As part of my PhD research, I’ve been studying how at-risk groups manage their information security. I learn from, and work with, journalists and human rights organizations. In practice, they’re usually ordinary people with elevated security needs.
Whenever I talk about my research publicly, I often get a variant of the same question:
“What can I, Normal Person, do to improve my security?”
If you talk to most security specialists, they will take a step back and answer, “It depends. What are the threats to your data?” Specialists know how to break down an analysis of potential risks and the capabilities of adversaries.
On more than one occasion, I’ve answered this question like a specialist, but I’m not convinced it was helpful for my audience of Normal People. Why? There aren’t always clear, looming threats. Instead, Normal People often have generalized concerns that call for generalized solutions. Let’s start with a vague outline of our Normal Person.
Our Normal Person is somewhat concerned with their online privacy and security. They know they should do something to improve their security posture, but they don’t want to invest a lot of time on it, and don’t have an exhaustive knowledge about how to do so. They use proprietary operating systems and hardware created by Microsoft, Apple, and Google. They may be using Mozilla’s Firefox, Google Chrome, Safari, Microsoft Internet Explorer, or Edge. They may run antivirus. They turn to friends and family for help with specific security issues.
Do you know anybody like this?
There are great resources for journalists and other users with specific security concerns. Here, instead, I want to outline a few steps that Normal People can take to improve their security posture. I want to highlight steps that require little investment — things you can do right now.
To get started: Be safer when browsing the Web
- Disrupt online tracking. Advertisers automatically place files — called cookies — onto your browser to keep track of the pages you visit online. You can block tracking cookies with Privacy Badger for Google Chrome or Firefox.
- When you connect to the Web, some sites you visit offer both unsecured (HTTP) and secured (HTTPS) versions of the page. Download HTTPS Everywhere on Google Chrome or Firefox to automatically connect to the secured versions of many websites.
- Advertising is the business model of many parts of the Web, and yet ads can be used to deliver malware to users. Online advertising networks have a hard time detecting bad actors abusing ads to deliver malicious files. Block potentially malicious ads with uBlock Origin for Chrome or Firefox. You can also keep ads for sites you trust.
- Open wi-fi networks are convenient. You can find them everywhere — at coffee shops, restaurants, and airports. The problem is that open wi-fi networks also allow other users on the network to see your unsecured Web traffic. For example, if you open http://example.com, the connection is unencrypted. When connecting to open wi-fi networks, use a Virtual Private Network (VPN). A VPN encrypts and tunnels your Web traffic to a remote location. It can also be helpful for everyday use, especially if you want to access websites that are blocked in your country. For a secure and fast VPN, consider Tunnelbear for $5 each month.
- Whether through our IP addresses or through information broadcast by our browsers, most of us are fairly identifiable online. (Learn how identifiable your browser is here.) Download Tor Browser to connect to the Web anonymously. If you use the Firefox browser, you may already feel comfortable using Tor Browser, which is built on top of Firefox. Tor Browser encrypts your traffic and bounces your secured connection within the Tor network before connecting to the Web from a remote location. For example, if you connect to a website (e.g., duckduckgo.com) within Tor Browser, you may appear to connect from a different country. Browsing through Tor can be a little slower than using a standard browser, but it’s helpful for sharing information anonymously, avoiding surveillance, or accessing censored webpages. It is important to note that network eavesdroppers can still tell that you’re using Tor — they just can’t tell what you’re doing within Tor. If you’re looking for real anonymity, avoid sharing personal information on websites you access through Tor Browser.
- Occasionally scan for malware with Malwarebytes or similar tools.
Next: Encrypt it all
You can scramble your data so that no one, except for you and the people you wish to include, will be able to read it.
- Encrypt your hard drive. If your device is ever lost or stolen, it’s easy for thieves to take data off your hard disk. Good news: if you have a new password-protected iPhone, your disk is already encrypted. If you have an Android device, it’s pretty easy to encrypt your phone. A few Android phones (the Pixel and some Nexus devices) are encrypted by default. For your laptop or desktop, you can encrypt your hard drive using your operating system’s native software: FileVault on Mac, or BitLocker on Windows.
- If you’re concerned about the privacy of your phone conversations, download Signal for iOS or Android to exchange secure calls and messages with your friends. If you have friends who you text non-stop, have them try Signal as well. Research suggests that half of our texts go to our inner-circle — roughly 5 people. If you and one friend use Signal, it’s a huge improvement for your privacy and theirs. I wrote a guide introducing Signal for beginners, if you want help getting started.
- If you already use WhatsApp, it now uses encryption similar to Signal’s, but needs a few changes to its settings to maximize the security benefits. Download WhatsApp for iOS or Android, and read about upgrading WhatsApp security.
- If you use an Apple device, iMessage and FaceTime encrypt your conversations with other Apple users by default. If you’re using SMS to speak with users on other platforms, those messages are not protected.
More work, but important: Authenticating logins
Passwords are often the only thing standing between attackers and your information. It takes more work to manage your passwords than the previous steps, but it’s worthwhile.
- Use a password manager. Everyone knows you reuse the same password for everything, because it’s easy to remember. We’re not usually great at remembering multiple passwords. A password manager like 1Password or LastPass can generate strong random passwords and store them securely. Use this software to generate and quickly fill in a unique password for each account. I wrote a guide on getting started.
- Passwords aren’t enough. To make it harder for someone to break into your accounts, many online services allow you to verify your identity when logging in by entering an extra piece of information beyond the password. This may be a text message with an authentication code, or a code generated using a mobile app. Use two-factor authentication everywhere, but especially for your primary email account. If someone gets your email, they can use it to log into everything else. Gmail users can enable two-factor authentication here. If you use Twitter, Facebook, Dropbox, or any number of other services, consider using two-factor for those services as well. I wrote a guide on getting started.
These tips only scratch the surface, but they are some of the simplest and most effective approaches we have for keeping your data yours.
If you’re interested in learning more, check out the Electronic Frontier Foundation’s Surveillance Self-Defense guide.
Edit: I’ve made a couple of changes to the VPN section, per recommendations of security friends. Because Adblock Plus has opened a marketplace for selectively displaying ads, I have removed it from the recommendations here. I added a section about using Tor Browser, and links to Signal, password manager, and 2FA resources. I’ve also added a few links on WhatsApp, and resources from the EFF.
Last updated September 12, 2019.