Privacy & Security

Privacy is a somewhat nebulous concept. To make it more concrete, we propose three fundamental aspects of privacy: secrecy, the ability to express oneself selectively; anonymity, the ability to act without revealing your identity; and autonomy, freedom from interference by those watching you. In the digital realm, privacy and security go hand in hand, since security is often necessary to enforce one’s privacy.

There are no absolutes in privacy or security. We hope to make you safer, and the more people who adopt safer digital privacy practices, the safer we all are. Encourage others who organize in their communities to take privacy seriously and to see it as a fundamental part of their organizing.

While technologies such as encryption can play an important role in protecting individuals and communities, digital safety begins with using devices and software that you control. That means using free/libre software:

“Free software” means software that respects users’ freedom and community. Roughly, it means that the users have the freedom to run, copy, distribute, study, change and improve the software. Thus, “free software” is a matter of liberty, not price. To understand the concept, you should think of “free” as in “free speech,” not as in “free beer”. We sometimes call it “libre software,” borrowing the French or Spanish word for “free” as in freedom, to show we do not mean the software is gratis.

Threat Modeling

Before you go about trying to implement security and privacy measures, you need to understand what you’re protecting against. This is where threat modeling, also known as risk assessment, comes in.

  1. Identify assets: What is it that you want to protect?
  2. Identify adversaries: Who might interfere?
  3. Identify their capabilities: What kind of resources do your adversaries have at their disposal?
  4. Identify risk: How likely is a threat? How bad are the consequences?

Consider whether your threat model includes mass surveillance programs, such as the NSA’s PRISM and Upstream programs, corporate surveillance, such as Google’s data mining for targeted advertising, targeted surveillance by law enforcement, doxxing, or something else. Most of the technologies and advice listed here can reduce the effectiveness of passive, mass surveillance by government and businesses. Please note that if you are the target of active surveillance, you should consult a lawyer instead of reading this guide.

Operating Systems

Windows, macOS, iOS, and Android are all proprietary, meaning they obey their developers first, and only obey the user secondarily. All four have known privacy flaws. GNU/Linux, on the other hand, is free software.

Phones

All phones have proprietary components, which combined with their always-connected nature and portability makes them inherently insecure. As such, your phone should never be trusted with highly sensitive information involved in browsing, communication, or anything else.

Here are some ways you can mitigate privacy risks in your day-to-day use of a phone:

All in all, consider what information will be exposed if your phone is confiscated or otherwise compromised. (For more, see our “Text, Voice, and Video” section below.)

Many of these tips are elaborated upon in Freedom of the Press Foundation’s training guide:

Full-Disk/Volume Encryption

Full-disk (or full-volume) encryption can protect the contents of your device from being inspected by someone who has taken physical control of your device. On GNU/Linux we recommend dm-crypt with LUKS, Windows includes BitLocker, and macOS includes FileVault. Full-disk encryption is only fully effective when your device is powered off. Make sure to set a strong login password as well.

You may also want to individually encrypt files or encrypt external storage devices. VeraCrypt is a popular free-software tool for doing just that.

Password Policies

Password Managers

Generate strong passwords and keep track of them using a password manager, such as KeePass (or KeePassX for MacOS).

Diceware

If you have one or more passwords that you must remember or type frequently, use Diceware, a technique for creating strong, easy-to-remember passwords by rolling dice.

Two-Factor Authentication

Take advantage of two-factor authentication (2FA) whenever it’s available. Download FreeOTP (Apple App Store, Google Play Store). 2FA can be inconvenient because it relies on you having your phone. Make sure to back up your phone regularly so as not to lose access to your accounts.

Safer Browsing

Advertisers aggressively track your activities online through cookies, browser fingerprinting, and other tracking techniques. Furthermore, if you use a proprietary browser such as Chrome, Internet Explorer, Edge, Safari, or Opera, it is likely compromising your privacy in other ways. We recommend GNU IceCat, Firefox, or Iridium (based on Chromium). We also recommend Firefox Focus if you use a Web browser on iOS.

Browser Extensions

Browser extensions are small programs that extend the functionality of your browser, including enhanced privacy features. Browser extensions are somewhat standardized, so an extension that works in Firefox might also work in Chromium, for example. For GNU IceCat/Firefox we recommend installing CanvasBlocker, Decentraleyes, HTTPS Everywhere, Cookie AutoDelete, and uBlock Origin.

Search Engines

Use a privacy-respecting search engine. When performing sensitive searches, consider taking steps to enhance your anonymity by, for example, using the Tor Browser.

DuckDuckGo is popular and is fairly user-friendly. They are based in the US, but have a good privacy policy.

