This week brought us a second Trump administration, inevitably eroding many of our rights. The fight for a better society is a long journey filled with struggle, especially since figures in power actively work to keep people from resisting. While pursuing equality, it’s important to make efforts to protect your digital safety – especially when hostile groups or the government can target your activism. It’s nearly impossible to exist without connecting to the internet. Save yourself the headache now by learning about what you can do to become safer online.

Author’s Note: Digital security becomes outdated extremely fast. This article will become obsolete at some point, so make sure to review the advice given here and apply it with updated ideas.

The more your movement wishes to change the status quo, the more likely you will be targeted by cyberwarfare. In fascist and conservative societies, simply being marginalized is seen as opposing the status quo – even if it is not something that can be changed. Being vocally and visibly out puts you at risk, but it’s also where you can create the most change. Online harassment and doxxing are commonplace for non-activists that merely upset the wrong people, but targeted surveillance and hacking are weaponized if your movement is deemed an ideological threat.

The largest real-world examples are the actions taken by the United States Federal Bureau of Investigation against the civil rights movement, which spied on figures like Martin Luther King Jr., Malcolm X, Elijah Muhammad, and Aretha Franklin. COINTELPRO was the official series operated by the FBI, which covertly and illegally surveilled, infiltrated, discredited, and disrupted groups they deemed subversive like Black power, civil rights, the American Indian Movement, Brown Berets, United Farm Workers, and numerous feminist, environmental, and left-wing organizations. COINTELPRO is the most notable example, but similar programs most certainly exist today to allegedly secure national security. Even when the government is not involved, ill-intentioned individuals and organizations put energy into disrupting equality.

Watch It! Do Risk Assessment!

Before you get the conspiracy hats on, it’s important to note that most people will not be targeted by large-scale operations or the government. By nature, activists are at a higher risk, but simply being transgender won’t land you under increased surveillance unless you’re part of a group that can feasibly undermine others.

Risk assessment refers to identifying potential hazards so you can plan to avoid them as much as possible. Digital security is complicated, long-winded, and limiting – the more secure you become, the less freedom you’ll have online. For those reasons, not everyone needs to have a high level of security if it’s unneeded. Before continuing, think about these five questions:

1. What do I need to protect?
2. Who do I need to protect it from?
3. How much do they want that information and how easy is it for them to get it?
4. What happens if they get it?
5. What am I willing to do to stop that from happening?

The Secure Communications Framework

The SCF is an open-source model that was created to help activists, human rights researchers, and other individuals interested in security determine the best tools and practices for their situation/work. The following chart is the secure communications framework, but I’ll break down the lingo used.

Using the bullet points on the SCF above, you can tell there is a significant difference in the risk involved. A draft press release wouldn’t require any changes, even if it was annoying if it got exposed early, but a list of projects might need alteration if it got leaked. Personnel information being exposed might lead to online harassment, but a testimony being leaked might cause an individual to be detained.

As I’ll get into below, digital security is extensive – there is little reason to use top-tier safety mechanisms for work that does not need protection. The more secure something becomes, the more tedious it is to use. The more your work is guarded, the fewer people will hear your message.

Back to Basics: Safety Anyone Can (and Should) Do

Browsers Matter!

Regularly update your operating systems (OS), browsers, and apps. More than 90% of software updates are security patches – forgetting or refusing to update your devices is more likely to put you at a data breach than your device just becoming slow. This is especially important on organizational computers and devices you use for your work!

Speaking of browsers – not all internet applications are created equally. Google Chrome stands as the industry leader, which is incredibly fast and the default for most users – but they’re one of the worst browsers for data security, going to great lengths to obtain and sell user information to the highest advertising bidder. Microsoft Edge is forcibly installed on all Windows devices, the modern version of Windows Explorer – it consumes less power and battery resources than Chrome and sets the precedent for in-browser AI. Apple-based devices use Safari, which boasts robust privacy protections that separate it from its competitors – but it’s difficult to trust one of the tech industry’s leaders at face value. Arc is a new face on the scene, released in 2023 using Chromium to focus on user productivity and multitasking.

