Playlist
  • Activist or protester?

    How to keep you and your communications safe wherever your campaigning takes you.

    The revolution may not be tweeted, but modern activism is nonetheless often reliant on online organizing. This playlist will teach you how to understand the risks activists face and how to protect against them.

  • An Introduction to Threat Modeling

    There is no single solution for keeping yourself safe online. Digital security isn’t about which tools you use; rather, it’s about understanding the threats you face and how you can counter those threats. To become more secure, you must determine what you need to protect, and whom you need to protect it from. Threats can change depending on where you’re located, what you’re doing, and whom you’re working with. Therefore, in order to determine what solutions will be best for you, you should conduct a threat modeling assessment.

    When Conducting an Assessment, There are Five Main Questions you Should Ask Yourself: Anchor link

    1. What do you want to protect?
    2. Who do you want to protect it from?
    3. How likely is it that you will need to protect it?
    4. How bad are the consequences if you fail?
    5. How much trouble are you willing to go through in order to try to prevent those?

    When we talk about the first question, we often refer to assets, or the things that you are trying to protect. An asset is something you value and want to protect. When we are talking about digital security, the assets in question are usually information. For example, your emails, contact lists, instant messages, and files are all assets. Your devices are also assets.

    Write down a list of data that you keep, where it’s kept, who has access to it, and what stops others from accessing it.

    In order to answer the second question, “Who do you want to protect it from,” it’s important to understand who might want to target you or your information, or who is your adversary. An adversary is any person or entity that poses a threat against an asset or assets. Examples of potential adversaries are your boss, your government, or a hacker on a public network.

    Make a list of who might want to get ahold of your data or communications. It might be an individual, a government agency, or a corporation.

    A threat is something bad that can happen to an asset. There are numerous ways that an adversary can threaten your data. For example, an adversary can read your private communications as they pass through the network, or they can delete or corrupt your data. An adversary could also disable your access to your own data.

    The motives of adversaries differ widely, as do their attacks. A government trying to prevent the spread of a video showing police violence may be content to simply delete or reduce the availability of that video, whereas a political opponent may wish to gain access to secret content and publish it without you knowing.

    Write down what your adversary might want to do with your private data.

    The capability of your attacker is also an important thing to think about. For example, your mobile phone provider has access to all of your phone records and therefore has the capability to use that data against you. A hacker on an open Wi-Fi network can access your unencrypted communications. Your government might have stronger capabilities.

    A final thing to consider is risk. Risk is the likelihood that a particular threat against a particular asset will actually occur, and goes hand-in-hand with capability. While your mobile phone provider has the capability to access all of your data, the risk of them posting your private data online to harm your reputation is low.

    It is important to distinguish between threats and risks. While a threat is a bad thing that can happen, risk is the likelihood that the threat will occur. For instance, there is a threat that your building might collapse, but the risk of this happening is far greater in San Francisco (where earthquakes are common) than in Stockholm (where they are not).

    Conducting a risk analysis is both a personal and a subjective process; not everyone has the same priorities or views threats in the same way. Many people find certain threats unacceptable no matter what the risk, because the mere presence of the threat at any likelihood is not worth the cost. In other cases, people disregard high risks because they don't view the threat as a problem.

    In a military context, for example, it might be preferable for an asset to be destroyed than for it to fall into enemy hands. Conversely, in many civilian contexts, it's more important for an asset such as email service to be available than confidential.

    Now, Let’s Practice Threat Modeling Anchor link

    If you want to keep your house and possessions safe, here are a few questions you might ask:

    • Should I lock my door?
    • What kind of lock or locks should I invest in?
    • Do I need a more advanced security system?
    • What are the assets in this scenario?
      • The privacy of my home
      • The items inside my home
    • What is the threat?
      • Someone could break in.
    • What is the actual risk of someone breaking in? Is it likely?

    Once you have asked yourself these questions, you are in a position to assess what measures to take. If your possessions are valuable, but the risk of a break-in is low, then you probably won’t want to invest too much money in a lock. On the other hand, if the risk is high, you’ll want to get the best locks on the market, and perhaps even add a security system.

