Notes on Digital Security


Surveillance is capitalism’s latest trend. It isn’t going anywhere. Start here to learn how to protect yourself.

tldr:

  • For defending against doxing, see Note 25
  • If you are seeking to terminate your pregnancy in a place where that is against the law, the following notes may be relevant: 8 (Tor browser), 17 (Signal), 19 (both), 26 and 31 (Tor again), and 35
  • Student organizers, see the organizer-oriented notes beginning with Note 20

Back in early 2021, I had just come off a year and a half of learning about online security. My interest at the time was sparked by participation in a few different activist groups and the amazing courses put together by Tech Learning Collective, which in turn led to a pretty significant amount of independent research. There was also a blog post that got some promo and an introductory class for folks in independent radio. These notes, lightly updated in mid-2022 and mid-2023, are still nowhere near an exhaustive list of what’s out there, but I wanted to share anyway.

An abstract video still projected onto my kitchen cabinets.

Notes for everyone

  1. No app is perfect, and everyone’s individual situation is different. That’s where threat modeling comes in. Everyone will make different choices based on the threats they face.
  2. For example, if I’m all about security and privacy, why I am I writing all about my life on a website? It has to do with my own personal situation. I’m not a core organizer. I do not hold sensitive information about activist activities at this point…but I do try and keep my data out of Meta’s hands.
  3. A threat that all people in our interconnected global world face (pun not intended) is surveillance capitalism. Shoshana Zuboff’s interviews with The Guardian, The Markup and VPRO are a great place to start for information on the topic if you aren’t familiar. (Surveillance capitalism is nothing new.)
  4. Surveillance capitalism not only undermines personal privacy, but challenges democratic government at its core, both by affecting democracy (in a variety of ways) and by providing whomever is in power with potentially enormous access to people’s data.

Data is content, and metadata is context. Metadata can be much more revealing than data, especially when collected in the aggregate.
 – Bruce Schneier

  5. Metadata is the “surplus” data that Google built itself upon and that fuels surveillance capitalism. The Markup’s Blacklight and EFF’s Cover Your Tracks can show you the alarming amount of data that companies are collecting about your online activity.
  6. As a result, the fact that you might feel “anonymous” - perhaps you used a fake name when signing up for a forum - does not mean your activities are private or secure.

The idea that there are tools that would always work for everyone, everywhere; require no extra knowledge and zero additional infrastructure; are fair and just, and protect users at all times, is a dream that has not yet come true.
 – Tactical Tech

  7. If you want to limit surveillance capitalists’ influence on your life, start by using Firefox (or, if you are a novice Chrome user, Brave) rather than Google Chrome. Google was the original surveillance capitalist company. Then add in the uBlock Origin, Privacy Badger, TOS;DR, and Decentraleyes browser add-ons/extensions. Make sure to also use DuckDuckGo rather than Google Search, and consider leaving corporate social media altogether, with ActivityPub projects like Mastodon as a social media alternative. (I’m partway through my own journey, but there is still work, especially de-Googling, to be done. Update 2022: still working on de-Googling.) Not convinced? Here’s a web comic about Chrome and a privacy test breakdown for every browser.
  8. Because of advanced fingerprinting techniques, there’s no perfect system for avoiding trackers. Tor might be your best option if a stronger form of anonymity is required.
  9. Here are a few resources I use to choose my apps and tools, for both secure and open source (so the code can be checked) alternatives:
  10. When thinking about companies and apps themselves, the ideal of privacy is inverted: instead of privacy, we seek transparency. That’s why going with open-source, decentralized, and/or audited tools is recommended where possible.1
  11. Decentralization distributes power. Consequently, trust is distributed among multiple parties, allowing for less dependence on a central node but a larger number of potential failure points.
  12. One of the challenges in talking about digital security broadly and to a variety of different people is that there are many different potential threats, and they do not affect all of us equally. The digital world is not always safe for overpoliced Black folks or non-cis-men, and sometimes makes stuff like racism and sexism and domestic violence even worse. White men like me need to remember that we do not face the same challenges as others.
  13. At the same time, the truth is that everyone has something to hide.

Saying that you don’t need or want privacy because you have nothing to hide is to assume that no one should have, or could have, to hide anything - including their immigration status, unemployment history, financial history, and health records. You’re assuming that no one, including yourself, might object to revealing to anyone information about their religious beliefs, political affiliations, and sexual activities, as casually as some choose to reveal their movie and music tastes and reading preferences.
 – Edward Snowden

  14. Security is protection against threats. One way to talk about digital security is via the CIA triad: confidentiality (who has access, a.k.a. privacy), integrity (protecting data from tampering), and availability (the system still works for authorized users).
  15. In most cases you probably don’t need to buy any anti-virus software. Just set up your system to be as safe as possible using the tools it provides.

Another abstract projection in my kitchen.

  16. There is a lot for you to do, however, to keep yourself secure online. First, use a password manager and enable two-factor authentication on your accounts. Make sure to vary both your usernames and passwords (if you need to remember a particular password, try using a passphrase; you can even draw the passphrase words out of a hat or something). You should also add HTTPS Everywhere to your browser to ensure your browsing activity is encrypted through HTTPS.
  17. Mathematically scrambling data - encryption - is one of the most powerful tools we have for maintaining digital security. End-to-end (E2E) encrypted apps like Signal (and WhatsApp, but use Signal instead) are particularly important and useful. Most people don’t realize that they use encryption every day through HTTPS and core Internet protocols like TLS and S/MIME.
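The “draw the words out of a hat” advice above is really about entropy: each word drawn uniformly from a list of N words adds log2(N) bits, and the draw has to come from a cryptographic random source. Here is an added example (my own illustration, not code from the original post or from any password manager) that does the draw with Python’s secrets module and shows how to size a passphrase. The word list is a constructed 16-word sample so it runs offline; a real passphrase should come from a large published list, such as a 7776-word diceware-style list, so each word is worth about 12.9 bits.

```python
"""Passphrase generation with a CSPRNG and an entropy estimate.

Added example, not code from the original post. The word list below is a
small constructed sample; use a large published list for real passphrases.
"""
import math
import secrets

# Constructed sample list (assumption: 16 words). A 7776-word list gives
# ~12.9 bits per word instead of the 4 bits per word this sample gives.
SAMPLE_WORDS = (
    "acorn", "basalt", "candle", "dune", "ember", "fjord", "garnet", "harbor",
    "iris", "juniper", "kettle", "lantern", "marble", "nettle", "orbit", "plume",
)


def entropy_bits(word_count: int, list_size: int) -> float:
    """Entropy of `word_count` words drawn uniformly, with replacement,
    from a list of `list_size` words: word_count * log2(list_size)."""
    return word_count * math.log2(list_size)


def words_needed(target_bits: float, list_size: int) -> int:
    """Smallest number of words that reaches at least `target_bits`."""
    return math.ceil(target_bits / math.log2(list_size))


def generate_passphrase(word_count: int = 6, words=SAMPLE_WORDS, sep: str = "-") -> str:
    """Draw words with secrets.choice, which uses the OS CSPRNG.
    random.choice is seeded predictably and must not be used for secrets."""
    if word_count < 1:
        raise ValueError("word_count must be at least 1")
    return sep.join(secrets.choice(words) for _ in range(word_count))


if __name__ == "__main__":
    phrase = generate_passphrase(6)
    print(phrase)
    print(f"{entropy_bits(6, len(SAMPLE_WORDS)):.1f} bits from the 16-word sample list")
    print(f"{entropy_bits(6, 7776):.1f} bits from a 7776-word list")
    print("words needed for 80 bits with a 7776-word list:", words_needed(80, 7776))
```

The point the numbers make: six words from the toy list give only 24 bits, which is weak, while six words from a 7776-word list give about 77 bits, and seven words push past 80. Length of the list matters as much as the number of words, and the randomness of the draw matters more than either.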

surveilled at home and school
I have this memory of basketball camp …
this morning I said writing is for the present
active in the lives of people
timelessness hates us
when I open my heart to experience , I feel the —
I just let it be in there and various
real private browser hours
I let it go completely and play !


 – “i have too much to hide” by Benjamin Krusling

  18. Make sure to encrypt your computer(s) and phone(s)2 as well. If using cloud storage like Dropbox (don’t use Google Drive for sensitive or personal things!), use Cryptomator to encrypt your files.
  19. Using a VPN is not enough if you want to keep your activities secure and private - try Tor and Signal instead (or in addition to a vetted VPN like ProtonVPN).

Notes for organizers and activists

  20. You must also stay vigilant. Sophisticated phishing attacks are something that you - and anyone known to be associated with you - will need to be careful of. These aren’t your average spam messages. These are often meant specifically for you, replicating emails and websites that you might use in order to try to get your passwords or personal information. It could look like an email with a link from your bank, email, or social media account, for example - and the link will send you to a site run by the hacker(s). To defend yourself, first educate yourself on phishing techniques. Then turn on two-factor authentication for all of your accounts, preferably either through an authenticator app or even a physical security key.

In a world where millions of digital communications are silently intercepted, collected, and stored every day, how do activists effectively say ‘I do not consent to this search?’ As in a physical encounter with law enforcement, we must be proactive. Online, this means using encryption along with other privacy-protecting and autonomy-preserving tools.
 – Civil Liberties Defense Center

  21. Going to a protest? See the iPhone Security Guide I put together a few days ago. [EDIT: as of 2022 some of the iPhone guide is outdated.] If you choose to use a Faraday bag to limit tracking, or take other measures like using OpenStreetMap instead of Google or Apple Maps, you should also use it when you are not going out, so that it does not show a pattern. One thing to note is that, if you have a smartphone, accelerometer data is currently available to all apps as of this writing - this is one reason to be very careful about smartphone use in highly sensitive situations.
  22. Organizers who seek to change the world face unique challenges that other folks do not need to deal with. Recent examples, like the doxing of pro-democracy activists in Hong Kong and revelations of private surveillance of animal rights groups and activists, not to mention movies like Judas and the Black Messiah, are reminders of the importance of OPSEC for activists when dealing with “assholes with resources” or even governmental entities.
  23. Organizers are not only responsible for their personal security, but for the security of their team and their activities. They also face greater risk and exposure due to their prominence within the group.
  24. When it comes to setting standards for a small group or even an entire organization, we have to talk about security culture. This goes way beyond choosing the “right” tools like Jitsi, Signal, and EteSync (etc).
Security culture
Regardless of your personal risk level, defaulting to tools that are private and/or secure is the easiest way to maintain a culture that keeps its people safe from online surveillance. The focus on culture, rather than just implementing policy or focusing on individual actions, is something that - funnily enough - I have only run into in two places: the corporate world and the activist world.
At a company like AT&T, security culture is focused on employees’ shared attitudes and actions related to corporate security policy and the way that affects their overall success. In their own words, security culture requires an “investment” of time and energy.
For organizers, security culture is “a set of customs shared by a community whose members may be targeted, designed to minimize risk.” You should use secure practices from the beginning so that you don’t have to come up with security measures over and over again. It’s a form of collective care as well - a defense against racist tech, doxing, and the far-right. Limiting the amount people know to only what they need to know can also help address issues like undercover surveillance and badjacketing.
For both organizers and corporations, the focus is on culture, not protocol. The focus is on habits, not rules. They use different terms, but the core is the same: security culture is about making security the default - for everything. Security culture is a framework to center when working with others in an activist space. The best way to keep each other safe is to engage in secure practices at all times, not just by using particular tools, but by creating a culture of security.
  25. One concern for organizers (along with journalists and politicians) is doxing. One preventive step is to remove as much of your information from data brokers as possible. Here are a few useful guides, and I’ve personally followed the Big Ass Data Broker Opt-Out List. If you are doxed, see Equality Labs’ guide for next steps, and seek out help. Cyber Civil Rights Initiative also has an online removal guide. Another potential layer of protection is to use a post office box or a service like VirtualPostMail so that you don’t have to include your residential address on public documents. (If you own real estate/property, however, there may be no way to avoid it.) [EDIT 2022: I do not have experience with this, but Google offers special advanced protection. I am wary of Google, of course, but I wanted to mention it as something that could be explored.]
  26. One of the most useful tools for organizers is Tor. Tor harnesses decentralization and encryption to create anonymity. But make sure to only sign in to accounts you set up over Tor from Tor - never deanonymize yourself by logging in to an anonymous account through a regular browser. (Don’t F it up!) A reader of this article also suggests The Hitchhiker’s Guide to Online Anonymity (repo) as a resource for more info on how to stay anonymous.
  27. Another useful tool built upon Tor is OnionShare, developed by Micah Lee of The Intercept, which can be used to share files and host .onion hidden services. Micah recently wrote up instructions for how to set up an anonymous dropbox on a Raspberry Pi. To share files without using Tor, BitWarden Send is an option.
  28. Many people who use Signal all the time do not take advantage of all of its security features. Make sure to compare safety numbers with the people you are in contact with, to detect man-in-the-middle attacks and other key-substitution problems - preferably in an audible manner, on video chat, or in some non-Signal, offline way.
  29. To give out your Signal number without publicizing your personal number, see The Intercept’s guide to using a different phone number on Signal. Make sure to also add a carrier PIN to your phone(s). And if you are a prominent organizer, having burner phones is probably not a bad idea. Services like MySudo can be an option, but they will be tied to your payment method. (My protester iPhone guide is probably also relevant, although as of 2022 slightly outdated.)
  30. A tool built upon Signal that will be useful to many organizers is Signalboost. Check it out. [EDIT 2022: this tool is unfortunately no longer available.]
  31. If you need a “burner” email address, your best option is probably ProtonMail, since they don’t require you to connect an existing email address or phone number. Make sure to set it up through Tor and only access it through Tor. Be careful when using ProtonMail - just using the service is not enough to fully secure your communications with PGP encryption. You should also use .onion addresses wherever available. If you just need a disposable address, try Maildrop or 33mail. And if you are looking for something longer term, just a good email provider, Mailpile is another to consider.
  32. PGP (a.k.a. GPG) is an important and widely-used encryption tool. But its issues are well-documented. Make sure you read up before using it, and remember, only the body of the message is encrypted - headers like the subject line and recipients are not. Mailvelope is the most user-friendly PGP client I’ve encountered. But skipping PGP and just using Signal is probably your best option.
  33. When using Firefox, consider using an enhanced privacy configuration like the arkenfox user.js.
  34. And even after all this, there are also physical-world threats that intersect with digital security and can allow bad actors to access local files.3 Some relevant tools include Haven and RF-shielded (a.k.a. Faraday) bags. There are also alternative operating systems appropriate for high-level security.
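Note 28 is worth seeing in code. Why does reading a safety number aloud defend against a man-in-the-middle? Because the number is a fingerprint of both parties’ identity keys, so if the server (or anyone between you) hands one side a substituted key, the two phones compute different numbers and the mismatch is visible the moment you compare over a second channel. The following is an added example of that idea in Python. It is my own illustration, not Signal’s code or its exact fingerprint algorithm; the iteration count and the digit encoding are assumptions modeled loosely on Signal’s published scheme, and the keys and phone numbers are constructed random values.

```python
"""Out-of-band key verification, the idea behind Signal safety numbers.

Added example, not Signal's code. Illustrates why comparing a fingerprint
of both identity keys over a second channel detects key substitution.
"""
import hashlib
import secrets

# Assumption: iterated hashing (Signal's published scheme also iterates) so
# that searching for a key whose digits merely look similar is expensive.
ITERATIONS = 5200


def key_fingerprint(identity_key: bytes, stable_id: bytes, digits: int = 30) -> str:
    """Decimal digits derived from one party's identity key and stable id."""
    h = identity_key + stable_id
    for _ in range(ITERATIONS):
        h = hashlib.sha512(h + identity_key).digest()
    # Reduce each 5-byte chunk of the digest to five decimal digits.
    groups = []
    for i in range(0, len(h), 5):
        chunk = int.from_bytes(h[i:i + 5], "big")
        groups.append(f"{chunk % 100000:05d}")
    return "".join(groups)[:digits]


def safety_number(my_key: bytes, my_id: bytes, their_key: bytes, their_id: bytes) -> str:
    """Both fingerprints in a canonical (sorted) order, so the number is the
    same on either phone when both sides hold the genuine keys."""
    mine = key_fingerprint(my_key, my_id)
    theirs = key_fingerprint(their_key, their_id)
    return "".join(sorted([mine, theirs]))


def scenario() -> tuple:
    """Return (honest_match, mitm_match) for two constructed exchanges."""
    alice_key, bob_key, mallory_key = (secrets.token_bytes(32) for _ in range(3))
    alice_id, bob_id = b"+15550100001", b"+15550100002"  # constructed ids

    # Honest exchange: each phone received the other's genuine key.
    on_alice = safety_number(alice_key, alice_id, bob_key, bob_id)
    on_bob = safety_number(bob_key, bob_id, alice_key, alice_id)
    honest_match = secrets.compare_digest(on_alice, on_bob)

    # Man-in-the-middle: Alice was handed Mallory's key labeled as Bob's.
    on_alice_mitm = safety_number(alice_key, alice_id, mallory_key, bob_id)
    mitm_match = secrets.compare_digest(on_alice_mitm, on_bob)

    return honest_match, mitm_match


if __name__ == "__main__":
    honest, mitm = scenario()
    print("numbers match with genuine keys:", honest)   # True
    print("numbers match under substitution:", mitm)    # False
```

The mismatch only helps if you actually compare the digits over a channel the interceptor does not control, which is why the note above says audible, on video, or offline. Comparing them inside the same chat would let an attacker in the middle rewrite both.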

A third abstract video projected onto my kitchen wall.

Addenda, Autumn 2022:

  35. Some additions via Caroline Sinders: falsify information when you can, when the info requested is not necessary, and log out of (or even delete) apps like Facebook when crossing (state or national, depending on your threat model) borders.

Watch me in my hotel room
Watch my outline as I move from city to city
Watch me watching pornography
Watch me talking to my friends and my family


I know you love me (Daddy!)
‘Cause you’re always watching me (Daddy!)
I know you love me (Daddy!)
‘Cause you’re always watching me (Daddy!)


Protecting me from evil
Protecting me from terrorism
Protecting me from child molesters
Protecting me from evil


Watch me, watch me, watch me […]
Daddy! Daddy! […]


I know you love me
‘Cause you’re always watching me
I know you love me
‘Cause you’re always watching me


 – “Watch Me” by ANOHNI

  36. In the original version of this, I failed to mention SecureDrop, a tool for whistleblowers to submit information.
  37. If you use Windows for sensitive activities, consider using privacy-enhancing apps such as HardenTools or Privacy.Sexy.
  38. A few tips for using new apps: 1) do not share your contacts with apps and 2) do not use your Google/Apple/GitHub/Amazon account to log into other websites. You can also check on any app’s Internet usage with Little Snitch and similar apps.
  39. I stopped using Keybase after it was acquired by Zoom. Perhaps that wasn’t necessary? Hard to say. But in any case, I recently learned there is an open source alternative called Keyoxide.
  40. With the changing landscape and decrease in cookie usage, Google is testing out a tracking system called FLoC. See here if your Chrome installation is part of the trial. Then stop using Chrome (see #7 above).
  41. Another way websites track you is through the HTTP Referer header. Use href.li to anonymize links and avoid this. They also do so by adding tracking parameters to the end of URLs when you share them or access them from an email. I often remove the tracking information manually when it is clear, but you can also use ClearURLs. Another advanced trick is to use User-Agent Switcher to appear as another browser.
  42. Access social media from trackerless frontend versions where possible, such as Teddit (Reddit), Bibliogram (Instagram), ProxiTok (TikTok), a nitter instance (Twitter), an Invidious instance (YouTube), Scribe (Medium), Rimgo (Imgur), Quetre (Quora), LibreMDB (IMDb), or stream music using nuclear. There are a number of other useful frontends as well, including Whoogle and Lingva for Google Translate, and a browser add-on that helps with this. And if you must use Facebook, make sure to change your settings to the most private possible.
  43. If you have a website, I ask that you add the Permissions-Policy: interest-cohort=() HTTP response header to opt out of the Google FLoC trial from the website side. Then also make sure that you have top-notch security headers (including removing the Server header).
  44. A thought: surveillance capitalism is domination, but not in the ways we are accustomed to. Its authority is ubiquitous and insidious. This power would never restrict access to certain books; it would far rather just know what you read (and how often, on what device, how many words per second, where you pause to stop reading and think or snack or use the bathroom, etc.) so it can sell you something.
  45. A question: a lot of OSINT is enabled by the very same technologies that enable surveillance capitalism. Can we separate from it?
  46. A feeling: it is discouraging to see all the ways that people accentuate this system. Driven by fear, we and our neighbors are putting cameras all over our homes, adding to an already out-of-control video surveillance network.
  47. A perhaps-unnecessary qualification: I’m not a tech skeptic - I work at a tech company - but that doesn’t mean I have to love all the ways we use technology today.
  48. Since I wrote this, nothing has gotten better in the area of surveillance. And the new laws and changes are not enough.
  49. Thinking about community safety in a time of crisis, which is potentially related to this topic, a good practice would be to “set up phone trees to disseminate information widely using cascading phone calls (each person calls 10 people, they call 10 people, etc.),” as suggested by CLDC. Walkie talkies, Bridgefy, and sat phones are also part of that equation.
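Two of the notes above (41 and 43) have a mechanical core that is easy to show: stripping tracking parameters from a link before you share it, and checking the response headers of a site you run for the FLoC opt-out and for leaky banners like Server. Here is an added example in Python that does both. It is my own illustration, not code from the original post, from ClearURLs, or from any header-scanning service; the parameter list, the header values, and the sample URLs and responses are constructed, and real tools carry much longer, site-specific rule sets.

```python
"""Client-side link hygiene and server-side header hygiene.

Added example, not code from the post. Tracking-parameter names, header
values and all sample inputs below are constructed for illustration.
"""
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Constructed, non-exhaustive set of common tracking query parameters.
TRACKING_PARAMS = {
    "utm_source", "utm_medium", "utm_campaign", "utm_term", "utm_content",
    "fbclid", "gclid", "mc_eid", "mc_cid", "igshid",
}


def strip_tracking_params(url: str) -> str:
    """Remove known tracking parameters, keeping everything else intact."""
    parts = urlsplit(url)
    kept = [(k, v) for k, v in parse_qsl(parts.query, keep_blank_values=True)
            if k.lower() not in TRACKING_PARAMS]
    return urlunsplit((parts.scheme, parts.netloc, parts.path, urlencode(kept), parts.fragment))


# Headers to send from a site you run. The FLoC opt-out is the one the post
# asks for; the rest are conventional defaults (assumed values, tune the CSP
# to your own site).
RECOMMENDED_HEADERS = {
    "Permissions-Policy": "interest-cohort=()",
    "Strict-Transport-Security": "max-age=63072000; includeSubDomains",
    "X-Content-Type-Options": "nosniff",
    "X-Frame-Options": "DENY",
    "Referrer-Policy": "no-referrer",
    "Content-Security-Policy": "default-src 'self'",
}
# Headers that only advertise software and versions; remove them.
BANNER_HEADERS = ("Server", "X-Powered-By")


def audit_security_headers(response_headers: dict) -> list:
    """Return human-readable findings for one response's headers."""
    present = {k.lower(): v for k, v in response_headers.items()}
    findings = []
    for name in RECOMMENDED_HEADERS:
        if name.lower() not in present:
            findings.append(f"missing {name}")
    policy = present.get("permissions-policy")
    if policy is not None and "interest-cohort=()" not in policy.replace(" ", ""):
        findings.append("Permissions-Policy does not disable interest-cohort")
    for name in BANNER_HEADERS:
        if name.lower() in present:
            findings.append(f"remove {name} header ({present[name.lower()]})")
    return findings


if __name__ == "__main__":
    # Constructed link as it might arrive in a newsletter.
    print(strip_tracking_params(
        "https://example.org/post?id=42&utm_source=newsletter&fbclid=abc#top"))
    # Constructed response headers from a default web server install.
    weak = {"Server": "nginx/1.18.0", "Content-Type": "text/html"}
    for finding in audit_security_headers(weak):
        print("-", finding)
```

Pointing the audit at real headers is a matter of feeding it the dictionary from your HTTP client of choice; the function itself stays offline and deterministic, which is what makes it usable in a deploy check.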

One of the challenges with digital security is that it is constantly shifting and changing as new apps are created, new threats are discovered, and the way we engage with technology and the Internet continues to evolve. But seeking to learn how the technological systems we rely on actually work, and taking control of the ways we engage with them, is a political act.

There is so much to say on this topic - I haven’t even scratched the surface. Here are a few more resources to dig into to learn more:

If we want to see change in our lives, we have to change things ourselves.
 – Grace Lee Boggs

Three painted rectangles denoting the end of a path.

  1. If you use Android, review εxodus’s app audits.

  2. Apple is gaining a reputation for providing the best privacy features. The fact that they are also premium devices is no coincidence. In addition to protecting the elite and others with proximity to power or privilege, Google will be quite happy to give you cheaper hardware as long as you (unknowingly) give them your behavioral surplus.

  3. I do love programs that operate locally, like Obsidian and Tape.