Tips and tools to help you more safely access LGBTQ resources, navigate social networks, and avoid snoopers.
If you lack proper support and access to LGBTQ resources, this guide teaches you how to explore such resources online in a safer way to help avoid accidental outing to your peers, family, or online advertisers as a result of online tracking or nosy snoopers.
Choosing Your Tools
All digital tools, whether they are hardware or software, should be secure. That is, they should protect you from surveillance, and stop your device from being controlled by others. Sadly, this is currently not the case. For many digital activities, you may end up needing dedicated programs or equipment intended to provide specific security features. Examples we use in this guide include software that allows you to encrypt your messages or files, like PGP.
But given the large number of companies and websites offering secure programs or hardware, how do you choose the one that's right for you?
Security is a Process, not a Purchase Anchor link
The first thing to remember before changing the software you use or buying new tools is that no tool is going to give you absolute protection from surveillance in all circumstances. Using encryption software will generally make it harder for others to read your communications or go through your computer's files. But attacks on your digital security will always seek out the weakest element of your security practices. When you use a new secure tool, you should think about how using it might affect other ways someone could target you. For example, if you decide to use a secure texting program to talk to a contact because you know that your phone might be compromised, might the fact that you're using this program at all give an adversary a clue that you are talking about private information?
Secondly, remember your threat model. You don't need to buy some expensive encrypted phone system that claims to be “NSA-proof” if your biggest threat is physical surveillance from a private investigator with no access to internet surveillance tools. Alternatively, if you are facing a government that regularly jails dissidents because they use encryption tools, it may make sense to use simpler tricks—like a set of pre-arranged codes—rather than risk leaving evidence that you use encryption software on your laptop.
Given all that, here are some questions you can ask about a tool before downloading, purchasing, or using it.
How Transparent is it? Anchor link
Even though digital security seems to be mostly about keeping secrets, there's a strong belief among security researchers that openness and transparency leads to more secure tools.
Much of the software used and recommended by the digital security community is open source, which is to say that the code that defines how it works is publicly available for others to examine, modify, and share. By being transparent about how their program works, the creators of these tools invite others to look for security flaws, and help improve the program.
Open software provides the opportunity for better security but does not guarantee it. The open source advantage relies in part on a community of technologists actually checking the code, which for small projects (and even for popular, complex ones) may be hard to achieve. When you're considering using a tool, see if its source code is available, and whether the code has an independent security audit to confirm the quality of its security. At the very least, software or hardware should have a detailed technical explanation of how it functions, for other experts to inspect.
How Clear are its Creators About its Advantages and Disadvantages? Anchor link
No software or hardware is entirely secure. Creators or sellers who are honest about the limitations of their product will give you a much stronger idea of whether their application is appropriate for you.
Don't trust blanket statements that say that the code is “military-grade” or “NSA-proof”; these mean nothing and give a strong warning that the creators are overconfident or unwilling to consider the possible failings in their product.
Because attackers are always trying to discover new ways to break the security of tools, software and hardware often needs to be updated to fix new vulnerabilities. It can be a serious problem if the creators of a tool are unwilling to do this, either because they fear bad publicity, or because they have not built the infrastructure to fix problems.
You can't predict the future, but a good indicator of how toolmakers will behave in the future is their past activity. If the tool's website lists previous issues and links to regular updates and information—like specifically how long it has been since the software was last updated—you can be more confident that they will continue to provide this service in the future.
What Happens if the Creators are Compromised? Anchor link
When security toolmakers build software and hardware, they (just like you) must have a clear threat model. The best creators will explicitly describe what kind of attackers they can protect you from in their documentation.
But there's one attacker that many manufacturers do not want to think about: what if they, themselves, are compromised or decide to attack their own users. For instance, a court or government may compel a company to give up personal data or create a “backdoor” that will remove all the protections their tool offers. You may want to consider the jurisdiction(s) where the creators are based. If your threat is from the government of Iran, for example, a US-based company will be able to resist Iranian court orders, even if it must comply with US orders.
Even if a creator is able to resist government pressure, an attacker may attempt to achieve the same result by breaking into the toolmakers' own systems in order to attack its customers.
The most resilient tools are those that consider this as a possible attack, and are designed to defend against this. Look for language that asserts that a creator cannot access private data, rather than promises that a creator will not. Look for institutions with a reputation for fighting court orders for personal data.
Check for Recalls and Online Criticism Anchor link
Of course, companies selling products and enthusiasts advertising their latest software can be misled, be misleading, or even outright lie. A product that was originally secure might be discovered to have terrible flaws in the future. Make sure you stay well-informed on the latest news about the tools that you use.
Do you Know Others who Use the Same Tool? Anchor link
It's a lot of work for one person to keep up with the latest news about a tool. If you have colleagues who use a particular product or service, work with them to stay informed about what's happening.
Products Mentioned in This Guide Anchor link
We try to ensure that the software and hardware we mention in this guide complies with the criteria we've listed above: we have made a good faith effort to only list products that have a solid grounding in what we currently know about digital security, are generally transparent about their operation (and their failings), have defenses against the possibility that the creators themselves will be compromised, and are currently maintained, with a large and technically-knowledgeable user base. We believe that they have, at the time of writing, the eye of a wide audience who is examining them for flaws, and would raise concerns to the public quickly. Please understand that we do not have the resources to examine or make independent assurances about their security, we are not endorsing these products and cannot guarantee complete security.
