A DIY Guide to Feminist Cybersecurity
Take control of your digital spaces.
The internet is a crucial environment for our lives. Friendships, relationships, work, activism, commerce, and so many other forms of social connections take place digitally. As we thrive in these internet spaces, harassment and violence along intersecting axes of oppression are felt with unchecked force. Trolls launch campaigns of abuse and intimidation, hackers seek to exploit and manipulate your private data, and companies mine and sell your activity for profit. These threats to digital autonomy are gendered, racialized, queerphobic, transphobic, ableist, and classist in nature. The severity of these threats can have vast physical and psychological repercussions for those who experience them: they cannot be taken lightly.
Digital spaces are unique in that you often have to rely on companies and developers to protect your well being and data as you go about your digital life. These companies and developers frequently ignore or underestimate the digital threats to these spaces and their users. There is little in the way of accountability for companies and developers, all the while users are left with little support for the violence they’ve encountered, even being blamed for actions of a malicious attacker.
You have a right to exist safely in digital spaces. Although we have to rely on outside parties for technology to access these spaces, there are tons of helpful tools and strategies that allow you to take greater control of your digital life and mitigate the risk of malicious threats. We’ll walk through common areas of digital life such as web browsing, private data, and smartphones to show you different ways that you can implement as much or little security as you’re comfortable with. You have power to set boundaries and protections in your digital spaces as you see fit: we hope that this guide will help you to make informed, personal decisions on what is right for you.
How to use this guide
This guide is intended to be a comprehensive and accessible introduction to some of the most valuable cybersecurity tools available. There’s a lot of information here, so it can get a bit overwhelming! Feel free to read each section at your own pace: there’s no obligation to read through the whole guide and install every piece of tech we recommend. Consider checking out our Cheat Sheet section as a quick way to get started with the tools that best meet your digital security needs. Don’t worry if some of the tech is a bit confusing: even experienced techies can get a bit disoriented at first, but rarely do you need to know every inner working of a tool in order to take advantage of it. If at any point you have questions or concerns, feel free to tweet this guide’s creator at @ciakraa or email at email@example.com and he will try to help as quickly as he can!
We also have a Spanish version of this guide, Guía de Seguridad Digital para Feministas Autogestivas. Check it out!
Be invisible to malicious threats.
Your casual internet browsing yields a treasure trove of personal data for anyone who can see what you’re doing. Websites often track your activity across the internet so they can collect marketing data: demographics, what your interests are, where you spend your time, and so on. As you can imagine, if this data is valuable to companies, it’s valuable to hackers and trolls too; it’s very easy to capture sensitive information like credit card data, physical location, or account data just by being able to monitor someone’s web browsing. So what do you need to know to fight these jerks?
If your internet activity is not encrypted, it is NOT private and you should assume that someone or something could see it.
As you browse the web, think of it as constantly sending a multitude of open letters: anyone that positions themselves correctly can simply read them before passing them on to their intended destination. They can know where it came from, where it’s going, and everything contained within. This is where encryption is handy: encryption is like sealing the letters in envelopes, guaranteeing that only the desired recipient can read the letters’ contents. And thanks to a lot of ingenious technologies, we can obscure the information about the sender and recipient as well.
Left unchecked, your cookies will feed personal data to private companies.
Cookies are an integral part of browsing the web: small pieces of data are stored on your computer by websites to keep track of persistent data such as whether you’re logged in or what your user preferences may be. However, it has become very popular for websites to not only store data about your user experience, but also track data about you. These cookies (as well as their ugly cousins like LSOs that perform similar functions) are especially valued by marketing companies that build intimate profiles of your personal information and web habits to be mined and sold for advertising purposes. Often accumulating for months and even years, malicious cookies can expose vast amounts of personal information about you that companies should not have. This data’s existence and dissemination without your knowledge means it’s very possible for your data to fall into malicious hands, be it by hacking, leaking, or just invasive advertising.
Public wifi is so very, very insecure.
When you are on a wifi network, anyone else using that network can watch your web traffic (even if it’s a password-protected network). Because there can be so many people using the same network (like at a coffee shop or library), a malicious hacker could very easily collect tons of personal information about everyone on the network. They could intercept your traffic and feed you fake websites in order to get valuable data from you! And even if you’re not using a network intentionally, just leaving your phone with wifi enabled means nearby networks can tap into your phone and pull metadata about you without your ever trying to use their internet. To fight this invasive snooping, you have to ensure that your web traffic is encrypted: using the Tor Browser and/or a VPN network as detailed below will give you great privacy. You should also disable wifi on your phone whenever you don’t explicitly need it!
The goal of this section is to make your internet activity secure from nonconsensual tracking and monitoring, effectively making you anonymous (though you are never -truly- anonymous; you have an IP address and an Internet Provider after all). The amount of protection you adopt is totally up to you: usually the trade-off is that the more protection you want, the slower and more inconvenient browsing the web can be. Fortunately, many of the basic technologies outlined require zero effort on your part and still offer a ton of protection.
Zero-Effort Privacy and Security: Browser Extensions
Browser extensions are no-cost software you can install in your browser to customize your browsing experience. Listed below are extensions that help make your internet browsing safer from governments, corporations, or hackers snooping on your activity. If you don’t feel like reading, just follow the download links and install the extensions; your browser will end up very secure! However, we recommend at least reading about each extension before you install.
It’s also worth pointing out that of the popular internet browsers (Chrome, Firefox, Safari, Internet Explorer), the only browser not developed by a for-profit corporation is Firefox. The developers of Firefox, Mozilla, have a long history of protecting users’ rights and are very active in fighting for a free and open internet. With the other browsers, your activity is frequently tracked by the company that owns the browser, so this guide strongly recommends using Firefox as your main computer browser. Make sure to check out our section on mobile browsing if you’re interested in securing your mobile activity too.
'Privacy Badger is a browser add-on that stops advertisers and other third-party trackers from secretly tracking where you go and what pages you look at on the web. If an advertiser seems to be tracking you across multiple websites without your permission, Privacy Badger automatically blocks that advertiser from loading any more content in your browser. To the advertiser, it's like you suddenly disappeared.' - Electronic Frontier Foundation
Install for Firefox here
Install for Chrome here
Official page for more info can be found here
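The “seen tracking you across multiple websites” idea above can be made concrete. The following is an added example written for this guide (it is not Privacy Badger’s code) that replays a small, constructed log of page loads and flags any third-party domain that set or sent a cookie on three or more different sites; the three-site threshold is an assumption modelled on the heuristic Privacy Badger describes, and the domain grouping is simplified (real tools use the Public Suffix List).

```python
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample traffic, not a real capture: for each request a page made,
# the page the user was on, the third-party URL requested, and whether the
# request carried a cookie (i.e. could identify the user across pages).
SAMPLE_REQUESTS = [
    ("https://news.example/article", "https://ads.tracker-a.example/pixel.gif", True),
    ("https://news.example/article", "https://cdn.static.example/lib.js", False),
    ("https://shop.example/cart", "https://ads.tracker-a.example/pixel.gif", True),
    ("https://shop.example/cart", "https://cdn.static.example/lib.js", False),
    ("https://blog.example/post/1", "https://ads.tracker-a.example/beacon", True),
    ("https://blog.example/post/1", "https://analytics.tracker-b.example/collect", True),
    ("https://forum.example/thread", "https://analytics.tracker-b.example/collect", True),
    ("https://forum.example/thread", "https://forum.example/api/me", True),
]


def registrable_domain(host):
    """Reduce a hostname to its last two labels, e.g. ads.tracker-a.example -> tracker-a.example.
    Simplification for the demo: real tools consult the Public Suffix List so that
    hosts under co.uk and similar suffixes are grouped correctly."""
    return ".".join(host.lower().split(".")[-2:])


def find_cross_site_trackers(requests, threshold=3):
    """Return {tracker_domain: [first-party sites it was seen on]} for every
    cookie-bearing third-party domain observed on at least `threshold` distinct sites."""
    seen_on = defaultdict(set)
    for page_url, request_url, has_cookie in requests:
        if not has_cookie:
            continue  # no identifier was sent, so this request cannot track the user
        first_party = registrable_domain(urlsplit(page_url).hostname)
        third_party = registrable_domain(urlsplit(request_url).hostname)
        if first_party == third_party:
            continue  # a site's own cookies are not cross-site tracking
        seen_on[third_party].add(first_party)
    return {dom: sorted(sites) for dom, sites in seen_on.items() if len(sites) >= threshold}


def should_block(request_url, blocklist):
    """The decision a blocking extension would make for a new outgoing request."""
    return registrable_domain(urlsplit(request_url).hostname) in blocklist


if __name__ == "__main__":
    trackers = find_cross_site_trackers(SAMPLE_REQUESTS)
    for dom, sites in trackers.items():
        print(f"blocking {dom}: seen with cookies on {', '.join(sites)}")
```

In the sample, tracker-a.example is blocked because it received cookies on three different sites, tracker-b.example is not (yet) because it has only been seen on two, and the static CDN is never considered because its requests carried no cookie at all.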
uBlock Origin blocks ads on 99% of the sites you visit. Ads can be the source of a virus, activity tracking, malware, or just plain annoyingness, so this extension will pre-emptively block these nasty things with no effort from you.
Install for Firefox here
Install for Chrome here
Official page for uBlock Origin extension here
Disconnect identifies the “invisible” web, which is all the trackers, beacons, cookies, and other tools that websites and marketers use to track your activity across the internet. It blocks these malicious trackers from seeing your web activity, which in many cases will even make the site load faster. It's a great companion extension to Privacy Badger.
Install for Firefox here
Install for Chrome here
Official page for more info can be found here
Many sites are set up to encrypt (i.e. make private) your activity when you visit: it can be limited to sensitive things like making a purchase or it can be used for the whole site. The HTTPS Everywhere extension makes it so your browser automatically uses this encryption whenever possible.
Install for Firefox here
Install for Chrome here
Official page for more info can be found here
Mobile Privacy: Firefox Focus and Firefox for Android
We constantly browse the web on our phones and tablets. iOS and Android give you less control over your environment compared to your laptop: you can only install software made available through the app and play stores, and you are limited in the settings and capabilities of those apps. Fortunately for your privacy, the awesome developers at Mozilla have created fantastic browsing apps for your phone!
Firefox Focus for iOS
Firefox Focus is a web browser dedicated to private browsing. By blocking malicious trackers and advertisements, Firefox Focus mitigates website surveillance while increasing the speed of your web pages. It also serves as a content-blocker on iOS, meaning you can enjoy its privacy features in other apps. To enable these features in Safari, go to Safari under Settings, click 'Content Blockers', and enable Firefox Focus.
Install for iOS here
Introductory blog post for more info can be found here
Firefox for Android
Firefox for Android is a fast and reliable web browser that can install all the same extensions as the desktop version of Firefox. So if you want secure mobile browsing on Android, all you have to do is download Firefox for Android and start installing the secure tools in our Privacy Extensions section!
Install for Android here
Official website can be found here
Anonymous browsing: Tor
The drawback of a browser like Firefox or Chrome is that a website, hacker, or government can still figure out your physical location and which sites you visit based on what’s being sent to and from your computer (even if they can’t read the contents of what’s being sent). In the case of the government or an internet service provider, they can even block access to a website entirely. Whenever using a normal browser, you are always open to this threat, regardless of what extensions you use. If you are ever in a position where you absolutely NEED to be anonymous, be it for safety or political reasons, then you need to use the Tor network.
The Tor network is an internet protocol that basically hides your identity by bouncing your web requests across the world in multiple layers of encryption before they are received by the website. Although you may visit a website from Boston, the website will see the request come from England or Kenya or Japan or any other country where the Tor network spits out your request; there is no way to track a web request to its origin. The network also hosts websites (called “onion sites”) that are not accessible through the regular internet: these can range from political dissident websites to forums for abuse survivors to drug markets to plain ole’ boring websites. However, you can access the rest of the “normal” internet as well.
To funnel your internet activity through the Tor network, all you need to do is download the Tor Browser and use it exactly as you would a regular browser. You shouldn’t install extensions though, as the browser already anonymizes you and uses HTTPS when available! The most significant drawback is that the network is fairly slow: it takes a few seconds to bounce your requests around the world.
A big disclaimer for the Tor browser is that it makes you anonymous, but not private. Although your web requests are anonymous, if you are posting on Facebook or sending an email through Gmail, that activity is still identifiable as “you”. So a good rule of thumb is that when using the Tor browser, do not visit sites or services associated with your private information if you are trying to be anonymous. If you absolutely need to use a site that requires that kind of information, just make up fake data when you register and make sure not to use it outside of Tor. Also keep in mind that the final connection to your destination website is only encrypted if that site supports HTTPS; just because you’re anonymous doesn’t mean that the final connection to the site can’t be monitored. Lastly, try not to download anything: because Tor nodes (the servers that bounce around your web requests) can be run by regular people, they could attach a nasty virus to a downloaded file if they wanted.
Download Tor Browser from the official Tor Project site.
The EFF has a great interactive guide for how Tor (as well as HTTPS) protects your browsing. More information about the Tor network can be found on the official page for the Tor Project.
Improved Security with Some Effort + Potential Cost: VPN
Tor is slow, so it tends not to be the most fun thing to use for daily internet browsing. However, there are other ways to protect your web activity through a Virtual Private Network (VPN).
A VPN creates a private, encrypted connection between you and a VPN server; all of your internet activity gets “tunneled” through this private network before leaving the VPN server into the open world. When you access a website with a VPN connection, the website will see the request coming from the VPN server, not you. Someone trying to see what was being passed between your computer and the VPN server won’t be able to see what you’re doing: it’s all encrypted. Think of it as a private tunnel between your computer and the VPN server: the server lets whatever you want into or out of the tunnel, but no-one but you can see what’s inside. What’s especially neat is that a VPN server can live anywhere in the world! If you use a VPN server in Switzerland, websites will think you’re Swiss because your web requests are coming from the VPN server in Switzerland. If you use a VPN server in Japan, websites will think you’re Japanese.
While some techies run their own VPN servers, most people tend to use VPN providers instead. These are companies or organizations that run and manage VPN servers so you don’t have to deal with the technical details: you just use them. Some VPN providers can even anonymize your activity further by bouncing the web activity leaving their servers through proxies (other servers). Unfortunately, VPN services are typically not free. You either have to set up your own server somewhere or, more commonly, pay for a monthly service from a VPN provider.
There are many VPN providers out there so it can be tough deciding who to use. Generally you want someone that does not store logs of its users while implementing OpenVPN as its VPN technology (some VPN tech has been hacked by the NSA; as far as we know, OpenVPN has not). It's also great when you have choices about where the VPN server will be: being able to route your traffic through other countries is a fantastic, effortless security measure. Generally speaking, paid providers are much easier to use and can offer customer service and useful guides, but there are free providers out there as well. Here are a few providers we recommend:
- AirVPN is a paid VPN provider that lets you choose which countries to route your connections through, lets you pay anonymously via bitcoin, and does not store logs about its users' activity. It costs $5 a month on a yearly plan, or $8 a month on a monthly plan. It comes with its own VPN client for easy use!
- Feral Hosting is a paid Seedbox provider that allows you to create a personal VPN server as well as other web services like torrent clients, website management, and file storage. This is a great option for the more adventurous nerds that like the idea of having their own server to play with, but with tons of installation guides, automated management, and fantastic customer support (so it's not as hardcore as having a totally independent server). It costs ~$15 a month for its cheapest plan.
- CyberghostVPN has limited no-cost options: you can connect for up to 3 hours to one of their VPN networks. This is great if you can't afford a VPN but might want to be safe when working on public wifi once in a while.
To use a VPN, you need to install a VPN client on your computer that will communicate with your VPN provider. This is what guarantees the encrypted tunnel of communication from your computer to the server. VPN clients that cost money tend to be easier to use, but the free options work fine too (maybe with a bit more installation effort on your part). Once you’re set up, all you have to do is click a button in your VPN client and your internet activity will be tunneled to your VPN provider. Thus, your activity will be much safer with minimal impact on browsing speeds. Set-up instructions for each VPN client would be too lengthy for this guide (we’re only human!) so follow the instructions on their respective sites to get yourself going. Make sure to do this after signing up with a VPN provider so you have the necessary VPN files ready for your client.
Viscosity is a paid client for Mac and Windows
Tunnelblick is a free client for Macs
OpenVPN offers a free client for Windows
If you use AirVPN, they give you a free client!
Ultimate anonymity and amnesia: Tails
Anonymity doesn’t have to stop at your web browser. By using the Tails operating system, you can create an anonymous, amnesic, secure digital space wherever you go. You don’t even need your own computer!
There are a countless number of situations where Tails could be an invaluable tool for your privacy. Activists looking to organize in spite of government surveillance can use Tails to effectively communicate. People being tracked by predatory abusers can use Tails to access the internet without risking their physical location or data. Someone that wants to utilize public computers or internet networks can do so while still having their privacy protected. Any time you want to be maximally private in your activity and your data, Tails is an incredible tool to have at your disposal!
Tails is a portable, Linux-based operating system specifically designed for personal privacy. You install it on a DVD or a USB flash drive and can boot it from nearly any computer you like, whether it's Windows, Apple, or Linux-based. So why is this useful?
- Tails is an amnesic system, meaning no data is stored between sessions: every time you use it you can have a totally fresh digital environment, with no personally identifying information, regardless of whose computer you're using (this can be especially useful if you do not have safe access to your own computer).
- All internet connections used by Tails are routed through the Tor Network, so your IP address, location, and activity cannot be readily monitored by outside parties (your ISP can see you are using Tor, but cannot see how you are using it; only a very determined nation-state could try to pinpoint your Tor activity).
- Your computer's MAC address is spoofed, meaning that your internet connection does not have a unique, recognizable hardware identifier (like it normally does)
- Important privacy extensions like HTTPS Everywhere are preinstalled in Firefox for Tails so your web browsing can be encrypted whenever it leaves the Tor network to an HTTPS-supported site.
- Tails comes with fantastic privacy software already installed, such as a PGP email client for sending encrypted emails.
- There's even a "Camouflage" mode so that your desktop looks just like a Windows desktop, in case you don't want to arouse suspicion.
To install Tails on a DVD or USB flash drive, follow the instructions on the official Tails website. It may seem a bit daunting, but don't worry! While we strongly encourage you to verify the ISO image as instructed, it's not mandatory. Just please be aware of the risks involved and decide for yourself whether those are acceptable or not. For non-emergency use, ignoring the verification could be fine, but if malicious parties are potentially targeting you, it's best to be safe and verify. At the very least, you'll get an awesome crash course in how to use PGP! And make sure to keep up to date with the latest Tails version so you don't expose yourself to vulnerabilities.
Unfortunately, Tails is not a perfectly secure system: like anything else, there are still risks of surveillance or hacking to be found (albeit much lower risks than you get with regular desktop or phone browsing). We definitely suggest you check out the Tails warning documentation so you can be better aware of the strengths and weaknesses of this digital space.
Protect your digital accounts.
Your online accounts are points of access to your life both online and off. From email to social media to shopping, your accounts are crucial for pretty much everything you do through the internet. Spread out across these accounts is a treasure trove of personal data, credit card information, and even the ability to be “you” in online spaces. Unfortunately, hackers and abusers see the value in being able to access these accounts: they’re one of the most popular targets for cyber harassment and crime. This section offers a number of ways to make hacking into your online accounts much more difficult. As with any electronic service, there is no foolproof way to protect against a dedicated hacker (and you should never trust anyone who claims otherwise), but adding layers of security gives you much more control over your online identity and information, which can deter and prevent many common forms of hacking.
As we outline best practices, useful technologies, and recommended services, the most crucial thing to remember is to be conscious of the risks of any given context. One of the best things to ask yourself is “If this was hacked, how would it impact my life?” Thinking along these lines means that YOU can dictate the security and privacy of your digital life. You can choose to add more security measures, or fewer. You can choose to use a safer service, or stay with what you have. It’s your call!
Social Engineering and Phishing
Believe it or not, the majority of successful hacks do not need advanced technical skills. From government spies to pathetic trolls, malicious hackers frequently rely on surprisingly simple schemes to trick people into giving up their passwords, emails, and other private information. Social Engineering involves psychological manipulation of targets to reveal sensitive information. A common example is a hacker calling a customer service or technical support worker at a website: they claim to be an employee or a customer and smooth-talk their way into being given private data about a customer. Another common case is simply contacting a target and pretending to be a representative of a company or service: a hacker can claim to be a utilities worker needing information about your apartment, a healthcare worker asking about your health plan, or any other number of roles in order to steal your information. Phishing is a very popular form of social engineering where a hacker will send you a professionally designed email pretending to be a website or service, including a website link for you to follow. When you click the link, it will take you to a seemingly legitimate website that asks for your password, ATM pin, or other information. But in reality, the website is a fake that collects the private data you mistakenly hand over!
So how can you protect yourself against these sorts of attacks? We have a few pointers that will help you out!
Do not login to websites from a link in an email
As a rule of thumb, if an email link directs you to a login screen, you should be suspicious. It's best to simply go to the website yourself in your browser, log in normally, and look for the page the email wanted you to browse. An exception is when you reset a password for a site (the website needs to provide a personalized link for you to change your password). In this case just make sure that you explicitly requested a password reset. And use a unique password just to be safe!
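The suspicion this rule asks for can be written down as a checklist a program can apply. Below is an added example written for this guide (not code from any mail client or extension) that extracts the links from a constructed phishing-style email and flags the common tricks: a trusted name buried inside a longer hostname, a plain-HTTP link, the `user@host` form of a URL where the real host comes after the `@`, the trusted name placed in the path, and look-alike (non-ASCII or punycode) hostnames. The list of trusted login domains and the sample message are assumptions made for the demo.

```python
import re
from urllib.parse import urlsplit

# Constructed list of domains where you would legitimately log in. In real use,
# this would be the sites you actually hold accounts on.
TRUSTED_LOGIN_DOMAINS = {"facebook.com", "accounts.google.com", "twitter.com"}

LINK_RE = re.compile(r"https?://[^\s\"'<>]+")


def check_login_link(url):
    """Return (ok, reason). ok is True only for an HTTPS link whose host is exactly
    a trusted domain or a subdomain of one."""
    parts = urlsplit(url)
    host = parts.hostname  # lowercased, with any user:pass@ and :port removed
    if parts.scheme != "https":
        return False, "not https"
    if host is None:
        return False, "no host"
    if parts.username is not None:
        # https://facebook.com@evil.example/ really goes to evil.example
        return False, "user@ trick in address"
    try:
        host.encode("ascii")
    except UnicodeEncodeError:
        return False, "non-ASCII host (possible look-alike letters)"
    if host.startswith("xn--") or ".xn--" in host:
        return False, "punycode host (possible look-alike letters)"
    for trusted in TRUSTED_LOGIN_DOMAINS:
        if host == trusted or host.endswith("." + trusted):
            return True, f"host belongs to {trusted}"
    return False, "host is not one of your trusted sites"


def triage_email(text):
    """Run every link found in an email body through check_login_link."""
    return [(url, *check_login_link(url)) for url in LINK_RE.findall(text)]


# Constructed sample message: one genuine-looking link and several phishing patterns.
SAMPLE_EMAIL = """Your account needs attention. Please review:
https://www.facebook.com/settings
https://facebook.com.account-check.example/login
http://facebook.com/login
https://facebook.com@account-check.example/login
https://account-check.example/facebook.com/login
https://xn--fcebook-8za.com/login
"""

if __name__ == "__main__":
    for url, ok, reason in triage_email(SAMPLE_EMAIL):
        print(("OK   " if ok else "WARN ") + url + " -> " + reason)
```

Only the first link passes; the others are exactly the shapes the rule above warns about, and even the passing one should still be reached by typing the site's address yourself rather than by clicking.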
Always install software updates as soon as possible
Hackers often rely on exploitable vulnerabilities in popular software to target their victims. Software developers can quickly become aware of these vulnerabilities and release software updates to fix the issue. It's imperative that you keep your software up-to-date so that your apps have the latest security fixes available to you! This is easy to do too: when your computer notifies you that there are updates to install, just go ahead and do it. Especially make sure to install macOS, iOS, Android, and Windows operating system updates ASAP!
Try not to login to websites via Facebook, Twitter, or Google
Many websites offer the option of logging in with your social media account rather than having to create an account for the website. Although convenient, this presents a huge security risk: how do you know if this site is legitimate? By encouraging unsuspecting users to use their social media accounts, a malicious website can easily collect valuable names and passwords. It's much safer to just create a new account for the site.
Do not trust emails asking for personal information, survey data, or anything else that could reveal info about you, no matter how professional they look
The vast majority of websites do not need your personal data to provide their services, so be suspicious if they ask for it (besides, who cares what they want? It's not your responsibility to give them anything). If you think the request is legitimate, do not follow their supplied link: you should be able to do whatever you have to do by navigating their website in your browser. If you can't, they clearly have shitty security practices and you should be suspicious of them in general!
Use HTTPS connections whenever possible
In the Anonymity section, we talked about the value of using the HTTPS Everywhere extension. When you connect to a website using HTTPS, your browser ensures the site is not a fake by verifying the site's HTTPS certificate is legitimate. Because fake sites cannot replicate the expected HTTPS certificate, your browser could give you a warning that a fake site is insecure. Trust your browser! By installing the HTTPS Everywhere extension, your browser will try to use HTTPS whenever possible, thus offering an easy first-line of defense against phishing scams.
Beware public wifi
When you are on a wifi network, anyone else using that network can watch or intercept your web traffic (even if it's a password-protected network). So an easy phishing scheme could be sitting in a coffee shop and intercepting all requests to facebook.com so everyone sees a fake phishing site instead, thus collecting many people's passwords. The absolute best protection is to use a Virtual Private Network to seamlessly encrypt your web traffic so it cannot be intercepted. A great alternative is to use the Tor Browser to send your browsing over the Tor network, thus anonymizing you while encrypting your data (although it will be slower than using your normal browser). If you're on a phone, try to only use your regularly installed apps for using websites rather than logging in through a browser (since phone browsing is much less secure).
So do you really need to give out your personal info? (...no)
Quite frequently a website or service will want more than just an email address and a password: they may want your name, your location, and other juicy marketable data. Well, fuck ‘em! Who says you have to tell them the truth? A good rule of thumb is to only give personal information that is absolutely necessary. Don’t be afraid to make things up! You can always give a fake name, a fake address, and all sorts of other made-up information. Unless you’re buying something, rarely is this personal information ever really crucial. By providing fake data, you lower the risk of a compromised account being linked to other accounts by shared data, as well reducing the possibility of a malicious person finding out more about you in real life.
(By the way, email addresses don’t need to be real either. If you’re just registering quickly to use a site once or twice, use a disposable email address! This is especially handy if you need to do something online anonymously. We like using Sharklasers.com because sharks are neato, but there are many similar services out there.)
Strong Passwords: “Ugh”
To quote xkcd, “Through 20 years of effort, we’ve successfully trained everyone to use passwords that are hard for humans to remember, but easy for computers to guess.”
The vast majority of online accounts can be accessed through a password and email address/username. As we all know, a good password is essential in ensuring that hackers can’t get into our shit. However, the ways we create and remember passwords tend to be very easy to hack: common words and phrases can be programmatically exploited when trying to access an account. As the first and frequently only line of defense to accessing your account, strong passwords are key!
Here are a few general rules to follow for creating good, strong passwords:
- A mixture of random letters, numbers, and special characters is best.
- The longer, the better. 12 characters or more!
- DON’T RE-USE PASSWORDS ACROSS MULTIPLE SITES.
- DON’T RE-USE PASSWORDS ACROSS MULTIPLE SITES.
Memorizing passwords that follow these rules can be a total pain, especially when you have so many. Luckily, xkcd has a wonderful approach: when creating passwords, use passphrases of three or four random words. Not only are these passwords far easier to remember, they’re far more difficult to hack because they’re so long! Here are a few examples:
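As an added example for this guide (not from xkcd or any password manager), the following generates both kinds of password recommended above with Python's `secrets` module, checks a candidate against the length-and-mix rules listed earlier, and puts numbers on the “so long it’s hard to guess” claim by computing entropy: four words drawn from a 7776-word list (the size of EFF's long wordlist) are worth about 51.7 bits, roughly the same as eight fully random characters, while sixteen random characters (the length the password-manager section recommends for generated passwords) give about 105 bits. The 32-word list embedded here is a constructed stand-in so the code runs offline; a real generator needs a much larger list.

```python
import math
import secrets
import string

# Constructed 32-word list so the demo runs offline. A real passphrase generator
# should draw from a large published list (EFF's long list has 7776 words).
WORDS = """apple basket candle dragon engine falcon garden hammer island jacket
kettle lantern magnet needle orange pepper quartz rocket saddle tunnel
umbrella velvet walnut yogurt zebra anchor bridge cactus desert ember
forest glacier""".split()

PASSWORD_ALPHABET = string.ascii_letters + string.digits + string.punctuation


def entropy_bits(choices, count):
    """Bits of entropy in `count` independent picks from `choices` equally likely options."""
    return count * math.log2(choices)


def meets_rules(password, min_len=12):
    """The guide's rules: long, and a mix of letters, digits and symbols."""
    classes = (
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(c in string.punctuation for c in password),
    )
    return len(password) >= min_len and sum(classes) >= 3


def random_password(length=16):
    """Random password drawn with the secrets module (not random, which is predictable)."""
    while True:
        candidate = "".join(secrets.choice(PASSWORD_ALPHABET) for _ in range(length))
        if meets_rules(candidate):
            return candidate


def passphrase(count=4, words=WORDS, sep=" "):
    """xkcd-style passphrase: `count` words chosen uniformly at random."""
    return sep.join(secrets.choice(words) for _ in range(count))


def compare_strength():
    """Entropy of common choices, rounded to one decimal place."""
    return {
        "8 random chars from 95 symbols": round(entropy_bits(95, 8), 1),
        "16 random chars from 95 symbols": round(entropy_bits(95, 16), 1),
        "4 words from a 7776-word list": round(entropy_bits(7776, 4), 1),
        f"4 words from this {len(WORDS)}-word demo list": round(entropy_bits(len(WORDS), 4), 1),
    }


if __name__ == "__main__":
    print("passphrase:", passphrase())
    print("password:  ", random_password())
    for label, bits in compare_strength().items():
        print(f"{bits:6.1f} bits  {label}")
```

The last line of the comparison is the cautionary one: four words from a tiny list give only 20 bits, which is why the word list, not just the word count, decides how strong a passphrase is.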
Password Managers: “Cool!”
As you can guess, making strong passwords sucks. When you have dozens of accounts across many sites, it’s practically impossible to be perfect about creating and remembering all these unique passwords. Not to mention that sometimes sites are terrible about storing passwords: they get hacked, but -you- have to change your password. There are tools to help you though! A password manager is an online service that can generate and store all your passwords for you so that you don’t have to know them by heart.
Lifehacker has a useful guide detailing some of the most popular password managers out there.
You’re probably suspicious: isn’t it dangerous to have all your passwords in one place? And you’d be right to think so, because it is! That’s why it’s important to evaluate how a given password manager actually manages the passwords and what protections are in place. Ultimately, you have to decide for yourself how you balance the risk of bad passwords, spread out across your accounts, against the risk of good passwords centralized in one location.
Given how hard it is to remember safe, unique passwords, we still recommend a password manager, specifically the service LastPass.
LastPass uses a combination of browser extensions, phone apps, encryption, two-factor authentication, and a multitude of other technologies to ensure your passwords are stored safely and accessibly (for only you!). It can also randomly generate -extremely- strong passwords for you to use. We especially like LastPass because all of your passwords are encrypted when saved in LastPass’ cloud: even if they were hacked, a hacker could not use them unless they knew your LastPass password (which is never stored by LastPass). Needless to say, if you decide to use LastPass, make sure your password to access LastPass is the strongest password you’ve ever had! You won’t have to remember your passwords anymore, so this should be a bit easier to do.
You can get started with LastPass at their official site.
As we keep our minds on risk mitigation, we recommend that you do not use LastPass for your email, bank, or healthcare accounts. Although LastPass is a very secure service, it’s still a company subject to mistakes and vulnerabilities. By separating out your most crucial passwords, you have a bit of protection by not having ALL your eggs in one basket. The important eggs are worth storing in their own basket!
A few good rules of thumb for using LastPass:
- Use password generation for lengthy, complicated passwords. At least 16 characters with letters, numbers, and symbols is good.
- Make sure to enable Two-Factor Authentication for LastPass.
- Always require your master password for entering passwords for important accounts.
- Once you have logged in to LastPass from your phone and/or tablet, go to Settings from your vault page on the LastPass website, and under the “Mobile Devices” tab check “Restrict mobile devices to the specific UUIDs listed as enabled below”. This way only these specific devices can be used to log in to your LastPass.
Two-Factor Authentication: “Yay!”
One of the absolute best things you can do for your online accounts is enable two-factor authentication (2FA) whenever it’s available. Essentially, rather than only needing a password to log in, you need to enter a second piece of data as well. This is typically a short code sent to you in an email, a text, or generated by an app on your phone. 2FA is a wonderful piece of security because it means that even if your password(s) were hacked, a hacker would still need access to your email, phone, or app in order to get into your account.
You should definitely enable 2FA for any of your crucial accounts that offer it. Most big tech services like Google, Facebook, Dropbox, and Twitter have this option available, as do popular password managers like LastPass. Typically you just need to dig around in your account settings on a given site to find the instructions on how to enable it. Here is a useful guide from Google if you would like to know more about how Two-Factor Authentication works.
When you use a site or service that offers Two-Factor Authentication (2FA), you often have the option to generate a QR code or numeric code that you enter into a 2FA app on your phone. From then on, when you log into a site or service and are prompted for a 2FA code, you just have to look in the app for a generated code to use with that account. This is more secure than receiving a code via text or email, as it is much more difficult for a hacker or surveillance to get access to. While there are many 2FA apps that offer this functionality, we recommend an app called Authy.
Authy is a neat app that will automatically generate your two-factor authentication codes offline anywhere you have the Authy app installed. Authy can be installed on any phone or desktop, with all your 2FA code-generating accounts backed-up on a single Authy account. This means that if you were to lose a phone, or get a new laptop, all you have to do is install Authy and login with your Authy account info (have a very strong password!!) and your 2FA codes are still being generated seamlessly. Your 2FA accounts are encrypted in the cloud too, meaning that if Authy’s servers were ever hacked, your Authy data would be unusable! And because these codes can be generated offline, you do not need internet or cell service to access them.
Authy is available for free in the iTunes and Google Play stores, and also as a Chrome extension.
Guides for installing can be found on Authy's website.
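To show why an authenticator app can produce codes with no network at all, here is an added Python example (not from the guide or from Authy) of the standard behind these apps, RFC 6238 TOTP: it reads the secret out of the otpauth:// payload that the enrolment QR code carries, derives the six-digit code from that secret and the current time, and includes the server-side check that tolerates a little clock drift. The secret used is the published RFC test key, not a real account secret.

```python
import base64
import hmac
import struct
import time
from hashlib import sha1
from urllib.parse import parse_qs, urlparse

# Constructed example secret: the RFC 4226 / RFC 6238 test key
# "12345678901234567890" in base32 form. This is the kind of string hidden
# inside the QR code a site shows you when you enrol an authenticator app.
TEST_SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def parse_otpauth(uri):
    """Pull the parameters out of an otpauth:// provisioning URI (the QR payload)."""
    parsed = urlparse(uri)
    if parsed.scheme != "otpauth" or parsed.netloc != "totp":
        raise ValueError("not a TOTP provisioning URI")
    params = parse_qs(parsed.query)
    return {
        "label": parsed.path.lstrip("/"),
        "secret": params["secret"][0],
        "digits": int(params.get("digits", ["6"])[0]),
        "period": int(params.get("period", ["30"])[0]),
    }


def decode_secret(secret_b32):
    """Base32-decode a shared secret, tolerating lowercase, spaces and missing padding."""
    cleaned = secret_b32.replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)
    return base64.b32decode(cleaned)


def hotp(key, counter, digits=6):
    """HMAC-based one-time password (RFC 4226): HMAC-SHA1 over the 8-byte
    big-endian counter, dynamically truncated to `digits` decimal digits."""
    mac = hmac.new(key, struct.pack(">Q", counter), sha1).digest()
    offset = mac[-1] & 0x0F
    truncated = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(truncated % 10 ** digits).zfill(digits)


def totp(secret_b32, at=None, period=30, digits=6):
    """Time-based one-time password (RFC 6238): HOTP with the counter set to the
    number of `period`-second steps since the Unix epoch. Nothing here touches
    the network, which is why authenticator apps keep working offline."""
    if at is None:
        at = time.time()
    return hotp(decode_secret(secret_b32), int(at // period), digits)


def verify_totp(secret_b32, submitted, at=None, period=30, digits=6, window=1):
    """Server-side check: accept the current code and `window` steps on either
    side to absorb clock drift, comparing in constant time."""
    if at is None:
        at = time.time()
    for drift in range(-window, window + 1):
        expected = totp(secret_b32, at + drift * period, period, digits)
        if hmac.compare_digest(expected, submitted):
            return True
    return False


if __name__ == "__main__":
    # Constructed enrolment URI of the kind encoded in a site's QR code.
    uri = ("otpauth://totp/Example:you@example.org?secret=" + TEST_SECRET
           + "&issuer=Example&digits=6&period=30")
    enrol = parse_otpauth(uri)
    print("current code:", totp(enrol["secret"], period=enrol["period"], digits=enrol["digits"]))
```

Whoever holds the secret from that QR payload can generate every future code, which is why the guide's advice to protect the app (and its backup account) with a very strong password matters.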
So... how do I know if I've been Hacked?
Private companies have some of the worst security practices imaginable. Your passwords can be stored in their databases in plaintext, associated to your email and mailing addresses, sometimes even with credit card information attached. There are no regulations that force companies to take your security seriously, so very few do. As a consequence, corporate hacks and leaks are becoming increasingly common and will only continue to be more prevalent as big data mines and sells vast quantities of personal data. You probably hear about corporate hacks in the news, but they rarely make waves and are quickly forgotten. Unfortunately, this private data does not disappear with time: it is aggregated across the internet and stored indefinitely, sometimes by hackers, sometimes by security professionals. Thus, if you are not aware of a company leaking your data, or simply forget about it, you can still very much be at risk for targeted hacking (they have your personal information, after all).
Check out haveibeenpwned to see if your email or username has ever been compromised in a major data breach. Your only real defense is to use strong, unique passwords and two-factor authentication for all of your important accounts.
Own your files, pictures, and media.
You’re a tech-savvy cyberpunk: your accounts are secure, your browsing is encrypted, and you’re enjoying the internet from the cozy confines of your VPN. What happens when someone steals your laptop? Or if your cloud service gets hacked? What if that cool new app has a bug that lets hackers download your data?
If you have files, pictures, or any kind of media that is not encrypted, it is NOT private and you should assume that someone or something can see it.
Unfortunately, a side-effect of having so much wonderful tech available to us is that we put a lot of trust in the developers and companies that make that tech possible. We give them our pictures, our textual communications, and all sorts of other data, and rely on them to make sure it stays safe. While hackers are an obvious and universal threat, we also need to consider the possibility that a malicious app developer could read the private data you’ve sent on their app. Government surveillance could read your texts. Someone stealing your laptop could figure out your password and have access to everything you’ve saved on the hard-drive. This is why encryption is key: it’s the most secure thing you can do to guarantee that your data is only for the eyes of whom YOU deem necessary.
Before we explain the different ways you can encrypt your data, it might help to explain what encryption is. Feel free to skip ahead to encryption approaches if you’re already comfortable with encryption.
What Is Encryption?
Encryption keeps unwanted people from reading your data. It does this by transforming your data into completely unintelligible nonsense so that no-one but the intended receiver can figure out what it is. It’s really just secret code. So how does this code get created?
Encryption, at its core, is a set of mathematical functions that depend on two inputs: your data and a piece of information called an encryption key. Although there are many different approaches, most frequently an encryption key comes in two related flavors: the public key and the private key. When you want to encrypt data for someone, you use their public key to “lock it”. When they want to read that encrypted data, they use their private key to “unlock it”.
How do the keys get used? As an example, let’s say you want to send a private message to a friend in an email. To first encrypt your data, you pass your data and your friend’s public key into an encryption function: this produces a jumble of letters and numbers called “ciphertext”. If anyone were to read this ciphertext, it’d be nearly impossible to figure out what it means. When your friend wants to read it, they pass this ciphertext into another encryption function along with their private key; this produces your original data. Think of it like dropping a letter into a locked mailbox: once you put it in the mailbox, only someone with the key to that mailbox can open it and read the letter.
This is a very simplistic explanation, but all-in-all it’s what you need to know to use encryption. Most of the extensions and tech from earlier sections do this process for you when internet browsing. There are also apps that can do this for your files on your computer as well. However, if you want to encrypt text in an email or in a Google doc, or don’t want to risk using an app for local files, then you can manually do the encryption with free encryption software as well.
Batten down the hatches: Encrypt your hard-drive!
So, say your laptop gets stolen. Boo to that! Computers are expensive :(
Chances are you have sensitive files you wouldn’t want Thief-Asshole to see. If you encrypt your hard-drive, Thief-Assholes won’t be able to barge into your laptop and see all of your data! This style of encryption keeps your entire hard-drive scrambled whenever the computer is off. When you start up, you have to enter your encryption password (a strong one, we hope!) so the hard-drive is decrypted and becomes usable. The important thing to remember is that this only protects your computer while it is turned off; if a malicious person gets access to your computer while you’re logged in, then your files are still vulnerable (you’ll want to encrypt the actual files with PGP as the next level of precaution).
OS X comes with software, FileVault 2, already installed on your computer that can do this hard-drive encryption for you. All you have to do is set it up according to Apple's instructions.
Windows 10 will encrypt your hard-drive by default, as detailed here. However, if you have an earlier version of Windows, you can use the software BitLocker.
Make sure to remember your encryption password! If you were to forget this, all of your computer's data would be irretrievably lost. It's also important to note that while hard drive encryption is a great deterrent for a casual thief or troll trying to physically access your computer, it would not be effective against a more sophisticated attacker (like a government tech force). If that is your concern, you'll want to manually encrypt your most important files with PGP.
A very important thing to keep in mind is BACK-UPS. Sure, it’s great to encrypt your hard-drive, but if your computer is stolen, you’ve still lost all that data. If you back-up your computer on external hard-drives, make sure to encrypt your external hard-drive as well. What good is encrypting your computer if someone can just grab your external hard-drive and have easy access to your private data? No good, that’s what! See our HEAD IN THE CLOUDS section below on how to back-up files to an encrypted cloud as well.
Get your hands dirty: Encrypt your files and emails manually!
For the advanced cyberpunks out there, being able to encrypt files and email is a crucial asset. This is especially great if you want to send private information to another person that you absolutely -need- to stay private: encrypted email has the benefit that only the recipient will ever be able to see that email’s contents, regardless of the email service being used or interest by surveillance tech. Being able to manually encrypt a file means you have greater control when encrypting files for other people (who are also using encryption), or even just yourself.
Pretty Good Privacy
Pretty Good Privacy is a technology that you can use on any operating system to encrypt emails and files, as well as signing data (adding a digital signature that proves the data came from the holder of your private key and hasn’t been altered) and verifying signatures (making sure that someone else’s signature is legit). This is a bit more advanced to set up, but not too difficult if you have an hour or so and a bit of patience. Once you’re done, encrypting files and emails will be a breeze!
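To make the earlier lock-with-public-key / unlock-with-private-key explanation and the signing described here concrete, this is an added Python toy (not code from any PGP tool): textbook RSA with deliberately tiny numbers, showing that anyone can encrypt with the public key, only the private key decrypts, and a signature made with the private key can be checked with the public key and fails on altered data. Real software uses keys thousands of bits long plus padding; this is for understanding only.

```python
import hashlib
import math

# Textbook RSA with deliberately tiny primes, added to this guide only to show
# the public-key "lock" / private-key "unlock" idea and how signing works.
# Real tools such as PGP use keys of 2048 bits or more with padding schemes;
# this toy must never protect real data.


def make_keypair(p, q, e=17):
    """Derive an RSA key pair from two primes. Returns (public, private)."""
    n = p * q
    phi = (p - 1) * (q - 1)
    if math.gcd(e, phi) != 1:
        raise ValueError("public exponent must be coprime with (p-1)(q-1)")
    d = pow(e, -1, phi)  # modular inverse (Python 3.8+): e * d == 1 (mod phi)
    return (n, e), (n, d)


def encrypt(public_key, message):
    """'Lock' an integer message with the recipient's public key."""
    n, e = public_key
    if not 0 <= message < n:
        raise ValueError("message must be an integer in [0, n)")
    return pow(message, e, n)


def decrypt(private_key, ciphertext):
    """'Unlock' a ciphertext with the matching private key."""
    n, d = private_key
    return pow(ciphertext, d, n)


def _digest_mod_n(data, n):
    """Hash the data and reduce it into the key's number range."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n


def sign(private_key, data):
    """Signature = hash of the data raised to the private exponent."""
    n, d = private_key
    return pow(_digest_mod_n(data, n), d, n)


def verify(public_key, data, signature):
    """Anyone with the public key can check that the signature matches the data."""
    n, e = public_key
    return pow(signature, e, n) == _digest_mod_n(data, n)


if __name__ == "__main__":
    friend_public, friend_private = make_keypair(61, 53)      # n = 3233
    locked = encrypt(friend_public, 65)                       # anyone can lock
    print("ciphertext:", locked)                              # 2790
    print("friend reads:", decrypt(friend_private, locked))   # 65
    print("public key alone:", decrypt(friend_public, locked))  # garbage, not 65
    note = b"meet at the library"                             # constructed message
    sig = sign(friend_private, note)
    print(verify(friend_public, note, sig), verify(friend_public, b"meet at the lobby", sig))
```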
It’s very important to consider what would happen if your encryption keys were lost (say if your laptop was stolen or broken): anything that had been encrypted for you to see would be lost forever. If you have files or email you need encrypted and accessible that absolutely cannot be lost, you need to back-up your keys. From whichever PGP program you installed, you should have an option to export keys. Save these keys on a thumb drive and keep them somewhere incredibly safe.
The Electronic Frontier Foundation offers in-depth guides for installing PGP on OS X as well as Windows.
Head in the clouds: Back-up your files in an encrypted cloud!
Chances are you use a service like Dropbox or Google Drive to sync files to the cloud. While nifty, these services are liable to share your files with “interested parties” if compelled. And if they were ever hacked, all of your files would be open for the internet to see. Like most things in life, these services are much better when using encryption: if the files are encrypted in the cloud, and decrypted on your computer, you get the same functionality as Dropbox or Google Drive without nearly as much security risk!
There are numerous services out there that offer encrypted cloud storage, so check out Lifehacker's guide to cloud storage services to figure out what’s right for you.
SECURITY TIP: Make sure to ALWAYS back-up your files locally in addition to syncing them to the cloud. If your cloud service suddenly died for whatever reason, you’d be awfully vulnerable (and your laptop would probably get stolen that same week or something because the world is cruel). Back up your most important files to an external hard-drive, which you should -definitely- encrypt as well (as detailed in the previous sections).
Phones will never be secure but you might as well try.
Protecting your laptop or desktop is great, but what about threats to your privacy & security when you’re on your phone? Smartphones are uniquely desirable targets for malicious threats because they carry so much concentrated personal information about you. The GPS in your phone can track your physical location throughout the day. Much of your communications with friends, often with sensitive information or pictures, are stored in accessible texts. Often your emails, pictures, videos, files, and all sorts of other important data are stored amongst your apps.
While smartphones are a huge asset for functionality and convenience, the tradeoff is less control over your digital space. You have to trust your apps to use your data safely. You have to trust your operating system to withstand hacking. You have to trust your cell provider to not interfere with your data or calls. You have to hope nobody malicious takes control of your phone. Before we delve any further, it’s really important we emphasize that phone security is far less developed than regular computer security, often with much less visibility into how data is managed and used, and with far fewer options for security. Although there are many great tools for phone security, they’re not comprehensive and will not stop data-mining, physical tracking, or monitoring.
So with so much personal information at risk, how can you use your smartphone without taking steps to protect your digital autonomy? Encrypt! Encrypt! Encrypt! As you secure your digital space, it’s important to recognize that apps do not only have to be a threat to your security: they can also be an asset. Some of the most sensitive data on your phone, from your pictures to your texts to your internet browsing, can be secured to a decent degree. And the most common thread should be a familiar one: Encryption!
By encrypting your phone and the data found on it, you can have greater assurance that if something were to happen to your phone (whether it be stolen or hacked), you’d still have protections in place. We’re going to walk through a few recommendations for ways you can encrypt your files, your texts, and even your phone calls.
Protect your data: Phone Encryption on iOS and Android
Just as you can encrypt your computer so no-one can dig around on your hard-drive without a password, you can encrypt your phone. This is especially important if your phone were ever stolen or confiscated: you definitely wouldn’t want someone to have free rein over all the pictures, videos, texts, and contacts on your phone. iOS and Android have different ways to accomplish hardware encryption, so feel free to read whichever is appropriate for you (note that iOS 8 enables encryption by default, though older versions do not). We’ve linked to some nifty guides that can explain the process better than we can :)
Protect your texts
Texts can be some of the most personal and private communications we have. They’re also especially vulnerable to being seen by others: your cell network can see them as they’re being sent (as can any government agency who’s chummy with that network). Anyone with access to your phone could read them too (hopefully you encrypted your phone to avoid this!). Lucky for you, there are some really awesome apps that will encrypt your texts across both iOS and Android to ensure truly private conversations.
Signal is a free, open-source app for encrypted texting by the security gurus at Open Whisper Systems. When you send a text to a friend that is also using Signal, the text will be encrypted so that only you and your friend can read the text on your phones. This happens automatically without any effort on your part! And the only information available to people monitoring the cell network is who sent the text, who received it, and when it was received: they cannot see the contents of the text.
Texts sent to friends not on Signal will be unencrypted, but having the option makes these apps perfect as your general purpose texting app. Especially nifty is that regardless of whether your texts were encrypted for the recipient, they will be encrypted locally on your phone. So if someone ever got control of your phone, they would still need to decrypt your app (and your phone!) to see your stored messages (which the vast majority of thieves and hackers could not do).
The Electronic Frontier Foundation offers guides for using Signal on iOS and Signal on Android.
Protect your calls
Wiretapping is practically an American tradition. If there are ever times where you would not feel comfortable or safe having a phone call monitored, you should consider using a phone app whose specialty is encrypting your calls. Most apps accomplish this by sending your conversation over your data connection rather than your cellular network connection, thus allowing the 1s and 0s to be encrypted before reaching your conversation partner.
Encrypted Call Apps
We recommend using Signal, which is available for both iOS and Android. Both versions are free, open-source encrypted call apps developed by the fantastic Open Whisper Systems. Make sure to note that encrypted phone calls only work when the person you're calling also uses these apps. Also, be aware that calls can be a bit harder to hear when they're encrypted.
The Electronic Frontier Foundation offers guides for using Signal on iOS and Signal on Android.
Protect your smartphone browsing
You’re in luck! You have a wonderful set of easy and effective options for securing the web activity on your phone. Just check out our mobile browsing section and download either Firefox Focus for iOS or Firefox for Android.
Earlier in the guide, we talked about securing your web browsing with a VPN. Fortunately, you can use a VPN on your phone as well! If you already have a VPN provider, it’s relatively easy to set-up on your phone. Follow Apple’s instructions for iOS or check out OpenVPN (our recommended VPN client for Android).
Follow Apple's instructions for configuring your VPN on iOS.
Install OpenVPN to enable VPN on Android.
Final Thoughts on Cell Phone Security
You’ve thoroughly vetted all your apps. You encrypt your phone, your texts, and even some of your phone calls. Your phone is a fortress! Or is it?
The most crucial thing to remember is that no phone is 100% secure. If you are ever in a situation where personal safety is absolutely necessary, such as attending an event with significant police presence or avoiding an abusive/predatory person, consider leaving your phone at home until you feel safe, or use a disposable phone. Turning your phone off for a bit, and then back on, actually triggers some government surveillance programs, so don’t try it if you’re going to a demonstration or something. Consider buying a burner phone if you can afford it. These approaches aren’t always possible though; this guide cannot tell you what is right for you. But your digital space is yours to manage: whatever action you decide is the right one.
Don't let trolls see your private thoughts and experiences.
Disclaimer: This section assumes you have read or skimmed the previous sections and have already taken advantage of basic security practices like two-factor authentication, strong passwords, browser extensions, phone encryption, and computer encryption. All of those points are incredibly crucial for protecting your social media and communications, but we will not reiterate them here in-depth.
We socialize on the internet. We make digital friends through social media, we do our organizing through social media, and we do much of our communication through social media. Since this is all accomplished through elaborate networks of different tech companies (easily accessible to government surveillance), it’s near impossible to guarantee true privacy when relying on private companies for connecting to friends online. Developers, IT workers, marketers, and countless other people can see even your most intimate messages and media. And because most of these companies store big data indefinitely, your conversations today or yesterday can still be threatened years in the future.
We’ll first walk you through suggestions on how to leverage existing security options across social media platforms. Even better, we’ll explore free, open-source alternatives to chats and emails so that when you need to, you can have truly private conversations that can withstand even the most determined hackers and surveillance.
Know your Social Media Security
The first step to securing your social life is to simply get familiar with the privacy and security options that are available to you. While these options will not stop marketers, rogue developers, or government surveillance from accessing your data, they can make it much more difficult for an inexperienced troll to hack or abuse you. Because security options and strategies can differ significantly across platforms, we’ll walk through a few common points that you should keep in mind whenever using a social media service.
Watch out for Phishing schemes and other social engineering
Social Engineering, the psychological manipulation of targets, is by far the most popular way to hack social media accounts. Read up on Social Engineering in our Hacking section so you can be aware of these sorts of threats! Basically, never give your password to anyone, never log-in to an account from an unfamiliar link or website, and try not to use your social media accounts to log into other websites. Only log-in to your social media accounts through their official site in your browser or through the official apps.
Use Two-Factor Authentication and Strong Passwords
Hacking a social media account is very easy if your account only requires a simple password. But this hacking is very easy to avoid! If you have set up Two-Factor Authentication and Strong Passwords for your accounts (as detailed earlier in the guide), a malicious troll would need both extremely powerful computers AND personal access to your phone/computer, simultaneously. Because these technologies are so easy to implement, they are undoubtedly one of the best steps you can take to protect your social media.
Many social media services will use GPS data from your phone or IP address location from your computer to associate a physical location to your posts. This information is often freely exposed to developers, meaning anyone that can see your posts could easily find out very sensitive information about your home and travel habits. Many sites, like Twitter, offer an option to disable geotagging in their privacy settings, so look for that option on any site you post content or media to. A more comprehensive solution (though more advanced) is to use a Virtual Private Network so all of your activity appears to be coming from a random datacenter somewhere.
Don't trust apps that require access to your account
It's very popular to use apps both within a social media site (for instance, a Facebook app) and outside a site (for instance, a Snapchat utility). However, when you sign-up for these apps, you often expose a ton of personal data: your identity, your pictures, your messages, your friends. While this may not seem like a big deal, it means that you are trusting unknown developers with deeply personal information. Many of these app services are created by inexperienced programmers that do not have the resources to adequately protect your data (if they even care). More frequently, they're just interested in harvesting your data for marketing money. Unless you really, really need the app, reconsider whether you want some randos seeing everything you do on a social media site.
Get comfortable with your site's Privacy settings
Every social media site has different security capabilities, some more comprehensive than others. You should check out these quick privacy guides for your favorite sites and understand which tools you have at your disposal.
Use super-strong encryption for your messaging with Signal
It’s very common to use a messaging program like Facebook Chat or Google Hangouts to talk to friends: you can use the same service across devices fairly easily and always have access to your conversations. Unfortunately, these conversations are subjected to intense data mining for marketers and government agencies. And if anyone were to ever hack or leak your account, they could see years and years of private conversations because that data never goes away.
Luckily, there’s a great open-source, secure, and free alternative to standard corporate chat services. Signal is an app for encrypting texts so that the content of your messages can’t be seen by anyone other than you and the person you’re talking to. It can be used for one-on-one messages, groupchats, and even phone calls.
Check out our section on Signal to get started!
Protect your email conversations with PGP
The de facto standard for secure communications is PGP encryption, which you might remember from the Data section (you might want to go back and read about how encryption works since we won’t repeat it here). Email, like most things, is ruthlessly mined by the email services (that’s why they’re free, after all). PGP, which stands for Pretty Good Privacy, allows you to encrypt emails (and pretty much anything else) with a super high level of sophistication. This is preferable to instant messaging because:
- The recipient needs to use a password to decrypt anything you send them, so it’s significantly harder for a thief or hacker to get access to your email
- You can digitally “sign” your email, better proving that you were the one who wrote the email.
- You can often find people’s public keys (the thing you need to encrypt a message for them) online, allowing you to encrypt things for friends, colleagues, and professionals very easily.
These guides, although fairly involved, offer great instruction in how to set-up PGP with your email. Any email address can be used with PGP encryption!
Find the right tools for your security needs
With so many cybersecurity tools out there, it can be intimidating to figure out which tools best meet your needs. Our cheat sheets will point you to recommended tech based on which digital activities and spaces you’re looking to take better control of. We’ll also give recommendations for the more experienced cyberpunks that may need more hardcore security than your average person. Just make sure to keep in mind that regardless of which tech you decide to use, nothing in the digital world is 100% guaranteed to be secure! So always be vigilant and conscious about your security. Don’t assume you’re invincible: no-one ever is!
This cheat sheet is best for internet feminists: you can make it much more difficult for trolls, trackers, and hackers to compromise your digital spaces. Our recommended tech for you is all free, requires only minimal set-up, and gives you easy options for securing your digital spaces and data. With almost all of this tech, you rarely have to think about what it's doing: it just works.
- Install privacy extensions for Firefox to stop web trackers and encrypt your browsing whenever possible. Secure your mobile browsing too!
- Enable Two-Factor Authentication for your digital accounts (especially email and social-media) to keep your accounts safe
- Download the Tor Browser so you can browse anonymously when you need to
- Encrypt your phone and your computer to protect your private files, pictures, and media
- Be aware of common Hacking and Phishing schemes
- Know your Social Media Security
(We definitely recommend using a password manager to strengthen your passwords, though it's not free. If you do not use a password manager, please consider using very strong and unique passwords for your most important digital accounts!)
Private Conversations with Friends and Colleagues
This cheat sheet is best for people who want their communications to be absolutely private. Being able to converse securely is invaluable for journalists, activists, medical professionals, public figures, and casual internet users who are uncomfortable with their conversations being accessed by government surveillance, corporate data miners, or hackers. You don't necessarily have to use this tech 24/7; sometimes it's easier to use it just as needed. It's up to you to decide when the situation calls for greater privacy!
This cheat sheet is best for people who, for whatever reason, need greater control over digital information concerning their location, identity, and browsing activity. These are invaluable tools if you are worried about a website or troll being able to determine your address based on your IP address, or if you do not wish for your web browsing to be traced back to your home. Although some of this tech can cost money, it is often a worthwhile price to pay.
- Hide your physical location and encrypt your web connections with your own Virtual Private Network connected to your computer and your phone
- Install Tails on a flash drive so you can have a portable, anonymous, amnesic operating system on any computer you encounter
- Browse the internet anonymously with Tor Browser
- Use privacy extensions for Firefox and secure mobile browsers for casual web browsing
- Use a fake email address for creating digital accounts
Who we are
Noah Kelley is the writer and developer of this guide! Fiercely dedicated to establishing a culture of safe, accessible, and enriching technology free from exploitation, Noah explores cyberfeminism through the activist organization HACK*BLOSSOM. You can follow him/bug him with cybersecurity questions at @ciakraa on Twitter, like him on Facebook, or email him at firstname.lastname@example.org. Bonus points if you email with PGP ;)
This guide was written in our spare time as a labor of love! We hope you enjoyed it :D
We would like to extend special thanks to the following organizations that helped make this guide possible:
- Model View Culture - The talented writers and editors of Model View Culture are at the forefront of Feminism and Tech. Without their labor and their struggles, our understanding of digital spaces would not be what it is today.
- The Tor Project - The tireless work of the Tor Project's contributors continues to provide life-saving anonymity to the countless people in need of secure digital spaces.
- Electronic Frontier Foundation - EFF's resources and activism are instrumental in fighting for privacy and security across the digital landscape.
- Mozilla Foundation - Mozilla's continued dedication to open-source technology and user security makes our cybersecurity possible.
- Library Freedom Project - Much thanks for great technical feedback during the writing of this guide.