There’s a lot happening in the world right now, offline and online. Unfortunately, the web isn’t free of malicious people/groups1Which can include state forces, depending on where you live seeking to monitor, suppress, or harm people who speak out against injustice, inequality, and oppression.
Lately I’ve been fielding questions from friends who want to take extra precautions to protect themselves and their loved ones online. In case it might be helpful to others, I’ve compiled recommendations and resources here.
Not everybody is familiar or comfortable with tech, so I’ve tried to stick to safe, secure solutions that are easy to use. More notes at the end of the post.
VPNs
A virtual private network (VPN) protects you by obscuring the details of your web activity/traffic. Try to use VPNs as much as you can. Look for ones that don’t keep logs of your network activity / usage of the VPN service itself.
Good free options:
- ProtonVPN: No data limits; mobile apps available; run by the same people behind ProtonMail (free encrypted email service)
- TunnelBear: 500 MB limit per month, but that should be fine if you’re mostly using these when accessing sensitive stuff like email & socmed; mobile apps available
Paid options:
The Electronic Frontier Foundation has a one-page guide to help you learn more about how VPNs work and what features you should look at.
Browsers
Some browsers are more secure than others.
Firefox and Tor are open-source projects2Meaning their code is freely available, so people can check if there are any malicious scripts or critical flaws in the software run by nonprofits dedicated to online privacy and security. In practice, this means these browsers are significantly less likely to collect excessive personal information and/or attempt to sell that to third parties.
- Firefox: Mac, Windows, mobile apps available
- Tor: For most people, Firefox should be fine. The Tor browser is a bit more complex, and it can be finicky to use. CNET created a beginner’s guide to Tor if you want to give it a try.
General reminders:
Please clear your cache + cookies + browser history regularly. You can usually find these in your browser’s Settings pane.
Don’t let your browser save passwords for the websites you visit. Use a secure password manager instead.
Browser Extensions
You can install some extensions to enhance your browser’s security. Here are some extensions frequently recommended by cybersecurity professionals/groups:
- Privacy Badger: Blocks third-party trackers (e.g., advertisers) from collecting info on the websites you browse/visit
- uBlock Origin: Blocks ads / pop-ups on most websites. Install the Firefox extension here
- Disconnect.me: Blocks most trackers, cookies, beacons used on the websites you browse
- HTTPS Everywhere: Forces your browser to automatically use HTTPS-encrypted versions of websites whenever available
If you want to install other browser extensions, remember to vet them thoroughly. Anyone can publish an extension, so you’re bound to run into ones that aren’t secure, or worse, are shady by design.
Password Management
What makes for a secure password? Wired has guidelines from experts.
Yes, this means you probably can’t memorize secure passwords for all of your accounts. No, this doesn’t mean you should use the same one for multiple websites. (Don’t, don’t, don’t use the same password for multiple accounts. Please.)
Instead, you should use a password manager. The best ones help you generate random, hard-to-crack passwords for different accounts; store your credentials in encrypted “vaults”; and manage your passwords across multiple devices.
Best free options:
- BitWarden: Open-source, no usage limits. Windows, Mac, Linux, iOS, Android, and browser extensions available.
- KeePass: Open-source, no usage limits, but not as polished or user-friendly as BitWarden. Windows, Mac, Linux, and browser extensions available. No official mobile apps but there are some recommended by the KeePass project team themselves.
- LastPass: Popular free option, paid upgrades available. Windows, iOS, Android, and browser extensions available.
Two-Factor Authentication (2FA)
Two-factor authentication adds another layer of security to your online accounts. A website or app with 2FA will verify your identity using another piece of info (other than your password) before granting access to your account.
Here’s a running list of websites, apps, and digital services that support 2FA. You’ll also find links to instructions for turning on 2FA for each site.
Most 2FA options will need you to use authenticator apps. These sync with your chosen website/app/service to generate unique codes whenever you need to login.
Here are a couple of free authenticator apps to consider:
- Google Authenticator: simple, straightforward app; supports scanning QR codes so you can automatically add a service
- Authy: more features, including support for running the Authy app on multiple devices
Email + Messaging
Reading other people’s correspondence is creepy, but unfortunately, there are a lot of creeps3Which can include state forces, depending on where you live out there. Here are some services that can help protect you from them:
- ProtonMail: Free email client that offers end-to-end encryption by default
- Mailvelope: Open-source browser extension that applies end-to-end encryption to web-based email accounts (e.g., Gmail, Yahoo, etc.)