Which Phone Should I Buy? Which Computer? Anchor link
One of the most frequent questions asked of security trainers is “Should I buy Android or an iPhone?” or “Should I use a PC or a Mac?” or “What operating system should I use?” There are no simple answers to these questions. The relative safety of software and devices is constantly shifting as new flaws are discovered and old bugs are fixed. Companies may compete with each other to provide you with better security, or they may all be under pressure from governments to weaken that security.
Some general advice is almost always true, however. When you buy a device or an operating system, keep current with its software updates. Updates will often fix security problems in older code that attacks can exploit. Older phones and operating systems are no longer supported, even for security updates. In particular, Microsoft has made it clear that Windows XP and earlier Windows versions will not receive fixes for even severe security problems. If you use XP, you cannot expect it to be secure from attackers. (The same is true for OS X before 10.7.5 or "Lion").Last reviewed:2014-11-04
Protecting Yourself on Social Networks
Social networking sites are some of the most popular websites and tools we use on the Internet. Facebook, Google+, and Twitter have hundreds of millions of users each.
Social networks are often built on the idea of sharing posts, photographs, and personal information. Yet they have also become forums for organizing and speech—much of which relies on privacy and pseudonymity. Thus, the following questions are important to consider when using social networks: How can I interact with these sites while protecting myself? My basic privacy? My identity? My contacts and associations? What information do I want keep private and who do I want to keep it private from?
Depending on your circumstances, you may need to protect yourself against the social media site itself, against other users of the site, or both.
Here are some tips to keep in mind when you’re setting up your account:
Registering for a Social Media Site Anchor link
- Do you want to use your real name? Some social media sites have so-called "real name policies," but these have become more lax over time. If you do not want to use your real name when registering for a social media site, do not.
- When you register, don't provide more information than is necessary. If you are concerned with hiding your identity, use a separate email address. Be aware that your IP address may be logged at registration.
- Choose a strong password and, if possible, enable two-factor authentication. Check out our guide to enabling two-factor authentication here.
- Beware of password recovery questions whose answers can be mined from your social media details. For example: “What city were you born in?” or “What is the name of your pet?” You may want to choose password recovery answers that are false. One good way to remember the answers to password recovery questions, should you choose to use false answers for added security, is to note your chosen answers in a password safe.
Remember that information stored by third parties is subject to their own policies and may be used for commercial purposes or shared with other companies, for example, marketing firms. We know that reading privacy policies is a near-impossible task, but you may want to take a look at sections on how your data is used, when it is shared with other parties, and how the service responds to law enforcement requests.
Social networking sites, usually for-profit businesses, often collect sensitive information beyond what you explicitly input—where you are, what interests and advertisements you react to, what other sites you've visited (e.g. through "Like" buttons). It can be helpful to block third-party cookies and use tracker-blocking browser extensions to make sure extraneous information isn't being passively transmitted to third parties.
Some social networking sites, like Facebook and Twitter, have business relationships with data brokers in order to target advertisements more effectively. EFF has guides that walk you through how to opt-out of these tracking schemes:
Change Your Privacy Settings Anchor link
Specifically, change the default settings. For example, do you want to share your posts with the public, or only with a specific group of people? Should people be able to find you using your email address or phone number? Do you want your location shared automatically?
Remember, privacy settings are subject to change. Sometimes, these privacy settings get stronger and more granular; sometimes not. Be sure to pay attention to these changes closely to see if any information that was once private will be shared, or if any additional settings will allow you to take more control of your privacy.
Your Social Graph Anchor link
Remember that you’re not the only person who can give away potentially sensitive data about yourself. Your friends can tag you in photos, report your location, and make their connections to you public in a variety of ways. You may have the option of untagging yourself from these posts, but privacy does not work retroactively. You may want to talk to your friends about what you do and do not feel comfortable having them share about you in public.Last reviewed:2015-02-10
Assessing Your Risks
Trying to protect all your data from everyone all the time is impractical and exhausting. But, do not fear! Security is a process, and through thoughtful planning, you can assess what’s right for you. Security isn’t about the tools you use or the software you download. It begins with understanding the unique threats you face and how you can counter those threats.
In computer security, a threat is a potential event that could undermine your efforts to defend your data. You can counter the threats you face by determining what you need to protect and from whom you need to protect it. This process is called “threat modeling.”
This guide will teach you how to threat model, or how to assess your risks for your digital information and how to determine what solutions are best for you.
What might threat modeling look like? Let’s say you want to keep your house and possessions safe, here are a few questions you might ask:
What do I have inside my home that is worth protecting?
- Assets could include: jewelry, electronics, financial documents, passports, or photos
Who do I want to protect it from?
- Adversaries could include: burglars, roommates, or guests
How likely is it that I will need to protect it?
- Does my neighborhood have a history of burglaries? How trustworthy are my roommates/guests? What are the capabilities of my adversaries? What are the risks I should consider?
How bad are the consequences if I fail?
- Do I have anything in my house that I cannot replace? Do I have the time or money to replace these things? Do I have insurance that covers goods stolen from my home?
How much trouble am I willing to go through to prevent these consequences?
- Am I willing to buy a safe for sensitive documents? Can I afford to buy a high-quality lock? Do I have time to open a security box at my local bank and keep my valuables there?
Once you have asked yourself these questions, you are in a position to assess what measures to take. If your possessions are valuable, but the risk of a break-in is low, then you may not want to invest too much money in a lock. But, if the risk is high, you’ll want to get the best lock on the market, and consider adding a security system.
