![\"thinking\"](\"https:\/\/github.githubassets.com\/images\/icons\/emoji\/unicode\/1f914.png\")
Who this guide is for<\/h3>\r\n\r\n- You use the internet on a day-to-day basis \u2013 for work, social media, financial transactions, etc.<\/li>\r\n
- You feel you could be doing more to ensure your digital safety and privacy, but you’re not in immediate danger. (If you are, seek out an expert for a one-on-one consult.)<\/li>\r\n
- You’re comfortable with technology. For example, you’re comfortable going into the settings section of your computer\/smartphone.<\/li>\r\n<\/ul>\r\n
![\"seedling\"](\"https:\/\/github.githubassets.com\/images\/icons\/emoji\/unicode\/1f331.png\")
How to use this guide<\/h3>\r\n\r\n- Recommendations have been sorted in ascending levels of difficulty. Start from level one and work your way up!<\/li>\r\n
- Everyone should follow the recommendations in levels one and two.<\/em> They will protect you from the widely-used (yet simple) attacks. Going through them shouldn’t take more than 1-2 hours.<\/li>\r\n
- Level three is a bit more involved in terms of time and money and may not be 100% necessary. But if you’re worried at all and can afford to, we recommend going through that list too. Depending on the amount of digital housekeeping you have to do, it may take anywhere from an hour to an afternoon.<\/li>\r\n
- The scenarios listed after are for higher-stakes situations \u2014 scan them to see if any of them apply to you. (Because the stakes are higher, they assume that you’ve done everything in levels 1-3.)<\/li>\r\n
- This guide is a living document \u2013 please feel free to submit a pull request or fork your own version of this guide on GitHub.<\/li>\r\n<\/ul>\r\n
![\"speaking_head\"](\"https:\/\/github.githubassets.com\/images\/icons\/emoji\/unicode\/1f5e3.png\")
This guide in other languages<\/h3>\r\n\r\n- \u7e41\u9ad4\u4e2d\u6587 (Traditional Chinese)<\/a><\/li>\r\n
- \u65e5\u672c\u8a9e<\/a> (Japanese, a work-in-progress)<\/li>\r\n
- Italiano<\/a> (Italian, a work-in-progress)<\/li>\r\n<\/ul>\r\n
![\"clock3\"](\"https:\/\/github.githubassets.com\/images\/icons\/emoji\/unicode\/1f552.png\")
Last updated<\/h3>\r\n\r\n- 20 January 2021<\/li>\r\n<\/ul>\r\n
![\"monocle_face\"](\"https:\/\/github.githubassets.com\/images\/icons\/emoji\/unicode\/1f9d0.png\")
Theory & science<\/h2>\r\n![\"dart\"](\"https:\/\/github.githubassets.com\/images\/icons\/emoji\/unicode\/1f3af.png\")
Threat modeling<\/h3>\r\n\r\n- What kind of danger are you in? E.g. credit card hack, corporate espionage, online harassment\/doxxing.<\/li>\r\n
- What kind of assets are you protecting? E.g. confidential documents, private photos.<\/li>\r\n
- We’re all in a little bit of danger (otherwise we wouldn’t bother putting a password on our computer or phone) but it’s important to think about what’s at stake before dismissing concerns or becoming paranoid.<\/li>\r\n<\/ul>\r\n
![\"link\"](\"https:\/\/github.githubassets.com\/images\/icons\/emoji\/unicode\/1f517.png\")
Weakest link<\/h3>\r\n\r\n- Remember the weakest link is all that matters! E.g. if password recovery is linked to email, then hackers only need to get access to your email.<\/li>\r\n<\/ul>\r\n
![\"abcd\"](\"https:\/\/github.githubassets.com\/images\/icons\/emoji\/unicode\/1f521.png\")
Encryption levels<\/h3>\r\n\r\n- No encryption: Any third party who intercepts the data can read it as-is.<\/li>\r\n
- Regular encryption: Data is encrypted so that third parties cannot read them. But the platform (e.g. Google or Facebook) still has access, and may hand the data over to law enforcement if they are required to do so by the courts.<\/li>\r\n
- End-to-end encryption: the data can only be read by the original sender and receiver. This means not even the platform has access. So if the courts call, the service provider can’t hand over the messages because they don’t have them either.<\/li>\r\n<\/ol>\r\n
![\"jigsaw\"](\"https:\/\/github.githubassets.com\/images\/icons\/emoji\/unicode\/1f9e9.png\")
Metadata<\/h3>\r\n\r\n- Data about your data \u2013 e.g. what number you called, and for how long (but not the contents of the call). With enough metadata, hackers can piece together a pretty good picture of who you are, who you know, where you’re going, etc. Plus legal protections around metadata are generally weaker.<\/li>\r\n<\/ul>\r\n
\r\n\u00a0<\/h2>\r\n![\"sweat_drops\"](\"https:\/\/github.githubassets.com\/images\/icons\/emoji\/unicode\/1f4a6.png\")
Level 1 recommendations<\/h2>\r\n![\"white_check_mark\"](\"https:\/\/github.githubassets.com\/images\/icons\/emoji\/unicode\/2705.png\")
Things to do now<\/h3>\r\nStrengthen passwords<\/h4>\r\n\r\n- Any password less than 10 characters is bad, but it’s also okay-to-string-together-non-sequitur-words.<\/li>\r\n
- Double check the security questions for your key online services (email, bank, Facebook, etc.) and make sure that they’re not easy to answer by friends or by anyone looking you up on Google.<\/li>\r\n
- Start using a different password for every service, because password leaks happen all the time. To make this easy, use a password manager (see Wirecutter’s picks here<\/a>) to store\/autofill\/generate them. For now, make sure you use a unique password for essential services (email, social media, banking, cloud storage).<\/li>\r\n
- Use a non-common\/obvious unlock code for your phone with at least 9 digits.<\/li>\r\n<\/ul>\r\n
Double lock important accounts<\/h4>\r\n
Use two-factor authentication (also known as 2FA and two-step verification) to add an extra lock on top of a typed password. Usually this takes the form of a short code that’s sent to your phone via a specialized app or SMS.<\/p>\r\n
\r\n- Download an authenticator app like Authy<\/a> or Duo Mobile<\/a>. Apps are far more secure than SMS so use one if it’s available.<\/li>\r\n
- Turn on 2FA on your:\r\n
\r\n- Email service. See instructions for Gmail<\/a>, Protonmail<\/a>, or find instructions for your email provider here<\/a>.<\/li>\r\n
- Frequently used social media accounts. See instructions for Twitter<\/a>, Facebook<\/a>, Instagram<\/a>, and other services<\/a>.<\/li>\r\n
- Consider turning on 2FA on any other online accounts where losing access would be catastrophic. Look up instructions on Two Factor Auth<\/a>.<\/li>\r\n<\/ul>\r\n<\/li>\r\n
- Turn on cloud backup for your authenticator app in case you ever lose your phone. See instructions for Authy<\/a> and Duo Mobile<\/a>.<\/li>\r\n<\/ul>\r\n
Email<\/h4>\r\n\r\n- If you’re on a webmail service, check that you’re logging into it using an
https:\/\/<\/code> URL. And if there isn’t one, find a new email provider.<\/li>\r\n- After turning on two-factor authentication, see if your email service supports backup codes (a single-use code in case you lose your phone). See Gmail instructions<\/a>.<\/li>\r\n<\/ul>\r\n
Encrypt your devices<\/h4>\r\n\r\n- Encrypt your computer hard drive:\r\n
\r\n- Mac: See Apple’s instructions<\/a>.<\/li>\r\n
- Windows: See Microsoft’s instructions<\/a> (we recommend BitLocker if it’s available)<\/li>\r\n<\/ul>\r\n<\/li>\r\n
- Encrypt your phone storage:\r\n
\r\n- iOS: Automatically encrypt.<\/li>\r\n
- Android: Recent versions automatically encrypt. Double check by going to
Settings \u2192 Security \u2192 Encryption<\/code>.<\/li>\r\n<\/ul>\r\n<\/li>\r\n- Secure your backups too!\r\n
\r\n- Encrypt your backup hard drives:\r\n
\r\n- Mac: If you use Time Machine, see Apple’s instructions here<\/a>.<\/li>\r\n
- Windows: See instructions here<\/a>.<\/li>\r\n<\/ul>\r\n<\/li>\r\n
- Pick an online backup storage solution that offers end-to-end encryption (which neither iCloud or Google Drive support) like Tresorit<\/a> or Spideroak One<\/a>.<\/li>\r\n<\/ul>\r\n<\/li>\r\n
- N.B. Remember encryption is only fully effective when the device is off!<\/li>\r\n<\/ul>\r\n
Other<\/h4>\r\n\r\n- Setup up a pin code for your mobile phone SIM card:\r\n
\r\n- See iPhone instructions<\/a>.<\/li>\r\n
- See Android instructions<\/a>.<\/li>\r\n
- Search your phone provider’s website to find out what their default password is (it varies from carrier to carrier).<\/li>\r\n<\/ul>\r\n<\/li>\r\n
- Turn on the firewall on your computer:\r\n
\r\n- Mac:
System Preferences \u2192 Security & Privacy \u2192 Firewall<\/code>.<\/li>\r\n- Windows:
Control Panel \u2192 System and Security \u2192 Windows Firewall<\/code>.<\/li>\r\n<\/ul>\r\n<\/li>\r\n- Turn off remote access on your computer:\r\n
\r\n- Mac:
System Preferences \u2192 Sharing \u2192 Remote Login, Remote Management1<\/code>.<\/li>\r\n- Windows:
Control Panel \u2192 System and Security \u2192 System: Allow remote access \u2192 Don't Allow Remote connections to this computer<\/code>.<\/li>\r\n<\/ul>\r\n<\/li>\r\n- Set up basic anti-virus software on your computer:\r\n
\r\n- Mac: None required. (Read Wirecutter’s explanation<\/a>)<\/li>\r\n
- Windows: Make sure Microsoft Defender Antivirus is on see Microsoft’s instructions here<\/a>) and turn on the extra
ransomware protection<\/code> feature<\/a>.<\/li>\r\n<\/ul>\r\n<\/li>\r\n- Turn off app-specific passwords that bypass two-factor authentication (e.g. instructions for Gmail<\/a>).<\/li>\r\n
- Turn off automatically add(ed) invitations on Google Calendar settings<\/a> (here’s why<\/a>).<\/li>\r\n
- Turn on Login Alerts on Facebook<\/a>.<\/li>\r\n
- Disable macros within Microsoft Office<\/a>.<\/li>\r\n
- iOS: Don’t allow USB accessories to control a locked device. Turn off
Settings \u2192 Face ID & Passcode \u2192 Allow Access When Locked: USB Accessories<\/code>.<\/li>\r\n<\/ul>\r\n?? Habits to cultivate<\/h3>\r\nEmail<\/h4>\r\n\r\n- Be on the lookout for phishing scams: where possible double check the From<\/em> email address and the domains that outbound links go to.<\/li>\r\n
- Don’t open unnecessary email attachments. Where possible, open or preview them first in an online document reader. Ask colleagues to use a filesharing service (Dropbox, Google Drive, Tresorit, SpiderOak), which tend to be a little harder to hack into.<\/li>\r\n
- You can upload a suspicious attachment to VirusTotal<\/a> for a check-up (but keep in mind files submitted to VirusTotal are available to security researchers so don\u2019t submit sensitive information).<\/li>\r\n<\/ul>\r\n
Update all the things<\/h4>\r\n\r\n- When you get a notification to update your operating system (on your mobile or computer), do it as soon as you can.<\/li>\r\n
- Update your apps (on mobile or computer) similarly.<\/li>\r\n
- Check occasionally for firmware updates for your router (and other Internet-connected devices).<\/li>\r\n<\/ul>\r\n
Other<\/h4>\r\n\r\n- Change important passwords (e.g. email, computer login, password manager master) every year or two.<\/li>\r\n
- Wipe your devices properly before donating\/giving away. If you’ve encrypted all of your phones and computers (as suggested above), a normal factory reset will do the job for almost all use cases. If you want an extra layer of security for your computer hard drives, see Wired’s guide on this topic<\/a>.<\/li>\r\n
- Don’t charge your phone at public charging stations\/ports \u2013 they may steal your data. Consider charging your portable battery instead.<\/li>\r\n<\/ul>\r\n
\r\n![\"+1\"](\"https:\/\/github.githubassets.com\/images\/icons\/emoji\/unicode\/1f44d.png\")
Great job! You’ve covered the basics. Treat yourself to a cup of tea and a stretch.
