TLDR Guide To Personal Digital Security
Who's this for?
- You're pretty tech-savvy and you're comfortable going into the settings section of your computers/smartphones.
- You've read 1-2 guides for personal digital safety/privacy but are not sure about which recommendations you need to follow.
- You're not in immediate danger. So if something is really complicated to set up and maintain, chances are it's not for you. (Usability matters!)
How this works
- This guide is a living document – please feel free to submit a pull request and/or fork your own version of this guide.
- I would recommend doing everything in levels one and two. I did, and I'm only a mildly technically-competent person.
19 November 2018
- What kind of danger are you in? E.g. corporate espionage, police/state intervention, online harassment/doxing.
- What kind of assets are you protecting? E.g. confidential documents, private photos.
- We're all in a little bit of danger (otherwise we wouldn't bother putting a password on our computers and phones) but it's important to think about what's at stake before dismissing concerns or becoming paranoid :)
- For more info, read the EFF's introduction to threat modeling.
- Remember the weakest link is all that matters! E.g. if password recovery is linked to email, then hackers only need to get access to your email.
- For more info, read the EFF's guide to seven steps to digital security.
- Not encrypted: Any third party who intercepts the data can read it as is.
- Regular encryption: Data is encrypted so that third parties cannot read it. But the platform (e.g. Google or Facebook) still has access, and may hand the data over to law enforcement if they are required to do so by the courts/the government.
- End-to-end encryption: the data can only be read by the original sender and receiver. This means not even the platform has access. So if law enforcement calls, the service provider can’t hand over the messages because they don’t have them either.
Data about your data – e.g. what number you called, and for how long (but not the contents of the call). With enough metadata, hackers can piece together a pretty good picture of who you are, who you know, where you're going, etc. Plus legal protections around metadata are generally weaker.
Things To Do Now
- If you're on a webmail service, check that you're logging into it using an https:// URL. And if there isn't one, find a new email provider.
- Turn on two-factor authentication for your email service (e.g. Gmail instructions), using an authenticator app if they support one (e.g. Google Authenticator, DUO Mobile, Authy). SMS is no longer considered safe.
- Any password shorter than 10 characters is bad, but it's also okay-to-string-together-non-sequitur-words.
- Double check the security questions for your key online services (email, bank, Facebook, etc.) and make sure that they're not easy to answer by friends or by looking you up on Google.
- Use a different password for every service, because password leaks happen all the time. To make this easy, use a password manager – Lifehacker reviews them here. They also help generate more secure passwords.
- Use a non-common/obvious unlock code for your phone.
- If you use thumbprint (or facial recognition) unlock, immediately power off your phone if you're ever arrested. In the US, officers can compel you to provide your fingerprint but not your passcode. (The latter is protected by the Fifth Amendment – people have a right not to testify against themselves.)
Encrypt your devices
- Encrypt your phone storage: Android, iOS (many phones now encrypt by default, but it's worth double checking)
- Encrypt your laptop/desktop hard drive: Windows, Windows if no BitLocker, Mac OSX.
- Secure your backups too! Encrypt your backup hard drives and/or make sure your online backup storage solution supports end-to-end encryption.
- N.B. Remember encryption is only fully effective when the device is off!
- Turn off app-specific passwords that bypass two-factor authentication (e.g. instructions for Gmail).
- Turn on Login Alerts on Facebook.
- Set up a PIN code for your mobile phone SIM card: iPhone, Android. Search your phone provider's website to find out what their default SIM PIN is (it varies from carrier to carrier).
- Disable macros within Microsoft Office
Habits to Cultivate
- Be on the lookout for phishing scams: where possible double check the From email address and the domains that outbound links go to.
- Don't open unnecessary email attachments. Where possible, open/preview them first in an online document reader, or have colleagues use a filesharing server or service (Google Drive, SpiderOak, Dropbox), which tend to be a little harder to hack into.
- You can upload a suspicious attachment to VirusTotal for a check-up (but keep in mind files submitted to VirusTotal are available to security researchers so don’t submit sensitive information)
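As an added example of the first two checks above (not code from the original guide), a small Python script that parses an email, reads the From domain and compares each link's visible text with the host its href actually points to; the message, addresses and domains are constructed for the demo.

```python
import email
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse
# Constructed sample (made-up addresses/domains): a lookalike sender and a
# link whose visible text hides where it really points.
RAW_MESSAGE = """\
From: "Account Security" <alerts@example-bank-login.test>
Content-Type: text/html; charset=utf-8

<p>Please verify your account:
<a href="http://example-bank-login.test/verify">https://www.example-bank.com/verify</a></p>
<p>Help: <a href="https://www.example-bank.com/help">https://www.example-bank.com/help</a></p>
"""

class LinkCollector(HTMLParser):
    """Collects (href, visible text) for every <a> in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def host_of(text: str) -> str:
    """Lowercased hostname of a URL or bare domain; '' if not URL-like."""
    url = text if "://" in text else "http://" + text
    return "" if " " in text or "." not in text else (urlparse(url).hostname or "").lower()

def check_message(raw: str):
    """Return (From domain, findings): links whose shown host differs from the
    real target, and links whose target lies outside the sender's domain."""
    msg = email.message_from_string(raw, policy=policy.default)
    sender_domain = parseaddr(msg["From"])[1].rpartition("@")[2].lower()
    collector = LinkCollector()
    collector.feed(msg.get_body(preferencelist=("html",)).get_content())
    findings = []
    for href, text in collector.links:
        target, shown = host_of(href), host_of(text)
        if shown and shown != target:
            findings.append(f"link text shows {shown} but points to {target}")
        elif target and target != sender_domain and not target.endswith("." + sender_domain):
            findings.append(f"link to {target} does not match sender domain {sender_domain}")
    return sender_domain, findings
```

Either finding is a cue to go to the site by typing its address yourself rather than clicking; a legitimate newsletter can link to other domains, so the second check is a prompt to look closer, not proof of phishing.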
Update all the things
- When you get a notification to update your operating system (on your mobile or computer), do it right away
- Same for apps (mobile + computer)
- Check occasionally for firmware updates for your router (and other internet-connected devices)
- Change important passwords (e.g. email, computer login, password manager master) every year or two.
- Wipe your devices properly before donating/giving away: phone, computer
- Don't charge your phone at public charging stations/ports – they can be rigged to steal data.
💩 my phone/computer was stolen!
- Follow the Freedom of the Press Foundation's guide: What To Do If Your Phone Is Seized By The Police
- Wipe your phone remotely: see instructions for Android, iOS.
Scenario: I think my computer has been hacked
- Download an application that will notify you when data is being sent out from your computer. E.g. Little Snitch for Mac
- Run Activity Monitor on Mac or Process Explorer on Windows to look at what processes/applications are running. Google any suspicious names.
- Login to important online accounts to see if there have been any suspicious logins – see this Motherboard guide for details.
Things To Do Now
- Review the privacy settings on social networks you frequent: who can see your content, who can comment on it, and who can see your location.
- Review what's connected to your main email/social media accounts (e.g. what kinds of services have access to Facebook, and what data can they access and/or can they post on your behalf)
- Set up your devices with third-party applications (e.g. Lookout Security, Prey) so you can remotely track, wipe, and encrypt your devices from a website in the future.
- Set up end-to-end encryption for computer-based instant messaging: EFF guide for Mac, Windows, Linux
- Review the extensions/add-ons/plug-ins that have been installed within your computer web browser – delete any that you haven't used in a while or don't remember installing.
Habits To Cultivate
- Post less personal information online – especially information that can be used to identify/track/scam you (addresses, phone numbers, birthday, etc.). Remember almost everything you say online is logged somewhere and that even if your setup is secure, your recipient's setup may not be.
- Use a paid VPN service when on public networks (e.g. cafe wifi) – free VPN services are bad because operators don't have enough incentive to protect you/your data. See the Freedom of the Press Foundation's guide to choosing VPNs and their five recommendations.
- Start using Signal, an end-to-end encrypted mobile messaging app that's generally agreed to be safe/secure/robust. (Beyond Signal, there is little consensus on what's secure and people tend to get very emotional about their choice of mobile messaging apps.)
- Start making end-to-end encrypted voice calls (available on Signal, WhatsApp, Jitsi, Silent Phone, Zphone, etc.).
- If you ever need to send someone a password, split it in half and send via two different channels (e.g. email + voice call).
- Buy more secure mobile phones ($$$): either an iPhone or an Android phone that implements a "pure" Google version of Android (at the least you should be able to go to Settings → Security and see options for encryption and SIM card lock).
- If you own domains, use WHOIS privacy services and stick with them (they're worth the money). But note that with WHOIS lookup/history tools, if you've ever put in your real address, it's very difficult to remove from the logs.
Scenario: Online harassment & doxing
- See Feminist Frequency's Speak Up & Stay Safe(r)
- See Crash Override: So You've Been Doxed.
- See Crash Override: Preventing Doxing.
- See Equity Labs: Anti-Doxing Guide for Activists Facing Attacks from the Alt-Right
- Use Traveling Mailbox to obscure your postal address.
- Use Burner to set up burner phone numbers for calling/texting.
- Pay PrivacyDuck to scrub your information online. If you are an activist you can contact Equity Labs for a discounted rate.
- Pay Reputation.com to remove your information from paid sites and monitor them to make sure it stays removed.
- Alternately, both PrivacyDuck and Motherboard have free online resources to help you remove your information yourself.
- Reach out to online communities you're an active member of and ask for help. See PEN America's article on Deploying Your Supportive Cyber Communities.
Scenario: Attending a protest
- Draft a message to a trusted friend who is elsewhere. Be ready to hit send if you are arrested/there is an emergency.
Scenario: Sexting & revenge porn
💦 💦 💦 💦 💦 (a work-in-progress)
- Buy a YubiKey USB key to use for two-factor authentication.
- Fortify your self-hosted WordPress website with Cloudflare + iThemes Security.
- Keep your personal information off the internet: Google your own name, phone number and address to see what comes up, and contact the respective site to remove your details.
- Delete old accounts to eliminate traces of personal information on the internet. Use Justdelete.me + Have I Been Pwned to accelerate this process.
- Keep less information/data/photos on your devices – you can't lose what you don't have!
- Don't use Google/Twitter/Facebook to sign up/login to other services – each service should have its own account.
- Encrypt emails with PGP: Mac OS X, Windows, Linux
- If PGP email is too much of a hassle, sign up for a Protonmail or Tutanota email account.
- Use an adblocker on your computer and mobile.
- Search the web anonymously with DuckDuckGo
- Set up a fenced off, secure OS: Tails.
- If you're crossing the border into a country with a track record of seizing travelers' data and you're carrying highly sensitive information – see Wired's guide and BoingBoing's addendum about making data unavailable, setting up burner accounts, and filing for attorney privileges at the border.
- If you're attending a high-risk protest: leave your phone at home or use a burner phone. More info from the EFF about protesting in the US, and internationally.
- Don't put any stickers on your laptop or phone that could be mistaken as a hacking and/or political organization – it might get you stopped at the border one day.
- Generating Diceware passwords
- If you're a journalist who uses Signal regularly, step up your safety practices by following Martin Sheldon's Locking Down Signal guide (or similarly for WhatsApp if you use that a lot).
- If you're a public figure/writer/artist, consider working under a persistent pseudonym or collective identity – this Tactical Tech manual has more details on that.
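The Diceware item above and the password advice under Things To Do Now (10+ characters, or strung-together non-sequitur words), as an added Python example that is not from the original guide: it rolls dice with the OS random generator to pick words and compares the entropy of the options. It assumes a constructed 36-word stand-in list keyed by two dice; the real Diceware list has 7776 words keyed by five dice, and the numbers for that list are computed directly.

```python
import math
import secrets

# Constructed stand-in wordlist: 36 words indexed by two dice (11..66).
# The real Diceware list has 7776 words indexed by five dice (11111..66666).
SAMPLE_WORDS = (
    "acorn badge cabin daisy eagle fable gable habit igloo jelly kayak lemon "
    "mango noble ocean panda quilt river salad tiger ultra vivid wagon xenon "
    "yacht zebra amber bison cedar delta ember fjord ginger hazel ivory jumbo"
).split()
SAMPLE_LIST = {f"{i // 6 + 1}{i % 6 + 1}": w for i, w in enumerate(SAMPLE_WORDS)}

def roll_dice(count: int) -> str:
    """Roll `count` fair dice using the OS CSPRNG, e.g. '3516'."""
    return "".join(str(secrets.randbelow(6) + 1) for _ in range(count))

def diceware_passphrase(n_words: int, wordlist: dict) -> str:
    """Pick n_words words by dice roll; the key length sets the dice per word."""
    dice_per_word = len(next(iter(wordlist)))
    return " ".join(wordlist[roll_dice(dice_per_word)] for _ in range(n_words))

def entropy_bits(choices: int, length: int) -> float:
    """Entropy of `length` independent uniform picks from `choices` options."""
    return length * math.log2(choices)

def compare_strength() -> dict:
    """Bits of entropy for the guide's 10-character floor vs Diceware phrases."""
    return {
        "10 random printable chars": entropy_bits(94, 10),
        "4 Diceware words": entropy_bits(7776, 4),
        "6 Diceware words": entropy_bits(7776, 6),
        "5 words from this 36-word sample": entropy_bits(36, 5),
    }

if __name__ == "__main__":
    print("sample passphrase:", diceware_passphrase(5, SAMPLE_LIST))
    for label, bits in compare_strength().items():
        print(f"{label}: {bits:.1f} bits")
```

The entropy figures only hold when the words are chosen by dice (or a CSPRNG), not by hand; words you pick yourself are far more guessable than the formula suggests.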
Oh my you made it this far! You are a true
These are the main sources that I drew from, all of which were tremendously helpful and are good guides in their own right:
- Digital Security Low Hanging Fruit by John Scott-Railton
- Computer Security Tools and Concepts for Lawyers by Kendra Albert
- Crash Override's Resource Center
- The Electronic Frontier Foundation's Surveillance Self-Defense
- How to encrypt your entire life in less than an hour by Quincy Larson
- Anti-Doxing Guide for Activists Facing Attacks from the Alt-Right by Equity Labs
- The Motherboard Guide to Not Getting Hacked
Let me know by filing an issue if there are any other guides that you found useful that you think I should include.
This work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License.