Building a threat model helps you to understand the unique threats you face, your assets, your adversary, your adversary’s capabilities, and the likelihood of risks you face.
What is threat modeling and where do I start? Anchor link
Threat modeling helps you identify threats to the things you value and determine from whom you need to protect them. When building a threat model, answer these five questions:
- What do I want to protect?
- Who do I want to protect it from?
- How bad are the consequences if I fail?
- How likely is it that I will need to protect it?
- How much trouble am I willing to go through to try to prevent potential consequences?
Let’s take a closer look at each of these questions.
What do I want to protect?
An “asset” is something you value and want to protect. In the context of digital security, an asset is usually some kind of information. For example, your emails, contact lists, instant messages, location, and files are all possible assets. Your devices may also be assets.
Make a list of your assets: data that you keep, where it’s kept, who has access to it, and what stops others from accessing it.
Who do I want to protect it from?
To answer this question, it’s important to identify who might want to target you or your information. A person or entity that poses a threat to your assets is an “adversary.” Examples of potential adversaries are your boss, your former partner, your business competition, your government, or a hacker on a public network.
Make a list of your adversaries, or those who might want to get ahold of your assets. Your list may include individuals, a government agency, or corporations.
Depending on who your adversaries are, under some circumstances this list might be something you want to destroy after you’re done threat modeling.
How bad are the consequences if I fail?
There are many ways that an adversary can threaten your data. For example, an adversary can read your private communications as they pass through the network, or they can delete or corrupt your data.
The motives of adversaries differ widely, as do their attacks. A government trying to prevent the spread of a video showing police violence may be content to simply delete or reduce the availability of that video. In contrast, a political opponent may wish to gain access to secret content and publish that content without you knowing.
Threat modeling involves understanding how bad the consequences could be if an adversary successfully attacks one of your assets. To determine this, you should consider the capability of your adversary. For example, your mobile phone provider has access to all your phone records and thus has the capability to use that data against you. A hacker on an open Wi-Fi network can access your unencrypted communications. Your government might have stronger capabilities.
Write down what your adversary might want to do with your private data.
How likely is it that I will need to protect it?
Risk is the likelihood that a particular threat against a particular asset will actually occur. It goes hand-in-hand with capability. While your mobile phone provider has the capability to access all of your data, the risk of them posting your private data online to harm your reputation is low.
It is important to distinguish between threats and risks. While a threat is a bad thing that can happen, risk is the likelihood that the threat will occur. For instance, there is a threat that your building might collapse, but the risk of this happening is far greater in San Francisco (where earthquakes are common) than in Stockholm (where they are not).
Conducting a risk analysis is both a personal and a subjective process; not everyone has the same priorities or views threats in the same way. Many people find certain threats unacceptable no matter what the risk, because the mere presence of the threat at any likelihood is not worth the cost. In other cases, people disregard high risks because they don't view the threat as a problem.
Write down which threats you are going to take seriously, and which may be too rare or too harmless (or too difficult to combat) to worry about.
How much trouble am I willing to go through to try to prevent potential consequences?
Answering this question requires conducting the risk analysis. Not everyone has the same priorities or views threats in the same way.
For example, an attorney representing a client in a national security case would probably be willing to go to greater lengths to protect communications about that case, such as using encrypted email, than a mother who regularly emails her daughter funny cat videos.
Write down what options you have available to you to help mitigate your unique threats. Note if you have any financial constraints, technical constraints, or social constraints.
Threat modeling as a regular practice Anchor link
Keep in mind your threat model can change as your situation changes. Thus, conducting frequent threat modeling assessments is good practice.
Create your own threat model based on your own unique situation. Then mark your calendar for a date in the future. This will prompt you to review your threat model and check back in to assess whether it’s still relevant to your situation.Last reviewed:2017-09-07
Communicating with Others
Telecommunication networks and the Internet have made communicating with people easier than ever, but have also made surveillance more prevalent than it has ever been in human history. Without taking extra steps to protect your privacy, every phone call, text message, email, instant message, voice over IP (VoIP) call, video chat, and social media message may be vulnerable to eavesdroppers.
Often the safest way to communicate with others is in person, without computers or phones being involved at all. Because this isn’t always possible, the next best thing is to use end-to-end encryption while communicating over a network if you need to protect the content of your communications.
How Does End-to-End Encryption Work? Anchor link
When two people want to communicate securely (for example, Akiko and Boris) they must each generate crypto keys. Before Akiko sends a message to Boris she encrypts it to Boris's key so that only Boris can decrypt it. Then she sends the already-encrypted message across the Internet. If anyone is eavesdropping on Akiko and Boris—even if they have access to the service that Akiko is using to send this message (such as her email account)—they will only see the encrypted data and will be unable read the message. When Boris receives it, he must use his key to decrypt it into a readable message.
End-to-end encryption involves some effort, but it's the only way that users can verify the security of their communications without having to trust the platform that they're both using. Some services, such as Skype, have claimed to offer end-to-end encryption when it appears that they actually don't. For end-to-end encryption to be secure, users must be able to verify that the crypto key they're encrypting messages to belongs to the people they believe they do. If communications software doesn't have this ability built-in, then any encryption that it might be using can be intercepted by the service provider itself, for instance if a government compels it to.