Now, ready for the next level?<\/strong><\/p>\r\n\u00a0<\/h2>\r\n Level 2 recommendations<\/h2>\r\n Things to do now<\/h3>\r\nEnhance your privacy<\/h4>\r\n\r\n- Review the privacy settings on social networks you frequent: who can see your content, who can comment on it, and who can see your location.\r\n
\r\n- Limit Facebook tracking by turning off Off-Facebook Activity (follow these EFF’s instructions<\/a>).<\/li>\r\n<\/ul>\r\n<\/li>\r\n
- Review the privacy settings on messaging apps you normally use: read receipts, time stamps for “last seen,” and whether your phone number\/profile picture are public.<\/li>\r\n
- Install these protective web browsers add-ons on your computer (and make sure they’re on even during private\/incognito mode):\r\n
\r\n- An ad blocker (e.g. uBlock Origin<\/a>, Ghostery<\/a>).<\/li>\r\n
- A tracker blocker (Privacy Badger<\/a>).<\/li>\r\n
- HTTPS Everywhere<\/a>.<\/li>\r\n<\/ul>\r\n<\/li>\r\n
- Review which apps on your smartphone have access to your location data. Turn off access if the app doesn’t need it, and minimize the number of apps that track your location all the time.\r\n
\r\n- iOS:
Settings \u2192 Privacy \u2192 Location Services<\/code>.<\/li>\r\n- Android:
Settings \u2192 Apps & notifications \u2192 App permissions<\/code>.<\/li>\r\n<\/ul>\r\n<\/li>\r\n- On your smartphone, delete any third-party keyboards you might have installed ( they often share what you type with the software maker). On both iOS and Android, they are installed as apps so just delete that. If you really need to use a third-party keyboard, make sure that it is an open source project where others have verified that it does not share your data with third parties.<\/li>\r\n
- If you use smart speakers, turn off its recording function:\r\n
\r\n- Google Home: go to Activity Controls<\/a> and uncheck
Include audio recordings<\/code>.<\/li>\r\n- Amazon Alexa: Follow these instructions<\/a>.<\/li>\r\n<\/ul>\r\n<\/li>\r\n<\/ul>\r\n
Set up your home wifi router<\/h4>\r\n\r\n- Login to the administration and settings dashboard (check your router’s instructions but it’s often at
http:\/\/192.168.0.1<\/code>)<\/li>\r\n- If the password to login to this dashboard is really simple, then update it.<\/li>\r\n
- Look through what devices are connected to the network right now (click around until you find the
access control<\/code>) and make sure you know what every device on the list is.<\/li>\r\n- If you see these options, turn them off. Look for them under
advanced settings<\/code> or gateway functions<\/code>:\r\n\r\n- UPnP (universal plug and play)<\/li>\r\n
- WPS (wi-fi protected setup)<\/li>\r\n
- Remote management<\/li>\r\n<\/ul>\r\n<\/li>\r\n<\/ul>\r\n
Other<\/h4>\r\n\r\n- Set up tracking apps for your devices so you can remotely find and wipe your devices from a website if you ever lose them:\r\n
\r\n- iOS & Mac: Instructions for setting up Find My<\/a>.<\/li>\r\n
- Android: Instructions for setting up Find My Device<\/a>.<\/li>\r\n
- Multi-platform (including iOS, Mac, Android if you want everything under one umbrella): Download and install Prey<\/a>.<\/li>\r\n<\/ul>\r\n<\/li>\r\n
- Review the
Third-Party Apps<\/code> or Connected Apps<\/code> on your main email\/social media accounts. These are services that might have access to, say, your Facebook data and even permission to make posts automatically there. (Here are the instructions for checking for them on Facebook and Gmail<\/a>.)<\/li>\r\n- Review the extensions\/add-ons\/plug-ins that have been installed within your computer web browser \u2013 delete any that you haven’t used in a while or don’t remember installing.<\/li>\r\n<\/ul>\r\n
?? Habits to cultivate<\/h3>\r\nEnhance your privacy<\/h4>\r\n\r\n- Post less personal information online \u2013 especially information that can be used to identify\/track\/scam you (addresses, phone numbers, birthday, etc.). Remember almost everything you say online is logged somewhere and that even if your setup is secure, your recipient’s setup may not be.<\/li>\r\n
- If you own domains, use WHOIS privacy services and stick with it (they’re worth the money). But note that with WHOIS lookup\/history tools, if you’ve ever put in your real address, it’s very difficult to remove from the logs.<\/li>\r\n<\/ul>\r\n
Watch what you say in online groups<\/h4>\r\n
Don’t say anything you’d regret on in a “private” Slack group, Facebook page, WhatsApp group chat or Telegram channel because:<\/p>\r\n
\r\n- Any one member can leak all of the data.<\/li>\r\n
- Administrators usually have access to everything within the group, including that private direct message between two people, and sometimes even deleted messages.<\/li>\r\n
- Even if you’re not using your real name or photo, what you say can often be traced back to your phone number or email (that is linked to the account).\r\n
\r\n- To prevent this in Telegram, go into
Settings \u2192 Privacy and Security \u2192 Phone Number<\/code>, and then set:\r\n\r\nWho can see my phone number<\/code> to Nobody<\/code>.<\/li>\r\nWho can find me by my number<\/code> to My Contacts<\/code>.<\/li>\r\n<\/ul>\r\n<\/li>\r\n<\/ul>\r\n<\/li>\r\n<\/ul>\r\nOther<\/h4>\r\n\r\n- When you download new mobile apps, double check to make sure it’s the right one \u2014 there are a lot of fake apps that try to trick people by using a slightly modified name or icon of an existing, popular app.<\/li>\r\n
- Check what apps you have installed on your phone once in a while, and delete the ones you’re not using anymore.<\/li>\r\n
- If you ever need to send someone a password, split it in half and send via two different channels (e.g. email + voice call).<\/li>\r\n
- Put a sticker (or webcam cover) over your laptop’s front-facing camera.<\/li>\r\n
- Don’t use Google\/Twitter\/Facebook to sign up\/login to other services \u2013 each service should have its own account.<\/li>\r\n<\/ul>\r\n
\r\n![\"tada\"](\"https:\/\/github.githubassets.com\/images\/icons\/emoji\/unicode\/1f389.png\")
Congratulations! You’re now reasonably
secure, which is more than most :)
Take the rest of the day off, and
come back tomorrow for Level 3.<\/strong><\/p>\r\n Level 3 recommendations<\/h2>\r\n To do<\/h3>\r\nLock up sensitive files<\/h4>\r\n\r\n- Identify files that you don’t want others to access (e.g. private photos, passport documents).<\/li>\r\n
- Use Cryptomator<\/a> or Veracrypt<\/a> to create an encrypted, password-protected vault for them.<\/li>\r\n
- Set them up on both your computer and your phone.<\/li>\r\n
- Move your files into these secure vaults. Make sure they’re not still hanging around on an old folder or on your phone.<\/li>\r\n<\/ul>\r\n
Upgrade your gear<\/h4>\r\n\r\n- Use a paid VPN service when on public networks (e.g. cafe wifi) and even at home if you don’t want your service provider to know where you’re going. Free VPN services are bad because operators don’t have enough incentive to protect you\/your data. See recommendations from Wirecutter<\/a> and Freedom of the Press<\/a>.<\/li>\r\n
- Buy a privacy screen (prevents onlookers from seeing your screen, see this 3M example<\/a>) for your laptop and phone.<\/li>\r\n<\/ul>\r\n
Revisit old passwords<\/h4>\r\n\r\n- Store all of your online service passwords in a password manager. (If you have the right browser add-on\/plugin installed, it will capture all the relevant details during a login process.)<\/li>\r\n
- Using your password manager’s analysis feature, see which accounts\/services have weak passwords and update the ones that might have any personal information about you or that you would really hate to lose.<\/li>\r\n<\/ul>\r\n
?? Habits to cultivate<\/h3>\r\n\r\n- Start using Signal<\/a>, an end-to-end encrypted mobile messaging app that’s generally agreed to be safe\/secure\/robust. (Beyond Signal, there is little consensus on what’s secure and people tend to get very emotional about their choice of mobile messaging apps.)<\/li>\r\n
- When making voice or video calls, use an end-to-end encrypted app (e.g. Signal, Jitsi, Wire).<\/li>\r\n
- Buy a harder-to-hack mobile phone
![\"moneybag\"](\"https:\/\/github.githubassets.com\/images\/icons\/emoji\/unicode\/1f4b0.png\")
. Typically, this is an iPhone or Android phone that implements a “pure” Google version of Android.<\/li>\r\n<\/ul>\r\n
\r\n![\"astonished\"](\"https:\/\/github.githubassets.com\/images\/icons\/emoji\/unicode\/1f632.png\")
Wow, you completed all three levels!
Well done! Now quickly look below
to see if any apply to you.<\/strong><\/p>\r\n![\"exclamation\"](\"https:\/\/github.githubassets.com\/images\/icons\/emoji\/unicode\/2757.png\")
Scenario-based recommendations<\/h2>\r\n??\u200d? Hosting a public event on a video calling platform (e.g. Zoom)<\/h3>\r\n\r\n- Set a password to enter the meeting to prevent random people from wandering in via a meeting ID generator. Consider setting up an RSVP system so that you don’t have to give out the meeting link and password publicly.<\/li>\r\n
- Familiarize yourself with the platform’s settings and minimize the amount of control (e.g. screen sharing) that non-hosts have. (E.g. settings on Zoom<\/a>)<\/li>\r\n
- Create a plan of action for what you would do if a malicious troll gains access to your call.<\/li>\r\n
- Don’t say what you wouldn’t say in a public forum. Encourage your attendees to do the same. Most commercial platforms have access to your audio\/video data and are mining your metadata to create consumer profiles.<\/li>\r\n<\/ul>\r\n
![\"flight_departure\"](\"https:\/\/github.githubassets.com\/images\/icons\/emoji\/unicode\/1f6eb.png\")
Crossing an international border<\/h3>\r\n\r\n- Turn off your devices because:\r\n
\r\n- Storage\/hard drives are only encrypted when they’re off, not<\/strong> when they’re just in sleep mode<\/li>\r\n
- This will also ensure that your mobile devices require a pin when they are turned on, which is protected by freedom of speech laws in some jurisdictions.<\/li>\r\n<\/ul>\r\n<\/li>\r\n
- Store less information on your devices \u2013 in case they’re seized, what you don’t have they can’t take.<\/li>\r\n
- Be mindful of what stickers you put on your devices \u2013 a border agent could mistake them for something suspicious.<\/li>\r\n
- Notify your people about your flight number and arrival time. Check in with one of them at regular points in your journey. Have them contact a lawyer\/relevant organization if you do not show up.<\/li>\r\n
- For extreme situations (some of these practices might raise suspicions and backfire):\r\n
\r\n- Set up alternate photo albums, email addresses and social media accounts full of harmless content.<\/li>\r\n
- “Forget” half of your password: Password lock your device\/account so that only a trusted friend has the second half of the password.<\/li>\r\n
- Log out of all important accounts (or simply leave your devices at home).<\/li>\r\n<\/ul>\r\n<\/li>\r\n
- For more information, see Wired’s Guide to Getting Past Customs With Your Digital Privacy Intact<\/a> and BoingBoing’s addendum<\/a> about filing for attorney privileges at the US border.<\/li>\r\n<\/ul>\r\n
How to use this guide<\/h3>\r\n\r\n- Recommendations have been sorted in ascending levels of difficulty. Start from level one and work your way up!<\/li>\r\n
- Everyone should follow the recommendations in levels one and two.<\/em> They will protect you from the widely-used (yet simple) attacks. Going through them shouldn’t take more than 1-2 hours.<\/li>\r\n
- Level three is a bit more involved in terms of time and money and may not be 100% necessary. But if you’re worried at all and can afford to, we recommend going through that list too. Depending on the amount of digital housekeeping you have to do, it may take anywhere from an hour to an afternoon.<\/li>\r\n
- The scenarios listed after are for higher-stakes situations \u2014 scan them to see if any of them apply to you. (Because the stakes are higher, they assume that you’ve done everything in levels 1-3.)<\/li>\r\n
- This guide is a living document \u2013 please feel free to submit a pull request or fork your own version of this guide on GitHub.<\/li>\r\n<\/ul>\r\n
This guide in other languages<\/h3>\r\n\r\n- \u7e41\u9ad4\u4e2d\u6587 (Traditional Chinese)<\/a><\/li>\r\n
- \u65e5\u672c\u8a9e<\/a> (Japanese, a work-in-progress)<\/li>\r\n
- Italiano<\/a> (Italian, a work-in-progress)<\/li>\r\n<\/ul>\r\n
Last updated<\/h3>\r\n\r\n- 20 January 2021<\/li>\r\n<\/ul>\r\n
Theory & science<\/h2>\r\n Threat modeling<\/h3>\r\n\r\n- What kind of danger are you in? E.g. credit card hack, corporate espionage, online harassment\/doxxing.<\/li>\r\n
- What kind of assets are you protecting? E.g. confidential documents, private photos.<\/li>\r\n
- We’re all in a little bit of danger (otherwise we wouldn’t bother putting a password on our computer or phone) but it’s important to think about what’s at stake before dismissing concerns or becoming paranoid.<\/li>\r\n<\/ul>\r\n
Weakest link<\/h3>\r\n\r\n- Remember the weakest link is all that matters! E.g. if password recovery is linked to email, then hackers only need to get access to your email.<\/li>\r\n<\/ul>\r\n
Encryption levels<\/h3>\r\n\r\n- No encryption: Any third party who intercepts the data can read it as-is.<\/li>\r\n
- Regular encryption: Data is encrypted so that third parties cannot read them. But the platform (e.g. Google or Facebook) still has access, and may hand the data over to law enforcement if they are required to do so by the courts.<\/li>\r\n
- End-to-end encryption: the data can only be read by the original sender and receiver. This means not even the platform has access. So if the courts call, the service provider can’t hand over the messages because they don’t have them either.<\/li>\r\n<\/ol>\r\n
Metadata<\/h3>\r\n\r\n- Data about your data \u2013 e.g. what number you called, and for how long (but not the contents of the call). With enough metadata, hackers can piece together a pretty good picture of who you are, who you know, where you’re going, etc. Plus legal protections around metadata are generally weaker.<\/li>\r\n<\/ul>\r\n
\r\n\u00a0<\/h2>\r\n Level 1 recommendations<\/h2>\r\n Things to do now<\/h3>\r\nStrengthen passwords<\/h4>\r\n\r\n- Any password less than 10 characters is bad, but it’s also okay-to-string-together-non-sequitur-words.<\/li>\r\n
- Double check the security questions for your key online services (email, bank, Facebook, etc.) and make sure that they’re not easy to answer by friends or by anyone looking you up on Google.<\/li>\r\n
- Start using a different password for every service, because password leaks happen all the time. To make this easy, use a password manager (see Wirecutter’s picks here<\/a>) to store\/autofill\/generate them. For now, make sure you use a unique password for essential services (email, social media, banking, cloud storage).<\/li>\r\n
- Use a non-common\/obvious unlock code for your phone with at least 9 digits.<\/li>\r\n<\/ul>\r\n
Double lock important accounts<\/h4>\r\n
Use two-factor authentication (also known as 2FA and two-step verification) to add an extra lock on top of a typed password. Usually this takes the form of a short code that’s sent to your phone via a specialized app or SMS.<\/p>\r\n
\r\n- Download an authenticator app like Authy<\/a> or Duo Mobile<\/a>. Apps are far more secure than SMS so use one if it’s available.<\/li>\r\n
- Turn on 2FA on your:\r\n
\r\n- Email service. See instructions for Gmail<\/a>, Protonmail<\/a>, or find instructions for your email provider here<\/a>.<\/li>\r\n
- Frequently used social media accounts. See instructions for Twitter<\/a>, Facebook<\/a>, Instagram<\/a>, and other services<\/a>.<\/li>\r\n
- Consider turning on 2FA on any other online accounts where losing access would be catastrophic. Look up instructions on Two Factor Auth<\/a>.<\/li>\r\n<\/ul>\r\n<\/li>\r\n
- Turn on cloud backup for your authenticator app in case you ever lose your phone. See instructions for Authy<\/a> and Duo Mobile<\/a>.<\/li>\r\n<\/ul>\r\n
Email<\/h4>\r\n\r\n- If you’re on a webmail service, check that you’re logging into it using an
https:\/\/<\/code> URL. And if there isn’t one, find a new email provider.<\/li>\r\n- After turning on two-factor authentication, see if your email service supports backup codes (a single-use code in case you lose your phone). See Gmail instructions<\/a>.<\/li>\r\n<\/ul>\r\n
Encrypt your devices<\/h4>\r\n\r\n- Encrypt your computer hard drive:\r\n
\r\n- Mac: See Apple’s instructions<\/a>.<\/li>\r\n
- Windows: See Microsoft’s instructions<\/a> (we recommend BitLocker if it’s available)<\/li>\r\n<\/ul>\r\n<\/li>\r\n
- Encrypt your phone storage:\r\n
\r\n- iOS: Automatically encrypt.<\/li>\r\n
- Android: Recent versions automatically encrypt. Double check by going to
Settings \u2192 Security \u2192 Encryption<\/code>.<\/li>\r\n<\/ul>\r\n<\/li>\r\n- Secure your backups too!\r\n
\r\n- Encrypt your backup hard drives:\r\n
\r\n- Mac: If you use Time Machine, see Apple’s instructions here<\/a>.<\/li>\r\n
- Windows: See instructions here<\/a>.<\/li>\r\n<\/ul>\r\n<\/li>\r\n
- Pick an online backup storage solution that offers end-to-end encryption (which neither iCloud or Google Drive support) like Tresorit<\/a> or Spideroak One<\/a>.<\/li>\r\n<\/ul>\r\n<\/li>\r\n
- N.B. Remember encryption is only fully effective when the device is off!<\/li>\r\n<\/ul>\r\n
Other<\/h4>\r\n\r\n- Setup up a pin code for your mobile phone SIM card:\r\n
\r\n- See iPhone instructions<\/a>.<\/li>\r\n
- See Android instructions<\/a>.<\/li>\r\n
- Search your phone provider’s website to find out what their default password is (it varies from carrier to carrier).<\/li>\r\n<\/ul>\r\n<\/li>\r\n
- Turn on the firewall on your computer:\r\n
\r\n- Mac:
System Preferences \u2192 Security & Privacy \u2192 Firewall<\/code>.<\/li>\r\n- Windows:
Control Panel \u2192 System and Security \u2192 Windows Firewall<\/code>.<\/li>\r\n<\/ul>\r\n<\/li>\r\n- Turn off remote access on your computer:\r\n
\r\n- Mac:
System Preferences \u2192 Sharing \u2192 Remote Login, Remote Management1<\/code>.<\/li>\r\n- Windows:
Control Panel \u2192 System and Security \u2192 System: Allow remote access \u2192 Don't Allow Remote connections to this computer<\/code>.<\/li>\r\n<\/ul>\r\n<\/li>\r\n- Set up basic anti-virus software on your computer:\r\n
\r\n- Mac: None required. (Read Wirecutter’s explanation<\/a>)<\/li>\r\n
- Windows: Make sure Microsoft Defender Antivirus is on see Microsoft’s instructions here<\/a>) and turn on the extra
ransomware protection<\/code> feature<\/a>.<\/li>\r\n<\/ul>\r\n<\/li>\r\n- Turn off app-specific passwords that bypass two-factor authentication (e.g. instructions for Gmail<\/a>).<\/li>\r\n
- Turn off automatically add(ed) invitations on Google Calendar settings<\/a> (here’s why<\/a>).<\/li>\r\n
- Turn on Login Alerts on Facebook<\/a>.<\/li>\r\n
- Disable macros within Microsoft Office<\/a>.<\/li>\r\n
- iOS: Don’t allow USB accessories to control a locked device. Turn off
Settings \u2192 Face ID & Passcode \u2192 Allow Access When Locked: USB Accessories<\/code>.<\/li>\r\n<\/ul>\r\n?? Habits to cultivate<\/h3>\r\nEmail<\/h4>\r\n\r\n- Be on the lookout for phishing scams: where possible double check the From<\/em> email address and the domains that outbound links go to.<\/li>\r\n
- Don’t open unnecessary email attachments. Where possible, open or preview them first in an online document reader. Ask colleagues to use a filesharing service (Dropbox, Google Drive, Tresorit, SpiderOak), which tend to be a little harder to hack into.<\/li>\r\n
- You can upload a suspicious attachment to VirusTotal<\/a> for a check-up (but keep in mind files submitted to VirusTotal are available to security researchers so don\u2019t submit sensitive information).<\/li>\r\n<\/ul>\r\n
Update all the things<\/h4>\r\n\r\n- When you get a notification to update your operating system (on your mobile or computer), do it as soon as you can.<\/li>\r\n
- Update your apps (on mobile or computer) similarly.<\/li>\r\n
- Check occasionally for firmware updates for your router (and other Internet-connected devices).<\/li>\r\n<\/ul>\r\n
Other<\/h4>\r\n\r\n- Change important passwords (e.g. email, computer login, password manager master) every year or two.<\/li>\r\n
- Wipe your devices properly before donating\/giving away. If you’ve encrypted all of your phones and computers (as suggested above), a normal factory reset will do the job for almost all use cases. If you want an extra layer of security for your computer hard drives, see Wired’s guide on this topic<\/a>.<\/li>\r\n
- Don’t charge your phone at public charging stations\/ports \u2013 they may steal your data. Consider charging your portable battery instead.<\/li>\r\n<\/ul>\r\n
\r\n Great job! You’ve covered the basics. Treat yourself to a cup of tea and a stretch.