    Last reviewed: 
    2015-01-12
  • Communicating with Others

    Telecommunication networks and the Internet have made communicating with people easier than ever, but have also made surveillance more prevalent than it has ever been in human history. Without taking extra steps to protect your privacy, every phone call, text message, email, instant message, voice over IP (VoIP) call, video chat, and social media message may be vulnerable to eavesdroppers.

    Often the safest way to communicate with others is in person, without computers or phones being involved at all. Because this isn’t always possible, the next best thing is to use end-to-end encryption while communicating over a network if you need to protect the content of your communications.

    How Does End-to-End Encryption Work? Anchor link

    When two people want to communicate securely (for example, Akiko and Boris) they must each generate crypto keys. Before Akiko sends a message to Boris she encrypts it to Boris's key so that only Boris can decrypt it. Then she sends the already-encrypted message across the Internet. If anyone is eavesdropping on Akiko and Boris—even if they have access to the service that Akiko is using to send this message (such as her email account)—they will only see the encrypted data and will be unable read the message. When Boris receives it, he must use his key to decrypt it into a readable message.

    End-to-end encryption involves some effort, but it's the only way that users can verify the security of their communications without having to trust the platform that they're both using. Some services, such as Skype, have claimed to offer end-to-end encryption when it appears that they actually don't. For end-to-end encryption to be secure, users must be able to verify that the crypto key they're encrypting messages to belongs to the people they believe they do. If communications software doesn't have this ability built-in, then any encryption that it might be using can be intercepted by the service provider itself, for instance if a government compels it to.

    You can read Freedom of the Press Foundation's whitepaper, Encryption Works for detailed instructions on using end-to-end encryption to protect instant messages and email. Be sure to check out the following SSD modules as well:

    Voice Calls Anchor link

    When you make a call from a landline or a mobile phone, your call is not end-to-end encrypted. If you're using a mobile phone, your call may be (weakly) encrypted between your handset and the cell phone towers. However as your conversation travels through the phone network, it's vulnerable to interception by your phone company and, by extension, any governments or organizations that have power over your phone company. The easiest way to ensure you have end-to-end encryption on voice conversations is to use VoIP instead.

    Beware! Most popular VoIP providers, such as Skype and Google Hangouts, offer transport encryption so that eavesdroppers cannot listen in, but the providers themselves are still potentially able to listen in. Depending on your threat model, this may or may not be a problem.

    Some services that offer end-to-end encrypted VoIP calls include:

    In order to have end-to-end encrypted VoIP conversations, both parties must be using the same (or compatible) software.

    Text Messages Anchor link

    Standard text (SMS) messages do not offer end-to-end encryption. If you want to send encrypted messages on your phone, consider using encrypted instant messaging software instead of text messages.

    Some end-to-end encrypted instant messaging services use their own protocol. So, for instance, users of Signal on Android and iOS can chat securely with others who use those programs. ChatSecure is a mobile app that encrypts conversations with OTR on any network that uses XMPP, which means you can choose from a range of independent instant messaging services.

    Instant Messages Anchor link

    Off-the-Record (OTR) is an end-to-end encryption protocol for real-time text conversations that can be used on top of a variety of services.

    Some tools that incorporate OTR with instant messaging include:

    Email Anchor link

    Most email providers give you a way of accessing your email using a web browser, such as Firefox or Chrome. Of these providers, most of them provide support for HTTPS, or transport-layer encryption. You can tell that your email provider supports HTTPS if you log in to your webmail and the URL at the top of your browser begins with the letters HTTPS instead of HTTP (for example: https://mail.google.com).

    If your email provider supports HTTPS, but does not do so by default, try replacing HTTP with HTTPS in the URL and refresh the page. If you’d like to make sure that you are always using HTTPS on sites where it is available, download the HTTPS Everywhere browser add-on for Firefox or Chrome.

    Some webmail providers that use HTTPS by default include:

    • Gmail
    • Riseup
    • Yahoo

    Some webmail providers that give you the option of choosing to use HTTPS by default by selecting it in your settings. The most popular service that still does this is Hotmail.

    What does transport-layer encryption do and why might you need it? HTTPS, also referred to as SSL or TLS, encrypts your communications so that it cannot be read by other people on your network. This can include the other people using the same Wi-Fi in an airport or at a café, the other people at your office or school, the administrators at your ISP, malicious hackers, governments, or law enforcement officials. Communications sent over your web browser, including the web pages that you visit and the content of your emails, blog posts, and messages, using HTTP rather than HTTPS are trivial for an attacker to intercept and read.