You can read Freedom of the Press Foundation's whitepaper, Encryption Works for detailed instructions on using end-to-end encryption to protect instant messages and email. Be sure to check out the following SSD modules as well:
Voice Calls Anchor link
When you make a call from a landline or a mobile phone, your call is not end-to-end encrypted. If you're using a mobile phone, your call may be (weakly) encrypted between your handset and the cell phone towers. However as your conversation travels through the phone network, it's vulnerable to interception by your phone company and, by extension, any governments or organizations that have power over your phone company. The easiest way to ensure you have end-to-end encryption on voice conversations is to use VoIP instead.
Beware! Most popular VoIP providers, such as Skype and Google Hangouts, offer transport encryption so that eavesdroppers cannot listen in, but the providers themselves are still potentially able to listen in. Depending on your threat model, this may or may not be a problem.
Some services that offer end-to-end encrypted VoIP calls include:
In order to have end-to-end encrypted VoIP conversations, both parties must be using the same (or compatible) software.
Text Messages Anchor link
Standard text (SMS) messages do not offer end-to-end encryption. If you want to send encrypted messages on your phone, consider using encrypted instant messaging software instead of text messages.
Some end-to-end encrypted instant messaging services use their own protocol. So, for instance, users of Signal on Android and iOS can chat securely with others who use those programs. ChatSecure is a mobile app that encrypts conversations with OTR on any network that uses XMPP, which means you can choose from a range of independent instant messaging services.
Instant Messages Anchor link
Some tools that incorporate OTR with instant messaging include:
Email Anchor link
Most email providers give you a way of accessing your email using a web browser, such as Firefox or Chrome. Of these providers, most of them provide support for HTTPS, or transport-layer encryption. You can tell that your email provider supports HTTPS if you log in to your webmail and the URL at the top of your browser begins with the letters HTTPS instead of HTTP (for example: https://mail.google.com).
If your email provider supports HTTPS, but does not do so by default, try replacing HTTP with HTTPS in the URL and refresh the page. If you’d like to make sure that you are always using HTTPS on sites where it is available, download the HTTPS Everywhere browser add-on for Firefox or Chrome.
Some webmail providers that use HTTPS by default include:
Some webmail providers that give you the option of choosing to use HTTPS by default by selecting it in your settings. The most popular service that still does this is Hotmail.
What does transport-layer encryption do and why might you need it? HTTPS, also referred to as SSL or TLS, encrypts your communications so that it cannot be read by other people on your network. This can include the other people using the same Wi-Fi in an airport or at a café, the other people at your office or school, the administrators at your ISP, malicious hackers, governments, or law enforcement officials. Communications sent over your web browser, including the web pages that you visit and the content of your emails, blog posts, and messages, using HTTP rather than HTTPS are trivial for an attacker to intercept and read.
HTTPS is the most basic level of encryption for your web browsing that we recommend for everybody. It is as basic as putting on your seat belt when you drive.
But there are some things that HTTPS does not do. When you send email using HTTPS, your email provider still gets an unencrypted copy of your communication. Governments and law enforcement may be able to access this data with a warrant. In the United States, most email providers have a policy that says they will tell you when you have received a government request for your user data as long as they are legally allowed to do so, but these policies are strictly voluntary, and in many cases providers are legally prevented from informing their users of requests for data. Some email providers, such as Google, Yahoo, and Microsoft, publish transparency reports, detailing the number of government requests for user data they receive, which countries make the requests, and how often the company has complied by turning over data.
If your threat model includes a government or law enforcement, or you have some other reason for wanting to make sure that your email provider is not able to turn over the contents of your email communications to a third party, you may want to consider using end-to-end encryption for your email communications.
PGP (or Pretty Good Privacy) is the standard for end-to-end encryption of your email. Used correctly, it offers very strong protections for your communications. For detailed instructions on how to install and use PGP encryption for your email, see:
What End-To-End Encryption Does Not Do Anchor link
End-to-end encryption only protects the content of your communication, not the fact of the communication itself. It does not protect your metadata—which is everything else, including the subject line of your email, or who you are communicating with and when.
Metadata can provide extremely revealing information about you even when the content of your communication remains secret.
Metadata about your phone calls can give away some very intimate and sensitive information. For example:
- They know you rang a phone sex service at 2:24 am and spoke for 18 minutes, but they don't know what you talked about.
- They know you called the suicide prevention hotline from the Golden Gate Bridge, but the topic of the call remains a secret.
- They know you spoke with an HIV testing service, then your doctor, then your health insurance company in the same hour, but they don't know what was discussed.
- They know you received a call from the local NRA office while it was having a campaign against gun legislation, and then called your senators and congressional representatives immediately after, but the content of those calls remains safe from government intrusion.
- They know you called a gynecologist, spoke for a half hour, and then called the local Planned Parenthood's number later that day, but nobody knows what you spoke about.
If you are calling from a cell phone, information about your location is metadata. In 2009, Green Party politician Malte Spitz sued Deutsche Telekom to force them to hand over six months of Spitz’s phone data, which he made available to a German newspaper. The resulting visualization showed a detailed history of Spitz’s movements.
Protecting your metadata will require you to use other tools, such as Tor, at the same time as end-to-end encryption.
For an example of how Tor and HTTPS work together to protect the contents of your communications and your metadata from a variety of potential attackers, you may wish to take a look at this explanation.Last reviewed:2017-01-12
Creating Strong Passwords
Because remembering many different passwords is difficult, people often reuse a small number of passwords across many different accounts, sites, and services. Today, users are constantly being asked to come up with new passwords—many people end up reusing the same password dozens or even hundreds of times.
