This page contains a set of general recommendations on counter-surveillance for individuals at high risk of surveillance, including but not limited to journalists and political activists, as well as for members of NGOs, political parties and high-tech companies.
Regard this as a “wash hands, boil water”-type guide, a solid set of recommendations to get started.
The following recommendations are meant for getting started. While they are very effective, they are not a complete solution that shields you from digital surveillance.
Gradual change is OK. While recommendations labeled as [habit] might not be possible to follow 100% of the time, they still make a huge difference when followed. On a similar note, following some of the recommendations is better than following none.
Since some of the recommendations might sound a bit controversial there is a Frequently Asked Questions area further down this page.
- [habit] Use Signal for messaging
here is a guide about using Signal; use it instead of SMS, email, Telegram, Facebook Messenger, WhatsApp, …
- Apply software updates regularly
where possible, turn on auto-updates to keep your operating systems and apps up to date automatically.
- Use an iPhone SE or newer
instead of Android or other smartphones
- [habit] Use Google Chrome on desktop
instead of Tor Browser, Firefox, Safari, Internet Explorer, Opera, Brave, or other browsers
- [habit] Use Safari on iOS
instead of Firefox, Chrome, Opera, or other browsers
- Do not install any browser extensions
exceptions: HTTPS Everywhere and uBlock Origin
- [habit] Prefer websites served via HTTPS
e.g. Facebook, New York Times, Guardian, Die Presse, …
avoid websites that are not served via HTTPS, e.g. ORF.at, Krone.at, …
- [habit] Use a Password Manager
use KeePass (macOS, Windows) or 1Password to manage your passwords and to generate a new strong passphrase for each service you use. Do not answer security questions with real answers; use randomly generated strong passwords for those as well.
- Use an unguessable PIN for unlocking your phone (6 digits minimum)
not passcodes like 123456 or 444444, nor numbers representing significant dates (e.g. birthdays, …), nor any other numbers meaningful to you in any way
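As an added example (not code from the original guide), here is a small Python checker that applies this item's criteria to a candidate PIN. It generalises the guide's examples to any single-step run, repeated block, or six- or eight-digit date layout; the function names and the sample PINs are constructed for illustration, and it cannot detect numbers that are personally meaningful to you.

```python
from datetime import date

MIN_LENGTH = 6  # the guide's minimum for a phone PIN

def _is_sequence(pin: str) -> bool:
    """One repeated digit (444444) or a +1/-1 run modulo 10 (123456, 987654, 890123)."""
    digits = [int(c) for c in pin]
    steps = {(b - a) % 10 for a, b in zip(digits, digits[1:])}
    return len(steps) == 1 and steps <= {0, 1, 9}

def _is_repeated_block(pin: str) -> bool:
    """A short block repeated to fill the PIN, e.g. 121212 or 123123."""
    return any(len(pin) % n == 0 and pin == pin[:n] * (len(pin) // n)
               for n in range(1, len(pin) // 2 + 1))

# (day, month, year) slices: DDMMYY, MMDDYY, YYMMDD and DDMMYYYY, MMDDYYYY, YYYYMMDD
_DATE_LAYOUTS = {
    6: [((0, 2), (2, 4), (4, 6)), ((2, 4), (0, 2), (4, 6)), ((4, 6), (2, 4), (0, 2))],
    8: [((0, 2), (2, 4), (4, 8)), ((2, 4), (0, 2), (4, 8)), ((6, 8), (4, 6), (0, 4))],
}

def _looks_like_date(pin: str) -> bool:
    """True if the digits form a valid calendar date in any of the layouts above."""
    for day_s, month_s, year_s in _DATE_LAYOUTS.get(len(pin), []):
        day, month, year = (pin[a:b] for a, b in (day_s, month_s, year_s))
        years = [int(year)] if len(year) == 4 else [1900 + int(year), 2000 + int(year)]  # either century
        for y in years:
            try:
                date(y, int(month), int(day))
                return True
            except ValueError:
                pass
    return False

def pin_weaknesses(pin: str) -> list[str]:
    """Reasons a PIN is weak; an empty list means no known pattern matched, not proof of strength."""
    if not pin.isdigit():
        return ["contains non-digits"]
    problems = []
    if len(pin) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} digits")
    if _is_sequence(pin):
        problems.append("repeated digit or simple ascending/descending run")
    elif _is_repeated_block(pin):
        problems.append("repeated block of digits")
    if _looks_like_date(pin):
        problems.append("reads as a calendar date")
    return problems
```

Two-digit years are tried in both centuries, so a PIN such as 240585 is flagged as a date whether it means 1985 or 2085.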
- Use a long passphrase for unlocking your computer
here is a guide on coming up with strong passphrases from the Electronic Frontier Foundation.
- Do not use any anti-virus software
uninstall it if necessary; exception: Windows Defender on Windows 10
- Turn on full-disk encryption on all your devices
here are instructions for full-disk encryption on macOS and Windows 10
- Do not plug your devices directly into USB ports
instead charge at an ordinary power outlet or use a PortaPow to protect your device. If your device asks whether to trust the computer upon plugging in, answer “no”.
The following recommendations are about further improving your overall security profile but are also a bit more difficult to set up and get right. That’s why we put them into this separate section for now.
- Use two-factor authentication (e.g. using a security key)
Enable two-factor authentication at every service that supports it, like Facebook, Twitter, Google, Dropbox et al.
Avoid using SMS/phone numbers as a second factor: SMS can get intercepted, and phone numbers can get taken over by number porting or SIM swaps.
- Disable unlocking your phone via fingerprints
while passcodes need to be known, fingerprints can be collected and reproduced. Make sure to only unlock while you are not observed by a person or surveillance cameras, e.g. unlock under a blanket in hotel rooms or when in public spaces.
It depends …
Recommendations require context to make sense.
This guide leads with clear and concise recommendations on what to do and what not to do, very similar to the guides from Tech Solidarity. It aims to be as effective as possible by preferring setups that are known to work without much effort and without much room for mistakes.
The recommendations aim to be adoptable without severe user experience regressions compared to the status quo.
In some cases the explicitly not-recommended alternatives might be fine to use, but explaining how to set them up and use them in a way that reaches a level of protection similar to the explicit recommendations would be very difficult or unfeasible for most users.
To contextualize some of the potentially controversial recommendations we added a frequently asked questions segment further down this page.
Threat modeling is an activity that includes assessing risks to yourself as well as risks to others, identifying threats and coming up with countermeasures.
Defining a holistic threat model specific to you can be quite challenging. Threat models also tend to change over time depending on the situation you are in and should be reviewed regularly.
This guide is written with digital mass surveillance and digital targeted surveillance in mind and is not a substitute for a concrete threat model, similar to how “wash hands, boil water” is useful and effective general advice and yet is no substitute for planning an upcoming hiking trip.
“Assessing your risks” is a good starting point on threat modeling written by the Electronic Frontier Foundation.
Frequently Asked Questions
Why not Android?
“Most Android phones are not updatable at all since manufacturers don’t publish any update. That, alone, should be enough to put phones among the most vulnerable devices on the planet.” — user5994461
“[…] Android is markedly less secure than iOS. This isn’t about which is our favorite company; it’s about what the best options are for ordinary users.
If you know exactly what you’re doing, and you’re using a Google phone, you might be able to get approximately the same security out of an Android device as an iOS device. But ordinary users have no chance.” — tptacek
Why not Firefox?
Firefox lags behind Chrome in exploit mitigations like process separation and sandboxing. Firefox is also considered an easier target at security competitions like Pwn2Own.
“Chrome is significantly more secure than Firefox” — tptacek
Why not WhatsApp?
Here is an article with more information on WhatsApp, Signal and other messaging apps like Telegram, Allo and Facebook Messenger.
Here is a list of concerns regarding WhatsApp published by the EFF.
If you use WhatsApp, follow this guide to make sure that security notifications are enabled and that chat backup is disabled.
Why not Tor Browser?
“Firefox is one of the weakest browsers in terms of anti-exploitation mitigations, making it less safe to use than alternatives. Tor Browser Bundle is at the tail end of the pipeline of patching (of which it receives only a minimal patch set), making it a risky choice to defeat state level adversaries.
Threat models that include a Global Passive Adversary, or a capable nation state level adversary, or an adversary that doesn’t require an IP address to conduct an investigation, are not well protected by Tor.” — thegrugq
What about GPG/PGP?
It has no support for forward secrecy and is difficult to use correctly.
Why not Telegram?
Telegram does not use end-to-end encryption by default. In addition, there are ongoing doubts about the cryptographic decisions that went into Telegram’s protocol and architecture.
Why no anti-virus software?
“The problem is that many AVs are not tested well, and prone to actually making you more vulnerable by bugs in their analysis code.
Basically, think of receiving an email with a malware attachment. If you have good hygiene, you won’t open it yourself. But your AV will open it to ‘scan’ it, and that gives it an opportunity to compromise it.
Add the fact that most AV runs with high privileges and is not sandboxes [sic!], and this is a pretty bad state.” — Anderkent
“Because intelligence agencies buy or hack antivirus software because its access patterns don’t look suspicious. Scanning your harddrive and uploading random contents? What AV is supposed to be doing.” — 3pt14159
“AV only detects already known malware, and often poorly. As a trade off you are running highly privileged code that fundamentally needs to process untrusted input and is often of low quality. For a high interest target, AV software opens up more holes than it closes.” — UncleMeat
Why not always recommend open-source alternatives?
While open source software comes with benefits like the ability to audit and alter the source code, this is just one of many aspects to take into account.
See the discussion over at Hacker News.
Why avoid websites not served via HTTPS?
“The news articles you read can provide intimate details about your interests, your work, and your personal life that you may want to keep private from prying eyes. Without HTTPS, an eavesdropper — whether it’s a snooper on public wifi, or a government collecting information about websites you visit — can trivially see exactly what news articles you read when you go to sites like the USA Today or the Wall Street Journal. Eavesdropping on people reading the news is a real threat, as demonstrated by the NSA and GCHQ spying on visitors to WikiLeaks.org.
HTTPS prevents this type of spying, and while an eavesdropper might be able to determine you visited the USA Today’s website, they wouldn’t be able to see which specific stories you read.”
“Unencrypted websites can be used to do more than just steal sensitive information that a user might submit through their browser. An attacker can take advantage of the lack of encryption to inject malware into a website, which can lead to the complete compromise of a user’s computer and all of their data. A version of this technique, codenamed “Quantum Insert,” was revealed to have been used by GCHQ to attack sysadmins who read Slashdot, a popular news website in the IT community (Slashdot has since deployed HTTPS site-wide).
More recently, a report from Citizen Lab revealed private companies selling network appliances that could perform this attack on users of popular unencrypted websites, including YouTube.”
Below is a selection of guides and forum discussions that you can dive into.
- Basic Security Precautions for Non-Profits & Journalists
(by Tech Solidarity), Discussion on Hacker News
- Security Guidelines for Congressional Campaigns
(by Tech Solidarity), Discussion on Hacker News
- Journalist Training
(by Tech Solidarity)
- Surveillance Self-Defense
(by Electronic Frontier Foundation)
- Campaign Information Security
(by the grugq)