We’re spending more and more time working and playing in the digital world, so we need to learn and practice new skills to ensure we’re safe and secure — not only when we’re online, but also when we’re moving between physical and digital environments.
There are hundreds of digital safety resources online. We reviewed some of these and, with added expertise from the OPTF team, we’ve compiled a list of tips on staying safe in your digital world.
These Digital Safety Tips are intended for those of us who are active users of digital technologies and wish to have a basic level of protection against digital threats.
If you’re someone who is concerned about being targeted by digital attacks, or working on sensitive issues (eg. you are a journalist or human rights defender), you should consider these Digital Safety Tips. However, it is also important you take additional precautions and implement stronger and more comprehensive digital security and privacy practices.
Secure your infrastructure
- Update or upgrade all your software. Do not use pirated or unofficial software.
Most of us put locks on our doors to keep our homes safe and secure. So why would you use leaky software that leaves your digital life open to intruders?
Use original software for your operating system (eg. Windows) and all the apps you use. Be careful not to download applications from unknown sources, or install programs that have been sent to you through email.
If you can’t afford to buy the originals, talk to the organisation you work for, or get them to talk to their donors. You can also look into programs like TechSoup or ask a more knowledgeable friend to set you up with an easy-to-use free software solution.
If you own an iOS device (iPhone or iPad), Apple provides ongoing updates for it, and you can install them yourself from the Settings app. Make sure you regularly update your device’s operating system.
The situation is more complex if you own an Android device. Low-cost devices often come with their own flavour of the Android operating system and may have weak security, or even built-in compromises and vulnerabilities. Often these operating systems cannot be updated at all. Even branded Android phones, such as Samsung, have a poor history of maintaining the security of older models. Android owners can read more about the challenge of keeping the operating system safe here.
Protecting against Malware
- Only install software from trusted sources. Don’t be tricked into downloading unknown software.
Malware, or malicious software, is intended to undermine the security of your computer or mobile device. Depending on the type of malware, it may allow attackers to steal or siphon data from your device, alter or delete your data, lock you out of your device, take complete control of it, enlist it in distributed denial of service attacks, or carry out other harmful acts.
Malware can be automatically installed on your device by visiting a malicious website or by clicking on a link in a message.
Securing your infrastructure is one way to limit malware. Both Windows and macOS also have built-in features that make it harder for malware to be installed. However, it is still possible for malware to infiltrate your laptop or device and undermine your privacy and security.
If you have a file or link that you think is suspicious, you can use VirusTotal to check whether it is known malware. Be aware that anything you upload is shared with VirusTotal and its partner vendors, so do not upload confidential documents; searching for the file’s hash instead tells you whether that exact file has already been seen, without uploading it.
If you suspect your computer or device has been infected by malware, you may need to install malware removal or antivirus software, or wipe the device and reinstall the operating system.
Passwords and controlling access
- Use two factor authentication.
- Use a password manager.
- Check if your email has been part of a data breach
Because so much information about us is publicly available or easily guessed, simple passwords such as our partner’s name or the name of the street we live on are simply not safe or secure to use. Thankfully, most apps and websites now force us to use more complex passwords. However, that doesn’t mean common patterns like ‘1Qwerty!’ are secure: a keyboard walk with a digit in front and a symbol at the end is in every attacker’s wordlist, however many character classes it mixes. Using computer-generated passwords, like with this tool, creates truly random, complex and secure passwords. This tool gives you an idea of how to measure the strength of your passwords. Using a different password for every app and service means that even if one password is leaked, your other accounts stay safe. Remember to store your passwords somewhere only you will be able to access them! Unless you have a photographic memory, a password manager is the practical way to do this.
Sensitive information, including password reset links, is often sent through email, so we recommend making sure your email accounts have strong passwords and 2FA enabled. There may be other accounts, like banking, financial and health-related apps, where you also want to ensure strong access controls.
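As an added illustration for this section (example code written for this page, not a tool the original links to), the Python below makes ‘computer-generated’ and ‘strength’ concrete: a password drawn uniformly at random from an alphabet has entropy of length × log2(alphabet size), and that formula is only meaningful for generated passwords, never for human-chosen patterns like ‘1Qwerty!’. The tiny word list is constructed for the example; a real passphrase generator would draw from a published list of thousands of words.

```python
import math
import secrets
import string

# Letters, digits and punctuation: the 94 printable ASCII symbols.
FULL_ALPHABET = string.ascii_letters + string.digits + string.punctuation

# Constructed, deliberately tiny word list for demonstration only.  A real
# passphrase generator uses a published list of thousands of words.
DEMO_WORDS = ("anchor", "basalt", "cobalt", "dahlia", "ember", "fjord",
              "granite", "hazel", "iris", "juniper", "kelp", "lumen",
              "marble", "nectar", "onyx", "pewter")


def entropy_bits(choices: int, pool_size: int) -> float:
    """Entropy of `choices` symbols drawn uniformly from a pool of `pool_size`.

    Only valid for uniformly generated secrets.  '1Qwerty!' is 8 symbols from
    the 94-symbol pool, so this formula would claim about 52 bits, but it is a
    keyboard walk with a common prefix and suffix and appears in cracking
    wordlists: the formula says nothing about human-chosen passwords.
    """
    if choices <= 0 or pool_size < 2:
        return 0.0
    return choices * math.log2(pool_size)


def generate_password(length: int = 16, alphabet: str = FULL_ALPHABET) -> str:
    """Uniformly random password from the OS CSPRNG (secrets, never random)."""
    if length < 1:
        raise ValueError("length must be positive")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def generate_passphrase(words: int = 6, wordlist=DEMO_WORDS, sep: str = "-") -> str:
    """Diceware-style passphrase: each word is one uniform draw from the list."""
    if words < 1:
        raise ValueError("words must be positive")
    return sep.join(secrets.choice(wordlist) for _ in range(words))


def length_for_bits(target_bits: float, pool_size: int) -> int:
    """Smallest number of uniform draws from `pool_size` that reaches target_bits."""
    return math.ceil(target_bits / math.log2(pool_size))


if __name__ == "__main__":
    pw = generate_password(20)
    print(pw, f"{entropy_bits(20, len(FULL_ALPHABET)):.1f} bits")
    # A 7776-word diceware list gives about 12.9 bits per word.
    print("words needed for 128 bits from a 7776-word list:",
          length_for_bits(128, 7776))
```

The practical reading: 20 random characters from the full alphabet, or 10 words from a 7776-word list, both clear 128 bits, and a manager can remember the former while you remember the latter.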
Two Factor Authentication (2FA)
Many sites offer two factor authentication to improve security. If you have the choice of using 2FA, we recommend you do, especially for your important accounts. This means that as well as entering a password, you have to enter a time-sensitive code that is sent to your mobile via SMS, emailed to you, or generated by an authenticator app on your device. If you are able to use an authenticator app, this is generally more secure than SMS: SMS codes can be intercepted by SIM-swap attacks on your mobile provider, and both SMS and emailed codes are routinely phished.
Changing passwords regularly
We know it can be time-consuming and painful, but it’s worth reviewing your passwords on a regular basis. Think of it like a visit to the dentist or a check-up with your doctor. Pick a day or two, and update the passwords for your commonly used services, starting with any you have reused across sites. Current guidance (for example NIST SP 800-63B) puts less weight on changing passwords on a fixed schedule and more on changing a password immediately when the service it protects is breached or you suspect it has been exposed. Some password managers will alert you when a password you are using has appeared in a data leak or a hack.
Password managers are recommended for people who have a lot of different passwords to manage. A number of cloud-based password managers are popular. One thing to note about these services is that your vault is stored on someone else’s servers, so its safety rests on a strong master password and on the vault being encrypted on your device before it is uploaded. There are also open-source password managers, including ones that keep the vault only on your own device, that are worth exploring.
We recommend Bitwarden, which is available across all the major platforms, syncs across devices and is open source. The basic Bitwarden offering is free; paid personal and business plans are also available. If you don’t want to sync your passwords through the cloud, you can use a local password manager such as KeePass, which stores your passwords in an encrypted vault file on your own device.
Using your browser to remember passwords
Most browsers offer to remember your usernames and passwords. Generally speaking these passwords are encrypted on your device, but they can only be used with that specific browser, and they may be lost if local data is damaged or corrupted. Also, if your device is compromised, the accounts your browser remembers are exposed, because anything running as you can read them. We recommend avoiding the use of your browser to remember passwords, and instead using a dedicated password manager.
Securing your email and messaging
- Protonmail gives you a high level of security but doesn’t protect your anonymity.
- Use Session messenger to maximise your anonymity
Email is extremely convenient, but it can make you vulnerable to surveillance. Sending and receiving emails creates a large amount of metadata about you and your communications. Your email address and the destination address cannot be encrypted and remain visible to every server along the message’s journey, as do the date and time the message was sent and the subject line. Only the body of the email and its attachments can be encrypted end to end, using software add-ons such as PGP Tools or GPG Suite.
Secure Email Services
There really is no such thing as a secure email service. Gmail is extremely convenient, but your message content is readable by Google’s algorithms. Protonmail offers a higher level of security, but they cannot prevent your emails from creating metadata that can be used to identify you.
If you want to minimise advertisers and marketers targeting advertising based on your email contents, then Protonmail is probably the way to go. However, if you are an activist or defender who might be targeted (legally or otherwise) by corporations or governments, it’s best to avoid email communications altogether.
Facebook Messenger and WhatsApp should be avoided for sensitive communication. WhatsApp does encrypt message content end to end, but both platforms are run by Meta, whose business is built on monetising data about you, and the metadata about who you contact and when remains available to the company.
If you need secure instant messaging, then you can’t go past our flagship app Session. It provides privacy, security and anonymity. The downside (and also the upside) of Session is that it doesn’t link to your address book — so you have to manually ask your friends to create Session accounts and send you their Session ID (which is like a phone number, but is not associated with your real identity in any way). Session is perfect for human rights defenders, journalists and whistleblowers.
If Session is in the ‘too hard’ basket for you, we suggest you use Signal. The downside of Signal is that it is centralised and requires a phone number to register. Signal has published that it keeps very little about each account (the registration date and the time of last connection), but if push comes to shove it could be compelled to hand over what it has, and the phone number itself can be linked back to you.
Telegram is also very popular, but it is not necessarily very secure or private: regular chats and all group chats are stored on Telegram’s servers and are not end-to-end encrypted. If you use Telegram, remember to use ‘Secret Chat’, which is end-to-end encrypted, for direct chats with someone else.
Checking if your email or mobile was in a data breach
Hackers often go after large troves of data that contain email addresses, personal information and sometimes unencrypted or weakly hashed passwords. You can use Have I Been Pwned to find out whether your email address or mobile number appeared in a known data breach. If it did, we recommend immediately changing the password for that service (and anywhere else you reused it), and considering abandoning that email address for future account registrations.
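The breach check described here and the password-manager alerts mentioned under ‘Changing passwords regularly’ rely, for passwords, on the same trick: Have I Been Pwned’s Pwned Passwords API uses k-anonymity, so only the first five hex characters of your password’s SHA-1 hash are sent, the server returns every hash suffix sharing that prefix, and the match is made locally. The Python below is an added example written for this page, not HIBP’s own code. The range response is constructed inline (the suffixes other than the real one and all of the counts are made up) so it runs offline; `fetch_range` shows the real request shape but is not called.

```python
import hashlib
from typing import Callable, Dict, Tuple

RANGE_URL = "https://api.pwnedpasswords.com/range/"  # real endpoint, not called here


def sha1_hex(password: str) -> str:
    """Upper-case hex SHA-1, the form the Pwned Passwords API works with."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def split_for_k_anonymity(digest_hex: str) -> Tuple[str, str]:
    """Only the 5-char prefix leaves the device; the 35-char suffix stays local."""
    return digest_hex[:5], digest_hex[5:]


def parse_range_response(body: str) -> Dict[str, int]:
    """Parse the 'SUFFIX:COUNT' lines returned for one prefix, skipping junk."""
    counts: Dict[str, int] = {}
    for line in body.splitlines():
        suffix, sep, count = line.strip().partition(":")
        if sep and count.strip().isdigit():
            counts[suffix.strip().upper()] = int(count)
    return counts


def breach_count(password: str, fetch: Callable[[str], str]) -> int:
    """How many times the password appears in the breach corpus (0 = not seen)."""
    prefix, suffix = split_for_k_anonymity(sha1_hex(password))
    return parse_range_response(fetch(prefix)).get(suffix, 0)


def fetch_range(prefix: str) -> str:
    """Real network fetch of one prefix range (not used by the offline demo)."""
    from urllib.request import urlopen
    with urlopen(RANGE_URL + prefix, timeout=10) as resp:
        return resp.read().decode("utf-8")


# Constructed stand-in for the server: a tiny 'range' for prefix 5BAA6, which is
# the real prefix of SHA-1("password").  The middle suffix is the real remainder
# of that hash; the other suffixes and every count are made up for the example.
CONSTRUCTED_RANGES = {
    "5BAA6": "\n".join([
        "00000000000000000000000000000000001:2",
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:1234567",
        "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF:1",
    ]),
}


def constructed_fetch(prefix: str) -> str:
    """Offline replacement for fetch_range using the constructed ranges."""
    return CONSTRUCTED_RANGES.get(prefix.upper(), "")


if __name__ == "__main__":
    for pw in ("password", "correct horse battery staple"):
        print(repr(pw), "seen", breach_count(pw, constructed_fetch), "times")
```

The point of the protocol is in `split_for_k_anonymity`: the server learns a 5-character prefix shared by hundreds of unrelated hashes, never the password or its full hash, which is what makes it acceptable for a password manager to run this check against every entry in your vault.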
Encrypting your storage
- Use Veracrypt to encrypt your data
Most operating systems on your devices have built-in features for encrypting your storage or your files. There are also open-source applications that allow you to create encrypted folders and files to protect and hide sensitive data.
If you store or carry around sensitive data, it’s important to understand and implement the best strategies to protect your storage.
Encrypting your files on your mobile devices
Mobile operating systems have built-in encryption, with your screen-lock passcode protecting the key needed to decrypt your data. This matters if you lose your mobile or it is confiscated from you: a long passcode, rather than a four-digit PIN, is what stands between an attacker with the device in hand and your data. Android and iOS have different ways of activating encryption and this guide can help you.
Laptop / Desktop Encryption apps
VeraCrypt is an open-source tool for encrypting drives, partitions and removable media on laptops and desktops (it does not run on mobile devices). Rather than encrypting individual files, it creates an encrypted container, a single file that mounts as a virtual drive, which you can place on a thumb drive or removable hard drive, keeping your data safe while you are on the move. This is also a good way to send data through the post. For example, you can create an encrypted container on a thumb drive and share the access passphrase with the recipient using a private messenger such as Session; never send the passphrase along with the drive itself. Here’s a guide to using VeraCrypt.
Safe Browsing and Accessing Blocked Websites
- Use Lokinet
- Use Tor Browser
- Use DuckDuckgo
Circumvention technologies and private browsing
Censorship, whether it be in the form of great firewalls or more localised blocks on websites and internet services, is continuing to increase across the entire internet landscape, and countering these blocks is becoming increasingly difficult.
There are a number of tools that give you the ability to reroute internet traffic around these blocks. VPN technologies are the most common, and are used by people in many countries to bypass government-installed firewalls that restrict internet access. Selecting the right VPN for your needs can be challenging, and you can read a good backgrounder on the topic here.
At OPTF, we’ve also been building a piece of technology that lets you connect and access the internet anonymously and circumvent censorship. Take a look at Lokinet — which channels all your data, including email and web traffic through Oxen’s onion-routed network.
The Tor Browser uses another onion-routed network called Tor, enabling you to visit websites anonymously and circumvent most blocks.
Websites are also able to track your behaviour using small files kept on your computer called “cookies.” You can turn these off in your browser settings. However, be warned that because data collection is integral to the operation of many companies, their services might not work properly without cookies. In which case, you might be better off avoiding these sites in the first place. If you need to access these sites, you should regularly clear your cookies in your browser settings. This discards the identifiers that sites use to recognise you on return visits and, in the case of third-party cookies, to follow you from one website to another.
Blocking privacy invasion
There are a number of browser plug-ins and extensions that block privacy-invading content, including advertisements. uBlock Origin is a wide-spectrum content blocker that works with Firefox and Chromium-based browsers. The Brave browser is also designed to protect your privacy and block ads and pop-ups. It is convenient to download and use, and has a private browsing mode that routes traffic through Tor, although this is not as hardened against fingerprinting as the Tor Browser itself.
People from around the world use Google to conduct millions of searches every minute. What we know, and conveniently put aside, is that every search we make is analysed and Google collects significant amounts of data about what we are interested in and what links we click on. If you don’t want Google to track what you search, try using DuckDuckGo — a privacy-respecting search engine that is slowly gaining popularity among users. Startpage is also another option for searching without going through Google’s analytical engines.
The following two resources provide more information about protecting yourself in the digital world.
Security in a Box – Digital security tools and tactics
Totem Project – Digital security training for activists and journalists