Reusing passwords is an exceptionally bad security practice, because if an attacker gets hold of one password, she will often try using that password on various accounts belonging to the same person. If that person has reused the same password several times, the attacker will be able to access multiple accounts. That means a given password may be only as secure as the least secure service where it's been used.
Avoiding password reuse is a valuable security precaution, but you won't be able to remember all your passwords if each one is different. Fortunately, there are software tools to help with this—a password manager (also called a password safe) is a software application that helps store a large number of passwords safely. This makes it practical to avoid using the same password in multiple contexts. The password manager protects all of your passwords with a single master password (or, ideally a passphrase—see discussion below) so you only have to remember one thing. People who use a password manager no longer actually know the passwords for their different accounts; the password manager can handle the entire process of creating and remembering the passwords for them.
For example, KeePassX is an open source, free password safe that you keep on your desktop. It's important to note that if you're using KeePassX, it will not automatically save changes and additions. This means that if it crashes after you've added some passwords, you can lose them forever. You can change this in the settings.
Using a password manager also helps you choose strong passwords that are hard for an attacker to guess. This is important too; too often computer users choose short, simple passwords that an attacker can easily guess, including "password1," "12345," a birthdate, or a friend's, spouse's, or pet's name. A password manager can help you create and use a random password without pattern or structure—one that won't be guessable. For example, a password manager is able to choose passwords like "vAeJZ!Q3p$Kdkz/CRHzj0v7,” which a human being would be unlikely to remember—or guess. Don't worry; the password manager can remember these for you!
Syncing Your Passwords Across Multiple Devices Anchor link
You may use your passwords on more than one device, such as your computer and your smart phone. Many password managers have a password-synchronizing feature built in. When you sync your password file, it will be up to date on all of your devices, so that if you’ve added a new account on your computer, you will still be able to log into it from your phone. Other password managers will offer to store your passwords “in the cloud,” which is to say, they will store your passwords encrypted on a remote server, and when you need them on a laptop or mobile, they will retrieve and decrypt them for you automatically. Password managers that use their own servers to store or help synchronize your passwords are more convenient, but the trade-off is that they are slightly more vulnerable to attack. If you just keep your passwords on your computer, then someone who can take over your computer may be able to get hold of them. If you keep them in the cloud, your attacker may target that also. It's not usually a compromise you need to worry about unless your attacker has legal powers over the password manager company or is known for targeting companies or internet traffic. If you use a cloud service, the password manager company may also know what services you use, when, and where from.
Choosing Strong Passwords Anchor link
There are a few passwords that do need to be memorized and that need to be particularly strong: those that ultimately lock your own data with cryptography. That includes, at least, passwords for your device, encryption like full-disk encryption, and the master password for your password manager.
Computers are now fast enough to quickly guess passwords shorter than ten or so characters. That means short passwords of any kind, even totally random ones like nQ\m=8*x or !s7e&nUY or gaG5^bG, are not strong enough for use with encryption today.
Reinhold's method involves rolling physical dice to randomly choose several words from a word list; together, these words will form your passphrase. For disk encryption (and password safe), we recommend selecting a minimum of six words.
Try making a password using Reinhold’s “Diceware” method.
When you use a password manager, the security of your passwords and your master password is only as strong as the security of the computer where the password manager is installed and used. If your computer or device is compromised and spyware is installed, the spyware can watch you type your master password and could steal the contents of the password safe. So it's still very important to keep your computer and other devices clean of malicious software when using a password manager.
A Word About “Security Questions” Anchor link
Be aware of the “security questions” (such as “What is your mother’s maiden name?” or "What was your first pet's name?") that websites use to confirm your identity if you do forget your password. Honest answers to many security questions are publicly discoverable facts that a determined adversary can easily find, and therefore bypass your password entirely. For instance, US vice-presidential candidate Sarah Palin had her Yahoo! account hacked this way. Instead, give fictional answers that, like your password, no one knows but you. For example, if the password question asks you your pet’s name, you may have posted photos to photo sharing sites with captions such as “Here is a photo of my cute cat, Spot!” Instead of using “Spot” as your password recovery answer, you might choose “Rumplestiltskin.” Do not use the same passwords or security question answers for multiple accounts on different websites or services. You should store your fictional answers in your password safe, too.
Think of sites where you’ve used security questions. Consider checking your settings and changing your responses.
Remember to keep a backup of your password safe! If you lose your password safe in a crash (or if you have your devices taken away from you), it may be hard to recover your passwords. Password safe programs will usually have a way to make a separate backup, or you can use your regular backup program.
You can usually reset your passwords by asking services to send you a password recovery email to your registered email address. For that reason, you may want to memorize the passphrase to this email account also. If you do that, then you will have a way of resetting passwords without depending on your password safe.
Multi-factor Authentication and One-time Passwords Anchor link
Many services and software tools let you use two-factor authentication, also called two-step authentication or two-step login. Here the idea is that in order to log in, you need to be in possession of a certain physical object: usually a mobile phone, but, in some versions, a special device called a security token. Using two-factor authentication ensures that even if your password for the service is hacked or stolen, the thief won't be able to log in unless they also have possession or control of a second device and the special codes that only it can create.
Typically, this means that a thief or hacker would have to control both your laptop and your phone before they have full access to your accounts.
Because this can only be set up with the cooperation of the service operator, there is no way to do this by yourself if you're using a service that doesn't offer it.
Two-factor authentication using a mobile phone can be done in two ways: the service can send you an SMS text message to your phone whenever you try to log in (providing an extra security code that you need to type in), or your phone can run an authenticator application that generates security codes from inside the phone itself. This will help protect your account in situations where an attacker has your password but does not have physical access to your mobile phone.
