Digital Security for Everyone

This guide is designed for beginners and non-technical people with the aim of increasing security across our whole community. The content is based on research, working with security experts and on-the-ground experience working with community activists and people who believe government and corporations do not have the right to spy on people by default.

Produced by Glenn Todd. Contribution by Gabor Szathmari and experience from FLAC. Eye Image by Eiti Kimura. The entire resource is licensed under a Creative Commons Attribution 4.0 International License. Updated July 2020.

Ten quick and easy things to radically improve your digital privacy and security

If this guide feels like too much, start with these 10 things.

Please Note

Security is always changing, so do some extra research yourself about recommended tools. The safety of tools can change suddenly if we learn of new exploits or risks with tools. Sometimes great tools get sold to dodgy corporations. Please use these recommendations in context with some healthy cynicism and common sense.

Webinar discussing this content and tools

2-hour discussion on the content of this guide.

Why Secure myself? – I am not doing anything worth spying on

Many people believe that they are not worth spying on. There are many reasons to protect yourself and your community.

Who are we protecting from?

Security has many levels and protects you from different levels of spies. It is important to understand that the people more likely to target you are probably the least sophisticated. This means any improvement to your security will go a long way.

Herd Immunity – My part in protecting everyone

If only a few people are protecting themselves they become targets, as it is assumed they have something worth spying on. When you and others start protecting yourselves, it gets very difficult and expensive to spy on everyone.

Don’t let Paranoia stop you organising

Although they come with risks, digital tools allow us to leverage our actions and communications in unprecedented ways. If we stop using these tools due to security, we have lost before we have even started. Use the tools wisely. Some risks are involved but missing the big opportunities is a far bigger risk.

Convenience VS Security

Some security technologies can be less than convenient, for example typing long passcodes into your phone or surfing with slower internet speeds via Tor. It is up to you how you balance security and convenience. Many security approaches and technologies do not impact on convenience, so apply as many security lessons as you practically can.

Be geek street-smart – Security is not perfect

High-end security is very complex and can make using your technology less convenient. The aim of this guide is to implement good security and not perfect security. Unless you understand the technologies at a technical level, always assume your system is compromised and use your technology wisely. You may have perfect encrypted messaging but your system may have malware that is recording your keystrokes.

Digital literacy – learn your technology

Computers have given us powerful tools that also need maintenance and management. Learning the basics of how your computers and phones work will make you far more savvy in understanding digital security.

Encryption works – What is encryption?

Encryption involves using advanced mathematics to scramble your data, making it impossible to access without your key (password). The Snowden leaks have proven that encryption works and we can protect ourselves from spying.

Encrypt all devices, drives and sensitive folders

Encrypting is usually a simple matter of turning encryption on via your device's settings. By enabling encryption you make hacking your device either impossible or very difficult and resource intensive.

Multiple backups

Your data can be lost in many ways: Fire, theft, failure, arrest, loss etc. You can also lose data if you apply some security measures incorrectly. Make sure you have adequate backups before you start securing and encrypting.

Update your software regularly – apply updates

There is a constant loop happening: Hackers find exploits in software and the software people patch them up. Make sure you apply the latest versions to all your software including operating systems, apps and websites to ensure you have the latest secure versions. Unpatched software is a very common way to be hacked.

Lock your computer and phones. Review security settings

Turn on auto-screen lock features using passwords and 2FA. Facial recognition lock can be unlocked by cops using your face (same with fingerprint). Review and configure security settings. Review and configure app settings (e.g. turn off location unless it explicitly needs location). Most apps have too many permissions on by default.

Phone security

Phones have become very complex and usually ship with dodgy settings out of the box, so the first and most important rule about modern smart phones is DON'T TRUST THEM. Make sure you are geek street smart.
Here are some ways to improve your phone security.

Secure Phone communications

Anything encrypted is better. SMS and voice were built to be intercepted and recorded (since the paper telegram days). Apple messenger and Facetime are respected, but require an iPhone. Older phones have lots of vulnerabilities – not recommended.

  • Signal replaces SMS / voice / video
  • Session A version of Signal that does not require a phone number for your account

Smart password management

Weak passwords are a primary way to hack you. Simple passwords can be broken by a “brute force attack” where average computers have enough resources to crack them reasonably quickly. YOU NEED A PASSWORD MANAGER

Antivirus and scanners

Protect yourself from viruses and malware, which are a common way to hack you.

Location and tracking

Your location is being tracked and recorded via your mobile device. Many private companies are recording and selling this info. Many drone assassinations in the Middle East are targeted via the location of a person's mobile device.

2FA – Two factor authentication

Sometimes called two-step verification. A process in which users provide two different methods to verify themselves. SMS or email codes in addition to your usual login user and password are common approaches. 2FA apps are a recommended approach. You will need to configure each service separately, e.g. your email is separate from your bank account.