    HTTPS is the most basic level of encryption for your web browsing that we recommend for everybody. It is as basic as putting on your seat belt when you drive.

    But there are some things that HTTPS does not do. When you send email using HTTPS, your email provider still gets an unencrypted copy of your communication. Governments and law enforcement may be able to access this data with a warrant. In the United States, most email providers have a policy that says they will tell you when you have received a government request for your user data as long as they are legally allowed to do so, but these policies are strictly voluntary, and in many cases providers are legally prevented from informing their users of requests for data. Some email providers, such as Google, Yahoo, and Microsoft, publish transparency reports, detailing the number of government requests for user data they receive, which countries make the requests, and how often the company has complied by turning over data.

    If your threat model includes a government or law enforcement, or you have some other reason for wanting to make sure that your email provider is not able to turn over the contents of your email communications to a third party, you may want to consider using end-to-end encryption for your email communications.

    PGP (or Pretty Good Privacy) is the standard for end-to-end encryption of your email. Used correctly, it offers very strong protections for your communications. For detailed instructions on how to install and use PGP encryption for your email, see:

    What End-To-End Encryption Does Not Do Anchor link

    End-to-end encryption only protects the content of your communication, not the fact of the communication itself. It does not protect your metadata—which is everything else, including the subject line of your email, or who you are communicating with and when.

    Metadata can provide extremely revealing information about you even when the content of your communication remains secret.

    Metadata about your phone calls can give away some very intimate and sensitive information. For example:

    • They know you rang a phone sex service at 2:24 am and spoke for 18 minutes, but they don't know what you talked about.
    • They know you called the suicide prevention hotline from the Golden Gate Bridge, but the topic of the call remains a secret.
    • They know you spoke with an HIV testing service, then your doctor, then your health insurance company in the same hour, but they don't know what was discussed.
    • They know you received a call from the local NRA office while it was having a campaign against gun legislation, and then called your senators and congressional representatives immediately after, but the content of those calls remains safe from government intrusion.
    • They know you called a gynecologist, spoke for a half hour, and then called the local Planned Parenthood's number later that day, but nobody knows what you spoke about.

    If you are calling from a cell phone, information about your location is metadata. In 2009, Green Party politician Malte Spitz sued Deutsche Telekom to force them to hand over six months of Spitz’s phone data, which he made available to a German newspaper. The resulting visualization showed a detailed history of Spitz’s movements.

    Protecting your metadata will require you to use other tools, such as Tor, at the same time as end-to-end encryption.

    For an example of how Tor and HTTPS work together to protect the contents of your communications and your metadata from a variety of potential attackers, you may wish to take a look at this explanation.

    Last reviewed: 
    2017-01-12
  • Keeping Your Data Safe

    One of the greatest challenges of defending your data from those who might want it is the sheer size of the information you store or carry, and the ease by which it can be taken from you. Many of us carry entire histories of our contacts, our communications, and our current documents on laptops, or even mobile phones. That data can include confidential information of dozens, even thousands, of people. A phone or laptop can be stolen, or copied in seconds.

    The United States is just one of many countries that seizes and copies data at borders. Data can be taken from you at roadblocks, grabbed from you in the street, or burgled from your house.

    Just as you can keep your communications safer with encryption, you can also make it harder for those who physically steal data to unlock its secrets. Computers and mobile phones can be locked by passwords, PINs or gestures, but these locks do not help protect data if the device itself is seized. It's relatively simple to bypass these locks, because your data is stored in an easily readable form within the device. All an attacker needs to do is to access the storage directly, and the data can be copied or examined without knowing your password.

    If you use encryption, your adversary needs not just your device, but also your password to unscramble the encrypted data—there's no shortcut.

    It's safest and easiest to encrypt all of your data, not just a few folders. Most computers and smartphones offer complete, full-disk encryption as an option. Android offers it under its "Security" settings, Apple devices such as the iPhone and iPad describe it as "Data Protection" and turn it on if you set a passcode. On computer running Windows Pro, it's known as "BitLocker." 