Some services, such as Google, also allow you to generate a list of one-time passwords, also called single-use passwords. These are meant to be printed or written down on paper and carried with you (although in some cases it might be possible to memorize a small number of them). Each of these passwords works only once, so if one is stolen by spyware when you enter it, the thief won't be able to use it for anything in the future.
If you or your organization run your own communications infrastructure, such as your own e-mail servers, there's freely available software that can be used to enable two-factor authentication for accessing your systems. Ask your systems administrators to look for software offering implementations of the open standard “Time-Based One-Time Passwords” or RFC 6238.
Threats of Physical Harm or Imprisonment Anchor link
Finally, understand that there is always one way that attackers can obtain your password: They can directly threaten you with physical harm or detention. If you fear this may be a possibility, consider ways in which you can hide the existence of the data or device you are password-protecting, rather than trust that you will never hand over the password. One possibility is to maintain at least one account that contains largely unimportant information, whose password you can divulge quickly.
If you have good reason to believe that someone may threaten you for your passwords, it's good to make sure your devices are configured so that it won't be obvious that the account you are revealing is not the “real” one. Is your real account shown in your computer's login screen, or automatically displayed when you open a browser? If so, you may need to reconfigure things to make your account less obvious.
In some jurisdictions, such as the United States or Belgium, you may be able to legally challenge a demand for your password. In other jurisdictions, such as the United Kingdom or India, local laws allow the government to demand disclosure. EFF has detailed information for anyone travelling across U.S. borders who wishes to protect their data on their digital devices in our Defending Privacy at the U.S. Border guide.
Please note that intentional destruction of evidence or obstruction of an investigation can be charged as a separate crime, often with very serious consequences. In some cases, this can be easier for the government to prove and allow for more substantial punishments than the alleged crime originally being investigated.Last reviewed:2016-01-13
How to: Circumvent Online Censorship
This is a short overview to circumventing online censorship, but is by no means comprehensive.
Governments, companies, schools, and Internet providers sometimes use software to prevent their users from accessing certain websites and services. This is called Internet filtering or blocking, and it is a form of censorship. Filtering comes in different forms. Censors can block individual web pages, or even entire websites. Sometimes, content is blocked based on the keywords it contains.
There are different ways of beating Internet censorship. Some protect you from surveillance, but many do not. When someone who controls your net connection filters or blocks a site, you can almost always use a circumvention tool to get to the information you need. Note: Circumvention tools that promise privacy or security are not always private or secure. And tools that use terms like “anonymizer” do not always keeps your identity completely secret.
In this article, we'll talk about four ways to circumvent censorship:
- Visiting a web proxy to access a blocked website.
- Visiting an encrypted web proxy to access a blocked website.
- Using a Virtual Private Network (VPN) to access blocked websites or services.
- Using the Tor Browser to access a blocked website or protect your identity.
Basic techniques Anchor link
Circumvention tools usually work by diverting your web traffic so it avoids the machines that do the blocking or filtering. A service that redirects your Internet connection past these blocks is sometimes called a proxy.
HTTPS is the secure version of the HTTP protocol you use to access websites. Sometimes a censor will only block the insecure (HTTP) version of a site. That means you can access the blocked site simply by entering the version of the web address that starts with HTTPS.
This is useful if the censorship you are fighting blocks individual web pages based on their contents. HTTPS stops censors from reading your web traffic, so they cannot tell what keywords are being sent, or which individual web page you are visiting.
Censors can still see the domain names of all websites you visit. So, for example, if you visit “eff.org/https-everywhere” censors can see that you are on “eff.org” but not that you are on the “https-everywhere” page.
If you suspect this type of simple blocking, try entering https:// before the domain in place of http:
Try installing EFF’s HTTPS Everywhere extension to automatically turn on HTTPS where possible.
Another way that you may be able to circumvent basic censorship techniques is by trying an alternate domain name or URL. For example, instead of visiting http://twitter.com, you might try the mobile version of the site at http://m.twitter.com. Censors that block websites or web pages work from a blacklist of banned websites, so anything that is not on that blacklist will get through. They might not know of all different versions of a particular website's name—especially if the administrators of the site know it is blocked and register more than one domain.
Web-based proxies Anchor link
A web-based proxy (such as http://proxy.org/) is a website that lets its users access other blocked or censored websites. It is therefore a good way to circumvent censorship. In order to use a web-based proxy, visit the proxy and enter the web address that you want to see; the proxy will then display the web page you asked for.
However, web-based proxies don’t provide any security and will be a poor choice if your threat model includes someone monitoring your internet connection. They will not help you to use blocked services such as your instant messaging apps. The web-based proxy will have a complete record of everything you do online, which can be a privacy risk for some users depending on their threat model.
Encrypted proxies Anchor link
Numerous proxy tools utilize encryption to provide an additional layer of security on top of the ability to bypass filtering. The connection is encrypted so others cannot see what you are visiting. While encrypted proxies are generally more secure than plain web-based proxies, the tool provider may have information about you. They might have your name and email address in their records, for instance. That means that these tools do not provide full anonymity.
The simplest form of an encrypted web proxy is one that starts with “https”— this will use the encryption usually provided by secure websites. However, be cautious—the owners of these proxies can see the data you send to and from other secure websites. Ultrasurf and Psiphon are examples of these tools.