Now, ready for the next level?<\/strong><\/p>\r\n\u00a0<\/h2>\r\n Level 2 recommendations<\/h2>\r\n Things to do now<\/h3>\r\nEnhance your privacy<\/h4>\r\n\r\n- Review the privacy settings on social networks you frequent: who can see your content, who can comment on it, and who can see your location.\r\n
\r\n- Limit Facebook tracking by turning off Off-Facebook Activity (follow these EFF’s instructions<\/a>).<\/li>\r\n<\/ul>\r\n<\/li>\r\n
- Review the privacy settings on messaging apps you normally use: read receipts, time stamps for “last seen,” and whether your phone number\/profile picture are public.<\/li>\r\n
- Install these protective web browsers add-ons on your computer (and make sure they’re on even during private\/incognito mode):\r\n
\r\n- An ad blocker (e.g. uBlock Origin<\/a>, Ghostery<\/a>).<\/li>\r\n
- A tracker blocker (Privacy Badger<\/a>).<\/li>\r\n
- HTTPS Everywhere<\/a>.<\/li>\r\n<\/ul>\r\n<\/li>\r\n
- Review which apps on your smartphone have access to your location data. Turn off access if the app doesn’t need it, and minimize the number of apps that track your location all the time.\r\n
\r\n- iOS:
Settings \u2192 Privacy \u2192 Location Services<\/code>.<\/li>\r\n- Android:
Settings \u2192 Apps & notifications \u2192 App permissions<\/code>.<\/li>\r\n<\/ul>\r\n<\/li>\r\n- On your smartphone, delete any third-party keyboards you might have installed ( they often share what you type with the software maker). On both iOS and Android, they are installed as apps so just delete that. If you really need to use a third-party keyboard, make sure that it is an open source project where others have verified that it does not share your data with third parties.<\/li>\r\n
- If you use smart speakers, turn off its recording function:\r\n
\r\n- Google Home: go to Activity Controls<\/a> and uncheck
Include audio recordings<\/code>.<\/li>\r\n- Amazon Alexa: Follow these instructions<\/a>.<\/li>\r\n<\/ul>\r\n<\/li>\r\n<\/ul>\r\n
Set up your home wifi router<\/h4>\r\n\r\n- Login to the administration and settings dashboard (check your router’s instructions but it’s often at
http:\/\/192.168.0.1<\/code>)<\/li>\r\n- If the password to login to this dashboard is really simple, then update it.<\/li>\r\n
- Look through what devices are connected to the network right now (click around until you find the
access control<\/code>) and make sure you know what every device on the list is.<\/li>\r\n- If you see these options, turn them off. Look for them under
advanced settings<\/code> or gateway functions<\/code>:\r\n\r\n- UPnP (universal plug and play)<\/li>\r\n
- WPS (wi-fi protected setup)<\/li>\r\n
- Remote management<\/li>\r\n<\/ul>\r\n<\/li>\r\n<\/ul>\r\n
Other<\/h4>\r\n\r\n- Set up tracking apps for your devices so you can remotely find and wipe your devices from a website if you ever lose them:\r\n
\r\n- iOS & Mac: Instructions for setting up Find My<\/a>.<\/li>\r\n
- Android: Instructions for setting up Find My Device<\/a>.<\/li>\r\n
- Multi-platform (including iOS, Mac, Android if you want everything under one umbrella): Download and install Prey<\/a>.<\/li>\r\n<\/ul>\r\n<\/li>\r\n
- Review the
Third-Party Apps<\/code> or Connected Apps<\/code> on your main email\/social media accounts. These are services that might have access to, say, your Facebook data and even permission to make posts automatically there. (Here are the instructions for checking for them on Facebook and Gmail<\/a>.)<\/li>\r\n- Review the extensions\/add-ons\/plug-ins that have been installed within your computer web browser \u2013 delete any that you haven’t used in a while or don’t remember installing.<\/li>\r\n<\/ul>\r\n
?? Habits to cultivate<\/h3>\r\nEnhance your privacy<\/h4>\r\n\r\n- Post less personal information online \u2013 especially information that can be used to identify\/track\/scam you (addresses, phone numbers, birthday, etc.). Remember almost everything you say online is logged somewhere and that even if your setup is secure, your recipient’s setup may not be.<\/li>\r\n
- If you own domains, use WHOIS privacy services and stick with it (they’re worth the money). But note that with WHOIS lookup\/history tools, if you’ve ever put in your real address, it’s very difficult to remove from the logs.<\/li>\r\n<\/ul>\r\n
Watch what you say in online groups<\/h4>\r\n
Don’t say anything you’d regret on in a “private” Slack group, Facebook page, WhatsApp group chat or Telegram channel because:<\/p>\r\n
\r\n- Any one member can leak all of the data.<\/li>\r\n
- Administrators usually have access to everything within the group, including that private direct message between two people, and sometimes even deleted messages.<\/li>\r\n
- Even if you’re not using your real name or photo, what you say can often be traced back to your phone number or email (that is linked to the account).\r\n
\r\n- To prevent this in Telegram, go into
Settings \u2192 Privacy and Security \u2192 Phone Number<\/code>, and then set:\r\n\r\nWho can see my phone number<\/code> to Nobody<\/code>.<\/li>\r\nWho can find me by my number<\/code> to My Contacts<\/code>.<\/li>\r\n<\/ul>\r\n<\/li>\r\n<\/ul>\r\n<\/li>\r\n<\/ul>\r\nOther<\/h4>\r\n\r\n- When you download new mobile apps, double check to make sure it’s the right one \u2014 there are a lot of fake apps that try to trick people by using a slightly modified name or icon of an existing, popular app.<\/li>\r\n
- Check what apps you have installed on your phone once in a while, and delete the ones you’re not using anymore.<\/li>\r\n
- If you ever need to send someone a password, split it in half and send via two different channels (e.g. email + voice call).<\/li>\r\n
- Put a sticker (or webcam cover) over your laptop’s front-facing camera.<\/li>\r\n
- Don’t use Google\/Twitter\/Facebook to sign up\/login to other services \u2013 each service should have its own account.<\/li>\r\n<\/ul>\r\n
\r\n Congratulations! You’re now reasonably
secure, which is more than most :)
Take the rest of the day off, and
come back tomorrow for Level 3.<\/strong><\/p>\r\n Level 3 recommendations<\/h2>\r\n To do<\/h3>\r\nLock up sensitive files<\/h4>\r\n\r\n- Identify files that you don’t want others to access (e.g. private photos, passport documents).<\/li>\r\n
- Use Cryptomator<\/a> or Veracrypt<\/a> to create an encrypted, password-protected vault for them.<\/li>\r\n
- Set them up on both your computer and your phone.<\/li>\r\n
- Move your files into these secure vaults. Make sure they’re not still hanging around on an old folder or on your phone.<\/li>\r\n<\/ul>\r\n
Upgrade your gear<\/h4>\r\n\r\n- Use a paid VPN service when on public networks (e.g. cafe wifi) and even at home if you don’t want your service provider to know where you’re going. Free VPN services are bad because operators don’t have enough incentive to protect you\/your data. See recommendations from Wirecutter<\/a> and Freedom of the Press<\/a>.<\/li>\r\n
- Buy a privacy screen (prevents onlookers from seeing your screen, see this 3M example<\/a>) for your laptop and phone.<\/li>\r\n<\/ul>\r\n
Revisit old passwords<\/h4>\r\n\r\n- Store all of your online service passwords in a password manager. (If you have the right browser add-on\/plugin installed, it will capture all the relevant details during a login process.)<\/li>\r\n
- Using your password manager’s analysis feature, see which accounts\/services have weak passwords and update the ones that might have any personal information about you or that you would really hate to lose.<\/li>\r\n<\/ul>\r\n
?? Habits to cultivate<\/h3>\r\n\r\n- Start using Signal<\/a>, an end-to-end encrypted mobile messaging app that’s generally agreed to be safe\/secure\/robust. (Beyond Signal, there is little consensus on what’s secure and people tend to get very emotional about their choice of mobile messaging apps.)<\/li>\r\n
- When making voice or video calls, use an end-to-end encrypted app (e.g. Signal, Jitsi, Wire).<\/li>\r\n
- Buy a harder-to-hack mobile phone . Typically, this is an iPhone or Android phone that implements a “pure” Google version of Android.<\/li>\r\n<\/ul>\r\n
\r\n Wow, you completed all three levels!
Well done! Now quickly look below
to see if any apply to you.<\/strong><\/p>\r\n Scenario-based recommendations<\/h2>\r\n??\u200d? Hosting a public event on a video calling platform (e.g. Zoom)<\/h3>\r\n\r\n- Set a password to enter the meeting to prevent random people from wandering in via a meeting ID generator. Consider setting up an RSVP system so that you don’t have to give out the meeting link and password publicly.<\/li>\r\n
- Familiarize yourself with the platform’s settings and minimize the amount of control (e.g. screen sharing) that non-hosts have. (E.g. settings on Zoom<\/a>)<\/li>\r\n
- Create a plan of action for what you would do if a malicious troll gains access to your call.<\/li>\r\n
- Don’t say what you wouldn’t say in a public forum. Encourage your attendees to do the same. Most commercial platforms have access to your audio\/video data and are mining your metadata to create consumer profiles.<\/li>\r\n<\/ul>\r\n
Crossing an international border<\/h3>\r\n\r\n- Turn off your devices because:\r\n
\r\n- Storage\/hard drives are only encrypted when they’re off, not<\/strong> when they’re just in sleep mode<\/li>\r\n
- This will also ensure that your mobile devices require a pin when they are turned on, which is protected by freedom of speech laws in some jurisdictions.<\/li>\r\n<\/ul>\r\n<\/li>\r\n
- Store less information on your devices \u2013 in case they’re seized, what you don’t have they can’t take.<\/li>\r\n
- Be mindful of what stickers you put on your devices \u2013 a border agent could mistake them for something suspicious.<\/li>\r\n
- Notify your people about your flight number and arrival time. Check in with one of them at regular points in your journey. Have them contact a lawyer\/relevant organization if you do not show up.<\/li>\r\n
- For extreme situations (some of these practices might raise suspicions and backfire):\r\n
\r\n- Set up alternate photo albums, email addresses and social media accounts full of harmless content.<\/li>\r\n
- “Forget” half of your password: Password lock your device\/account so that only a trusted friend has the second half of the password.<\/li>\r\n
- Log out of all important accounts (or simply leave your devices at home).<\/li>\r\n<\/ul>\r\n<\/li>\r\n
- For more information, see Wired’s Guide to Getting Past Customs With Your Digital Privacy Intact<\/a> and BoingBoing’s addendum<\/a> about filing for attorney privileges at the US border.<\/li>\r\n<\/ul>\r\n
This guide in other languages<\/h3>\r\n\r\n- \u7e41\u9ad4\u4e2d\u6587 (Traditional Chinese)<\/a><\/li>\r\n
- \u65e5\u672c\u8a9e<\/a> (Japanese, a work-in-progress)<\/li>\r\n
- Italiano<\/a> (Italian, a work-in-progress)<\/li>\r\n<\/ul>\r\n
Last updated<\/h3>\r\n\r\n- 20 January 2021<\/li>\r\n<\/ul>\r\n
Theory & science<\/h2>\r\n Threat modeling<\/h3>\r\n\r\n- What kind of danger are you in? E.g. credit card hack, corporate espionage, online harassment\/doxxing.<\/li>\r\n
- What kind of assets are you protecting? E.g. confidential documents, private photos.<\/li>\r\n
- We’re all in a little bit of danger (otherwise we wouldn’t bother putting a password on our computer or phone) but it’s important to think about what’s at stake before dismissing concerns or becoming paranoid.<\/li>\r\n<\/ul>\r\n
Weakest link<\/h3>\r\n\r\n- Remember the weakest link is all that matters! E.g. if password recovery is linked to email, then hackers only need to get access to your email.<\/li>\r\n<\/ul>\r\n
Encryption levels<\/h3>\r\n\r\n- No encryption: Any third party who intercepts the data can read it as-is.<\/li>\r\n
- Regular encryption: Data is encrypted so that third parties cannot read them. But the platform (e.g. Google or Facebook) still has access, and may hand the data over to law enforcement if they are required to do so by the courts.<\/li>\r\n
- End-to-end encryption: the data can only be read by the original sender and receiver. This means not even the platform has access. So if the courts call, the service provider can’t hand over the messages because they don’t have them either.<\/li>\r\n<\/ol>\r\n
Metadata<\/h3>\r\n\r\n- Data about your data \u2013 e.g. what number you called, and for how long (but not the contents of the call). With enough metadata, hackers can piece together a pretty good picture of who you are, who you know, where you’re going, etc. Plus legal protections around metadata are generally weaker.<\/li>\r\n<\/ul>\r\n
\r\n\u00a0<\/h2>\r\n Level 1 recommendations<\/h2>\r\n Things to do now<\/h3>\r\nStrengthen passwords<\/h4>\r\n\r\n- Any password less than 10 characters is bad, but it’s also okay-to-string-together-non-sequitur-words.<\/li>\r\n
- Double check the security questions for your key online services (email, bank, Facebook, etc.) and make sure that they’re not easy to answer by friends or by anyone looking you up on Google.<\/li>\r\n
- Start using a different password for every service, because password leaks happen all the time. To make this easy, use a password manager (see Wirecutter’s picks here<\/a>) to store\/autofill\/generate them. For now, make sure you use a unique password for essential services (email, social media, banking, cloud storage).<\/li>\r\n
- Use a non-common\/obvious unlock code for your phone with at least 9 digits.<\/li>\r\n<\/ul>\r\n
Double lock important accounts<\/h4>\r\n
Use two-factor authentication (also known as 2FA and two-step verification) to add an extra lock on top of a typed password. Usually this takes the form of a short code that’s sent to your phone via a specialized app or SMS.<\/p>\r\n