    BitLocker's code is closed and proprietary, which means it is hard for external reviewers to know exactly how secure it is. Using BitLocker requires you trust Microsoft provides a secure storage system without hidden vulnerabilities. On the other hand, if you're already using Windows, you are already trusting Microsoft to the same extent. If you are worried about surveillance from the kind of attackers who might know of or benefit from a back door in either Windows or BitLocker, you may wish to consider an alternative open source operating system such as GNU/Linux or BSD, especially a version that has been hardened against security attacks, such Tails or Qubes OS.

    Apple provides a built-in full disk encryption feature on macOS called FileVault.  On Linux distributions, full-disk encryption is usually offered when you first set up your system. At the time this guide was updated, we do not have a full disk encryption tool for versions of Windows that do not include BitLocker that we can recommend.

    Whatever your device calls it, encryption is only as good as your password. If your attacker has your device, they have all the time in the world to try out new passwords. Forensic software can try millions of passwords a second. That means that a four number pin is unlikely to protect your data for very long at all, and even a long password may merely slow down your attacker. A really strong password under these conditions should be over fifteen characters long.

    Most of us are not realistically going to learn and enter such passphrases on our phones or mobile devices. So while encryption can be useful to prevent casual access, you should preserve truly confidential data by keeping it hidden from physical access by attackers, or cordoned away on a much more secure machine.

    Create a Secure Machine Anchor link

    Maintaining a secure environment can be hard work. At best, you have to change passwords, habits, and perhaps the software you use on your main computer or device. At worst, you have to constantly think about whether you're leaking confidential information or using unsafe practices. Even when you know the problems, some solutions may be out of your hands. Other people might require you to continue unsafe digital security practices even after you have explained the dangers. For instance, work colleagues might want you to continue to open email attachments from them, even though you know your attackers could impersonate them and send you malware. Or you may be concerned that your main computer has already been compromised.

    One strategy to consider is cordoning off valuable data and communications onto a more secure computer. Use that machine only occasionally, and when you do, consciously take much more care over your actions. If you need to open attachments, or use insecure software, do it on another machine.

    If you're setting up a secure machine, what extra steps can you take to make it secure?

    You can almost certainly keep the device in a more physically safe place: somewhere where you are able to tell if it has been tampered with, such as a locked cabinet.

    You can install a privacy- and security-focused operating system like Tails. You might not be able (or want) to use an open source operating system in your everyday work, but if you just need to store, edit and write confidential emails or instant messages from this secure device, Tails will work well, and defaults to high security settings.

    An extra, secure computer may not be as expensive an option as you think. A computer that is seldom used, and only runs a few programs, does not need to be particularly fast or new. You can buy an older netbook for a fraction of the price of a modern laptop or phone. Older machines also have the advantage that secure software like Tails may be more likely to work with them than newer models.

    You can use the secure machine to keep the primary copy of confidential data. A secure machine can be valuable in cordoning off private data in this way, but you should also consider a couple of extra risks it might create. If you concentrate your most treasured information onto this one computer, it may make it more of an obvious target. Keep it well hidden, don't discuss its location, and don't neglect to encrypt the computer's drive with a strong password, so that if it is stolen, the data will remain unreadable without the password safe.

    Another risk is the danger that destroying this one machine will destroy your only copy of the data.

    If your adversary would benefit from you losing all your data, don't keep it in just one place, no matter how secure. Encrypt a copy and keep it somewhere else.

    The highest level of protection from Internet attacks or online surveillance is, not surprisingly, not connecting to the Internet at all. You could make sure your secure computer never connects to a local network or Wifi, and only copy files onto the machine using physical media, like DVDs or USB drives. In network security, this is known as having an "air gap" between the computer and the rest of the world. Not many people go this far, but it can be an option if you want to keep data that is rarely accessed but you never want to lose. Examples might be an encryption key you only use for important messages (like "My other encryption keys are now insecure"), a list of passwords or instructions for other people to find if you are unavailable, or a backup copy of someone else's private data that has been entrusted to you. In most of these cases, you might want to consider just having a hidden storage device, rather than a full computer. An encrypted USB key kept safely hidden is probably as useful (or as useless) as a complete computer unplugged from the Internet.

