Tool to remove metadata: https://metadata.systemli.org/
Do not use your private name publicly.
If you feel like you are being doxxed or investigated, deactivate your accounts or switch them to private.
Recent repressions show that law enforcement looks into individuals' social media accounts:
Likes, comments, and who you follow are being monitored and can potentially get you convicted.
Very important: Connected phone numbers often allow law enforcement to retrieve your real identity.
Signal is a private messaging app that uses end-to-end encryption to ensure only the sender and recipient can read messages, not even Signal itself. It's safe because it prioritizes user privacy, doesn't collect data, and is open-source, allowing security audits.
Update Signal to the latest version.
Privacy Settings: Phone Number: Set to 'Nobody'.
Add a non-identifying username.
Share username or QR code, not phone number.
Enable Registration Lock.
Turn on Incognito Keyboard.
Set Default Disappearing Message Time.
Limit notifications to just arrival alerts (no sender or message contents).
Change display name infrequently and choose a distinguishing but non-unique pseudonym.
Set disappearing message time during group creation.
Ensure at least 2-3 admins in the group.
Change group permissions to 'Only admins' for member approvals.
If using a group link, ensure 'Admin Approval' is turned on after creation.
For secure online conferencing, campaigners who face security concerns recommend Jitsi - https://jitsi.org/
Weak passwords are an invitation to be hacked. A password manager like LastPass, 1Password or KeePass makes it easy to create unique, strong passwords for every account you have.
Pro tip: It's a myth that strong passwords must contain every character. In fact, length is what matters:
At least 13 characters in length
Add numbers and special characters
Use both uppercase and lowercase letters
Easy to remember, hard to crack:
Address (not linked to you!)
Mantra or intention
Passphrase
Do not use information publicly available about you:
Name of your partner, child, or pet
Favorite sports team
Favorite food
Change passwords frequently: Ideally every 3-6 months
Prioritize accounts for complex passwords: Use one password per account
Make sure your mobile PIN is at least 6 digits; it is much easier to crack a phone with only 4.
Make sure you keep auto-update of your applications switched on and ensure they are kept up to date. For Android, only download applications from the Google Play Store. If this is not possible, you can first upload APK files to www.virustotal.com to have them scanned before you install them.
Take extra care when accessing organisational information over public wifi. If you need to do this regularly, invest in a VPN.
For groups that have more acute security concerns, a factory reset of mobile devices is recommended every few months to make sure any malicious tracking is wiped out (but this presents the inconvenience of re-configuring devices).
Encrypting your devices makes it much harder for law enforcement or hackers to access the data on them.
iPhones are already encrypted.
Android phones are not (unless you have a Google Pixel), so you should go into the Security settings and enable encryption.
On Mac computers, go into System Preferences, then Security & Privacy, and turn on FileVault.
On Windows, you should use the BitLocker application (preinstalled) to encrypt your drive.
If you want to encrypt specific information / files on your device then you can use an open source program like VeraCrypt.
More than 90% of software and operating system (OS) updates are to patch security vulnerabilities in programs!
In particular, update your browser, your messenger and your operating system (Android, iOS, macOS, Windows or Linux).
If you are using public / untrusted wifi, using a Virtual Private Network (VPN) is recommended.
A good open source option is Psiphon. If you are concerned about particular websites tracking your internet browsing then you can install an extension like Privacy Badger.
As a rule of thumb, if a service provider does not offer two-factor authentication then do not use it to store sensitive information.
'Two-factor authentication' adds an extra step when logging into an account. It requires you to enter a code (generated by an app or by a text message) in addition to a password.