\r\n- Download an authenticator app like Authy<\/a> or Duo Mobile<\/a>. Apps are far more secure than SMS so use one if it’s available.<\/li>\r\n
- Turn on 2FA on your:\r\n
\r\n- Email service. See instructions for Gmail<\/a>, Protonmail<\/a>, or find instructions for your email provider here<\/a>.<\/li>\r\n
- Frequently used social media accounts. See instructions for Twitter<\/a>, Facebook<\/a>, Instagram<\/a>, and other services<\/a>.<\/li>\r\n
- Consider turning on 2FA on any other online accounts where losing access would be catastrophic. Look up instructions on Two Factor Auth<\/a>.<\/li>\r\n<\/ul>\r\n<\/li>\r\n
- Turn on cloud backup for your authenticator app in case you ever lose your phone. See instructions for Authy<\/a> and Duo Mobile<\/a>.<\/li>\r\n<\/ul>\r\n
Email<\/h4>\r\n\r\n- If you’re on a webmail service, check that you’re logging into it using an
https:\/\/<\/code> URL. And if there isn’t one, find a new email provider.<\/li>\r\n- After turning on two-factor authentication, see if your email service supports backup codes (a single-use code in case you lose your phone). See Gmail instructions<\/a>.<\/li>\r\n<\/ul>\r\n
Encrypt your devices<\/h4>\r\n\r\n- Encrypt your computer hard drive:\r\n
\r\n- Mac: See Apple’s instructions<\/a>.<\/li>\r\n
- Windows: See Microsoft’s instructions<\/a> (we recommend BitLocker if it’s available)<\/li>\r\n<\/ul>\r\n<\/li>\r\n
- Encrypt your phone storage:\r\n
\r\n- iOS: Automatically encrypt.<\/li>\r\n
- Android: Recent versions automatically encrypt. Double check by going to
Settings \u2192 Security \u2192 Encryption<\/code>.<\/li>\r\n<\/ul>\r\n<\/li>\r\n- Secure your backups too!\r\n
\r\n- Encrypt your backup hard drives:\r\n
\r\n- Mac: If you use Time Machine, see Apple’s instructions here<\/a>.<\/li>\r\n
- Windows: See instructions here<\/a>.<\/li>\r\n<\/ul>\r\n<\/li>\r\n
- Pick an online backup storage solution that offers end-to-end encryption (which neither iCloud or Google Drive support) like Tresorit<\/a> or Spideroak One<\/a>.<\/li>\r\n<\/ul>\r\n<\/li>\r\n
- N.B. Remember encryption is only fully effective when the device is off!<\/li>\r\n<\/ul>\r\n
Other<\/h4>\r\n\r\n- Setup up a pin code for your mobile phone SIM card:\r\n
\r\n- See iPhone instructions<\/a>.<\/li>\r\n
- See Android instructions<\/a>.<\/li>\r\n
- Search your phone provider’s website to find out what their default password is (it varies from carrier to carrier).<\/li>\r\n<\/ul>\r\n<\/li>\r\n
- Turn on the firewall on your computer:\r\n
\r\n- Mac:
System Preferences \u2192 Security & Privacy \u2192 Firewall<\/code>.<\/li>\r\n- Windows:
Control Panel \u2192 System and Security \u2192 Windows Firewall<\/code>.<\/li>\r\n<\/ul>\r\n<\/li>\r\n- Turn off remote access on your computer:\r\n
\r\n- Mac:
System Preferences \u2192 Sharing \u2192 Remote Login, Remote Management1<\/code>.<\/li>\r\n- Windows:
Control Panel \u2192 System and Security \u2192 System: Allow remote access \u2192 Don't Allow Remote connections to this computer<\/code>.<\/li>\r\n<\/ul>\r\n<\/li>\r\n- Set up basic anti-virus software on your computer:\r\n
\r\n- Mac: None required. (Read Wirecutter’s explanation<\/a>)<\/li>\r\n
- Windows: Make sure Microsoft Defender Antivirus is on see Microsoft’s instructions here<\/a>) and turn on the extra
ransomware protection<\/code> feature<\/a>.<\/li>\r\n<\/ul>\r\n<\/li>\r\n- Turn off app-specific passwords that bypass two-factor authentication (e.g. instructions for Gmail<\/a>).<\/li>\r\n
- Turn off automatically add(ed) invitations on Google Calendar settings<\/a> (here’s why<\/a>).<\/li>\r\n
- Turn on Login Alerts on Facebook<\/a>.<\/li>\r\n
- Disable macros within Microsoft Office<\/a>.<\/li>\r\n
- iOS: Don’t allow USB accessories to control a locked device. Turn off
Settings \u2192 Face ID & Passcode \u2192 Allow Access When Locked: USB Accessories<\/code>.<\/li>\r\n<\/ul>\r\n?? Habits to cultivate<\/h3>\r\nEmail<\/h4>\r\n\r\n- Be on the lookout for phishing scams: where possible double check the From<\/em> email address and the domains that outbound links go to.<\/li>\r\n
- Don’t open unnecessary email attachments. Where possible, open or preview them first in an online document reader. Ask colleagues to use a filesharing service (Dropbox, Google Drive, Tresorit, SpiderOak), which tend to be a little harder to hack into.<\/li>\r\n
- You can upload a suspicious attachment to VirusTotal<\/a> for a check-up (but keep in mind files submitted to VirusTotal are available to security researchers so don\u2019t submit sensitive information).<\/li>\r\n<\/ul>\r\n
Update all the things<\/h4>\r\n\r\n- When you get a notification to update your operating system (on your mobile or computer), do it as soon as you can.<\/li>\r\n
- Update your apps (on mobile or computer) similarly.<\/li>\r\n
- Check occasionally for firmware updates for your router (and other Internet-connected devices).<\/li>\r\n<\/ul>\r\n
Other<\/h4>\r\n\r\n- Change important passwords (e.g. email, computer login, password manager master) every year or two.<\/li>\r\n
- Wipe your devices properly before donating\/giving away. If you’ve encrypted all of your phones and computers (as suggested above), a normal factory reset will do the job for almost all use cases. If you want an extra layer of security for your computer hard drives, see Wired’s guide on this topic<\/a>.<\/li>\r\n
- Don’t charge your phone at public charging stations\/ports \u2013 they may steal your data. Consider charging your portable battery instead.<\/li>\r\n<\/ul>\r\n
\r\n Great job! You’ve covered the basics. Treat yourself to a cup of tea and a stretch.
Now, ready for the next level?<\/strong><\/p>\r\n\u00a0<\/h2>\r\n Level 2 recommendations<\/h2>\r\n Things to do now<\/h3>\r\nEnhance your privacy<\/h4>\r\n\r\n- Review the privacy settings on social networks you frequent: who can see your content, who can comment on it, and who can see your location.\r\n
\r\n- Limit Facebook tracking by turning off Off-Facebook Activity (follow these EFF’s instructions<\/a>).<\/li>\r\n<\/ul>\r\n<\/li>\r\n
- Review the privacy settings on messaging apps you normally use: read receipts, time stamps for “last seen,” and whether your phone number\/profile picture are public.<\/li>\r\n
- Install these protective web browsers add-ons on your computer (and make sure they’re on even during private\/incognito mode):\r\n
\r\n- An ad blocker (e.g. uBlock Origin<\/a>, Ghostery<\/a>).<\/li>\r\n
- A tracker blocker (Privacy Badger<\/a>).<\/li>\r\n
- HTTPS Everywhere<\/a>.<\/li>\r\n<\/ul>\r\n<\/li>\r\n
- Review which apps on your smartphone have access to your location data. Turn off access if the app doesn’t need it, and minimize the number of apps that track your location all the time.\r\n
\r\n- iOS:
Settings \u2192 Privacy \u2192 Location Services<\/code>.<\/li>\r\n- Android:
Settings \u2192 Apps & notifications \u2192 App permissions<\/code>.<\/li>\r\n<\/ul>\r\n<\/li>\r\n- On your smartphone, delete any third-party keyboards you might have installed ( they often share what you type with the software maker). On both iOS and Android, they are installed as apps so just delete that. If you really need to use a third-party keyboard, make sure that it is an open source project where others have verified that it does not share your data with third parties.<\/li>\r\n
- If you use smart speakers, turn off its recording function:\r\n
\r\n- Google Home: go to Activity Controls<\/a> and uncheck
Include audio recordings<\/code>.<\/li>\r\n- Amazon Alexa: Follow these instructions<\/a>.<\/li>\r\n<\/ul>\r\n<\/li>\r\n<\/ul>\r\n
Set up your home wifi router<\/h4>\r\n\r\n- Login to the administration and settings dashboard (check your router’s instructions but it’s often at
http:\/\/192.168.0.1<\/code>)<\/li>\r\n- If the password to login to this dashboard is really simple, then update it.<\/li>\r\n
- Look through what devices are connected to the network right now (click around until you find the
access control<\/code>) and make sure you know what every device on the list is.<\/li>\r\n- If you see these options, turn them off. Look for them under
advanced settings<\/code> or gateway functions<\/code>:\r\n\r\n- UPnP (universal plug and play)<\/li>\r\n
- WPS (wi-fi protected setup)<\/li>\r\n
- Remote management<\/li>\r\n<\/ul>\r\n<\/li>\r\n<\/ul>\r\n
Other<\/h4>\r\n\r\n- Set up tracking apps for your devices so you can remotely find and wipe your devices from a website if you ever lose them:\r\n
\r\n- iOS & Mac: Instructions for setting up Find My<\/a>.<\/li>\r\n
- Android: Instructions for setting up Find My Device<\/a>.<\/li>\r\n
- Multi-platform (including iOS, Mac, Android if you want everything under one umbrella): Download and install Prey<\/a>.<\/li>\r\n<\/ul>\r\n<\/li>\r\n
- Review the
Third-Party Apps<\/code> or Connected Apps<\/code> on your main email\/social media accounts. These are services that might have access to, say, your Facebook data and even permission to make posts automatically there. (Here are the instructions for checking for them on Facebook and Gmail<\/a>.)<\/li>\r\n- Review the extensions\/add-ons\/plug-ins that have been installed within your computer web browser \u2013 delete any that you haven’t used in a while or don’t remember installing.<\/li>\r\n<\/ul>\r\n
?? Habits to cultivate<\/h3>\r\nEnhance your privacy<\/h4>\r\n\r\n- Post less personal information online \u2013 especially information that can be used to identify\/track\/scam you (addresses, phone numbers, birthday, etc.). Remember almost everything you say online is logged somewhere and that even if your setup is secure, your recipient’s setup may not be.<\/li>\r\n
- If you own domains, use WHOIS privacy services and stick with it (they’re worth the money). But note that with WHOIS lookup\/history tools, if you’ve ever put in your real address, it’s very difficult to remove from the logs.<\/li>\r\n<\/ul>\r\n
Watch what you say in online groups<\/h4>\r\n
Don’t say anything you’d regret on in a “private” Slack group, Facebook page, WhatsApp group chat or Telegram channel because:<\/p>\r\n
\r\n- Any one member can leak all of the data.<\/li>\r\n
- Administrators usually have access to everything within the group, including that private direct message between two people, and sometimes even deleted messages.<\/li>\r\n
- Even if you’re not using your real name or photo, what you say can often be traced back to your phone number or email (that is linked to the account).\r\n
\r\n- To prevent this in Telegram, go into
Settings \u2192 Privacy and Security \u2192 Phone Number<\/code>, and then set:\r\n\r\nWho can see my phone number<\/code> to Nobody<\/code>.<\/li>\r\nWho can find me by my number<\/code> to My Contacts<\/code>.<\/li>\r\n<\/ul>\r\n<\/li>\r\n<\/ul>\r\n<\/li>\r\n<\/ul>\r\nOther<\/h4>\r\n\r\n- When you download new mobile apps, double check to make sure it’s the right one \u2014 there are a lot of fake apps that try to trick people by using a slightly modified name or icon of an existing, popular app.<\/li>\r\n
- Check what apps you have installed on your phone once in a while, and delete the ones you’re not using anymore.<\/li>\r\n
- If you ever need to send someone a password, split it in half and send via two different channels (e.g. email + voice call).<\/li>\r\n
- Put a sticker (or webcam cover) over your laptop’s front-facing camera.<\/li>\r\n
- Don’t use Google\/Twitter\/Facebook to sign up\/login to other services \u2013 each service should have its own account.<\/li>\r\n<\/ul>\r\n
\r\n Congratulations! You’re now reasonably
secure, which is more than most :)
Take the rest of the day off, and
come back tomorrow for Level 3.<\/strong><\/p>\r\n Level 3 recommendations<\/h2>\r\n To do<\/h3>\r\nLock up sensitive files<\/h4>\r\n\r\n- Identify files that you don’t want others to access (e.g. private photos, passport documents).<\/li>\r\n
- Use Cryptomator<\/a> or Veracrypt<\/a> to create an encrypted, password-protected vault for them.<\/li>\r\n
- Set them up on both your computer and your phone.<\/li>\r\n
- Move your files into these secure vaults. Make sure they’re not still hanging around on an old folder or on your phone.<\/li>\r\n<\/ul>\r\n
Upgrade your gear<\/h4>\r\n\r\n- Use a paid VPN service when on public networks (e.g. cafe wifi) and even at home if you don’t want your service provider to know where you’re going. Free VPN services are bad because operators don’t have enough incentive to protect you\/your data. See recommendations from Wirecutter<\/a> and Freedom of the Press<\/a>.<\/li>\r\n
- Buy a privacy screen (prevents onlookers from seeing your screen, see this 3M example<\/a>) for your laptop and phone.<\/li>\r\n<\/ul>\r\n
Revisit old passwords<\/h4>\r\n\r\n- Store all of your online service passwords in a password manager. (If you have the right browser add-on\/plugin installed, it will capture all the relevant details during a login process.)<\/li>\r\n
- Using your password manager’s analysis feature, see which accounts\/services have weak passwords and update the ones that might have any personal information about you or that you would really hate to lose.<\/li>\r\n<\/ul>\r\n
?? Habits to cultivate<\/h3>\r\n\r\n- Start using Signal<\/a>, an end-to-end encrypted mobile messaging app that’s generally agreed to be safe\/secure\/robust. (Beyond Signal, there is little consensus on what’s secure and people tend to get very emotional about their choice of mobile messaging apps.)<\/li>\r\n
- When making voice or video calls, use an end-to-end encrypted app (e.g. Signal, Jitsi, Wire).<\/li>\r\n
- Buy a harder-to-hack mobile phone . Typically, this is an iPhone or Android phone that implements a “pure” Google version of Android.<\/li>\r\n<\/ul>\r\n
\r\n Wow, you completed all three levels!