    If you do use the secure device to connect to the Internet, you might choose not to log in or use your usual accounts. Create separate web or email accounts that you use for communications from this device, and use Tor to keep your IP address hidden from those services. If someone is choosing to specifically target your identity with malware, or is only intercepting your communications, separate accounts and Tor can help break the link between your identity, and this particular machine.

    A variation on the idea of a secure machine is to have an insecure machine: a device that you only use when you are going into dangerous places or need to try a risky operation. Many journalists and activists, for instance, take a minimal netbook with them when they travel. This computer does not have any of their documents, usual contact or email information on it, and so is less of a loss if it is confiscated or scanned. You can apply the same strategy to mobile phones. If you usually use a smartphone, consider buying a cheap throwaway or burner phone when travelling or for specific communications.

    Last reviewed: 
    2016-12-01
  • Creating Strong Passwords

    Because remembering many different passwords is difficult, people often reuse a small number of passwords across many different accounts, sites, and services. Today, users are constantly being asked to come up with new passwords—many people end up reusing the same password dozens or even hundreds of times.

    Reusing passwords is an exceptionally bad security practice, because if an attacker gets hold of one password, she will often try using that password on various accounts belonging to the same person. If that person has reused the same password several times, the attacker will be able to access multiple accounts. That means a given password may be only as secure as the least secure service where it's been used.

    Avoiding password reuse is a valuable security precaution, but you won't be able to remember all your passwords if each one is different. Fortunately, there are software tools to help with this—a password manager (also called a password safe) is a software application that helps store a large number of passwords safely. This makes it practical to avoid using the same password in multiple contexts. The password manager protects all of your passwords with a single master password (or, ideally a passphrasesee discussion below) so you only have to remember one thing. People who use a password manager no longer actually know the passwords for their different accounts; the password manager can handle the entire process of creating and remembering the passwords for them.

    For example, KeePassX is an open source, free password safe that you keep on your desktop. It's important to note that if you're using KeePassX, it will not automatically save changes and additions. This means that if it crashes after you've added some passwords, you can lose them forever. You can change this in the settings.

    Using a password manager also helps you choose strong passwords that are hard for an attacker to guess. This is important too; too often computer users choose short, simple passwords that an attacker can easily guess, including "password1," "12345," a birthdate, or a friend's, spouse's, or pet's name. A password manager can help you create and use a random password without pattern or structure—one that won't be guessable. For example, a password manager is able to choose passwords like "vAeJZ!Q3p$Kdkz/CRHzj0v7,” which a human being would be unlikely to remember—or guess. Don't worry; the password manager can remember these for you!

    Syncing Your Passwords Across Multiple Devices Anchor link

    You may use your passwords on more than one device, such as your computer and your smart phone. Many password managers have a password-synchronizing feature built in. When you sync your password file, it will be up to date on all of your devices, so that if you’ve added a new account on your computer, you will still be able to log into it from your phone. Other password managers will offer to store your passwords “in the cloud,” which is to say, they will store your passwords encrypted on a remote server, and when you need them on a laptop or mobile, they will retrieve and decrypt them for you automatically. Password managers that use their own servers to store or help synchronize your passwords are more convenient, but the trade-off is that they are slightly more vulnerable to attack. If you just keep your passwords on your computer, then someone who can take over your computer may be able to get hold of them. If you keep them in the cloud, your attacker may target that also. It's not usually a compromise you need to worry about unless your attacker has legal powers over the password manager company or is known for targeting companies or internet traffic. If you use a cloud service, the password manager company may also know what services you use, when, and where from.

    Choosing Strong Passwords Anchor link

    There are a few passwords that do need to be memorized and that need to be particularly strong: those that ultimately lock your own data with cryptography. That includes, at least, passwords for your device, encryption like full-disk encryption, and the master password for your password manager.

    Computers are now fast enough to quickly guess passwords shorter than ten or so characters. That means short passwords of any kind, even totally random ones like nQ\m=8*x or !s7e&nUY or gaG5^bG, are not strong enough for use with encryption today.

    There are several ways to create a strong and memorable passphrase; the most straightforward and sure-fire method is Arnold Reinhold's "Diceware."

