In our tumultuous political era, those who stake out controversial positions or participate in protests can find themselves subject to digital attacks that go beyond the verbal, such as doxxing and hacking. People in the middle of passionate political debates can benefit from taking certain steps to protect their privacy and safety online. Even if you aren’t a high-profile target yourself, reducing your own exposure can help if a friend or family member is facing increased threats, because we all hold information about our friends and family on our digital devices and in our accounts. In fact, everybody can benefit from such steps. With digital attacks on the rise, we are republishing and updating advice that we’ve given in the past.
Of course, privacy and security are in many ways socially determined — there’s only so much an individual can do against tech giants, other companies, harassers, law enforcement, or political antagonists when our laws and our tools fail to protect us. The ACLU will continue to lead the fight for digital security and privacy through our litigation, advocacy, and technical efforts.
But there are simple steps that everyone can take to improve their digital privacy and security. While there are many advanced techniques that expert technologists can deploy for much greater security, below are some relatively basic and straightforward steps that will significantly increase your protection against privacy invasions, hacks, and digital harassment.
Please note that although we mention a few services below, we don’t endorse any particular services or products as they can change rapidly. This guidance was written in November 2023.
Protection against doxxing
“Doxxing” is the gathering and publication of personal information such as addresses and phone numbers by hostile parties to try to intimidate and direct violence at someone. Some information, such as home purchases, has been deemed by our society as inherently public, so there’s not much that can be done to keep that private. But the harm of doxxing can be reduced if you limit the amount of information that’s available about you online.
- It’s worth spending some time to opt out of the services of “data brokers,” who will happily hand over your personal data in bulk to anyone willing to pay a few dollars. Organizations such as the Privacy Rights Clearinghouse maintain lists of brokers with instructions for opting out of each. There are also commercial services like Abine’s DeleteMe that will do some of the work for you, and Tall Poppy, which can help you and other people in your organization take steps to reduce the risk they face from data exposed online.
- In addition to trying to remove identifiable data from the data brokers, search Google, Bing, and other search engines for your phone number plus your first name, and your phone number plus your last name. Do the same thing for your street address and your first or last names. These might show up in all kinds of places — a flyer for a theatre project you worked on, a Scout troop newsletter, a friend’s old tweet. Sometimes you’ll be able to get them removed if someone you know was the one who posted it or if the site has an opt-out process. Sometimes you won’t — but at least you’ll know how difficult it will be for an antagonist to track down that information.
- If your information is or has been public, and especially if it is being maliciously published as part of a harassment campaign, one particularly severe threat to know about is “swatting.” While rare, this type of attack has in at least one case resulted in a death. An attacker calls 911 with a fake report of a hostage situation, bomb, or other critical incident at the target’s address, resulting in an overly militarized team being sent to confront the target or their family. If you are concerned about this kind of attack and you trust your local police to be reasonable, consider calling your local police’s nonemergency number to alert them to the likelihood of false reports about your address. Here is a verbal script to explain swatting and request that extra precautions be taken by first responders if a report is received about your address.
Your communications and accounts
- Use encrypted messaging. By using end-to-end encrypted messaging where possible, you eliminate numerous sources of surveillance and tracking. Consider using Signal Private Messenger for encrypted voice, video, and text message communication. SMS (plain old “text messaging”) is not encrypted and can be read by your mobile provider, by any other carrier that handles the message in transit, and by any government agency that can compel or compromise them. Avoid SMS if possible! Email messages are typically unencrypted and can be read by your email provider and the recipient’s email provider. Many messaging apps other than Signal offer some level of encryption, but different platforms will leak different amounts of metadata (who is texting whom, at what time, and even address book data) to law enforcement. Apple iMessage offers end-to-end encrypted messaging, but only between iMessage users; messages to anyone else fall back to unencrypted SMS/MMS. WhatsApp messages are also end-to-end encrypted, though its owner Meta has faced criticism for sharing data from WhatsApp with other Meta products (like Facebook and Instagram), as well as with law enforcement. As of 2023, Signal remains the best choice, but it only works when all of the people communicating use it.
- Be alert for phishing attacks. If your name has come to the attention of hostile parties who decide to target you, “phishing” — sending an email or text message made to look like it’s from a prominent company or one of your friends — is a common way to try to steal your passwords in order to break into your accounts. Using a password manager helps here because it only offers to autofill a login on the exact site where you saved it; if a link takes you to a lookalike domain that differs from the real one by a letter or two (a common trick), nothing autofills, which is itself a warning sign. Always be on the lookout for messages that appear to be from a known source, but are not. Signs can include unusual URLs and messages that are off-kilter in grammar or tone or otherwise don’t sound like their purported author. When in doubt about a suspicious message from a friend, family member, or colleague, check in with the sender via some other channel before assuming the message is legitimate. For example, if you received a suspicious e-mail, give the person a phone call and ask if they really sent it.
- Don’t connect to your personal accounts on internet-connected devices that are not your own. Typing your password into a public workstation at a hotel, an internet cafe, or even a friend’s house means that anyone who has taken control of that machine now knows your password. The same rule applies to any computer, laptop, tablet, smartphone, etc.
- Use a password manager. With password crackers able to try billions of passwords a second, strong, unique passwords for every account you use are a key part of good security. But strong passwords are hard to remember, which is why people often make the understandable mistake of using the same password for multiple accounts. If you reuse a password across accounts and one of those sites is compromised, the attacker learns that password and can then try it on every other site and service where you reused it. Thankfully, there’s an easy solution: use a password manager that will automatically create and keep track of strong passwords for the many sites and services that you use. The password manager is itself locked with a single (hopefully strong) “master” password. Various password manager options you might consider are included in this list. Sadly, even a sophisticated password manager could be attacked: all software has bugs. But for the most likely attacks against a well-built password manager, a user whose “master” password is strong (long and unguessable) will still be protected.
- Use multi-factor authentication. Strong, unique passwords for each site are a good start toward protecting your personal information, but your account can still be hacked if someone obtains your password, for example by sending you a phishing link that tricks you into revealing it. One of the best ways you can protect your accounts is by turning on “multi-factor authentication,” which requires one or more additional sources of verification besides the password before granting access to your account — typically each time you log on from a new computer. The safest forms of additional verification are “authenticator” apps and USB security keys. An authenticator app uses a protocol like TOTP: it computes a short code from a secret shared with the service when you enrolled (usually by scanning a QR code) and the current time, so it works even when your phone has no Internet connection, and you simply type the code into the remote service. A USB security key is a device you insert into your computer (or tap against your phone) during an authentication prompt, but which you can keep on your keychain the rest of the time; because its response is tied to the genuine site’s address, a phishing page cannot reuse it, whereas a code from an authenticator app can be relayed by a phishing site in real time. Most prominent online services offer multi-factor authentication; if you haven’t turned this on yet, do it.
- Use free and open-source software. Open-source applications are often developed outside a profit motive, and their computer code is open for anyone to inspect, fix, and redistribute with those fixes. This transparency and repairability reduces both the incentive and the ability of companies or others to quietly turn seemingly innocuous software into a mechanism for spying.
- Install software updates. One of the most common ways hackers break in is by exploiting known flaws or bugs in the applications installed on a computer. When responsible application or operating system developers learn about such vulnerabilities, they issue a patch to fix the problem, and attackers then scan for devices that haven’t applied it. That’s why it’s important to keep all of the software on your devices as up to date as possible, and to turn on automatic updates where they are offered.
- Encrypt your devices. If you lose control of an unencrypted device, even if it has a strong password on it, it’s possible for someone with the right equipment to just read the data off of its storage directly. Some devices, like modern iPhones, are encrypted by default. Other devices, like most laptops and some Android devices, will need to be deliberately encrypted. Mac laptops can be encrypted with FileVault, and Windows laptops with BitLocker (available on Pro, Enterprise, and Education editions; Windows Home offers a more limited “Device encryption” setting on supported hardware). Modern Android devices are also encrypted by default as long as you have set up a password. For older Android devices, you might need to do extra work to ensure it is encrypted.
- Use a strong local password. The protection provided by encryption depends on how strong your local password is. Any device that you carry with you could get taken from you, whether by accident (e.g., leaving it on the train) or on purpose (e.g., confiscated by law enforcement, or stolen). If your device is locked with a strong password, that makes it difficult for whoever takes your device to unlock it. A strong password usually means a long, random password. A four-digit passcode is far too easy to guess. Of course, your device’s local password is something that you won’t be able to ask your password manager to remember.
- Learn how to lock your device quickly. In addition to unlocking with a password, many devices today can be unlocked with your face, or with a fingerprint. This is convenient, but it can also be risky. If you go to a protest where you might get arrested, or if your home might be raided while you are there, law enforcement could take your device and unlock it by merely holding it up to your face, or pressing your finger on it. If you find yourself in a risky situation, it’s useful to know how to quickly lock your device so that it will only unlock with your strong local password, disabling biometric access. This is different for different devices. For example, on most Android devices, you can long-press the power button and choose “Lockdown” from the menu that appears (on some Android versions this option must first be enabled in the lock-screen settings). On iOS devices with Face ID, hold down the side button together with either of the volume buttons until the emergency/power-off screen appears; you can then tap Cancel, and the device will still demand your passcode at the next unlock. Practice this before you go to a protest. You’ll know you’ve got it right when the device requires you to re-enter your password rather than letting you unlock it with your face or your finger. Remember that this step only disables biometrics for this one instance of locking. Once you’ve unlocked the device with your password, the biometric unlock will be available again.
- Limit your apps. Every app installed on a smartphone or computer is an additional risk. The app can collect data about the environment or its user’s actions, and might be buggy, or might report back to its vendor, who themselves could face a cyberattack. Remove any app you don’t actually use, and limit the permissions of the ones that you do use to the minimum necessary (including “asking the app not to track” on platforms that support that). A flashlight app doesn’t need access to your location, for example.
- Use caution when scanning QR codes. Scanning a QR code is very similar to clicking a link in an e-mail or text message. It causes your web browser (or other app) to take an action on your behalf. If you wouldn’t click a random link in a text from a stranger, why would you scan a random QR code stuck to a telephone pole?
- Don’t sign into your web browser. Signing into your browser, especially if it is operated by a surveillance economy company, as Chrome is operated by Google, allows the browser vendor to easily track what you do and where you go online. Sign in only when you specifically need to do so, and sign out afterwards. Consider also using a web browser that is not maintained by a surveillance-economy company. Firefox, Brave, and Tor Browser are all web browsers that are more respectful of your data and your privacy than other major browsers. It’s perfectly fine to have multiple web browsers; try using different ones.
- Make use of your browser’s “private browsing” or “incognito” mode. Using this setting where possible won’t protect you from all tracking by services you use within the session (or from tracking by your network provider), but it will avoid leaving traces on your local machine. Using private browsing mode also means that if you do identify yourself to a service during that session (e.g., by logging in to a web site), that identification is less likely to be linked to your activities in other sessions. Look in the help menu of your browser to find out how to browse privately.
- Use search engines that don’t track you. Not all search engines are created equal when it comes to privacy. Many major search engines (including Google, Yahoo and Bing) record both identifying information (like cookies, your IP address, or other fingerprinting data) and all the search terms you’ve used — an extremely revealing and usually sensitive set of data. As an alternative, consider using a search engine that doesn’t track your activities, such as DuckDuckGo, StartPage, or Brave Search.
- Use other services that don’t track you. For example, if you need to collaborate in real time on a document, you don’t always need to use a surveillance economy service like Google Docs or Microsoft Office365. You can use a simple shared editor like Framapad or Cryptpad. Neither of these services will build profiles of you for targeting purposes, or associate your identity with the contents of your documents.
- Delete cookies and browsing history. Cookies are small files saved on your device by your browser so that the websites you visit can remember things about you. They are useful for many things but are also used by advertising networks to track you. By deleting all of your cookies as well as your browsing history, you can reset the memory of the systems that track you. Use the help menu of your browser to find out how to delete your cookies and browsing history, and do this regularly. Other aspects of web browsing still leak user data and linkable activity, but some web browsers (see above) are better about minimizing the amount of leakage than others.
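The phishing and QR-code items above both come down to inspecting a link before acting on it. The following added example (not from the original article) makes that inspection explicit: it reduces a host to its registrable domain, roughly the granularity a password manager matches saved logins against, and flags the tricks a phishing link or a QR payload commonly uses: action schemes like `tel:` or `WIFI:`, a real brand name buried in a subdomain, digit-for-letter lookalikes, a `user@` prefix hiding the true host, punycode, bare IP addresses, and plain `http`. The trusted-site list, the short suffix table, and every sample URL are constructed for illustration; a real implementation would load the Public Suffix List.

```python
"""Inspect a link or QR payload the way a careful reader would."""
import ipaddress
from urllib.parse import urlparse

# Sites the user holds accounts on (illustrative, not from the article).
TRUSTED_SITES = {"google.com", "signal.org", "example-bank.com"}

# Schemes a scanner or browser may hand straight to another app: each one
# acts on your behalf without a page you can look at first.
ACTION_SCHEMES = {"tel", "sms", "smsto", "mailto", "wifi", "javascript", "data", "file"}

# Tiny stand-in for the Public Suffix List, enough for the demo.
KNOWN_SUFFIXES = {"com", "org", "net", "co.uk"}

# Characters attackers swap for look-alikes ("g00gle", "paypa1", "rnicrosoft").
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s"), ("7", "t")]


def registrable_domain(host: str) -> str:
    """Collapse a host to eTLD+1: 'accounts.google.com' -> 'google.com',
    'google.com.evil.net' -> 'evil.net'. Password managers match on this
    (or on the exact host), never on what the name looks like."""
    labels = host.lower().rstrip(".").split(".")
    for n in (2, 1):  # try the longer known suffix ("co.uk") first
        if len(labels) > n and ".".join(labels[-n:]) in KNOWN_SUFFIXES:
            return ".".join(labels[-(n + 1):])
    return ".".join(labels)


def skeleton(label: str) -> str:
    """Normalise common homoglyph substitutions so 'g00gle' compares as 'google'."""
    for bad, good in CONFUSABLES:
        label = label.replace(bad, good)
    return label


def inspect_link(raw: str) -> dict:
    """Return the findings a human should see before trusting a link."""
    findings = []
    url = urlparse(raw.strip())
    scheme = url.scheme.lower()
    host = (url.hostname or "").lower()

    if scheme in ACTION_SCHEMES:
        findings.append(f"scheme '{scheme}' triggers an action, not a web page")
    elif scheme not in ("http", "https"):
        findings.append(f"unusual scheme '{scheme or '(none)'}'")
    if scheme == "http":
        findings.append("plaintext http: no certificate ties this page to its owner")

    if url.username is not None:
        # https://google.com@evil.net/ displays 'google.com' first but goes to evil.net
        findings.append(f"'{url.username}@' before the real host {host!r}")

    try:
        ascii_host = host.encode("idna").decode("ascii")
    except UnicodeError:
        ascii_host = host
    if any(label.startswith("xn--") for label in ascii_host.split(".")):
        findings.append("punycode label: may be a homoglyph of a familiar name")

    try:
        ipaddress.ip_address(host)
        findings.append("bare IP address instead of a domain name")
    except ValueError:
        pass

    domain = registrable_domain(ascii_host) if host else ""
    if domain and domain not in TRUSTED_SITES:
        own_brand = domain.split(".")[0]
        for trusted in sorted(TRUSTED_SITES):
            brand = trusted.split(".")[0]
            if skeleton(own_brand) == skeleton(brand) or brand in ascii_host.split("."):
                findings.append(f"looks like {trusted} but the registrable domain is {domain}")

    return {
        "registrable_domain": domain,
        "autofill_would_match": domain in TRUSTED_SITES,
        "findings": findings,
        "safe_to_follow": not findings and domain in TRUSTED_SITES,
    }


if __name__ == "__main__":
    for sample in ("https://accounts.google.com/signin", "https://google.com.evil.net/login",
                   "https://g00gle.com/", "https://google.com@evil.net/",
                   "WIFI:T:WPA;S:FreeCoffee;P:hunter2;;", "http://192.0.2.10/update"):
        print(sample, "->", inspect_link(sample))
```

The `autofill_would_match` field is the point of the password-manager advice: the manager sees `evil.net` or `g00gle.com`, not "Google", and stays silent, which is exactly the cue to stop.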
Remember: You will never achieve absolute security from privacy invasions, but you can make gains in fighting surveillance and harassment by political antagonists, government, companies, or hackers with steps like the ones we have described here.