Private Internet – Stop using Google and FaceBook (so much)

Google has become so useful in many areas that it has become an important tool in many people's lives. Google is also an extensive tracking engine that is building a very extensive and detailed profile on you. Microsoft’s Bing engine is doing the same thing. Don’t log into Google, or log out when not using Google […]

  • Startpage Anonymous search. Alternative to Google search without the tracking
  • DuckDuckGo Anonymous search. Alternative to Google search without the tracking
  • mbasic.facebook.com You can access FaceBook via your phone browser and view messages

Private Internet – Block ads and trackers

Minimise browser plugins as some have built-in trackers. Cookies are stored in your browser to personalise your experience on websites and are also used to track you. Delete these regularly (every time you quit) to reduce their ability to build a profile on you. In Brave/Chrome > clear browsing data > on exit.

  • Brave Browser Chrome browser with adblockers and tracking protection built in
  • Lightbeam Visualise the trackers that are tracking you

Private Internet – VPN – Virtual private network

A VPN works by connecting your computer (using encryption) to another computer located somewhere else in the world. Your access to the internet then comes from that computer located somewhere else in the world. So if the computer is located in France, then you are surfing from France. This simple technology thwarts the mandatory data […]

Private Internet – Tor – Anonymous Browsing

Tor bounces internet users’ and websites’ traffic through “relays” run by thousands of volunteers around the world, making it extremely hard for anyone to identify the source of the information or the location of the user. Use Tor with your VPN and ideally with a secure OS and burner laptop. Unfortunately Tor can slow your internet […]

Private Internet – Anonymous Connection

You could use public wifi, but be careful and use a VPN, as public wifi networks are insecure and can be used to hack you. You can also order an overseas SIM online with Australian data roaming that doesn’t require ID.

Private internet – commerce

There are two major ways to buy things anonymously online. The first one is using Visa or Mastercard gift cards. These can be bought with cash at many supermarkets and at Australia Post. The other way is using the crypto-currency: Bitcoin. Please search for more information on the Bitcoin technology and how to use it.

Advanced anonymous internet

So you want to be a ninja online? As with martial arts, to be truly invisible online you need to spend a lot of time becoming an expert in the technology. There are no shortcuts to becoming a martial arts ninja but there are some ways to skill up without being a top level security geek.

Security Culture – working in groups

Security culture is an agreement made by a group which outlines the minimum security, tools and security processes the group will use. This allows individuals to understand their personal risk as well as the risk to the group and the group's actions.

Remote Group collaboration – working online

Slack, Google and similar tools are not encrypted: authorities can request the hosting companies to hand over the documents, user list and the chat logs. Nextcloud is a secure replacement for the Google collaboration ecosystem.

Document Collaboration

CryptPad offers realtime collaborative docs similar to Google Docs. Due to its secure nature it lacks an easy way to group documents, so you need to create and manage an inventory of the secure URLs. You can also use a desktop text or document editor and share by encrypted channel (not realtime).

Secure Email

Google and similar tools are not encrypted: authorities can request the hosting companies to hand over your data. Secure email can be simplified by your group using only one email service such as Riseup, Tutanota, or ProtonMail. This means the “end to end” (from your email to your friend's email) encryption is managed by the […]

Group Chat

  • Keybase Group chat/collaboration + file sharing (similar to Slack) (easy to use) (unfortunately bought out by Zoom)
  • Semaphor I have not used this since the new version, which is now free. Recommended by security geeks
  • Matrix riot Security notices can be a barrier for non-tech people
  • Signal Small groups – (large groups make it annoying to use as main sms replacement)

Video conferencing

We are looking for a better option for video conferencing. It is important to know that regular phone conversations or popular VoIP tools like Skype or Google Hangouts have wiretapping capabilities built-in. Authorities can request Microsoft to record and hand over conversations with a warrant.

  • Jitsi The best ethical choice - turn on the encryption. Can be unstable
  • Zoom Only uses encryption for paid users and it needs to be switched on. Zoom works with law enforcement and Chinese authorities so cannot be trusted
  • Facetime Apple has a good reputation for security but requires an iPhone or Mac.
  • Signal Signal is good for one on one video

Phones and laptops in meetings

Microphones and cameras can be switched on remotely without you knowing. Good practice is to gather all devices and remove them from meetings. Even if they have dead batteries, this encourages good security culture. Some people place tape over their laptop camera because someone watching you remotely is creepy.

Databases and CRMs

(In our context) a database is a collection of information on people. A CRM (Client Relationship Manager) is a specialised database for managing people’s information, interactions and relationships with people. As database tools become more advanced, we are increasingly building up a lot of information so we need to pay special attention to privacy […]

Email list management

Email lists should be self-hosted somewhere overseas. The servers hosting the email list management software contain the list of all email subscribers. Ideally, all subscribers should use a brand-new email account dedicated solely to receiving emails from the email list.

More digital security guides

Last updated: March 22nd, 2021

Creative Commons Licence
More digital security guides by actionskills.co is licensed under a Creative Commons Attribution 4.0 International License.
https://actionskills.au/resource/security-links/.