- Signal: Most secure messaging option by far. Open-source, end-to-end encryption, now also includes image blurring. Windows, Mac, mobile apps available
General reminders:
Please don’t leave yourself signed into your email account4or any other online account, really by default.
Avoid using your email or social media accounts to automatically register for / log in to other websites.
Remember that messaging is a two-way activity: Your messages also reside in the recipient’s inbox/accounts, so if those get compromised, your information is at risk, too. Encourage friends and family to be more cautious in their online communications.
Image Scrubbing
When posting photos (and videos!) online, check if you’ve captured people’s faces or other identifiable marks. This kind of information is being used to track down people these days. The same holds true for metadata, i.e., information about your camera / device that is automatically embedded in your image file.
Here are some tools + tips to help you blur out identifiable features in photos:
- The Guardian Project‘s ObscuraCam app automatically blurs out faces
- An iOS shortcut
- Sam Loeschen’s Censr VR app
- Again, Signal has built-in blur options now!
- Edit your photo BEFORE uploading it. Don’t just rely on, say, Twitter’s or Instagram’s built-in tools to scribble over people’s faces. Why? The original photo is still saved somewhere on their server, and the scribbles are just overlaid. Don’t risk it; edit before you upload.
- Use the Clone Stamp tool rather than the Blur tool (some people claim that the latter is easy to reverse).
Here are some free tools + a tip to remove metadata from photos before you upload them:
- Everest Pipkin’s open-source image scrubber
- Batch-process multiple images using EXIFPurge or ImageOptim
- Instead of posting the original image file, take a screenshot of it and upload that instead.
Other Tools/Tips
- As much as possible, avoid giving identifiable personal information (birthday, phone number, address, etc) to any online platform. Avoid linking different accounts to each other, too.
- Have you been tagging your location on your social media posts? Stop that.
- Do you know if your phone is logging your whereabouts? Well, here’s how to tell it to stop, too: iOS location settings / Android location settings
- If you’re signing petitions that display your signature/particulars to the public, use throwaway/burner emails. There are services like Guerilla Mail for this.
- Avoid using your personal email address in online forms, miscellaneous registrations, etc. Instead, create an account JUST for use on public forms/websites etc., and make sure it’s not linked to any of your personal accounts.
- If you ever need multiple email addresses (e.g., for various petitions hosted on the same website, or something like that), remember that Gmail lets you create “aliases” for your email. Add a period anywhere in your username and/or use “@googlemail.com” instead of “@gmail.com” — most forms will read these as new / different addresses, but any mail will still end up in your inbox.
- Speaking of email: have you emailed Congress to remind them to be public servants and work for Filipinos’ best interests? You should. Here’s an app to help you email members of Congress about the Terror Bill.
- Double-check links before you click them. Avoid downloading things unless you know where they’re from.
- Keep your apps and software updated. A lot of breaches happen through old / outdated programs that get exploited.
Additional Resources
- The Electronic Frontier Foundation’s index of Surveillance Self-Defense guides is great for both beginners and advanced users.
- Feminist cyber activism organization HACK*BLOSSOM has a comprehensive DIY guide, including tips for mobile security.
- Not exactly for digital activities, but if you’re at a protest and trouble’s brewing, here’s Teen Vogue’s guide to safely filming police misconduct.
Right now, there’s a lot of information flying around online. Here are some Carrd links that could help you learn more about some of the critical issues / events going on:
- The PH Terror Bill
- Critical issues in the Philippines right now
- Black Lives Matter
- Hong Kong protests
- Palestine occupation
Last Note
This isn’t an exhaustive guide, nor does this post claim to be the last word on cybersecurity. Digital security has far too many dimensions to be tackled in a single post — and anyway, I’m not a cybersecurity professional. I’ve done as much research as I can to vet recommended programs / tools / tips here, but in the end, I’m just another nerd trying to make tech accessible and useful.
After all, technology is not, and never has been, neutral.5I have lots of thoughts about this, but that’s for another post. Anyone who claims otherwise is, at best, oblivious to current events, or at worst, deliberately obscuring the many ways technology can (and does) inflict real harm on people.
That said, “not neutral” doesn’t mean “all bad.” Digital spaces also offer us opportunities to raise awareness about critical issues; band together6 Especially in the middle of a pandemic and take action in different ways; and, well, try to create a better world for everyone. Taking those opportunities and standing up for what’s right shouldn’t have to result in danger for yourself or your loved ones, but here we are. I hope this post makes it a bit easier for people to stay safe, to be brave.