Well done! Now quickly look below
to see if any apply to you.<\/strong><\/p>\r\n Scenario-based recommendations<\/h2>\r\n??\u200d? Hosting a public event on a video calling platform (e.g. Zoom)<\/h3>\r\n\r\n- Set a password to enter the meeting to prevent random people from wandering in via a meeting ID generator. Consider setting up an RSVP system so that you don’t have to give out the meeting link and password publicly.<\/li>\r\n
- Familiarize yourself with the platform’s settings and minimize the amount of control (e.g. screen sharing) that non-hosts have. (E.g. settings on Zoom<\/a>)<\/li>\r\n
- Create a plan of action for what you would do if a malicious troll gains access to your call.<\/li>\r\n
- Don’t say what you wouldn’t say in a public forum. Encourage your attendees to do the same. Most commercial platforms have access to your audio\/video data and are mining your metadata to create consumer profiles.<\/li>\r\n<\/ul>\r\n
Crossing an international border<\/h3>\r\n\r\n- Turn off your devices because:\r\n
\r\n- Storage\/hard drives are only encrypted when they’re off, not<\/strong> when they’re just in sleep mode<\/li>\r\n
- This will also ensure that your mobile devices require a pin when they are turned on, which is protected by freedom of speech laws in some jurisdictions.<\/li>\r\n<\/ul>\r\n<\/li>\r\n
- Store less information on your devices \u2013 in case they’re seized, what you don’t have they can’t take.<\/li>\r\n
- Be mindful of what stickers you put on your devices \u2013 a border agent could mistake them for something suspicious.<\/li>\r\n
- Notify your people about your flight number and arrival time. Check in with one of them at regular points in your journey. Have them contact a lawyer\/relevant organization if you do not show up.<\/li>\r\n
- For extreme situations (some of these practices might raise suspicions and backfire):\r\n
\r\n- Set up alternate photo albums, email addresses and social media accounts full of harmless content.<\/li>\r\n
- “Forget” half of your password: Password lock your device\/account so that only a trusted friend has the second half of the password.<\/li>\r\n
- Log out of all important accounts (or simply leave your devices at home).<\/li>\r\n<\/ul>\r\n<\/li>\r\n
- For more information, see Wired’s Guide to Getting Past Customs With Your Digital Privacy Intact<\/a> and BoingBoing’s addendum<\/a> about filing for attorney privileges at the US border.<\/li>\r\n<\/ul>\r\n
Last updated<\/h3>\r\n\r\n- 20 January 2021<\/li>\r\n<\/ul>\r\n
Theory & science<\/h2>\r\n Threat modeling<\/h3>\r\n\r\n- What kind of danger are you in? E.g. credit card hack, corporate espionage, online harassment\/doxxing.<\/li>\r\n
- What kind of assets are you protecting? E.g. confidential documents, private photos.<\/li>\r\n
- We’re all in a little bit of danger (otherwise we wouldn’t bother putting a password on our computer or phone) but it’s important to think about what’s at stake before dismissing concerns or becoming paranoid.<\/li>\r\n<\/ul>\r\n
Weakest link<\/h3>\r\n\r\n- Remember the weakest link is all that matters! E.g. if password recovery is linked to email, then hackers only need to get access to your email.<\/li>\r\n<\/ul>\r\n
Encryption levels<\/h3>\r\n\r\n- No encryption: Any third party who intercepts the data can read it as-is.<\/li>\r\n
- Regular encryption: Data is encrypted so that third parties cannot read them. But the platform (e.g. Google or Facebook) still has access, and may hand the data over to law enforcement if they are required to do so by the courts.<\/li>\r\n
- End-to-end encryption: the data can only be read by the original sender and receiver. This means not even the platform has access. So if the courts call, the service provider can’t hand over the messages because they don’t have them either.<\/li>\r\n<\/ol>\r\n
Metadata<\/h3>\r\n\r\n- Data about your data \u2013 e.g. what number you called, and for how long (but not the contents of the call). With enough metadata, hackers can piece together a pretty good picture of who you are, who you know, where you’re going, etc. Plus legal protections around metadata are generally weaker.<\/li>\r\n<\/ul>\r\n
\r\n\u00a0<\/h2>\r\n Level 1 recommendations<\/h2>\r\n Things to do now<\/h3>\r\nStrengthen passwords<\/h4>\r\n\r\n- Any password less than 10 characters is bad, but it’s also okay-to-string-together-non-sequitur-words.<\/li>\r\n
- Double check the security questions for your key online services (email, bank, Facebook, etc.) and make sure that they’re not easy to answer by friends or by anyone looking you up on Google.<\/li>\r\n
- Start using a different password for every service, because password leaks happen all the time. To make this easy, use a password manager (see Wirecutter’s picks here<\/a>) to store\/autofill\/generate them. For now, make sure you use a unique password for essential services (email, social media, banking, cloud storage).<\/li>\r\n
- Use a non-common\/obvious unlock code for your phone with at least 9 digits.<\/li>\r\n<\/ul>\r\n
Double lock important accounts<\/h4>\r\n
Use two-factor authentication (also known as 2FA and two-step verification) to add an extra lock on top of a typed password. Usually this takes the form of a short code that’s sent to your phone via a specialized app or SMS.<\/p>\r\n
\r\n- Download an authenticator app like Authy<\/a> or Duo Mobile<\/a>. Apps are far more secure than SMS so use one if it’s available.<\/li>\r\n
- Turn on 2FA on your:\r\n
\r\n- Email service. See instructions for Gmail<\/a>, Protonmail<\/a>, or find instructions for your email provider here<\/a>.<\/li>\r\n
- Frequently used social media accounts. See instructions for Twitter<\/a>, Facebook<\/a>, Instagram<\/a>, and other services<\/a>.<\/li>\r\n
- Consider turning on 2FA on any other online accounts where losing access would be catastrophic. Look up instructions on Two Factor Auth<\/a>.<\/li>\r\n<\/ul>\r\n<\/li>\r\n
- Turn on cloud backup for your authenticator app in case you ever lose your phone. See instructions for Authy<\/a> and Duo Mobile<\/a>.<\/li>\r\n<\/ul>\r\n
Email<\/h4>\r\n\r\n- If you’re on a webmail service, check that you’re logging into it using an
https:\/\/<\/code> URL. And if there isn’t one, find a new email provider.<\/li>\r\n- After turning on two-factor authentication, see if your email service supports backup codes (a single-use code in case you lose your phone). See Gmail instructions<\/a>.<\/li>\r\n<\/ul>\r\n
Encrypt your devices<\/h4>\r\n\r\n- Encrypt your computer hard drive:\r\n
\r\n- Mac: See Apple’s instructions<\/a>.<\/li>\r\n
- Windows: See Microsoft’s instructions<\/a> (we recommend BitLocker if it’s available)<\/li>\r\n<\/ul>\r\n<\/li>\r\n
- Encrypt your phone storage:\r\n
\r\n- iOS: Automatically encrypt.<\/li>\r\n
- Android: Recent versions automatically encrypt. Double check by going to
Settings \u2192 Security \u2192 Encryption<\/code>.<\/li>\r\n<\/ul>\r\n<\/li>\r\n- Secure your backups too!\r\n
\r\n- Encrypt your backup hard drives:\r\n
\r\n- Mac: If you use Time Machine, see Apple’s instructions here<\/a>.<\/li>\r\n
- Windows: See instructions here<\/a>.<\/li>\r\n<\/ul>\r\n<\/li>\r\n
- Pick an online backup storage solution that offers end-to-end encryption (which neither iCloud or Google Drive support) like Tresorit<\/a> or Spideroak One<\/a>.<\/li>\r\n<\/ul>\r\n<\/li>\r\n
- N.B. Remember encryption is only fully effective when the device is off!<\/li>\r\n<\/ul>\r\n
Other<\/h4>\r\n\r\n- Setup up a pin code for your mobile phone SIM card:\r\n
\r\n- See iPhone instructions<\/a>.<\/li>\r\n
- See Android instructions<\/a>.<\/li>\r\n
- Search your phone provider’s website to find out what their default password is (it varies from carrier to carrier).<\/li>\r\n<\/ul>\r\n<\/li>\r\n
- Turn on the firewall on your computer:\r\n
\r\n- Mac:
System Preferences \u2192 Security & Privacy \u2192 Firewall<\/code>.<\/li>\r\n- Windows:
Control Panel \u2192 System and Security \u2192 Windows Firewall<\/code>.<\/li>\r\n<\/ul>\r\n<\/li>\r\n- Turn off remote access on your computer:\r\n
\r\n- Mac:
System Preferences \u2192 Sharing \u2192 Remote Login, Remote Management1<\/code>.<\/li>\r\n- Windows:
Control Panel \u2192 System and Security \u2192 System: Allow remote access \u2192 Don't Allow Remote connections to this computer<\/code>.<\/li>\r\n<\/ul>\r\n<\/li>\r\n- Set up basic anti-virus software on your computer:\r\n
\r\n- Mac: None required. (Read Wirecutter’s explanation<\/a>)<\/li>\r\n
- Windows: Make sure Microsoft Defender Antivirus is on see Microsoft’s instructions here<\/a>) and turn on the extra
ransomware protection<\/code> feature<\/a>.<\/li>\r\n<\/ul>\r\n<\/li>\r\n- Turn off app-specific passwords that bypass two-factor authentication (e.g. instructions for Gmail<\/a>).<\/li>\r\n
- Turn off automatically add(ed) invitations on Google Calendar settings<\/a> (here’s why<\/a>).<\/li>\r\n
- Turn on Login Alerts on Facebook<\/a>.<\/li>\r\n
- Disable macros within Microsoft Office<\/a>.<\/li>\r\n
- iOS: Don’t allow USB accessories to control a locked device. Turn off
Settings \u2192 Face ID & Passcode \u2192 Allow Access When Locked: USB Accessories<\/code>.<\/li>\r\n<\/ul>\r\n?? Habits to cultivate<\/h3>\r\nEmail<\/h4>\r\n\r\n- Be on the lookout for phishing scams: where possible double check the From<\/em> email address and the domains that outbound links go to.<\/li>\r\n
- Don’t open unnecessary email attachments. Where possible, open or preview them first in an online document reader. Ask colleagues to use a filesharing service (Dropbox, Google Drive, Tresorit, SpiderOak), which tend to be a little harder to hack into.<\/li>\r\n
- You can upload a suspicious attachment to VirusTotal<\/a> for a check-up (but keep in mind files submitted to VirusTotal are available to security researchers so don\u2019t submit sensitive information).<\/li>\r\n<\/ul>\r\n
Update all the things<\/h4>\r\n\r\n- When you get a notification to update your operating system (on your mobile or computer), do it as soon as you can.<\/li>\r\n
- Update your apps (on mobile or computer) similarly.<\/li>\r\n
- Check occasionally for firmware updates for your router (and other Internet-connected devices).<\/li>\r\n<\/ul>\r\n
Other<\/h4>\r\n\r\n- Change important passwords (e.g. email, computer login, password manager master) every year or two.<\/li>\r\n
- Wipe your devices properly before donating\/giving away. If you’ve encrypted all of your phones and computers (as suggested above), a normal factory reset will do the job for almost all use cases. If you want an extra layer of security for your computer hard drives, see Wired’s guide on this topic<\/a>.<\/li>\r\n
- Don’t charge your phone at public charging stations\/ports \u2013 they may steal your data. Consider charging your portable battery instead.<\/li>\r\n<\/ul>\r\n
\r\n Great job! You’ve covered the basics. Treat yourself to a cup of tea and a stretch.
Now, ready for the next level?<\/strong><\/p>\r\n\u00a0<\/h2>\r\n Level 2 recommendations<\/h2>\r\n Things to do now<\/h3>\r\nEnhance your privacy<\/h4>\r\n\r\n- Review the privacy settings on social networks you frequent: who can see your content, who can comment on it, and who can see your location.\r\n
\r\n- Limit Facebook tracking by turning off Off-Facebook Activity (follow these EFF’s instructions<\/a>).<\/li>\r\n<\/ul>\r\n<\/li>\r\n
- Review the privacy settings on messaging apps you normally use: read receipts, time stamps for “last seen,” and whether your phone number\/profile picture are public.<\/li>\r\n
- Install these protective web browsers add-ons on your computer (and make sure they’re on even during private\/incognito mode):\r\n
\r\n- An ad blocker (e.g. uBlock Origin<\/a>, Ghostery<\/a>).<\/li>\r\n
- A tracker blocker (Privacy Badger<\/a>).<\/li>\r\n
- HTTPS Everywhere<\/a>.<\/li>\r\n<\/ul>\r\n<\/li>\r\n
- Review which apps on your smartphone have access to your location data. Turn off access if the app doesn’t need it, and minimize the number of apps that track your location all the time.\r\n
\r\n- iOS:
Settings \u2192 Privacy \u2192 Location Services<\/code>.<\/li>\r\n- Android:
Settings \u2192 Apps & notifications \u2192 App permissions<\/code>.<\/li>\r\n<\/ul>\r\n<\/li>\r\n- On your smartphone, delete any third-party keyboards you might have installed ( they often share what you type with the software maker). On both iOS and Android, they are installed as apps so just delete that. If you really need to use a third-party keyboard, make sure that it is an open source project where others have verified that it does not share your data with third parties.<\/li>\r\n
- If you use smart speakers, turn off its recording function:\r\n
\r\n- Google Home: go to Activity Controls<\/a> and uncheck
Include audio recordings<\/code>.<\/li>\r\n- Amazon Alexa: Follow these instructions<\/a>.<\/li>\r\n<\/ul>\r\n<\/li>\r\n<\/ul>\r\n
Set up your home wifi router<\/h4>\r\n\r\n- Login to the administration and settings dashboard (check your router’s instructions but it’s often at
http:\/\/192.168.0.1<\/code>)<\/li>\r\n- If the password to login to this dashboard is really simple, then update it.<\/li>\r\n
- Look through what devices are connected to the network right now (click around until you find the
access control<\/code>) and make sure you know what every device on the list is.<\/li>\r\n- If you see these options, turn them off. Look for them under
advanced settings<\/code> or gateway functions<\/code>:\r\n\r\n- UPnP (universal plug and play)<\/li>\r\n
- WPS (wi-fi protected setup)<\/li>\r\n
- Remote management<\/li>\r\n<\/ul>\r\n<\/li>\r\n<\/ul>\r\n
Other<\/h4>\r\n\r\n- Set up tracking apps for your devices so you can remotely find and wipe your devices from a website if you ever lose them:\r\n
\r\n- iOS & Mac: Instructions for setting up Find My<\/a>.<\/li>\r\n
- Android: Instructions for setting up Find My Device<\/a>.<\/li>\r\n
- Multi-platform (including iOS, Mac, Android if you want everything under one umbrella): Download and install Prey<\/a>.<\/li>\r\n<\/ul>\r\n<\/li>\r\n
- Review the
Third-Party Apps<\/code> or Connected Apps<\/code> on your main email\/social media accounts. These are services that might have access to, say, your Facebook data and even permission to make posts automatically there. (Here are the instructions for checking for them on Facebook and Gmail<\/a>.)<\/li>\r\n- Review the extensions\/add-ons\/plug-ins that have been installed within your computer web browser \u2013 delete any that you haven’t used in a while or don’t remember installing.<\/li>\r\n<\/ul>\r\n
?? Habits to cultivate<\/h3>\r\nEnhance your privacy<\/h4>\r\n\r\n- Post less personal information online \u2013 especially information that can be used to identify\/track\/scam you (addresses, phone numbers, birthday, etc.). Remember almost everything you say online is logged somewhere and that even if your setup is secure, your recipient’s setup may not be.<\/li>\r\n
- If you own domains, use WHOIS privacy services and stick with it (they’re worth the money). But note that with WHOIS lookup\/history tools, if you’ve ever put in your real address, it’s very difficult to remove from the logs.<\/li>\r\n<\/ul>\r\n
Watch what you say in online groups<\/h4>\r\n
Don’t say anything you’d regret on in a “private” Slack group, Facebook page, WhatsApp group chat or Telegram channel because:<\/p>\r\n
\r\n- Any one member can leak all of the data.<\/li>\r\n
- Administrators usually have access to everything within the group, including that private direct message between two people, and sometimes even deleted messages.<\/li>\r\n
- Even if you’re not using your real name or photo, what you say can often be traced back to your phone number or email (that is linked to the account).\r\n
\r\n- To prevent this in Telegram, go into
Settings \u2192 Privacy and Security \u2192 Phone Number<\/code>, and then set:\r\n\r\nWho can see my phone number<\/code> to Nobody<\/code>.<\/li>\r\nWho can find me by my number<\/code> to My Contacts<\/code>.<\/li>\r\n<\/ul>\r\n<\/li>\r\n<\/ul>\r\n<\/li>\r\n<\/ul>\r\nOther<\/h4>\r\n\r\n- When you download new mobile apps, double check to make sure it’s the right one \u2014 there are a lot of fake apps that try to trick people by using a slightly modified name or icon of an existing, popular app.<\/li>\r\n
- Check what apps you have installed on your phone once in a while, and delete the ones you’re not using anymore.<\/li>\r\n
- If you ever need to send someone a password, split it in half and send via two different channels (e.g. email + voice call).<\/li>\r\n
- Put a sticker (or webcam cover) over your laptop’s front-facing camera.<\/li>\r\n
- Don’t use Google\/Twitter\/Facebook to sign up\/login to other services \u2013 each service should have its own account.<\/li>\r\n<\/ul>\r\n
\r\n Congratulations! You’re now reasonably
secure, which is more than most :)
Take the rest of the day off, and
come back tomorrow for Level 3.<\/strong><\/p>\r\n Level 3 recommendations<\/h2>\r\n To do<\/h3>\r\nLock up sensitive files<\/h4>\r\n\r\n- Identify files that you don’t want others to access (e.g. private photos, passport documents).<\/li>\r\n
- Use Cryptomator<\/a> or Veracrypt<\/a> to create an encrypted, password-protected vault for them.<\/li>\r\n
- Set them up on both your computer and your phone.<\/li>\r\n
- Move your files into these secure vaults. Make sure they’re not still hanging around on an old folder or on your phone.<\/li>\r\n<\/ul>\r\n
Upgrade your gear<\/h4>\r\n\r\n- Use a paid VPN service when on public networks (e.g. cafe wifi) and even at home if you don’t want your service provider to know where you’re going. Free VPN services are bad because operators don’t have enough incentive to protect you\/your data. See recommendations from Wirecutter<\/a> and Freedom of the Press<\/a>.<\/li>\r\n
- Buy a privacy screen (prevents onlookers from seeing your screen, see this 3M example<\/a>) for your laptop and phone.<\/li>\r\n<\/ul>\r\n
Revisit old passwords<\/h4>\r\n\r\n- Store all of your online service passwords in a password manager. (If you have the right browser add-on\/plugin installed, it will capture all the relevant details during a login process.)<\/li>\r\n
- Using your password manager’s analysis feature, see which accounts\/services have weak passwords and update the ones that might have any personal information about you or that you would really hate to lose.<\/li>\r\n<\/ul>\r\n
?? Habits to cultivate<\/h3>\r\n\r\n- Start using Signal<\/a>, an end-to-end encrypted mobile messaging app that’s generally agreed to be safe\/secure\/robust. (Beyond Signal, there is little consensus on what’s secure and people tend to get very emotional about their choice of mobile messaging apps.)<\/li>\r\n
- When making voice or video calls, use an end-to-end encrypted app (e.g. Signal, Jitsi, Wire).<\/li>\r\n
- Buy a harder-to-hack mobile phone . Typically, this is an iPhone or Android phone that implements a “pure” Google version of Android.<\/li>\r\n<\/ul>\r\n
\r\n Wow, you completed all three levels!