The two most secure internet browsers that actually provide digital safety are Firefox and Brave. Opera used to claim this title too, flaunting its free VPN feature built into its programming, but it’s come under fire for selling user data to advertisers. Both Firefox and Brave prioritize user privacy, but it’s personal preference between the two. Supposedly, Brave is better at privacy out-of-the-box, while Firefox requires more set-up – but in turn, Firefox is more customizable.

Special Feature: Tor

Occasionally known as the “dark web browser,” Tor (which stands for The Onion Router) is an open-source overlay network that takes user privacy to an extreme by using numerous networks to encrypt information multiple times. This makes it nearly impossible for entities to track you, making your internet browsing anonymous. Compared to other internet browsers, Tor takes more user knowledge since it’s complicated and has fewer features than mainstream browsers like Chrome, Safari, or Firefox. Tor also hides your IP address (discussed below in VPNs) – but despite the sketchy reputation the dark web has, Tor is fully legal to use. It’s used for tons of legitimate purposes like journalism and activism! However, Tor is not lawless – if you get caught engaging in criminal activities, you can still get in trouble.

HTTPS What?

All websites use either HTTP or HTTPS – it’s included at the very beginning of a web address like https://transsolidarityproject.wordpress.com/. HTTP (Hypertext Transfer Protocol) transfers data over your network, but your information can be read by anyone monitoring that website’s connection. For that reason, HTTP sites are more likely to expose user data like passwords, credit card numbers, and other important details.

HTTPS (Hypertext Transfer Protocol Secure) encrypts HTTP transfers. When someone tries to monitor an HTTPS website, they’ll only get random encrypted characters instead of private user information. HTTPS is considered vastly safer, so websites that utilize it are boosted in search engines to steer users. That doesn’t mean HTTP sites are bad – it just means you should be wary when using them and consider additional security protections if you don’t fully trust the site.

Secure Your Network: VPNs

Virtual private networks, or VPNs, are always brought up quickly when discussing digital privacy. VPNs establish a digital connection between your device and a remote server, encrypting your personal information and masking your IP address. Both of these functions serve important purposes:

• Your IP (Internet Protocol) address is a unique number given to your device while using the internet, allowing it to communicate and connect with the rest of the world. If someone obtains your IP address, they can pinpoint your location up to the postal code you live in – IPs don’t show exact locations, but combined with other information hackers can obtain like birthdates and Social Security numbers, fraud can occur under the right circumstances.
• Information that has been encrypted can only be unlocked through a unique digital key since the encryption process scrambles the data into a secret code. Even if someone gets access to your network, they won’t be able to unscramble the encryption placed on your devices or cloud storage – keeping data confidential.

People use VPNs for a variety of reasons – while I’m focusing on data privacy, many users have VPNs to bypass regional content locks. Once your IP is masked, your location can be set to anywhere in the world – allowing you to access websites and content in other countries. Others use VPNs to simply block internet service providers from logging and tracking their search history, and some users have VPNs to get around government censorship and surveillance. While VPN usage and IP masking can look suspicious to police, there is no way to track live encrypted VPN traffic – and you can’t get in trouble just because your internet usage looks a bit suspicious.

Most people don’t need to use a VPN. Digital privacy feels great, but it’s a lot of steps that most people don’t need if they’re unconcerned with their browsing data being sold to advertisers since most people aren’t worried about being censored or surveilled. At the end of the day, regular folks only need a VPN if they’re connected to a public or otherwise untrusted internet network – which is when you’re at the most risk of having your data stolen. Otherwise, members of the general public can get by using an ad blocker like Privacy Badger – a browser extension available on Chrome, Firefox, Edge, and Opera that stops third-party trackers.

If you have never used a VPN ever, I recommend Tunnelbear – it’ll get you used to the mechanics of how VPNs work for free and has a user-friendly interface. That’s important because VPNs can get complicated if you’re unaccustomed and don’t have high data privacy literacy, which is most people.

For the majority of people, Proton VPN is the best choice. There are hundreds of VPN providers that all promise specialized features and user security. It’s not terribly hard to use, and it’s free. Entirely free, with a connection speed similar to premium versions – the only downside to Proton is that you can only connect their free VPN service to one device at a time. Proton also hosts a secure email service, cloud storage, password manager, calendar, and wallet for users, too.