StartPage has a strong privacy policy that claims not to log searches in a way that can be connected to you. It’s based in the Netherlands.

Searx is a privacy-respecting search aggregator. The source code is free, and you can run your own instance of the service if you want.

VPNs

Internet service providers (ISPs) abuse their position as your gateway to the Internet by keeping track of websites you visit and even inspecting the contents of files you download in order to serve copyright violation notices. Some ISPs, including Verizon and Xfinity, have been caught in the act of performing man-in-the-middle (MITM) attacks on their customers by intercepting customers’ traffic and injecting their own advertising into Web pages. Using public wi-fi puts you at further risk, since anyone on the network can snoop on your Internet traffic, which has both important privacy and security implications.

A virtual private network (VPN) allows you to make a single secure connection that relays your Internet traffic for you. This protects you from someone snooping on your local network, from your ISP, and hinders the websites you visit from determining your geographical location. Note, however, that using a VPN creates a single point of failure since you are now trusting the VPN provider with all of your Internet traffic. Depending on your threat model, using a VPN may or may not be a good idea.

Online VPN reviews and top-10 lists are almost always stealth advertising paid for by the VPN providers themselves. Avoid gratis VPN services at all costs. The lower the price, generally, the lower the quality.

Email

Email is inherently problematic when it comes to privacy because of its very design. While you can take steps to conceal the contents of your email messages, email exposes information about sender and recipient. Email is still useful and, of course, unavoidable. There’s nothing wrong with using it as long as you keep in mind what information it does and doesn’t expose.

For community groups, we recommend using Tutanota or ProtonMail as your email provider and listserv, since they offer automatic end-to-end encryption of in-network messages.

Phishing

Email is an exceedingly common vector for social engineering attacks, whereby an attacker impersonates a trustworthy entity, such as a bank or someone you know, in order to elicit sensitive information from you. This is often done by including a link to a decoy login page designed to steal your login credentials or a link to a site hosting malware that attacks your browser. Furthermore, malware is commonly attached to an email disguised as a legitimate document.

Because phishing is a cheap and easy method of attack, it is a popular method employed against activists. It is important to avoid following links or opening email attachments that you were not expecting. Even professional security researchers can fall for phishing attacks. Stay vigilant, and whenever you receive an email with a link or attachment that you were not expecting—even if it appears to be from someone you know—check with the sender via another channel before opening it to make sure it is legitimate.

Text, Voice, and Video

SMS text messaging does not offer privacy, and mainstream methods of voice and video communication are known to be surveilled as well, including normal phone calls and software like Skype. iMessage and FaceTime are popular among macOS/iOS users, but both are proprietary.

Secure Messaging Apps

Check out Conversations/ChatSecure and Element and try one out. Also be aware of Signal and Wire but understand that they are walled gardens, only allowing you to communicate with others using the same service and same software.

No solution is perfect. Consider the pros and cons of each one in relation to your threat model. For example, if you want to prioritize anonymity, Signal would be a poor choice since it uses your phone number as an identifier.

Voice and Video

Most of the chat clients we listed above also support secure voice and video calls. For video/voice conferences, we recommend Jitsi Meet.

Collaboration

Ditch Google Drive in your organizing. Instead of trusting a data-mining company with your data:

Using these platforms on Tor can add an extra layer anonymity.

Social Media

There is nothing inherently wrong with social media, however popular centralized social media sites such as Facebook and Twitter are dangerous because they subject their users to broad and unhindered surveillance. Their users are not their customers. Their customers are advertisers, and their users’ information and attention are the commodity they sell. The more they are able to learn about you, the higher the price at which they can sell you to the advertisers. Furthermore, oppressive governments get access to their abundance of data—with or without the companies’ cooperation or knowledge—which they use to quash dissent.

Behavior

Sometimes you can enhance your privacy just by changing your habits. Here are some suggestions:

Know Your Rights

Dealing with law enforcement can be stressful and confusing. The Electronic Frontier Foundation has a good resource on your digital rights in the U.S. Here are some highlights:

Private Software Alternatives

Here is a curated list of privacy-respecting alternatives to popular software:


Please keep in mind that the state of the art is always changing. Make sure to do your own research and keep up to date. This guide was last reviewed on 2021-08-07.

Changes
  • 2021-08-07: Removed link to privacytools.io (The website recommends non-free software, which is counter to our recommendation policies.)
  • 2021-08-07: Removed recommendation of uMatrix extension (The extension was discontinued and its functionality has largely become redundant with uBlock Origin.)
  • 2021-08-07: Removed recommendation of Privacy Badger extension (The extension's functionality has become redundant with uBlock Origin.)
  • 2021-08-07: Riot Matrix client replaced by Element (Riot was renamed to Element.)