Virtual Private Networks Anchor link
A Virtual Private Network (VPN) encrypts and sends all Internet data from your computer through another computer. This computer could belong to a commercial or nonprofit VPN service, your company, or a trusted contact. Once a VPN service is correctly configured, you can use it to access webpages, e-mail, instant messaging, VoIP, and any other Internet service. A VPN protects your traffic from being spied on locally, but your VPN provider can still keep logs of the websites you access, or even let a third party snoop directly on your web browsing. Depending on your threat model, the possibility of a government listening in on your VPN connection or getting hold of VPN logs may be a significant risk. For some users, this could outweigh the short-term benefits of using a VPN.
For information about specific VPN services, click here.
We at EFF cannot vouch for this rating of VPNs. Some VPNs with exemplary privacy policies could be run by devious people. Do not use a VPN that you do not trust.
Tor Anchor link
Tor is open-source software designed to give you anonymity on the web. Tor Browser is a web browser built on top of the Tor anonymity network. Because of how Tor routes your web browsing traffic, it also allows you to circumvent censorship. (See our How to: Use Tor guides for Linux, macOS and Windows).
When you first start the Tor Browser, you can choose an option specifying that you are on a network that is censored:
Tor will not only bypass almost all national censorship, but, if properly configured, can also protect your identity from an adversary listening in on your country’s networks. It can, however, be slow and difficult to use.Last reviewed:2017-08-10
How to: Encrypt Your iPhone
If you have an iPhone 3GS or later, an iPod touch 3rd generation or later, or any iPad, you can protect the contents of your device using encryption. That means that if someone gets physical access to your device, they will also need your passcode to decrypt what's stored on it, including contacts, instant messages or texts, call logs and email.
In fact, most modern Apple devices encrypt their contents by default, with various levels of protection. But to protect yourself from someone obtaining your data by physically stealing your device, you need to tie that encryption to a passphrase or code that only you know.
On devices running iOS 4–iOS 7, you can do this by going to the General settings, and choosing Passcode (or iTouch & Passcode). As for iOS 8-9, Passcode (or “Touch ID & Passcode”) has its own section in the Settings app. Follow the prompts to create a passcode. You should set the “Require passcode” option to “Immediately,” so that your device isn't unlocked when you are not using it. Disable Simple Passcode so that you can use a code that's longer than 4 digits.
If you choose a passcode that's all-numeric, you will still get a numeric keypad when you need to unlock your phone, which may be easier than typing a set of letters and symbols on a tiny virtual keyboard. You should still try to keep your passcode long even though Apple's hardware is designed to slow down password-cracking tools. Try creating a passcode that is more than 6 digits.
Once you've set a passcode, scroll down to the bottom of the Passcode settings page. You should see a message that says “Data protection enabled.” This means that the device's encryption is now tied to your passcode, and that most data on your phone will need that code to unlock it.
Here are some other iOS features you should think about using if you're dealing with private data: Anchor link
iTunes has an option to backup your device onto your computer. If you choose the “Encrypt backup” option on the Summary tab of your device in iTunes, iTunes will backup more confidential information (such as Wifi passwords and email passwords), but will encrypt it all before saving it onto your computer. Be sure to keep the password you use here safe: restoring from backups is a rare event, but extra painful if you cannot remember the password to unlock the backup in an emergency.
If you back up to Apple's iCloud, you should use a long passphrase to protect the data, and keep that passphrase safe. While Apple encrypts most data in its backups, it may be possible for the company to obtain access for law enforcement purposes since Apple also controls the keys used for iCloud encryption.
If you turn on data protection as described above, you will also be able to delete your data on your device securely and quickly. In the Passcode settings, you can set your device to wipe all its data after ten failed attempts to guess your passphrase.
According to Apple’s old Law Enforcement Guide, “Apple can extract certain categories of active data from passcode locked iOS devices. Specifically, the user generated active files on an iOS device that are contained in Apple’s native apps and for which the data is not encrypted using the passcode (“user generated active files”), can be extracted and provided to law enforcement on external media. Apple can perform this data extraction process on iOS devices running iOS 4 or more recent versions of iOS. Please note the only categories of user generated active files that can be provided to law enforcement, pursuant to a valid search warrant, are: SMS, photos, videos, contacts, audio recording, and call history. Apple cannot provide: email, calendar entries, or any third-party App data.”
The above information applies only to iOS devices running versions of iOS prior to 8.0.
- Now, Apple states that "On devices running iOS 8 and later versions, your personal data is placed under the protection of your passcode. For all devices running iOS 8 and later versions, Apple will not perform iOS data extractions in response to government search warrants because the files to be extracted are protected by an encryption key that is tied to the user’s passcode, which Apple does not possess."
REMEMBER: While Apple will be unable to extract data directly off a phone, if the device is set to sync with iCloud, or backup to a computer, much of the same data will indeed be accessible to law enforcement. Under most circumstances, iOS encryption is only effective when a device has been fully powered down (or freshly-rebooted, without being unlocked). Some attackers might be able to take valuable data from your device's memory when it's turned on. (They might even be able to take the data when it has just been turned off). Keep this in mind and, if possible, try to make sure your device is powered off (or rebooted and not unlocked) if you believe it's likely to be seized or stolen.
If you are concerned about your device getting lost or stolen, you can also set up your Apple device so that it can be erased remotely, using the “Find My iPhone” feature. Note that this will allow Apple to remotely request the location of your device at any time. You should balance the benefit of deleting data if you lose control of your device, with the risk of revealing your own position. (Mobile phones transmit this information to telephone companies as a matter of course; WiFi devices like iPads and the iPod Touch do not.)