If you really want to pay someone for a VPN (and it’s not Proton), NordVPN is an industry-standard. It has a little bit of everything, providing slightly more encryption than Proton, and has built-in antivirus protection among its many tools. It has something to offer for everyone – but it’s definitely more pricey than other VPN providers. If you’re curious about other VPNs, the r/VPN subreddit has a datasheet comparing major providers.

Why would I use a VPN and not Tor?

User-friendliness, mostly. You don’t need both – if you have Tor, you don’t need a VPN, and if you have a VPN, you don’t really need Tor unless you’re going for the freedom and anonymity that Tor provides. Generally, VPNs are more user-friendly and significantly faster than Tor but it’s personal preference. Like Proton, Tor is entirely free to use.

Security Management & 2FA

Two-step or two-factor authentication (2FA) requires two forms of identification to access an account, which protects your devices and information even when passwords are leaked. With standard single-factor authentication (SFA), a user just inserts one password to access their account – but if their password becomes compromised, all of their account data is at risk. With 2FA, users provide that same password but also have to provide a different second item like a security token, fingerprint scan, facial recognition, or pressing a button on an additional device.

You don’t need 2FA on everything, but you should enable it where possible – especially on password managers, finances, and social media profiles. It’s a simple step that saves you a lot of hassle! It’s rumored that the 2016 Hillary Clinton campaign actively rejected security advice to use 2FA on its accounts, leading to the thousands of emails that were leaked by Russian hackers – if they had used 2FA, we might be living in a very different America.

Most 2FA apps are entirely free, but it’s up to you which one to go with. Google Authenticator is the go-to for most folks, followed by 2FA Authenticator, Microsoft Authenticator, and Duo Mobile. However, I’d actually recommend 2FA out of the above options since it allows for cloud back-ups and provides protection that Google doesn’t.

Don’t Dox Yourself, Use an Alias

You have the power to determine how much of yourself is online. Make an effort to review what information is publicly available so you don’t accidentally dox yourself. Doxxing refers to when personally identifiable information about an individual or organization is released without their consent, and it can be done maliciously by all sides of the political spectrum. A handful of US states have criminalized doxxing, but assuming the perpetrator has taken steps to not get doxxed themselves, it’s difficult to tackle.

By using an online alias or alternate name, you can protect your real-life identity since your actual name and contact information aren’t readily available. However, aliases are less common today outside of certain communities and forums.

Do You Trust Meta?

Just like internet browsers, not all social media sites equally value your personal information and privacy. Some of the most privacy-friendly sites used in the US include Reddit and Snapchat – Reddit is filled with anonymous accounts used for their forums, and Snapchat deletes messages after being read while also notifying users if someone tries to screenshot their content. Similarly, Amazon, Grindr, Pinterest, Spotify, and Lyft all collect minimal data compared to other major sites. Not on the below list, Bluesky is a growing platform and alternative to Twitter/X that does not sell data – they’re an open-source network with a focus on privacy meant to resemble what Twitter used to be like before its takeover by Elon Musk.

Some of the worst offenders for digital security include Meta, YouTube, LinkedIn, and Uber. Despite lobbying by Meta owner Zuckerberg, Meta sells insurmountably more user data than supposedly dangerous sites like TikTok – which is why its sites are poor choices for privacy, including Facebook, Instagram, WhatsApp, Threads, and Messenger. Since it’s owned by Google, YouTube is slow to delete its user data even after account deletion. Uber obtains a large quantity of user information, which can be used to target individuals seeking criminalized services like gender-affirming care and abortions if given to the wrong entities. Lastly, while LinkedIn isn’t as malicious as other sites, they’ve suffered the greatest number of data breaches.

Protect Your Messages

The use of artificial intelligence is growing – which means privacy theft, scams, and blackmail schemes are becoming more complicated. There are very real people willing to buy private chat logs, photos, and videos from your phone. One step you can take towards protecting yourself online is switching messaging platforms.

For secure messaging, there is no better alternative than Signal. All messages are secured with end-to-end encryption and it’s used by government agencies as well as activist groups. While you must have a phone number to sign up for a free Signal account, your information is secure and isn’t sold.

After Signal, WhatsApp is an internationally used platform that automatically deletes messages and images – but many users don’t inherently trust its privacy claims since WhatsApp is owned by Meta. Most messaging platforms are more secure than direct SMS or texting since texting generally lacks encryption, although this varies depending if you’re using mobile data or a local internet connection.

