Everyone who is an activist or human rights advocate is at risk of being targeted by people and governments who don’t like their political views. Targeting could include having your accounts hacked, identity theft, stolen photos and documents, surveillance of your online activities, and the shutdown of your or your organization’s website through a DDoS attack. Edward Snowden even revealed that the U.S. government has the ability to monitor us through our smartphone cameras, laptop cameras, and the cameras on our televisions. Some types of attacks are far too complex for the average activist to protect themselves from, but there are very concrete actions that EVERY activist should be taking to stay as safe as possible. Here are 10 recommended steps for making yourself and your organization secure!
1. Use the Security Education Companion (SEC) to design digital security trainings for yourself and fellow activists
Individual activists can educate themselves on digital security, but group training is most effective. When hackers target organizations, members are usually the first target. The most popular method of attack is “social engineering”: tricking members of your org into giving away sensitive information about themselves or the org, which can then be used to hack the org’s accounts. We encourage you to use SEC to train your members during their onboarding process and to continue doing trainings once a year. SEC is a resource for people teaching digital security to their friends and neighbors. SEC.EFF.ORG has tutorials for privacy-protecting tools, translated guides in 11 languages, lesson plans, teaching materials, and more.
2. Use a password manager
Technology has become so advanced that our passwords can be cracked by password-cracking software; some of these tools can test over a hundred million passwords per second. So the days of simple, easy-to-remember passwords are long gone. The safest and strongest passwords are too difficult to remember because they tend to look something like this: F8m4eOzy@jVz7fGh97T#2?w#. As an activist and someone who works for a company that faces regular cyber attacks, most of my passwords are 18 characters or more and digital security training is mandatory. Since I cannot remember complex passwords for dozens of accounts, I use a password manager.
A password manager helps to identify unsafe websites, but the primary benefit is that it allows you to create very strong and complex passwords for every web or mobile app you have an account with. The manager stores your passwords and then logs you in and out of applications via a browser plugin. This means that instead of memorizing 50 different passwords, you only have to memorize one — the password for your password manager account. This one password should still be complex, but it should also be memorable. There are ways to do this. For example, you can use rules to turn a sentence you can memorize into a password. You can make your own pattern, such as: all b’s and e’s will be uppercased, and every a will be followed by a 2. A password that uses this pattern is “mya2untga2vEmE5000dolla2rsla2styEa2rforchristma2s”. This password is memorable and it’s 49 characters long!
Whilst the complexity of your passwords can vary, you definitely want to give Bank/Financial, IRS, and Email accounts the longest and most complex passwords.
Here’s a list of well known password managers. Most of them have a free tier for individuals.
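To make the sentence-pattern idea above concrete, here is a small added example (mine, not code from the post): it applies the post’s own rule (uppercase every b and e, put a 2 after every a, drop spaces) to the sentence behind the 49-character password, and it puts the post’s “a hundred million guesses per second” figure into a worst-case brute-force estimate. The `pattern_entropy_bits` helper and its 5000-word vocabulary are my assumption, added to show why the real strength of such a password lies in how many words it has, not in its character count.

```python
import math


def mnemonic_password(sentence: str) -> str:
    """Apply the post's pattern: drop spaces, uppercase every b and e,
    and put the digit 2 after every a."""
    out = []
    for ch in sentence:
        if ch == " ":
            continue
        if ch in "be":
            out.append(ch.upper())
        elif ch == "a":
            out.append("a2")
        else:
            out.append(ch)
    return "".join(out)


def brute_force_years(length: int, alphabet_size: int,
                      guesses_per_second: float = 1e8) -> float:
    """Worst-case time (years) to try every string of this length drawn from an
    alphabet of this size, at the post's figure of 1e8 guesses per second."""
    seconds = alphabet_size ** length / guesses_per_second
    return seconds / (365 * 24 * 3600)


def pattern_entropy_bits(sentence: str, words_in_vocabulary: int = 5000) -> float:
    """Rough strength of a sentence-based password (assumption for this demo):
    an attacker who knows your pattern only has to guess the words, so count
    about log2(vocabulary) bits per word rather than per character."""
    return len(sentence.split()) * math.log2(words_in_vocabulary)


if __name__ == "__main__":
    sentence = "my aunt gave me 5000 dollars last year for christmas"  # the post's example
    pw = mnemonic_password(sentence)
    print(pw, len(pw))
    # An 8-letter lowercase password falls in minutes; 24 random printable
    # characters would take longer than the age of the universe.
    print("8 lowercase letters:", brute_force_years(8, 26), "years")
    print("24 printable chars:", brute_force_years(24, 94), "years")
    print("sentence pattern, ~bits:", round(pattern_entropy_bits(sentence), 1))
```

The takeaway the numbers give: the pattern only helps if the sentence is private (not a song lyric or a quote) and long in words; the manager-generated random strings remain the strongest choice for everything except the one master password you must remember.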
3. Share passwords through a Password Manager
Members or workers of an organization may need to log in and out of shared email or social media accounts, but it is not safe to share passwords through text message, email, Slack messages, etc. Your best bet is to use a password manager, share over the phone, or share in person; these are the only ways to securely share passwords between people. 1Password has a family plan of $5/month for a family of 5 along with team and business plans. Taking the time to set up or invest in one of these accounts can potentially save you lots of money and headache if you ever become a target.
4. Use two-factor authentication
Two-factor authentication is the requirement of 2 pieces of evidence to successfully log into an account. Usually the first step requires a password, and the second step requires a code that is delivered through text or email, OR you can use a YubiKey, which is a hardware authentication device. Whilst it is very inconvenient to use two-factor authentication for every single account, you should DEFINITELY enable it for your password manager. That is the most important account for you to protect. Second, you should enable 2FA on all important email accounts, particularly the one that you use most often to create new accounts, since you will need it for password resets. Third, you should definitely enable 2FA on your online bank accounts and any investment accounts — especially if you own cryptocurrency or have digital wallets. And all of these steps apply to organization accounts.
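The post describes the second factor as a code delivered to you; the codes produced by authenticator apps (and many hardware tokens) are not random but are computed from a secret shared at enrollment plus the current time, which is why they keep working offline. The following is an added example of that mechanism, written by me and not taken from the post or any product: a minimal implementation of HOTP (RFC 4226) and time-based TOTP (RFC 6238), plus the server-side check that tolerates one step of clock drift. `RFC_TEST_SECRET` is the public test secret from those RFCs, used only so the values can be verified; a real enrollment secret is random and never reused.

```python
import hashlib
import hmac
import struct
import time

# Public test secret from RFC 4226 / RFC 6238, used only to make the demo checkable.
RFC_TEST_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then
    dynamic truncation to a 31-bit integer, reduced to `digits` decimal digits."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    binary = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: float = None, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter set to the current time slot.
    `at` is a Unix timestamp; it defaults to now."""
    if at is None:
        at = time.time()
    return hotp(secret, int(at // step), digits)


def verify_totp(secret: bytes, submitted: str, at: float = None,
                step: int = 30, digits: int = 6, window: int = 1) -> bool:
    """What the service does with the code you type: recompute it for the
    current slot and `window` slots either side (phones drift), and compare in
    constant time so the comparison itself leaks nothing about the right code."""
    if at is None:
        at = time.time()
    slot = int(at // step)
    submitted = submitted.strip()
    return any(
        hmac.compare_digest(hotp(secret, slot + drift, digits), submitted)
        for drift in range(-window, window + 1)
    )


if __name__ == "__main__":
    # The same secret on the phone and the server yields the same code for the same slot.
    now = time.time()
    code = totp(RFC_TEST_SECRET, at=now)
    print("current code:", code, "accepted:", verify_totp(RFC_TEST_SECRET, code, at=now))
```

Two things this makes visible: anyone who obtains the shared secret can generate every future code, which is why the QR code or setup key shown at enrollment must be treated like a password; and the acceptance window is deliberately small, so a code copied from you is only useful for about a minute. A hardware key such as the YubiKey mentioned above avoids the shared-secret problem entirely by keeping its key material on the device.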
5. Enable “Find My iPhone” on your iPhone
Find My iPhone helps you locate and protect your Apple device. If it’s ever lost or stolen, all you have to do is sign in to iCloud.com or the Find My iPhone app to see your missing device on a map. You can also play a sound to help you find it, use Lost Mode to lock and track it, or remotely erase all of your personal information.
6. Use “incognito” tab in Chrome when you don’t want your activities to be stored in your history or cache
In Google Chrome, incognito mode allows you to browse without Chrome remembering your activity. Chrome won’t save your browsing history, cookies and site data, or information entered in forms. This means that if someone hacks your computer, they cannot access your browsing history. But the records will still be available to your internet service provider, and if you are using a work laptop, your history will be available to your employer as well.
7. Stay off public WiFi
Public WiFi is completely unsafe. Every time you log on to a free network in a hotel lobby, coffee shop, or airport lounge, you risk theft of your personal data including passwords, financial information, and private pictures or videos. As you browse the web or do your online banking, all your activity can be monitored by a stranger who has tricked you into connecting to the wrong network. A hacker can even trick you into downloading software onto your computer while you think you’re just doing a routine software update. This malware can be remotely accessed to grab sensitive data from your device. One way to avoid this type of attack is to use a VPN, or Virtual Private Network. Many corporations provide VPN access to employees, but non-profits and activists should also invest in VPNs. You will also want to turn off the automatic WiFi connection feature on your phone. Last, if you can, you should definitely buy an unlimited data plan for your phone so you’ll never have to use public WiFi. If you can’t, make sure to avoid logging into financial websites or sites with sensitive data, and avoid sites whose address starts with http (https is more secure) when you are on public WiFi.
8. Review web and mobile app settings
Go through the settings for every app on your phone and disable things like microphone and camera access, location tracking, etc., unless it’s absolutely necessary. You may also have accidentally allowed apps to access your personal data such as birthday, phone number, contact list, GPS location, text messages, etc. Remove any unnecessary access to your private data.
9. Know how to identify sophisticated phishing attacks
Some attacks are obvious, but some are not. Many people have been tricked into thinking their boyfriend, parent, or even manager at work is contacting them for sensitive information when in fact an attacker has impersonated someone they know by finding out that person’s name, birthday, address, relationship to them, etc. If you receive an email from someone you know asking for sensitive data, be wary. If they send you a link or file that you were not expecting to receive, also be wary. If you click on the link or file, you may accidentally download malware onto your computer. When you receive unexpected emails, always double-check the address it’s coming from and investigate further before giving information away. Many attackers will use the name of the person you know in their email address. For example, they may try to impersonate a person you know by the name of Shelly Donald by emailing you from the address firstname.lastname@example.org. You see “Shelly Donald” and just assume it’s the Shelly you know, but if you look closer you’ll see that the domain name is not “gmail.com”, it’s “gmail.forusnow.com”. Even some of the most experienced technologists can be tricked by sophisticated phishing attacks. Be careful, and do your due diligence.
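The “look closer at the domain” check above can be written down so it is applied the same way every time. The example below is mine (not from the post): it parses a From: header, looks the sender’s name up in a small constructed address book, and flags two of the signs the post describes: a name you know arriving from a domain you don’t expect, and a trusted domain’s name used as a subdomain of somebody else’s domain (gmail.forusnow.com is not gmail.com). The `KNOWN_SENDERS` table and the sample headers are constructed for the demo; the “registered domain” is taken as the last two labels, which is a simplification that is wrong for suffixes like co.uk.

```python
from email.utils import parseaddr

# Constructed address book (not from the post): people you know, keyed by
# lowercased name, mapped to the domain their real mailbox lives on.
KNOWN_SENDERS = {
    "shelly donald": "gmail.com",
}
TRUSTED_DOMAINS = set(KNOWN_SENDERS.values())


def split_address(address: str):
    """Return (local_part, domain), both lowercased; ('', '') if there is no '@'."""
    local, sep, domain = address.rpartition("@")
    if not sep:
        return "", ""
    return local.lower(), domain.lower()


def check_sender(from_header: str) -> list:
    """Inspect a From: header and return a list of warnings (empty = nothing odd)."""
    display_name, address = parseaddr(from_header)
    local, domain = split_address(address)
    if not domain:
        return ["no usable address in From: header"]
    warnings = []

    # 1. A name you know, shown as the display name or baked into the local
    #    part (shelly.donald@...), arriving from a domain other than the one
    #    that person really uses.
    candidates = {display_name.strip().lower(),
                  local.replace(".", " ").replace("_", " ")}
    for name in candidates:
        expected = KNOWN_SENDERS.get(name)
        if expected and domain != expected:
            warnings.append(f"'{name}' is known from {expected}, "
                            f"but this mail comes from {domain}")
            break

    # 2. The trick from the post: a trusted domain's name used as a subdomain
    #    of a different registered domain. Registered domain = last two labels
    #    (simplification; wrong for suffixes such as co.uk).
    labels = domain.split(".")
    registered = ".".join(labels[-2:])
    for trusted in TRUSTED_DOMAINS:
        if domain != trusted and not domain.endswith("." + trusted):
            if trusted.split(".")[0] in labels[:-2]:
                warnings.append(f"domain {domain} only looks like {trusted}; "
                                f"the registered domain is {registered}")
    return warnings


if __name__ == "__main__":
    # Constructed sample headers for the demo.
    samples = [
        '"Shelly Donald" <shelly.donald@gmail.forusnow.com>',  # impersonation
        '"Shelly Donald" <shelly.donald@gmail.com>',           # the real Shelly
        'shelly.donald@gmail.forusnow.com',                    # no display name
    ]
    for header in samples:
        print(header, "->", check_sender(header) or "ok")
```

This is a prompt to look harder, not a verdict: an empty result only means the sender’s address matches what you expected, and a compromised real account would pass it, which is why the post’s advice to verify unexpected requests by another channel still applies.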
10. Cover the cameras on your phone, laptop, iPad, and television
Edward Snowden revealed in the documentary Citizenfour that the government’s covert surveillance programs can watch you through the cameras on your devices. Even former FBI director James Comey admitted to covering his webcam with tape. That’s one method; another is to purchase webcam covers. There are a variety of types for every device and they are easy to find on Amazon.
Becoming secure in the digital age requires developing new habits. You have to build these habits into your daily lifestyle; at first it will feel like an inconvenience, but after a while it will become second nature. As an activist, the risk of being targeted is REAL. Anti-progressives have traditionally been more tech savvy than progressives, so protect yourself! And encourage others to follow in your footsteps.
Organeyez is a media and software company creating tools and content to help activists and social justice movements be more effective. Visit our website and follow us on Instagram and Facebook for more tips, insights, and inspirational material.