
Digital security for activists

Keep your movement safe online
Last update: Apr 8, 2025

You should protect yourself from hackers and government surveillance. As an activist, you are in a high-risk group.

Digital security practices help protect campaigners from malicious online attacks and intrusive surveillance efforts led either by groups that are hostile to your agenda or by repressive government agencies.

Article quality: ⭐️ (2/5)

Digital security guides quickly get outdated. This guide was updated a while ago. Make sure to do additional research!

Who needs this?

Groups working on social/racial justice, environmental, immigration and refugee issues, as well as gender and reproductive rights are being targeted by hackers/trolls that are intent on subverting their work for political reasons. These groups often learn the price of unsecured digital tools the hard way when their accounts are accessed and corrupted by malicious actors. Campaigners working in environments under repressive regimes must also adapt their digital security practices to prevent surveillance and attempts to neutralize their groups through hacking and information leaks.

Impact/Why do this?

Groups that put in place some basic digital security practices and tools are saving themselves from some potentially damaging attacks with a little effort and attention.

When you take your internal digital security seriously, you're helping keep everyone in your community safe—especially those who are most vulnerable. Make it as high a priority as data analysis, matching voter files to internal records, etc. Recent reports suggest that the Clinton campaign actively rejected advice to turn on two-factor authentication on its Google accounts. The result was Clinton's campaign manager getting hacked -- in a way that couldn't have happened had he turned on two-factor authentication. This in turn enabled the release of thousands of damaging emails. The rest is history. Without security it's potentially game over.

Important first step: Threat modeling / security planning

Threat modeling (aka "security planning") often involves asking five questions:

  1. What do I need to protect?

  2. Who do I need to protect it from?

  3. How much do they want that information, and how easy is it for them to get it?

  4. What happens if they do get it?

  5. What am I willing to do to stop that from happening?

A useful tool for conducting a risk level assessment is the Secure Communications Framework (SCF), developed by Tim Sammut. This tool uses a simple chart on which you can plot the different kinds of information, materials and data that your organisation works with, according to:

  • The capability of external actors (adversaries, be they individuals or organizations) that would like to acquire this information, for undesirable purposes

  • The impact of having this particular type of information compromised or exposed.

If your organisation manages data or information that falls in the blue quadrants (in the illustration below) then following basic best practices for digital security, as outlined in this guide, is sufficient. If you manage information in the orange quadrants then more stringent measures are required and it may be desirable to seek support from trusted security experts, such as the groups listed below. If your organisation manages information that falls into the red quadrant then working with trusted security experts is a must.

Security checklist

Note: If your threat level assessment reveals a very high risk of attacks, it is best that your organization seeks direct support from one of the groups listed below.

Groups facing a low to moderate threat can start with this list of ‘must-do’ practices that will close some of the basic vulnerabilities that are most often exploited by hackers.

The list below is a good starting point. Since digital security changes frequently, we also suggest you take a look at resources like Activist Checklist and Surveillance Self-Defense.


Check if you have updated your OS, browser, and apps on all org computers and devices

More than 90% of software and operating system (OS) updates are to patch security vulnerabilities in programs!

Safety and privacy while browsing

If you are using public / untrusted wifi, using a Virtual Private Network (VPN) is recommended. The most trusted VPNs in activist spaces are IVPN, Mullvad, and Proton VPN. If you are concerned about particular websites tracking your internet browsing then you can install an extension like Privacy Badger.

Turn on two-factor authentication for every cloud service you use, work and personal.

"Two-factor authentication" adds an extra step when logging into an account. It requires you to enter a code (generated by an app or by a text message) in addition to a password. It's an important protection against "phishing" attacks, which can trick you into providing your login credentials to someone else. Services that provide two-factor authentication include Google accounts (covering Gmail, Calendar, and Drive), iCloud, Twitter, Facebook, Dropbox, Box, Microsoft accounts, and more (a more comprehensive list can be found here). For more protection, consider Google's Advanced Protection Program, which provides hardware "keys" that are necessary to log in to your accounts. (The Digital Security Exchange can provide these kits for free.) As a rule of thumb, if a service provider does not offer two-factor authentication then do not use it to store sensitive information.

Download and use Signal and Jitsi and get your colleagues to do it too.

Signal is a popular and secure messaging app that encrypts all of your conversations with other Signal users. It's important because regular SMS text messages are easy to intercept by law enforcement and other third parties. Signal makes it impossible for anyone but you and the people you're communicating with to read your messages. Plus, it has a great desktop app and it's easy to set up groups.

For secure online conferencing, you can use Signal video calls whenever possible. If Signal doesn't work for you, consider using Jit.si.

Use a password manager to create and store strong passwords.

Weak passwords are an invitation to be hacked. A password manager like 1Password, BitWarden, or KeePassXC makes it easy to create unique, strong passwords for every account you have. Install one of those apps and start replacing and saving your passwords for all of your accounts. In addition, make sure the login passwords for your personal devices and for your password managers are strong.

Pro tip: It's a myth that strong passwords must contain every character under the sun. In fact, length is what matters. So when possible, use a passphrase, rather than a password. For example, a passphrase like "the Russians probably interfered in our election" is a very strong passphrase!

Here are some recommendations for passwords:

  • At least 13 characters in length

  • Add numbers and special characters

  • Use both uppercase and lowercase letters

Easy to remember, hard to crack:

  • Line from a favorite book, movie, or song

  • Address (not linked to you!)

  • Mantra or intention

  • Passphrase

Do NOT use information publicly available about you:

  • Name of your partner, child, or pet

  • Favorite sports team

  • Favorite food

Prioritize accounts for complex passwords

  • Do NOT reuse passwords between accounts. Passwords get hacked and leaked all the time. If your password on one site is exposed, an attacker will just attempt to use it on other popular sites.
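
To put numbers on the "length is what matters" tip above, here is an added example (not part of the original guide) that compares a random 13-character password with a passphrase of randomly drawn words. It assumes every character or word is picked uniformly at random, 94 printable ASCII characters, and a 7,776-word diceware-style list; the 16-word list in the code is constructed for illustration. A line from a book or song is not random, so its real strength is lower than this estimate.

```python
import math
import secrets

PRINTABLE_ASCII = 94    # assumption: symbols available on a US keyboard
DICEWARE_WORDS = 7776   # assumption: diceware-style list, 6**5 entries

# Constructed 16-word list for illustration only; a real list needs thousands of words.
SAMPLE_WORDS = ["anchor", "breeze", "cactus", "dynamo", "ember", "fjord",
                "glacier", "harbor", "indigo", "jigsaw", "kettle", "lantern",
                "meadow", "nectar", "orchid", "pebble"]


def entropy_bits(pool_size: int, picks: int) -> float:
    """Entropy of `picks` independent, uniformly random choices from a pool."""
    return picks * math.log2(pool_size)


def words_needed(target_bits: float, wordlist_size: int) -> int:
    """Smallest number of random words whose entropy reaches target_bits."""
    return math.ceil(target_bits / math.log2(wordlist_size))


def generate_passphrase(wordlist, n_words, sep=" "):
    """Draw words with the OS CSPRNG; humans picking words are not random."""
    if len(set(wordlist)) != len(wordlist):
        raise ValueError("duplicate words would overstate the entropy")
    return sep.join(secrets.choice(wordlist) for _ in range(n_words))


def compare():
    """Strength of the guide's 13-character minimum vs. random-word passphrases."""
    password_bits = entropy_bits(PRINTABLE_ASCII, 13)
    n = words_needed(password_bits, DICEWARE_WORDS)
    return {
        "13_random_chars_bits": round(password_bits, 1),
        "words_to_match": n,
        "passphrase_bits": round(entropy_bits(DICEWARE_WORDS, n), 1),
    }


if __name__ == "__main__":
    print(compare())
    print(generate_passphrase(SAMPLE_WORDS, 6))
```

Seven random words from a large list match a fully random 13-character password, which is why a password manager's passphrase generator is a better source than a phrase you make up yourself.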

Make sure all of your devices are encrypted.

This makes it much harder for law enforcement or hackers to access the data on your devices. iPhones are already encrypted. Android phones are not (unless you have a Google Pixel), so you should go into the Security settings and enable encryption. Any Mac computers newer than 2017 have FileVault encryption on by default. On Windows, you should use the BitLocker application (preinstalled) to encrypt your drive.

If you want to encrypt specific information / files on your device then you can use an open source program like VeraCrypt.

Mobile device security

  • Make sure your mobile PIN is at least 6 digits. A truly random 10-digit phone PIN is recommended and would take up to 6 years (on average) to brute-force crack.

  • Make sure you keep auto-update of your applications switched on and ensure they are kept up to date. For Android, only download applications from the Google Play Store. If this is not possible, you can first upload APK files to www.virustotal.com.

  • Take extra care when accessing organisational information over public wifi - if you need to do this regularly then invest in a VPN.

  • For groups that have more acute security concerns, a factory reset of mobile devices is recommended every few months to make sure any malicious tracking is wiped out (but this presents the inconvenience of re-configuring devices). You can also use iVerify to check for certain spyware.

Tricky parts/fixes

Most digital security measures take some time to implement and get used to. In the busy and resource-strapped world of advocacy campaigning, this can be a drag. However, if your security risks are low to moderate, then the measures outlined above may take some adjustment to implement but generally do not add a lot of extra time to day-to-day operations once they have been put in place.

Support groups

For groups around the world

If you represent a progressive group that needs immediate help, reach out to Access Now's Digital Security Helpline, which is available 24/7.

For U.S. civil society groups

The folks at Ragtag.org run a ‘help desk’ to support progressive campaigners. You can submit digital security questions to them here: https://www.campaignhelpdesk.org/

Attribution

This article is an adaptation of the one written by Blueprints for Change.

Input and resources for this guide were provided by:

Josh Levy from Digital Security Exchange, Sarah Lange and Holly Davis from Blue Pine Strategies, Dia Kayyali from Witness, Martin Shelton, Steve Anderson, Chris Alford from Amnesty International

This guide was prepared and reviewed by:

Tania Mejia, Tom Liacas, Josh Levy, Chris Alford, Sarah Aoun, Steve Anderson

All our work is available under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International Licence, unless otherwise noted.