Messages aren’t the only thing you should keep secure – Jitsi is the most recommended platform for video calls and conferencing. Unlike Zoom, Jitsi actually uses end-to-end encryption and passwords to protect users. Zoom has been targeted by numerous security threats and data breaches.

While I am recommending Signal and Jitsi for digital privacy, the same rules apply to everything else I’ve mentioned. Most people do not need everything on this list – targeted ads are mildly annoying but worth the freedom and ease that comes with mainstream browsers like Chrome. Even if you’re transitioning to these sites, it’s impossible to get all of your contacts to stop using their preferred messaging platform like Facebook for something like Signal instead. For those reasons, this means digital security in practice is ‘use what you need, as needed.’ The majority of your messages don’t necessarily need tons of protection since they shouldn’t contain sensitive information – so I recommend using platforms like Signal as needed for sensitive topics and contacts, kept separately from your other messages.

Protect Your Device (Physically)

It’s essentially impossible to exist in modern society without a cell phone or similar device. They store our credit cards, identification, maps, contacts, and photos – you can hardly apply for a job without having a reliable phone number. Some people believe that old phones (or dumb phones) are safer than modern cell phones – this is untrue. The information you likely want to protect from the SCF can’t be secured with dumb phones because they cannot encrypt data and cannot use encrypted apps like Signal or VPNs. True dumb phones can’t operate in most places since they lack the modern VoLTE required, and modern dumb phones are just lobotomized smartphones without the capability to use apps or security updates.

It is remarkably easy to get caught up in data breaches in the cloud when discussing digital security, but you can have your data stolen just as easily IRL. Physical and external devices like your phone, USBs, and micro USBs can leak your information if stolen – having your devices encrypted is vital for this possibility. The most dangerous information you can have on your device is photos, contacts, recordings, and login information – especially if you are part of a sensitive movement or organization. In those cases, that data should only be stored on select devices that just a few people can access. When your device is stolen by thieves or law enforcement, it’s more than just your information they’re accessing if they can see your entire contact list.

Out of all the security options available, facial recognition is one of the worst since it allows your device to be accessed easily – if someone looks too similar to you, it’ll automatically unlock. Worse yet, it’s entirely possible for someone to use your face while you’re restricted or unconscious to unlock the device for them. Following that, finger sensors are only slightly more secure since it is easy for police to force individuals to unlock their phones through their fingerprints. Six-digit passcodes and complex patterns are the most secure way to lock your phone since they are the hardest to hack – as long as you aren’t using a code that’s overtly generic like your birthdate or home address. Beyond passcodes and patterns, the strongest passwords are ones that use a combination of different characters or make up a passphrase that you can memorize.

Create a Paper Trail

In the event that your data is exposed or stolen, document it. Failing to do so means you can’t track the incident – just make sure to shred physical paper copies once you’re done. Documentation allows you to think more carefully about how and why a breach occurred, regardless of whether it was an error on your end or a breach in a remote server like Google. This is exponentially more important when other people are involved, such as in an organization, group, or movement, so all affected individuals can verify their data and reset security protections. Further, you’ll be able to take legal action later on if you find the perpetrator of your leak.

---

High-Level Security

The following guidance is not for most people – it’s for individuals and organizations at high risk of being targeted and surveilled by opposing groups or the government. The majority of people will only need the following protections sparingly when they engage in high-risk work.

License plates trace your identity, allowing people to find your home address, criminal history, and accident history just by searching online or calling their local DMV. SIM cards work the same way – they can be searched to find out your phone number, contacts, text messages, location, and other identifying information. When engaging with high-risk work, such as going to a protest, it’s better to purchase a burner SIM with cash. Burner phones do not inherently make your digital information more private unless you have a generic SIM you buy to later discard. With as little information on the device as possible, you minimize your risk even if your phone is taken by law enforcement.

Not everyone can be on the front lines at a protest. To maintain security, you should limit high-value individuals from going to actions like protests and demonstrations – if they are detained, their data is the most at-risk. This includes admins and anyone who has login details, contacts, and sensitive messages for your group. Best practices advocate having these individuals stay back and message others remotely during a demonstration through the burner devices people IRL should have, since that both protects your data from possible exposure while also giving your activists access to data as needed by messaging you.