Well done! Now quickly look below
to see if any apply to you.<\/strong><\/p>\r\n Scenario-based recommendations<\/h2>\r\n??\u200d? Hosting a public event on a video calling platform (e.g. Zoom)<\/h3>\r\n\r\n- Set a password to enter the meeting to prevent random people from wandering in via a meeting ID generator. Consider setting up an RSVP system so that you don’t have to give out the meeting link and password publicly.<\/li>\r\n
- Familiarize yourself with the platform’s settings and minimize the amount of control (e.g. screen sharing) that non-hosts have. (E.g. settings on Zoom<\/a>)<\/li>\r\n
- Create a plan of action for what you would do if a malicious troll gains access to your call.<\/li>\r\n
- Don’t say what you wouldn’t say in a public forum. Encourage your attendees to do the same. Most commercial platforms have access to your audio\/video data and are mining your metadata to create consumer profiles.<\/li>\r\n<\/ul>\r\n
Crossing an international border<\/h3>\r\n\r\n- Turn off your devices because:\r\n
\r\n- Storage\/hard drives are only encrypted when they’re off, not<\/strong> when they’re just in sleep mode<\/li>\r\n
- This will also ensure that your mobile devices require a pin when they are turned on, which is protected by freedom of speech laws in some jurisdictions.<\/li>\r\n<\/ul>\r\n<\/li>\r\n
- Store less information on your devices \u2013 in case they’re seized, what you don’t have they can’t take.<\/li>\r\n
- Be mindful of what stickers you put on your devices \u2013 a border agent could mistake them for something suspicious.<\/li>\r\n
- Notify your people about your flight number and arrival time. Check in with one of them at regular points in your journey. Have them contact a lawyer\/relevant organization if you do not show up.<\/li>\r\n
- For extreme situations (some of these practices might raise suspicions and backfire):\r\n
\r\n- Set up alternate photo albums, email addresses and social media accounts full of harmless content.<\/li>\r\n
- “Forget” half of your password: Password lock your device\/account so that only a trusted friend has the second half of the password.<\/li>\r\n
- Log out of all important accounts (or simply leave your devices at home).<\/li>\r\n<\/ul>\r\n<\/li>\r\n
- For more information, see Wired’s Guide to Getting Past Customs With Your Digital Privacy Intact<\/a> and BoingBoing’s addendum<\/a> about filing for attorney privileges at the US border.<\/li>\r\n<\/ul>\r\n
Theory & science<\/h2>\r\n Threat modeling<\/h3>\r\n\r\n- What kind of danger are you in? E.g. credit card hack, corporate espionage, online harassment\/doxxing.<\/li>\r\n
- What kind of assets are you protecting? E.g. confidential documents, private photos.<\/li>\r\n
- We’re all in a little bit of danger (otherwise we wouldn’t bother putting a password on our computer or phone) but it’s important to think about what’s at stake before dismissing concerns or becoming paranoid.<\/li>\r\n<\/ul>\r\n
Weakest link<\/h3>\r\n\r\n- Remember the weakest link is all that matters! E.g. if password recovery is linked to email, then hackers only need to get access to your email.<\/li>\r\n<\/ul>\r\n
Encryption levels<\/h3>\r\n\r\n- No encryption: Any third party who intercepts the data can read it as-is.<\/li>\r\n
- Regular encryption: Data is encrypted so that third parties cannot read them. But the platform (e.g. Google or Facebook) still has access, and may hand the data over to law enforcement if they are required to do so by the courts.<\/li>\r\n
- End-to-end encryption: the data can only be read by the original sender and receiver. This means not even the platform has access. So if the courts call, the service provider can’t hand over the messages because they don’t have them either.<\/li>\r\n<\/ol>\r\n
Metadata<\/h3>\r\n\r\n- Data about your data \u2013 e.g. what number you called, and for how long (but not the contents of the call). With enough metadata, hackers can piece together a pretty good picture of who you are, who you know, where you’re going, etc. Plus legal protections around metadata are generally weaker.<\/li>\r\n<\/ul>\r\n
\r\n\u00a0<\/h2>\r\n Level 1 recommendations<\/h2>\r\n Things to do now<\/h3>\r\nStrengthen passwords<\/h4>\r\n\r\n- Any password less than 10 characters is bad, but it’s also okay-to-string-together-non-sequitur-words.<\/li>\r\n
- Double check the security questions for your key online services (email, bank, Facebook, etc.) and make sure that they’re not easy to answer by friends or by anyone looking you up on Google.<\/li>\r\n
- Start using a different password for every service, because password leaks happen all the time. To make this easy, use a password manager (see Wirecutter’s picks here<\/a>) to store\/autofill\/generate them. For now, make sure you use a unique password for essential services (email, social media, banking, cloud storage).<\/li>\r\n
- Use a non-common\/obvious unlock code for your phone with at least 9 digits.<\/li>\r\n<\/ul>\r\n
Double lock important accounts<\/h4>\r\n
Use two-factor authentication (also known as 2FA and two-step verification) to add an extra lock on top of a typed password. Usually this takes the form of a short code that’s sent to your phone via a specialized app or SMS.<\/p>\r\n
\r\n- Download an authenticator app like Authy<\/a> or Duo Mobile<\/a>. Apps are far more secure than SMS so use one if it’s available.<\/li>\r\n
- Turn on 2FA on your:\r\n
\r\n- Email service. See instructions for Gmail<\/a>, Protonmail<\/a>, or find instructions for your email provider here<\/a>.<\/li>\r\n
- Frequently used social media accounts. See instructions for Twitter<\/a>, Facebook<\/a>, Instagram<\/a>, and other services<\/a>.<\/li>\r\n
- Consider turning on 2FA on any other online accounts where losing access would be catastrophic. Look up instructions on Two Factor Auth<\/a>.<\/li>\r\n<\/ul>\r\n<\/li>\r\n
- Turn on cloud backup for your authenticator app in case you ever lose your phone. See instructions for Authy<\/a> and Duo Mobile<\/a>.<\/li>\r\n<\/ul>\r\n
Email<\/h4>\r\n\r\n- If you’re on a webmail service, check that you’re logging into it using an
https:\/\/<\/code> URL. And if there isn’t one, find a new email provider.<\/li>\r\n- After turning on two-factor authentication, see if your email service supports backup codes (a single-use code in case you lose your phone). See Gmail instructions<\/a>.<\/li>\r\n<\/ul>\r\n
Encrypt your devices<\/h4>\r\n\r\n- Encrypt your computer hard drive:\r\n
\r\n- Mac: See Apple’s instructions<\/a>.<\/li>\r\n
- Windows: See Microsoft’s instructions<\/a> (we recommend BitLocker if it’s available)<\/li>\r\n<\/ul>\r\n<\/li>\r\n
- Encrypt your phone storage:\r\n
\r\n- iOS: Automatically encrypt.<\/li>\r\n
- Android: Recent versions automatically encrypt. Double check by going to
Settings \u2192 Security \u2192 Encryption<\/code>.<\/li>\r\n<\/ul>\r\n<\/li>\r\n- Secure your backups too!\r\n
\r\n- Encrypt your backup hard drives:\r\n
\r\n- Mac: If you use Time Machine, see Apple’s instructions here<\/a>.<\/li>\r\n
- Windows: See instructions here<\/a>.<\/li>\r\n<\/ul>\r\n<\/li>\r\n
- Pick an online backup storage solution that offers end-to-end encryption (which neither iCloud or Google Drive support) like Tresorit<\/a> or Spideroak One<\/a>.<\/li>\r\n<\/ul>\r\n<\/li>\r\n
- N.B. Remember encryption is only fully effective when the device is off!<\/li>\r\n<\/ul>\r\n
Other<\/h4>\r\n\r\n- Setup up a pin code for your mobile phone SIM card:\r\n
\r\n- See iPhone instructions<\/a>.<\/li>\r\n
- See Android instructions<\/a>.<\/li>\r\n
- Search your phone provider’s website to find out what their default password is (it varies from carrier to carrier).<\/li>\r\n<\/ul>\r\n<\/li>\r\n
- Turn on the firewall on your computer:\r\n
\r\n- Mac:
System Preferences \u2192 Security & Privacy \u2192 Firewall<\/code>.<\/li>\r\n- Windows:
Control Panel \u2192 System and Security \u2192 Windows Firewall<\/code>.<\/li>\r\n<\/ul>\r\n<\/li>\r\n- Turn off remote access on your computer:\r\n
\r\n- Mac:
System Preferences \u2192 Sharing \u2192 Remote Login, Remote Management1<\/code>.<\/li>\r\n- Windows:
Control Panel \u2192 System and Security \u2192 System: Allow remote access \u2192 Don't Allow Remote connections to this computer<\/code>.<\/li>\r\n<\/ul>\r\n<\/li>\r\n- Set up basic anti-virus software on your computer:\r\n
\r\n- Mac: None required. (Read Wirecutter’s explanation<\/a>)<\/li>\r\n
- Windows: Make sure Microsoft Defender Antivirus is on see Microsoft’s instructions here<\/a>) and turn on the extra
ransomware protection<\/code> feature<\/a>.<\/li>\r\n<\/ul>\r\n<\/li>\r\n- Turn off app-specific passwords that bypass two-factor authentication (e.g. instructions for Gmail<\/a>).<\/li>\r\n
- Turn off automatically add(ed) invitations on Google Calendar settings<\/a> (here’s why<\/a>).<\/li>\r\n
- Turn on Login Alerts on Facebook<\/a>.<\/li>\r\n
- Disable macros within Microsoft Office<\/a>.<\/li>\r\n
- iOS: Don’t allow USB accessories to control a locked device. Turn off
Settings \u2192 Face ID & Passcode \u2192 Allow Access When Locked: USB Accessories<\/code>.<\/li>\r\n<\/ul>\r\n?? Habits to cultivate<\/h3>\r\nEmail<\/h4>\r\n\r\n- Be on the lookout for phishing scams: where possible double check the From<\/em> email address and the domains that outbound links go to.<\/li>\r\n
- Don’t open unnecessary email attachments. Where possible, open or preview them first in an online document reader. Ask colleagues to use a filesharing service (Dropbox, Google Drive, Tresorit, SpiderOak), which tend to be a little harder to hack into.<\/li>\r\n
- You can upload a suspicious attachment to VirusTotal<\/a> for a check-up (but keep in mind files submitted to VirusTotal are available to security researchers so don\u2019t submit sensitive information).<\/li>\r\n<\/ul>\r\n
Update all the things<\/h4>\r\n\r\n- When you get a notification to update your operating system (on your mobile or computer), do it as soon as you can.<\/li>\r\n
- Update your apps (on mobile or computer) similarly.<\/li>\r\n
- Check occasionally for firmware updates for your router (and other Internet-connected devices).<\/li>\r\n<\/ul>\r\n
Other<\/h4>\r\n\r\n- Change important passwords (e.g. email, computer login, password manager master) every year or two.<\/li>\r\n
- Wipe your devices properly before donating\/giving away. If you’ve encrypted all of your phones and computers (as suggested above), a normal factory reset will do the job for almost all use cases. If you want an extra layer of security for your computer hard drives, see Wired’s guide on this topic<\/a>.<\/li>\r\n
- Don’t charge your phone at public charging stations\/ports \u2013 they may steal your data. Consider charging your portable battery instead.<\/li>\r\n<\/ul>\r\n
\r\n Great job! You’ve covered the basics. Treat yourself to a cup of tea and a stretch.
