How To Quickly Up Your Privacy Game On The Internet This Afternoon

There has been a lot of interest in digital privacy and security over the last few days. While I’ve been helping individuals bootstrap themselves, I thought I should put together a list both for me to refer to and for other people who are bootstrapping others (or themselves) right now.

IMPORTANT: This is not an exhaustive list; I’m not a security professional. I haven’t talked about things that require, say, self-hosting or extensive configuration; GPG is meant to be the most technically complicated thing on this list. Nor is this meant to be "best practices" – I’ve made some very deliberate compromises with these choices – see my note about messaging.

This is meant to be a "day off" length of project to set up for every regular user.

Note: Prioritize this for your next chunk of free time. Like today. On Monday the court could decide whether federal agencies have any say in anything or whether states can just ignore them.

Rather than rewrite a lot of good guides, I’m going to list some of the operational security and privacy measures that I’ve thought of over the last few days. Some you’ve probably seen before, some you may not have considered. I’ve linked to guides whenever possible.

These are arranged in rough order of "bang for your buck" and ease of implementation.

  • Messaging: The key thing that you want is "end to end encryption" (the message stays in its envelope until it gets to the recipient), and a service that doesn’t go through an advertising company. Open source is preferable. While there are arguably better technical solutions (E2E P2P XMPP over Onion, probably), the best "drop-in" solution for the general public right now seems to be Signal. Signal can do encrypted VOIP phone calls as well.
  • VPNs: A "free" VPN is not sufficient. I personally use Private Internet Access, but I’ve also heard good things about ProtonVPN. Torrentfreak has a good roundup of which VPN providers retain data and how well they protect privacy.
  • Reduce or remove the number of apps recording or phoning home your location. That means fitness apps, Pokemon Go, Google and Apple Maps, and probably a lot more. Force stop and disable as many of them as you can, but be aware this is a partial solution at best, since your cell provider still tracks your location via network tower location.
  • Control and/or delete the information you share online. Aside from the "people search" websites I talked about last week, the Washington Post has a pretty good article about deleting as much as you can online, and a guide to the privacy settings to change in your apps and phones.
  • As noted by many people, period tracker apps are problematic in the current environment. Planned Parenthood has designed and released one that reportedly keeps all data local and private if you must use one.
  • Turn off the Google App and Assistant and Alexa and Ring and and and. It is no longer funny that you installed a wiretap in your home.
  • Use a privacy-centered browser. That means ditch Chrome and Edge immediately at a minimum. Firefox is probably the most familiar decent alternative, especially if you use containers (there are guides on increasing privacy even more). Vivaldi (good but getting feature-bloated, IMHO) and Chromium (a de-Googled version of Chrome) are options if you absolutely need those Chrome extensions. For your most private stuff, keep a copy of the Tor Browser around; it allows you to browse as close to completely privately as you can get with zero configuration.
  • Move to a privacy-centered search engine. DuckDuckGo has become a pretty mature and good alternative. Alternately, try Searx (or host a copy yourself!) to get search results from multiple search engines while keeping your privacy.
  • Use the web app versions of social media sites, particularly in something like Hermit (Android) where each webapp is kept isolated. I do not know of an iOS app that does the same thing.
  • Change your DNS server on your computers, phones, and (if you can) router. TL;DR: The DNS server is how your computer knows where "plannedparenthood.org" is at and how to reach it. Right now, your devices are probably asking either your ISP, your phone company, CloudFlare, or Google. They may not know why you went to those sites, but there’s a record of you going to those sites. Using your VPN should solve this, but if you can change your home router settings, that will help even when the VPN isn’t active or for devices that can’t use it. I wrote more about this in 2018; the advice is still good.
  • Get a GPG key and encrypt and sign all your email. Lifehacker’s guide is still good; just know that Enigmail is no longer needed with Thunderbird – it can handle it all without an extension. The TL;DR: Use Mailvelope if you must use webmail, Thunderbird for desktop email.
  • Move away from advertising companies hosting your email. A good list of privacy-centric email providers is here: https://www.lifewire.com/best-secure-email-services-4136763
  • If you find yourself needing to navigate in the real world and simultaneously, say, be in airplane mode so your phone isn’t talking to anyone, consider apps that download OpenStreetMap data and use it offline. OsmAnd is a good example of one such application, though I wish its address support was better. I’ve learned to search for the name of the place rather than the address, which seems to work well. Also it’s better for just walking or biking around and exploring.
  • Every purchase you make – unless you’re buying with cash – is recorded somewhere, and can be tied back to you. It might take some work, but the data is there. Keep this in mind when making sensitive purchases. Allies who are willing to be the point of the spear: make those purchases for those who are not in a position to do so.
  • Absence of data is also data. So if you’re doing more active activism, seriously consider leaving your smartphone at home, or getting an older unlocked burner phone not otherwise associated with you. Otherwise, at least look into a Faraday bag. Location data was used to target individuals at BLM protests.
  • I highly recommend Cory Doctorow’s Little Brother and Homeland as enjoyable novels that also introduce a lot of very pertinent concepts. You can get the Creative Commons PDF of Little Brother at https://craphound.com/littlebrother/CoryDoctorow-_Little_Brother.pdf

If you are considering direct activism, there are far more detailed guides about protecting yourself digitally while taking part in direct activism; please do some real research.

Just be sure to use DuckDuckGo instead of Google.

Featured photo by Tobias Tullius on Unsplash