Speaking of which, law enforcement in the United States must have a warrant to search your phone – including if they’ve already seized it after arrest or if they believe they have probable cause for evidence of a crime. Your cell phone is covered under the Fourth Amendment from unreasonable searches and seizures, backed by the 2014 Supreme Court decision in Riley v. California. However, police are allowed to force you to unlock your phones in certain states if you use biometric logins like fingerprints or facial recognition. The courts are especially conflicted about this since it should fall under the Fifth Amendment’s right to not testify against one’s self, but it hasn’t reached the Supreme Court.

---

Additional Resources

Access Now has information about censorship, surveillance, and data – “A First Look at Digital Security” runs you through what exactly needs protecting and how to do it based on your needs. They even have a free 24/7 digital helpline available in English, Spanish, French, German, Portuguese, Russian, Tagalong, Arabic, and Italian.

ActionSkills has some pretty cool websites worth checking out – like the Commons Library, which hosts educational resources that you can browse for free. The Library even has information on digital security.

Activist Handbook has a few articles on general digital security as well as further guidance for your cell phone and laptop.

Association for Progressive Communications’ Digital Security First Aid Kit for Human Rights Defenders is a collection of tools and links for better online safety. The site is geared towards activists, covering how to send information without being tracked, hacks, abuse, and surveillance.

Blueprints for Change is a network for activists looking for tools suited to advance their work, including digital security, apps, communication campaigns, disinformation, canvassing, crowdsourcing, and more.

Digital Defenders has several online publications, ranging from digital support for civil rights, internet blockages, and related topics.

Digital First Aid gives you advice on how to best handle common digital security issues, like losing access to your device or account, viruses, hacking, impersonation, harassment, and surveillance.

Electronic Frontier Foundation is another large digital privacy and free speech group, which hosts tools for activists like the Surveillance Self-Defense (learn the basics on data surveillance), Privacy Badger (a tracking blocker for those who don’t want VPNs), Certbot (enables HTTPS on manually-administered websites), Atlas of Surveillance (documents local police technologies for users to search), Cover Your Tracks (check how well you’re protected from digital tracking), and Street Level Surveillance (which explains how various technologies are used to spy on the public).

Free Software Foundation believes in software freedom, but one of their best resources is their email self-defense guide for individuals wanting to secure their personal email from surveillance but don’t want to move to a platform like Proton.

Front Line Defenders has numerous projects worth looking at, including Security-in-a-Box – an open-source tool that teaches users how to protect their passwords, communication methods, devices, internet connections, and files. Read their entire digital security section here.

Medium has a good article about digital privacy for normal people who don’t need to be overly concerned with security.

Mozilla, which owns and operates Firefox, actually has a ton of information about digital security – including best practices for digital activism.

Oregon State University has a free book on cryptography, a key focus on cybersecurity since it relates to encryption. The book explains why digital security matters and the history of both digital privacy activism and suppression in the United States.

Prism Break is a great reference tool for comparing various software and companies, giving you information on the best platforms for digital privacy.

Rise Up is an autonomous body that values digital liberation and hosts numerous projects for independent forums and media.

SAFETAG is an international network of white hat hackers for small organizations – auditors who intentionally try to penetrate your security to improve your framework.

Security Planner is another free beginner guide to digital security, which gives personalized advice for free based on your needs.

Tactical Tech is a major digital security organization – but they have just as many creative demonstrations and physical exhibitions as they have reference guides and projects. Some of their online projects include the Data Detox Kit (teaches basic digital health, AI, and misinformation), Digital Enquirer (self-paced modules for users interested in online media literacy), the Influence Industry Project (effects of data collection on politics), the GAFAM Empire (information on the monopolized empire by Google, Amazon, Facebook, Apple, and Microsoft), Our Data Ourselves (learn about data, activism, politics, and yourself), Holistic Security (approach to teaching digital security as an aspect of general wellbeing)

The Movement Hub hosts free online resources for grassroots activism, which includes digital campaigning. Digital Activism is a private website that supports verified organizers with tools after registering.

Watch Your Hack uses everyday language to explain simple internet safety to protect yourself from common hacking techniques.