on them.
Remove any local business reviews you’ve left on Google Maps, Yelp, etc. They might point to your home or frequently visited places.
If you’re willing to pay 💰, Yael Grauer recommends using DeleteMe and Kanary to remove your information from English-language public and paywalled sites.
If you want to do it yourself, check out Yael Grauer’s Big Ass Data Broker Opt-Out List. (To be 100% thorough, use this on top of paid services.)
Remove articles and press about you online
Note: The larger the publication, the harder it is to persuade them.
Think of this as risk reduction, not total elimination. It will be impossible to have everything removed.
Contact the editor or your previous contact. Explain your situation honestly and hope for a sympathetic editor/writer.
If you think the editor/writer will not respond well, it may be better not to reach out—doing so may draw more attention to your situation.
For older articles, it may help to remind them that the article is still easily accessible on search engines.
Obscure your personal information
See the scenario: Masking your identity for online dating, events, or organizing.
Get a P.O. box at a post office or use Traveling Mailbox (U.S. only) to hide your home address.
Delete old accounts to eliminate traces of personal information on the internet. Use the JustDeleteMe directory to accelerate this process.
💔 Dealing with stalkerware/spyware
When someone close to you (usually a romantic partner) spies on you using a hidden app on your mobile device, that person is using stalkerware.
If you’re not sure and things haven’t escalated between you and your partner
Keep a hidden, pen-and-paper log of suspicious incidents.
Make sure your partner is not getting information from previously shared accounts. Did you share your calendar with them? Do you have any joint online accounts?
Check to see if you set up location share on an app. Instructions for:
Don’t delete suspicious apps immediately. You may need to keep them as evidence. Plus, deletion may also cause the situation with your partner to escalate.
If you’re pretty sure they’re spying on you and you’re scared
Don’t go through this alone — seek help:
Reach out to a trusted friend (through a public phone/line). Ask them to hold space for you and your situation. They can be your sounding board while helping you analyze how grave the threat is.
Connect with one of the many organizations who specialize in stalkerware and domestic abuse (through a public/friend's phone/line). Some of them help you collect evidence and remove stalkerware safely.
When you no longer need evidence, remove the suspicious apps/stalkerware yourself by performing a factory reset on your computer/phone. Buying a brand new device is even safer, of course. Either way, also change the password (and turn on two-factor authentication) for the cloud account the device signs into (Apple ID, Google account), because some "stalkerware" is simply someone logging into your backups and location sharing with a password they know; a reset alone does nothing about that.
Remember to reinstall apps and import data manually, lest you restore a backup with stalkerware in it.
Below are some general recommendations that all journalists and researchers should consider, especially those working with (human) sources. If you have access to experts and training sessions through your workplace or professional communities, we highly recommend taking advantage of that.
Be prepared
To remotely wipe the contents of your devices. See scenario below titled: Somebody took my phone/computer!
To be on the receiving end of an email phishing campaign (as journalist emails are usually more public than others).
If you're traveling, review the scenario titled Crossing an international border.
If you’re covering a protest, review the scenario titled Attending a protest and decide which parts apply to you (if you have special journalist rights/protections where you’re working).
If you're doing research on social media, do so under a separate account that uses an alias (not your real name). Set up this account using a disposable email address. (Not all newsrooms/employers allow this, but push the allowed boundaries as much as possible.)
Use a VPN if you’re browsing the internet at the office. For example, website administrators can see that you’re visiting from the New York Times network.
Store sensitive data in a password-protected cloud or external storage device as much as possible. Read the relevant recommendations in our Level 3 section above.
Permanently erase sensitive files from your computer. Be aware that on SSDs (most computers today) a file "shredder" cannot guarantee the data is gone: the drive's wear levelling, filesystem snapshots (for example APFS/Time Machine local snapshots) and your backups may all keep copies. The reliable approach is to have full-disk encryption on from the start, delete the file, and clean up the backups too; shredding is a best-effort extra. Recommended apps:
macOS: CleanMyMac X (its file shredder feature is included in the free trial)
To prevent misuse, get a new SIM card and cancel your old one. Make sure to do this only after you've tried calling your phone to reach whoever has picked it up.
If you get your device back, reset it to its factory settings and restore it from a backup made before it went missing.
If the authorities seize your device at an international border crossing, ask for a seizure receipt (available in some jurisdictions, such as Canada).
👾 Figuring out if your device has been hacked
Log in to your important accounts and look for any suspicious logged in sessions. Instructions for:
Use the device's built-in tools to look for irregular patterns.
On your computer, look for any processes that are using a lot of your CPU, or have names that you don't recognize (look them up to be sure). Use these tools:
macOS: Activity Monitor
Windows: Process Explorer to look at what processes/applications are running. Google any suspicious names.
On your phone, look for apps that are using an abnormally large amount of battery or data. Use these tools:
iOS: Settings → Battery → Battery usage by app
iOS: Settings → Cellular → Cellular data
Android: Settings → Battery → Battery usage
Android: Settings → Network and internet → SIMs → App data usage
Android: Settings → Network and internet → Internet → Non-operator data usage
Download third-party apps to help you analyze the data streams going in and out of your device:
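The process check above (high CPU, names you don't recognize) can be made a little more systematic on a computer. The following is an added example, not from the original guide: it parses `ps aux`-style output and flags processes that burn a lot of CPU or run from places a normal system program would not (temp directories, hidden dot-directories). PS_OUTPUT is a constructed sample that includes a fake cryptominer, and the list of "trusted" path prefixes is an assumption to adapt to your own machine.

```python
"""Flag processes worth a second look in `ps aux` output.

Added example. PS_OUTPUT is constructed; TRUSTED_PREFIXES is an assumption
(typical Linux and macOS system locations), not a complete allowlist.
"""
from __future__ import annotations

import subprocess

# Constructed sample of `ps aux` (macOS column names; Linux differs only in TTY/START).
PS_OUTPUT = """\
USER   PID %CPU %MEM    VSZ   RSS TT  STAT STARTED      TIME COMMAND
root     1  0.0  0.1 168000 11000 ?   Ss   Mon01AM   0:02.10 /sbin/init
alice  812  2.1  3.4 900000 28000 ?   Sl   Mon01AM   1:10.00 /usr/bin/firefox
alice  990 87.5  0.6  50000  8000 ?   R    10:21AM  45:02.00 /tmp/.cache/kworkerd -o stratum+tcp://pool.example:3333
alice 1002  0.3  0.2  40000  6000 ?   S    10:25AM   0:00.50 /home/alice/.local/share/.x/update
root  1200  0.0  0.0  20000  2000 ?   S    Mon01AM   0:00.00 /usr/sbin/sshd -D
"""

TRUSTED_PREFIXES = ("/sbin/", "/usr/sbin/", "/bin/", "/usr/bin/", "/usr/lib/",
                    "/System/", "/Applications/")  # assumption: adjust per machine
CPU_THRESHOLD = 50.0  # percent; anything sustained above this deserves a look


def parse_ps(text: str) -> list[dict]:
    """Parse `ps aux` output into dicts. The COMMAND column may contain spaces,
    so split at most (columns - 1) times and keep the rest as the command."""
    lines = text.strip().splitlines()
    header = lines[0].split()
    ncols = len(header)
    rows = []
    for line in lines[1:]:
        parts = line.split(None, ncols - 1)
        if len(parts) < ncols:
            continue
        row = dict(zip(header, parts))
        row["%CPU"] = float(row["%CPU"])
        row["PID"] = int(row["PID"])
        rows.append(row)
    return rows


def suspicious(rows: list[dict]) -> list[tuple[int, str, list[str]]]:
    """Return (pid, command, reasons) for every process that trips a check."""
    hits = []
    for r in rows:
        reasons = []
        exe = r["COMMAND"].split()[0]
        if r["%CPU"] >= CPU_THRESHOLD:
            reasons.append(f"high cpu {r['%CPU']:.1f}%")
        if exe.startswith("/") and not exe.startswith(TRUSTED_PREFIXES):
            reasons.append(f"runs from unusual path {exe}")
        if "/." in exe:  # executables hiding in dot-directories are a classic tell
            reasons.append("hidden directory in path")
        if reasons:
            hits.append((r["PID"], r["COMMAND"], reasons))
    return hits


def live_ps() -> str:
    """Fetch the real process list on Linux/macOS (not used by the sample run)."""
    return subprocess.run(["ps", "aux"], capture_output=True, text=True, check=True).stdout


if __name__ == "__main__":
    for pid, cmd, why in suspicious(parse_ps(PS_OUTPUT)):
        print(pid, cmd, "->", "; ".join(why))
```

Replace `PS_OUTPUT` with `live_ps()` to run it on your own machine. A hit is a reason to look the process up, not proof of compromise: legitimate software sometimes runs from a home directory, and a video encode will also peg the CPU.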
This section contains additional tips and tools that we encountered during our research. Many of the recommendations below are popular with members of the cybersecurity community, but we found them to be a little too hard to follow, a little too new/untested or a little too specific for a small group of people.
Cool tools for maximum safety
Write and take notes on end-to-end encrypted apps. Instead of Google Docs or Microsoft Office, use CryptPad or Standard Notes. Both are open-source and free to use.
Consider switching to a more privacy-oriented hosting service like Greenhost or one of these recommendations from Gecko & Fly and PrivacyTools.
Set up a security.txt file (RFC 9116) at /.well-known/security.txt on your website so that researchers have a place to disclose security vulnerabilities. At minimum it needs a Contact field pointing at an address you actually monitor and an Expires date so stale files get noticed.
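A security.txt file is small enough to get wrong silently (an expired date, a contact without `mailto:`, an `http://` URL). The following is an added example, not from the original guide or any project: it parses a security.txt file and checks the basics RFC 9116 requires. Both files in it are constructed, with placeholder domains, and the fixed clock is there only so the check is reproducible.

```python
"""Parse and sanity-check a security.txt file against RFC 9116 basics.

Added example. SAMPLE and BAD_SAMPLE are constructed files; the checks
cover Contact (required, with a scheme), Expires (exactly once, ISO 8601,
in the future, ideally under a year out) and https on URL fields.
"""
from __future__ import annotations

from datetime import datetime, timezone
from typing import Optional

SAMPLE = """\
# Constructed example; replace the contact details with your own.
Contact: mailto:security@example.org
Contact: https://example.org/security-report
Expires: 2030-06-30T00:00:00Z
Encryption: https://example.org/pgp-key.txt
Preferred-Languages: en, es
Canonical: https://example.org/.well-known/security.txt
Policy: https://example.org/security-policy
"""

# Constructed file with three common mistakes.
BAD_SAMPLE = """\
Contact: security@example.org
Expires: 2020-01-01T00:00:00Z
Canonical: http://example.org/.well-known/security.txt
"""

ALLOWED_CONTACT_SCHEMES = ("mailto:", "tel:", "https://")
URL_FIELDS = ("Canonical", "Encryption", "Policy", "Acknowledgments", "Hiring")
FIXED_NOW = datetime(2030, 1, 1, tzinfo=timezone.utc)  # fixed clock for the demo


def parse_security_txt(text: str) -> dict[str, list[str]]:
    """Field names are case-insensitive and may repeat, so keep every value."""
    fields: dict[str, list[str]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, sep, value = line.partition(":")
        if not sep:
            continue
        fields.setdefault(name.strip().title(), []).append(value.strip())
    return fields


def validate(text: str, now: Optional[datetime] = None) -> list[str]:
    """Return a list of problems; an empty list means the file passes these checks."""
    now = now or datetime.now(timezone.utc)
    f = parse_security_txt(text)
    problems: list[str] = []

    contacts = f.get("Contact", [])
    if not contacts:
        problems.append("missing Contact field")
    for c in contacts:
        if not c.startswith(ALLOWED_CONTACT_SCHEMES):
            problems.append(f"Contact needs mailto:, tel: or https://, got {c}")

    expires = f.get("Expires", [])
    if len(expires) != 1:
        problems.append(f"Expires must appear exactly once, found {len(expires)}")
    else:
        try:
            exp = datetime.fromisoformat(expires[0].replace("Z", "+00:00"))
            if exp <= now:
                problems.append(f"Expires is in the past ({expires[0]})")
            elif (exp - now).days > 366:
                problems.append("Expires is more than a year out; RFC 9116 recommends less")
        except ValueError:
            problems.append(f"Expires is not an ISO 8601 timestamp: {expires[0]}")

    for field in URL_FIELDS:
        for url in f.get(field, []):
            if not url.startswith("https://"):
                problems.append(f"{field} must use https: {url}")
    return problems


if __name__ == "__main__":
    print("good file:", validate(SAMPLE, now=FIXED_NOW) or "ok")
    print("bad file:", validate(BAD_SAMPLE, now=FIXED_NOW))
```

Run it against the file you are about to publish (and again from a cron job near the Expires date). It checks syntax only; that the mailbox is actually read by someone is on you.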
Other bonus items
Want a new messaging app? Check this table of secure messaging apps (Secure Messaging Apps Comparison) to learn more about security considerations beyond end-to-end encryption and what trade-offs you may be OK with.
Sign up to be notified by Have I Been Pwned when an account tied to your email is compromised.
Access Facebook with more anonymity and bypass internet filtering by using its onion service.
Freeze your credit (USA only) to prevent bad actors from accessing or mis-using your personal information. See IntelTechniques’ Credit Freeze Guide for details.
🏆 Oh my, you have arrived. 🏆 This is the end. 🏆 Thank you for reading. 🏆 Thank you for being thorough. 🏆 You are a true champ.
🧠 Other resources
We consulted many sources and drew upon our experiences in creating this guide. If you’re not finding quite what you want here, we recommend checking out the following resources:
Special thanks to the CryptoHarlem community, the students at the School of Journalism and Communication at the Chinese University of Hong Kong, and our GitHub contributors.