How to: Use Signal on iOS
Signal is a free and open source software application for Android, iOS, and Desktop that employs end-to-end encryption, allowing users to send end-to-end encrypted group, text, picture, and video messages, and have encrypted phone conversations between Signal users. Although Signal uses telephone numbers as contacts, encrypted calls and messages actually use your data connection; therefore both parties to the conversation must have Internet access on their mobile devices. Due to this, Signal users don’t incur SMS and MMS fees.
Installing Signal – Private Messenger on your iPhone Anchor link
Step 1: Download and Install Signal – Private Messenger
On your iOS device, enter the App Store and search for “Signal.” Select the app Signal – Private Messenger by Open Whisper Systems.
Tap "GET" to download the app, then "INSTALL." You may be prompted to enter your Apple ID credentials. Once it has downloaded, click “OPEN” to launch the app.
Step 2: Register and Verify your Phone Number
You will now see the following screen. Enter your mobile phone number and tap “Verify This Device.”
In order to verify your phone number, you will be sent an SMS text with a six-digit code. You will now be prompted to enter that code, and then tap "Submit Verification Code."
After this process is complete, Signal will request access to your contacts. Tap "Continue."
Signal will then request permission to send you notifications. Tap "OK."
Using Signal Anchor link
In order to use Signal, the person that you are calling must have Signal installed. If you try to call or send a message to someone using the Signal app and they do not have any of the aforementioned apps installed, the app will ask if you would like to invite them via SMS, but it will not allow you to complete your call or send a message to them from inside the app.
Signal provides you with a list of other Signal users in your contacts. To do this, data representing the phone numbers in your contact list is uploaded to the Signal servers, although this data is deleted almost immediately.
How to Send an Encrypted Message Anchor link
Note that Open Whisper Systems, the makers of Signal, use other companies' infrastructure to send its users alerts when they receive a new message. It uses Google on Android, and Apple on iPhone. That means information about who is receiving messages and when they were received may leak to these companies.
To get started, tap the compose icon in the upper-right corner of the screen.
You will see a list of all the registered Signal users in your contacts.
When you tap a contact, you'll be brought to the text-messaging screen for your contact. From this screen, you can send end-to-end encrypted text, picture, or video messages.
How to Initiate an Encrypted Call
To initiate an encrypted call to a contact, select that contact and then tap on the phone icon.
At this point, Signal may ask for permission to access the microphone. Tap "OK."
Once a call is established, your call is encrypted.
How to Initiate an Encrypted Video Call
To make an encrypted video call, simply call someone as described above:
and tap the video camera icon. You may have to allow Signal to access video from your camera. This shares your video with your friend (your friend may have to do the same):
How to Start an Encrypted Group Chat
You can send an encrypted group message by tapping the compose icon in the upper-right corner of the screen (the square with a pencil pointing to the center), and then tapping the icon in the same place with three figures.
On the following screen, you'll be able to name the group and add participants to it. After adding participants, you can tap on the "+" icon in the upper right corner of the screen.
This will initiate the group chat.
If you wish to change the group name, or add or remove participants, this can be done from the group chat screen by tapping the overflow icon (the three dots in the upper-right corner of the screen) and selecting “Edit group.”
How to Verify your Contacts
At this point, you can verify the authenticity of the person you are talking with, to ensure that their encryption key wasn't tampered with or replaced with the key of someone else when your application downloaded it (a process called key verification). Verifying is a process that takes place when you are physically in the presence of the person you are talking with.
First, open the screen where you are able to message your contact, as described above. From this screen, tap the name of your contact at the top of the screen.
From the following screen, tap "Verify Safety Numbers."
You will now be brought to a screen which displays a QR code and a list of 'safety numbers.' This code will be unique for every different contact you are conversing with. Have your contact navigate to the corresponding screen for their conversation with you, so that they have a QR code displayed on their screen as well.
Back on your device, tap "Scan Code." At this point, Signal may ask for permission to access the camera. Tap "OK."
Now you will be able to use the camera to scan the QR code that is displayed on your contact's screen. Align your camera to the QR code:
Hopefully, your camera will scan the barcode and show a "Safety Numbers Verified!" dialogue, like this:
This indicates that you have verified your contact successfully. If instead your screen looks like this, something has gone wrong:
You may want to avoid discussing sensitive topics until you have verified keys with that person.
Note for power users: The screen displaying your QR code also has an icon to share your safety number in the top-right corner. In-person verification is the preferred method, but you may have already authenticated your contact using another secure application, such as PGP. Since you've already verified your contact, you can safely use the trust established in that application to verify numbers within Signal, without having to be physically in the presence of your contact. In this case you can share your safety number with that application by tapping the "share" icon, and send your contact your safety number.
Signal has a feature called “disappearing messages” which ensures that messages will be removed from your device and the device of your contact some chosen amount of time after they are seen. To enable "disappearing messages" for a conversation, open the screen where you are able to message your contact. From this screen, tap the name of the contact at the top of the screen, then tap the slider next to "Disappearing Messages."
A slider will appear that allows you to choose how quickly messages will disappear:
After you select an option, you can tap the "<" icon on the top-left corner of the screen, and you should see information in the conversation indicating that “disappearing messages” have been enabled.
You can now send messages with the assurance that they will be removed after the chosen amount of time.Last reviewed:2017-03-17