Now, ready for the next level?<\/strong><\/p>\r\n\u00a0<\/h2>\r\n Level 2 recommendations<\/h2>\r\n Things to do now<\/h3>\r\nEnhance your privacy<\/h4>\r\n\r\n- Review the privacy settings on social networks you frequent: who can see your content, who can comment on it, and who can see your location.\r\n
\r\n- Limit Facebook tracking by turning off Off-Facebook Activity (follow these EFF’s instructions<\/a>).<\/li>\r\n<\/ul>\r\n<\/li>\r\n
- Review the privacy settings on messaging apps you normally use: read receipts, time stamps for “last seen,” and whether your phone number\/profile picture are public.<\/li>\r\n
- Install these protective web browsers add-ons on your computer (and make sure they’re on even during private\/incognito mode):\r\n
\r\n- An ad blocker (e.g. uBlock Origin<\/a>, Ghostery<\/a>).<\/li>\r\n
- A tracker blocker (Privacy Badger<\/a>).<\/li>\r\n
- HTTPS Everywhere<\/a>.<\/li>\r\n<\/ul>\r\n<\/li>\r\n
- Review which apps on your smartphone have access to your location data. Turn off access if the app doesn’t need it, and minimize the number of apps that track your location all the time.\r\n
\r\n- iOS:
Settings \u2192 Privacy \u2192 Location Services<\/code>.<\/li>\r\n- Android:
Settings \u2192 Apps & notifications \u2192 App permissions<\/code>.<\/li>\r\n<\/ul>\r\n<\/li>\r\n- On your smartphone, delete any third-party keyboards you might have installed ( they often share what you type with the software maker). On both iOS and Android, they are installed as apps so just delete that. If you really need to use a third-party keyboard, make sure that it is an open source project where others have verified that it does not share your data with third parties.<\/li>\r\n
- If you use smart speakers, turn off its recording function:\r\n
\r\n- Google Home: go to Activity Controls<\/a> and uncheck
Include audio recordings<\/code>.<\/li>\r\n- Amazon Alexa: Follow these instructions<\/a>.<\/li>\r\n<\/ul>\r\n<\/li>\r\n<\/ul>\r\n
Set up your home wifi router<\/h4>\r\n\r\n- Login to the administration and settings dashboard (check your router’s instructions but it’s often at
http:\/\/192.168.0.1<\/code>)<\/li>\r\n- If the password to login to this dashboard is really simple, then update it.<\/li>\r\n
- Look through what devices are connected to the network right now (click around until you find the
access control<\/code>) and make sure you know what every device on the list is.<\/li>\r\n- If you see these options, turn them off. Look for them under
advanced settings<\/code> or gateway functions<\/code>:\r\n\r\n- UPnP (universal plug and play)<\/li>\r\n
- WPS (wi-fi protected setup)<\/li>\r\n
- Remote management<\/li>\r\n<\/ul>\r\n<\/li>\r\n<\/ul>\r\n
Other<\/h4>\r\n\r\n- Set up tracking apps for your devices so you can remotely find and wipe your devices from a website if you ever lose them:\r\n
\r\n- iOS & Mac: Instructions for setting up Find My<\/a>.<\/li>\r\n
- Android: Instructions for setting up Find My Device<\/a>.<\/li>\r\n
- Multi-platform (including iOS, Mac, Android if you want everything under one umbrella): Download and install Prey<\/a>.<\/li>\r\n<\/ul>\r\n<\/li>\r\n
- Review the
Third-Party Apps<\/code> or Connected Apps<\/code> on your main email\/social media accounts. These are services that might have access to, say, your Facebook data and even permission to make posts automatically there. (Here are the instructions for checking for them on Facebook and Gmail<\/a>.)<\/li>\r\n- Review the extensions\/add-ons\/plug-ins that have been installed within your computer web browser \u2013 delete any that you haven’t used in a while or don’t remember installing.<\/li>\r\n<\/ul>\r\n
?? Habits to cultivate<\/h3>\r\nEnhance your privacy<\/h4>\r\n\r\n- Post less personal information online \u2013 especially information that can be used to identify\/track\/scam you (addresses, phone numbers, birthday, etc.). Remember almost everything you say online is logged somewhere and that even if your setup is secure, your recipient’s setup may not be.<\/li>\r\n
- If you own domains, use WHOIS privacy services and stick with it (they’re worth the money). But note that with WHOIS lookup\/history tools, if you’ve ever put in your real address, it’s very difficult to remove from the logs.<\/li>\r\n<\/ul>\r\n
Watch what you say in online groups<\/h4>\r\n
Don’t say anything you’d regret on in a “private” Slack group, Facebook page, WhatsApp group chat or Telegram channel because:<\/p>\r\n
\r\n- Any one member can leak all of the data.<\/li>\r\n
- Administrators usually have access to everything within the group, including that private direct message between two people, and sometimes even deleted messages.<\/li>\r\n
- Even if you’re not using your real name or photo, what you say can often be traced back to your phone number or email (that is linked to the account).\r\n
\r\n- To prevent this in Telegram, go into
Settings \u2192 Privacy and Security \u2192 Phone Number<\/code>, and then set:\r\n\r\nWho can see my phone number<\/code> to Nobody<\/code>.<\/li>\r\nWho can find me by my number<\/code> to My Contacts<\/code>.<\/li>\r\n<\/ul>\r\n<\/li>\r\n<\/ul>\r\n<\/li>\r\n<\/ul>\r\nOther<\/h4>\r\n\r\n- When you download new mobile apps, double check to make sure it’s the right one \u2014 there are a lot of fake apps that try to trick people by using a slightly modified name or icon of an existing, popular app.<\/li>\r\n
- Check what apps you have installed on your phone once in a while, and delete the ones you’re not using anymore.<\/li>\r\n
- If you ever need to send someone a password, split it in half and send via two different channels (e.g. email + voice call).<\/li>\r\n
- Put a sticker (or webcam cover) over your laptop’s front-facing camera.<\/li>\r\n
- Don’t use Google\/Twitter\/Facebook to sign up\/login to other services \u2013 each service should have its own account.<\/li>\r\n<\/ul>\r\n
\r\n Congratulations! You’re now reasonably
secure, which is more than most :)
Take the rest of the day off, and
come back tomorrow for Level 3.<\/strong><\/p>\r\n Level 3 recommendations<\/h2>\r\n To do<\/h3>\r\nLock up sensitive files<\/h4>\r\n\r\n- Identify files that you don’t want others to access (e.g. private photos, passport documents).<\/li>\r\n
- Use Cryptomator<\/a> or Veracrypt<\/a> to create an encrypted, password-protected vault for them.<\/li>\r\n
- Set them up on both your computer and your phone.<\/li>\r\n
- Move your files into these secure vaults. Make sure they’re not still hanging around on an old folder or on your phone.<\/li>\r\n<\/ul>\r\n
Upgrade your gear<\/h4>\r\n\r\n- Use a paid VPN service when on public networks (e.g. cafe wifi) and even at home if you don’t want your service provider to know where you’re going. Free VPN services are bad because operators don’t have enough incentive to protect you\/your data. See recommendations from Wirecutter<\/a> and Freedom of the Press<\/a>.<\/li>\r\n
- Buy a privacy screen (prevents onlookers from seeing your screen, see this 3M example<\/a>) for your laptop and phone.<\/li>\r\n<\/ul>\r\n
Revisit old passwords<\/h4>\r\n\r\n- Store all of your online service passwords in a password manager. (If you have the right browser add-on\/plugin installed, it will capture all the relevant details during a login process.)<\/li>\r\n
- Using your password manager’s analysis feature, see which accounts\/services have weak passwords and update the ones that might have any personal information about you or that you would really hate to lose.<\/li>\r\n<\/ul>\r\n
?? Habits to cultivate<\/h3>\r\n\r\n- Start using Signal<\/a>, an end-to-end encrypted mobile messaging app that’s generally agreed to be safe\/secure\/robust. (Beyond Signal, there is little consensus on what’s secure and people tend to get very emotional about their choice of mobile messaging apps.)<\/li>\r\n
- When making voice or video calls, use an end-to-end encrypted app (e.g. Signal, Jitsi, Wire).<\/li>\r\n
- Buy a harder-to-hack mobile phone . Typically, this is an iPhone or Android phone that implements a “pure” Google version of Android.<\/li>\r\n<\/ul>\r\n
\r\n Wow, you completed all three levels!
Well done! Now quickly look below
to see if any apply to you.<\/strong><\/p>\r\n Scenario-based recommendations<\/h2>\r\n??\u200d? Hosting a public event on a video calling platform (e.g. Zoom)<\/h3>\r\n\r\n- Set a password to enter the meeting to prevent random people from wandering in via a meeting ID generator. Consider setting up an RSVP system so that you don’t have to give out the meeting link and password publicly.<\/li>\r\n
- Familiarize yourself with the platform’s settings and minimize the amount of control (e.g. screen sharing) that non-hosts have. (E.g. settings on Zoom<\/a>)<\/li>\r\n
- Create a plan of action for what you would do if a malicious troll gains access to your call.<\/li>\r\n
- Don’t say what you wouldn’t say in a public forum. Encourage your attendees to do the same. Most commercial platforms have access to your audio\/video data and are mining your metadata to create consumer profiles.<\/li>\r\n<\/ul>\r\n
Crossing an international border<\/h3>\r\n\r\n- Turn off your devices because:\r\n
\r\n- Storage\/hard drives are only encrypted when they’re off, not<\/strong> when they’re just in sleep mode<\/li>\r\n
- This will also ensure that your mobile devices require a pin when they are turned on, which is protected by freedom of speech laws in some jurisdictions.<\/li>\r\n<\/ul>\r\n<\/li>\r\n
- Store less information on your devices \u2013 in case they’re seized, what you don’t have they can’t take.<\/li>\r\n
- Be mindful of what stickers you put on your devices \u2013 a border agent could mistake them for something suspicious.<\/li>\r\n
- Notify your people about your flight number and arrival time. Check in with one of them at regular points in your journey. Have them contact a lawyer\/relevant organization if you do not show up.<\/li>\r\n
- For extreme situations (some of these practices might raise suspicions and backfire):\r\n
\r\n- Set up alternate photo albums, email addresses and social media accounts full of harmless content.<\/li>\r\n
- “Forget” half of your password: Password lock your device\/account so that only a trusted friend has the second half of the password.<\/li>\r\n
- Log out of all important accounts (or simply leave your devices at home).<\/li>\r\n<\/ul>\r\n<\/li>\r\n
- For more information, see Wired’s Guide to Getting Past Customs With Your Digital Privacy Intact<\/a> and BoingBoing’s addendum<\/a> about filing for attorney privileges at the US border.<\/li>\r\n<\/ul>\r\n
Threat modeling<\/h3>\r\n- \r\n
- What kind of danger are you in? E.g. credit card hack, corporate espionage, online harassment\/doxxing.<\/li>\r\n
- What kind of assets are you protecting? E.g. confidential documents, private photos.<\/li>\r\n
- We’re all in a little bit of danger (otherwise we wouldn’t bother putting a password on our computer or phone) but it’s important to think about what’s at stake before dismissing concerns or becoming paranoid.<\/li>\r\n<\/ul>\r\n Weakest link<\/h3>\r\n
- \r\n
- Remember the weakest link is all that matters! E.g. if password recovery is linked to email, then hackers only need to get access to your email.<\/li>\r\n<\/ul>\r\n Encryption levels<\/h3>\r\n
- \r\n
- No encryption: Any third party who intercepts the data can read it as-is.<\/li>\r\n
- Regular encryption: Data is encrypted so that third parties cannot read them. But the platform (e.g. Google or Facebook) still has access, and may hand the data over to law enforcement if they are required to do so by the courts.<\/li>\r\n
- End-to-end encryption: the data can only be read by the original sender and receiver. This means not even the platform has access. So if the courts call, the service provider can’t hand over the messages because they don’t have them either.<\/li>\r\n<\/ol>\r\n Metadata<\/h3>\r\n
- \r\n
- Data about your data \u2013 e.g. what number you called, and for how long (but not the contents of the call). With enough metadata, hackers can piece together a pretty good picture of who you are, who you know, where you’re going, etc. Plus legal protections around metadata are generally weaker.<\/li>\r\n<\/ul>\r\n
\r\n\u00a0<\/h2>\r\n
Level 1 recommendations<\/h2>\r\n Things to do now<\/h3>\r\nStrengthen passwords<\/h4>\r\n
- \r\n
- Any password less than 10 characters is bad, but it’s also okay-to-string-together-non-sequitur-words.<\/li>\r\n
- Double check the security questions for your key online services (email, bank, Facebook, etc.) and make sure that they’re not easy to answer by friends or by anyone looking you up on Google.<\/li>\r\n
- Start using a different password for every service, because password leaks happen all the time. To make this easy, use a password manager (see Wirecutter’s picks here<\/a>) to store\/autofill\/generate them. For now, make sure you use a unique password for essential services (email, social media, banking, cloud storage).<\/li>\r\n
- Use a non-common\/obvious unlock code for your phone with at least 9 digits.<\/li>\r\n<\/ul>\r\n
Double lock important accounts<\/h4>\r\n
Use two-factor authentication (also known as 2FA and two-step verification) to add an extra lock on top of a typed password. Usually this takes the form of a short code that’s sent to your phone via a specialized app or SMS.<\/p>\r\n
- \r\n
- Download an authenticator app like Authy<\/a> or Duo Mobile<\/a>. Apps are far more secure than SMS so use one if it’s available.<\/li>\r\n
- Turn on 2FA on your:\r\n
- \r\n
- Email service. See instructions for Gmail<\/a>, Protonmail<\/a>, or find instructions for your email provider here<\/a>.<\/li>\r\n
- Frequently used social media accounts. See instructions for Twitter<\/a>, Facebook<\/a>, Instagram<\/a>, and other services<\/a>.<\/li>\r\n
- Consider turning on 2FA on any other online accounts where losing access would be catastrophic. Look up instructions on Two Factor Auth<\/a>.<\/li>\r\n<\/ul>\r\n<\/li>\r\n
- Turn on cloud backup for your authenticator app in case you ever lose your phone. See instructions for Authy<\/a> and Duo Mobile<\/a>.<\/li>\r\n<\/ul>\r\n
Email<\/h4>\r\n
- \r\n
- If you’re on a webmail service, check that you’re logging into it using an
https:\/\/<\/code> URL. And if there isn’t one, find a new email provider.<\/li>\r\n- After turning on two-factor authentication, see if your email service supports backup codes (a single-use code in case you lose your phone). See Gmail instructions<\/a>.<\/li>\r\n<\/ul>\r\n
Encrypt your devices<\/h4>\r\n
- \r\n
- Encrypt your computer hard drive:\r\n
- \r\n
- Mac: See Apple’s instructions<\/a>.<\/li>\r\n
- Windows: See Microsoft’s instructions<\/a> (we recommend BitLocker if it’s available)<\/li>\r\n<\/ul>\r\n<\/li>\r\n
- Encrypt your phone storage:\r\n
- \r\n
- iOS: Automatically encrypt.<\/li>\r\n
- Android: Recent versions automatically encrypt. Double check by going to
Settings \u2192 Security \u2192 Encryption<\/code>.<\/li>\r\n<\/ul>\r\n<\/li>\r\n- Secure your backups too!\r\n
- \r\n
- Encrypt your backup hard drives:\r\n
- \r\n
- Mac: If you use Time Machine, see Apple’s instructions here<\/a>.<\/li>\r\n
- Windows: See instructions here<\/a>.<\/li>\r\n<\/ul>\r\n<\/li>\r\n
- Pick an online backup storage solution that offers end-to-end encryption (which neither iCloud or Google Drive support) like Tresorit<\/a> or Spideroak One<\/a>.<\/li>\r\n<\/ul>\r\n<\/li>\r\n
- N.B. Remember encryption is only fully effective when the device is off!<\/li>\r\n<\/ul>\r\n
Other<\/h4>\r\n
- \r\n
- Setup up a pin code for your mobile phone SIM card:\r\n
- \r\n
- See iPhone instructions<\/a>.<\/li>\r\n
- See Android instructions<\/a>.<\/li>\r\n
- Search your phone provider’s website to find out what their default password is (it varies from carrier to carrier).<\/li>\r\n<\/ul>\r\n<\/li>\r\n
- Turn on the firewall on your computer:\r\n
- \r\n
- Mac:
System Preferences \u2192 Security & Privacy \u2192 Firewall<\/code>.<\/li>\r\n- Windows:
Control Panel \u2192 System and Security \u2192 Windows Firewall<\/code>.<\/li>\r\n<\/ul>\r\n<\/li>\r\n- Turn off remote access on your computer:\r\n
- \r\n
- Mac:
System Preferences \u2192 Sharing \u2192 Remote Login, Remote Management1<\/code>.<\/li>\r\n- Windows:
Control Panel \u2192 System and Security \u2192 System: Allow remote access \u2192 Don't Allow Remote connections to this computer<\/code>.<\/li>\r\n<\/ul>\r\n<\/li>\r\n- Set up basic anti-virus software on your computer:\r\n
- \r\n
- Mac: None required. (Read Wirecutter’s explanation<\/a>)<\/li>\r\n
- Windows: Make sure Microsoft Defender Antivirus is on see Microsoft’s instructions here<\/a>) and turn on the extra
ransomware protection<\/code> feature<\/a>.<\/li>\r\n<\/ul>\r\n<\/li>\r\n- Turn off app-specific passwords that bypass two-factor authentication (e.g. instructions for Gmail<\/a>).<\/li>\r\n
- Turn off automatically add(ed) invitations on Google Calendar settings<\/a> (here’s why<\/a>).<\/li>\r\n
- Turn on Login Alerts on Facebook<\/a>.<\/li>\r\n
- Disable macros within Microsoft Office<\/a>.<\/li>\r\n
- iOS: Don’t allow USB accessories to control a locked device. Turn off
Settings \u2192 Face ID & Passcode \u2192 Allow Access When Locked: USB Accessories<\/code>.<\/li>\r\n<\/ul>\r\n?? Habits to cultivate<\/h3>\r\n
Email<\/h4>\r\n
- \r\n
- Be on the lookout for phishing scams: where possible double check the From<\/em> email address and the domains that outbound links go to.<\/li>\r\n
- Don’t open unnecessary email attachments. Where possible, open or preview them first in an online document reader. Ask colleagues to use a filesharing service (Dropbox, Google Drive, Tresorit, SpiderOak), which tend to be a little harder to hack into.<\/li>\r\n
- You can upload a suspicious attachment to VirusTotal<\/a> for a check-up (but keep in mind files submitted to VirusTotal are available to security researchers so don\u2019t submit sensitive information).<\/li>\r\n<\/ul>\r\n
Update all the things<\/h4>\r\n
- \r\n
- When you get a notification to update your operating system (on your mobile or computer), do it as soon as you can.<\/li>\r\n
- Update your apps (on mobile or computer) similarly.<\/li>\r\n
- Check occasionally for firmware updates for your router (and other Internet-connected devices).<\/li>\r\n<\/ul>\r\n
Other<\/h4>\r\n
- \r\n
- Change important passwords (e.g. email, computer login, password manager master) every year or two.<\/li>\r\n
- Wipe your devices properly before donating\/giving away. If you’ve encrypted all of your phones and computers (as suggested above), a normal factory reset will do the job for almost all use cases. If you want an extra layer of security for your computer hard drives, see Wired’s guide on this topic<\/a>.<\/li>\r\n
- Don’t charge your phone at public charging stations\/ports \u2013 they may steal your data. Consider charging your portable battery instead.<\/li>\r\n<\/ul>\r\n
\r\n Great job! You’ve covered the basics. Treat yourself to a cup of tea and a stretch. Now, ready for the next level?<\/strong><\/p>\r\n\u00a0<\/h2>\r\n
Level 2 recommendations<\/h2>\r\n Things to do now<\/h3>\r\nEnhance your privacy<\/h4>\r\n
- \r\n
- Review the privacy settings on social networks you frequent: who can see your content, who can comment on it, and who can see your location.\r\n
- \r\n
- Limit Facebook tracking by turning off Off-Facebook Activity (follow these EFF’s instructions<\/a>).<\/li>\r\n<\/ul>\r\n<\/li>\r\n
- Review the privacy settings on messaging apps you normally use: read receipts, time stamps for “last seen,” and whether your phone number\/profile picture are public.<\/li>\r\n
- Install these protective web browsers add-ons on your computer (and make sure they’re on even during private\/incognito mode):\r\n
- \r\n
- An ad blocker (e.g. uBlock Origin<\/a>, Ghostery<\/a>).<\/li>\r\n
- A tracker blocker (Privacy Badger<\/a>).<\/li>\r\n
- HTTPS Everywhere<\/a>.<\/li>\r\n<\/ul>\r\n<\/li>\r\n
- Review which apps on your smartphone have access to your location data. Turn off access if the app doesn’t need it, and minimize the number of apps that track your location all the time.\r\n
- \r\n
- iOS:
Settings \u2192 Privacy \u2192 Location Services<\/code>.<\/li>\r\n- Android:
Settings \u2192 Apps & notifications \u2192 App permissions<\/code>.<\/li>\r\n<\/ul>\r\n<\/li>\r\n- On your smartphone, delete any third-party keyboards you might have installed ( they often share what you type with the software maker). On both iOS and Android, they are installed as apps so just delete that. If you really need to use a third-party keyboard, make sure that it is an open source project where others have verified that it does not share your data with third parties.<\/li>\r\n
- If you use smart speakers, turn off its recording function:\r\n
- \r\n
- Google Home: go to Activity Controls<\/a> and uncheck
Include audio recordings<\/code>.<\/li>\r\n- Amazon Alexa: Follow these instructions<\/a>.<\/li>\r\n<\/ul>\r\n<\/li>\r\n<\/ul>\r\n
Set up your home wifi router<\/h4>\r\n
- \r\n
- Login to the administration and settings dashboard (check your router’s instructions but it’s often at
http:\/\/192.168.0.1<\/code>)<\/li>\r\n- If the password to login to this dashboard is really simple, then update it.<\/li>\r\n
- Look through what devices are connected to the network right now (click around until you find the
access control<\/code>) and make sure you know what every device on the list is.<\/li>\r\n- If you see these options, turn them off. Look for them under
advanced settings<\/code> orgateway functions<\/code>:\r\n- \r\n
- UPnP (universal plug and play)<\/li>\r\n
- WPS (wi-fi protected setup)<\/li>\r\n
- Remote management<\/li>\r\n<\/ul>\r\n<\/li>\r\n<\/ul>\r\n
Other<\/h4>\r\n
- \r\n
- Set up tracking apps for your devices so you can remotely find and wipe your devices from a website if you ever lose them:\r\n
- \r\n
- iOS & Mac: Instructions for setting up Find My<\/a>.<\/li>\r\n
- Android: Instructions for setting up Find My Device<\/a>.<\/li>\r\n
- Multi-platform (including iOS, Mac, Android if you want everything under one umbrella): Download and install Prey<\/a>.<\/li>\r\n<\/ul>\r\n<\/li>\r\n
- Review the
Third-Party Apps<\/code> orConnected Apps<\/code> on your main email\/social media accounts. These are services that might have access to, say, your Facebook data and even permission to make posts automatically there. (Here are the instructions for checking for them on Facebook and Gmail<\/a>.)<\/li>\r\n- Review the extensions\/add-ons\/plug-ins that have been installed within your computer web browser \u2013 delete any that you haven’t used in a while or don’t remember installing.<\/li>\r\n<\/ul>\r\n
?? Habits to cultivate<\/h3>\r\n
Enhance your privacy<\/h4>\r\n
- \r\n
- Post less personal information online \u2013 especially information that can be used to identify\/track\/scam you (addresses, phone numbers, birthday, etc.). Remember almost everything you say online is logged somewhere and that even if your setup is secure, your recipient’s setup may not be.<\/li>\r\n
- If you own domains, use WHOIS privacy services and stick with it (they’re worth the money). But note that with WHOIS lookup\/history tools, if you’ve ever put in your real address, it’s very difficult to remove from the logs.<\/li>\r\n<\/ul>\r\n
Watch what you say in online groups<\/h4>\r\n
Don’t say anything you’d regret on in a “private” Slack group, Facebook page, WhatsApp group chat or Telegram channel because:<\/p>\r\n
- \r\n
- Any one member can leak all of the data.<\/li>\r\n
- Administrators usually have access to everything within the group, including that private direct message between two people, and sometimes even deleted messages.<\/li>\r\n
- Even if you’re not using your real name or photo, what you say can often be traced back to your phone number or email (that is linked to the account).\r\n
- \r\n
- To prevent this in Telegram, go into
Settings \u2192 Privacy and Security \u2192 Phone Number<\/code>, and then set:\r\n- \r\n
Who can see my phone number<\/code> toNobody<\/code>.<\/li>\r\nWho can find me by my number<\/code> toMy Contacts<\/code>.<\/li>\r\n<\/ul>\r\n<\/li>\r\n<\/ul>\r\n<\/li>\r\n<\/ul>\r\nOther<\/h4>\r\n
- \r\n
- When you download new mobile apps, double check to make sure it’s the right one \u2014 there are a lot of fake apps that try to trick people by using a slightly modified name or icon of an existing, popular app.<\/li>\r\n
- Check what apps you have installed on your phone once in a while, and delete the ones you’re not using anymore.<\/li>\r\n
- If you ever need to send someone a password, split it in half and send via two different channels (e.g. email + voice call).<\/li>\r\n
- Put a sticker (or webcam cover) over your laptop’s front-facing camera.<\/li>\r\n
- Don’t use Google\/Twitter\/Facebook to sign up\/login to other services \u2013 each service should have its own account.<\/li>\r\n<\/ul>\r\n
\r\n Congratulations! You’re now reasonably secure, which is more than most :) Take the rest of the day off, and come back tomorrow for Level 3.<\/strong><\/p>\r\n Level 3 recommendations<\/h2>\r\n To do<\/h3>\r\nLock up sensitive files<\/h4>\r\n
- \r\n
- Identify files that you don’t want others to access (e.g. private photos, passport documents).<\/li>\r\n
- Use Cryptomator<\/a> or Veracrypt<\/a> to create an encrypted, password-protected vault for them.<\/li>\r\n
- Set them up on both your computer and your phone.<\/li>\r\n
- Move your files into these secure vaults. Make sure they’re not still hanging around on an old folder or on your phone.<\/li>\r\n<\/ul>\r\n
Upgrade your gear<\/h4>\r\n
- \r\n
- Use a paid VPN service when on public networks (e.g. cafe wifi) and even at home if you don’t want your service provider to know where you’re going. Free VPN services are bad because operators don’t have enough incentive to protect you\/your data. See recommendations from Wirecutter<\/a> and Freedom of the Press<\/a>.<\/li>\r\n
- Buy a privacy screen (prevents onlookers from seeing your screen, see this 3M example<\/a>) for your laptop and phone.<\/li>\r\n<\/ul>\r\n
Revisit old passwords<\/h4>\r\n
- \r\n
- Store all of your online service passwords in a password manager. (If you have the right browser add-on\/plugin installed, it will capture all the relevant details during a login process.)<\/li>\r\n
- Using your password manager’s analysis feature, see which accounts\/services have weak passwords and update the ones that might have any personal information about you or that you would really hate to lose.<\/li>\r\n<\/ul>\r\n
?? Habits to cultivate<\/h3>\r\n
- \r\n
- Start using Signal<\/a>, an end-to-end encrypted mobile messaging app that’s generally agreed to be safe\/secure\/robust. (Beyond Signal, there is little consensus on what’s secure and people tend to get very emotional about their choice of mobile messaging apps.)<\/li>\r\n
- When making voice or video calls, use an end-to-end encrypted app (e.g. Signal, Jitsi, Wire).<\/li>\r\n
- Buy a harder-to-hack mobile phone
. Typically, this is an iPhone or Android phone that implements a “pure” Google version of Android.<\/li>\r\n<\/ul>\r\n
\r\n Wow, you completed all three levels! Well done! Now quickly look below to see if any apply to you.<\/strong><\/p>\r\n Scenario-based recommendations<\/h2>\r\n??\u200d? Hosting a public event on a video calling platform (e.g. Zoom)<\/h3>\r\n
- \r\n
- Set a password to enter the meeting to prevent random people from wandering in via a meeting ID generator. Consider setting up an RSVP system so that you don’t have to give out the meeting link and password publicly.<\/li>\r\n
- Familiarize yourself with the platform’s settings and minimize the amount of control (e.g. screen sharing) that non-hosts have. (E.g. settings on Zoom<\/a>)<\/li>\r\n
- Create a plan of action for what you would do if a malicious troll gains access to your call.<\/li>\r\n
- Don’t say what you wouldn’t say in a public forum. Encourage your attendees to do the same. Most commercial platforms have access to your audio\/video data and are mining your metadata to create consumer profiles.<\/li>\r\n<\/ul>\r\n
Crossing an international border<\/h3>\r\n- \r\n
- Turn off your devices because:\r\n
- \r\n
- Storage\/hard drives are only encrypted when they’re off, not<\/strong> when they’re just in sleep mode<\/li>\r\n
- This will also ensure that your mobile devices require a pin when they are turned on, which is protected by freedom of speech laws in some jurisdictions.<\/li>\r\n<\/ul>\r\n<\/li>\r\n
- Store less information on your devices \u2013 in case they’re seized, what you don’t have they can’t take.<\/li>\r\n
- Be mindful of what stickers you put on your devices \u2013 a border agent could mistake them for something suspicious.<\/li>\r\n
- Notify your people about your flight number and arrival time. Check in with one of them at regular points in your journey. Have them contact a lawyer\/relevant organization if you do not show up.<\/li>\r\n
- For extreme situations (some of these practices might raise suspicions and backfire):\r\n
- \r\n
- Set up alternate photo albums, email addresses and social media accounts full of harmless content.<\/li>\r\n
- “Forget” half of your password: Password lock your device\/account so that only a trusted friend has the second half of the password.<\/li>\r\n
- Log out of all important accounts (or simply leave your devices at home).<\/li>\r\n<\/ul>\r\n<\/li>\r\n
- For more information, see Wired’s Guide to Getting Past Customs With Your Digital Privacy Intact<\/a> and BoingBoing’s addendum<\/a> about filing for attorney privileges at the US border.<\/li>\r\n<\/ul>\r\n
- Storage\/hard drives are only encrypted when they’re off, not<\/strong> when they’re just in sleep mode<\/li>\r\n
- Start using Signal<\/a>, an end-to-end encrypted mobile messaging app that’s generally agreed to be safe\/secure\/robust. (Beyond Signal, there is little consensus on what’s secure and people tend to get very emotional about their choice of mobile messaging apps.)<\/li>\r\n
- Buy a privacy screen (prevents onlookers from seeing your screen, see this 3M example<\/a>) for your laptop and phone.<\/li>\r\n<\/ul>\r\n
- To prevent this in Telegram, go into
- Android: Instructions for setting up Find My Device<\/a>.<\/li>\r\n
- iOS & Mac: Instructions for setting up Find My<\/a>.<\/li>\r\n
- Set up tracking apps for your devices so you can remotely find and wipe your devices from a website if you ever lose them:\r\n
- Amazon Alexa: Follow these instructions<\/a>.<\/li>\r\n<\/ul>\r\n<\/li>\r\n<\/ul>\r\n
- Android:
- A tracker blocker (Privacy Badger<\/a>).<\/li>\r\n
- Limit Facebook tracking by turning off Off-Facebook Activity (follow these EFF’s instructions<\/a>).<\/li>\r\n<\/ul>\r\n<\/li>\r\n
- Don’t charge your phone at public charging stations\/ports \u2013 they may steal your data. Consider charging your portable battery instead.<\/li>\r\n<\/ul>\r\n
- Windows: Make sure Microsoft Defender Antivirus is on see Microsoft’s instructions here<\/a>) and turn on the extra
- Windows:
- Windows:
- See Android instructions<\/a>.<\/li>\r\n
- See iPhone instructions<\/a>.<\/li>\r\n
- Windows: See instructions here<\/a>.<\/li>\r\n<\/ul>\r\n<\/li>\r\n
- Mac: If you use Time Machine, see Apple’s instructions here<\/a>.<\/li>\r\n
- Secure your backups too!\r\n
- Windows: See Microsoft’s instructions<\/a> (we recommend BitLocker if it’s available)<\/li>\r\n<\/ul>\r\n<\/li>\r\n
- Mac: See Apple’s instructions<\/a>.<\/li>\r\n
- After turning on two-factor authentication, see if your email service supports backup codes (a single-use code in case you lose your phone). See Gmail instructions<\/a>.<\/li>\r\n<\/ul>\r\n
- Frequently used social media accounts. See instructions for Twitter<\/a>, Facebook<\/a>, Instagram<\/a>, and other services<\/a>.<\/li>\r\n
- Turn on 2FA on your:\r\n
- Use a non-common\/obvious unlock code for your phone with at least 9 digits.<\/li>\r\n<\/ul>\r\n
- Data about your data \u2013 e.g. what number you called, and for how long (but not the contents of the call). With enough metadata, hackers can piece together a pretty good picture of who you are, who you know, where you’re going, etc. Plus legal protections around metadata are generally weaker.<\/li>\r\n<\/ul>\r\n
- Remember the weakest link is all that matters! E.g. if password recovery is linked to email, then hackers only need to get access to your email.<\/li>\r\n<\/ul>\r\n