    Reinhold's method involves rolling physical dice to randomly choose several words from a word list; together, these words will form your passphrase. For disk encryption (and password safe), we recommend selecting a minimum of six words.

    Try making a password using Reinhold’s “Diceware” method.

    When you use a password manager, the security of your passwords and your master password is only as strong as the security of the computer where the password manager is installed and used. If your computer or device is compromised and spyware is installed, the spyware can watch you type your master password and could steal the contents of the password safe. So it's still very important to keep your computer and other devices clean of malicious software when using a password manager.

    A Word About “Security Questions” Anchor link

    Be aware of the “security questions” (such as “What is your mother’s maiden name?” or "What was your first pet's name?") that websites use to confirm your identity if you do forget your password. Honest answers to many security questions are publicly discoverable facts that a determined adversary can easily find, and therefore bypass your password entirely. For instance, US vice-presidential candidate Sarah Palin had her Yahoo! account hacked this way. Instead, give fictional answers that, like your password, no one knows but you. For example, if the password question asks you your pet’s name, you may have posted photos to photo sharing sites with captions such as “Here is a photo of my cute cat, Spot!” Instead of using “Spot” as your password recovery answer, you might choose “Rumplestiltskin.” Do not use the same passwords or security question answers for multiple accounts on different websites or services. You should store your fictional answers in your password safe, too.

    Think of sites where you’ve used security questions. Consider checking your settings and changing your responses.

    Remember to keep a backup of your password safe! If you lose your password safe in a crash (or if you have your devices taken away from you), it may be hard to recover your passwords. Password safe programs will usually have a way to make a separate backup, or you can use your regular backup program.

    You can usually reset your passwords by asking services to send you a password recovery email to your registered email address. For that reason, you may want to memorize the passphrase to this email account also. If you do that, then you will have a way of resetting passwords without depending on your password safe.

    Multi-factor Authentication and One-time Passwords Anchor link

    Many services and software tools let you use two-factor authentication, also called two-step authentication or two-step login. Here the idea is that in order to log in, you need to be in possession of a certain physical object: usually a mobile phone, but, in some versions, a special device called a security token. Using two-factor authentication ensures that even if your password for the service is hacked or stolen, the thief won't be able to log in unless they also have possession or control of a second device and the special codes that only it can create.

    Typically, this means that a thief or hacker would have to control both your laptop and your phone before they have full access to your accounts.

    Because this can only be set up with the cooperation of the service operator, there is no way to do this by yourself if you're using a service that doesn't offer it.

    Two-factor authentication using a mobile phone can be done in two ways: the service can send you an SMS text message to your phone whenever you try to log in (providing an extra security code that you need to type in), or your phone can run an authenticator application that generates security codes from inside the phone itself. This will help protect your account in situations where an attacker has your password but does not have physical access to your mobile phone.

    Some services, such as Google, also allow you to generate a list of one-time passwords, also called single-use passwords. These are meant to be printed or written down on paper and carried with you (although in some cases it might be possible to memorize a small number of them). Each of these passwords works only once, so if one is stolen by spyware when you enter it, the thief won't be able to use it for anything in the future.

    If you or your organization run your own communications infrastructure, such as your own e-mail servers, there's freely available software that can be used to enable two-factor authentication for accessing your systems. Ask your systems administrators to look for software offering implementations of the open standard “Time-Based One-Time Passwords” or RFC 6238.

    Threats of Physical Harm or Imprisonment Anchor link

    Finally, understand that there is always one way that attackers can obtain your password: They can directly threaten you with physical harm or detention. If you fear this may be a possibility, consider ways in which you can hide the existence of the data or device you are password-protecting, rather than trust that you will never hand over the password. One possibility is to maintain at least one account that contains largely unimportant information, whose password you can divulge quickly.

    If you have good reason to believe that someone may threaten you for your passwords, it's good to make sure your devices are configured so that it won't be obvious that the account you are revealing is not the “real” one. Is your real account shown in your computer's login screen, or automatically displayed when you open a browser? If so, you may need to reconfigure things to make your account less obvious.

    In some jurisdictions, such as the United States or Belgium, you may be able to legally challenge a demand for your password. In other jurisdictions, such as the United Kingdom or India, local laws allow the government to demand disclosure. EFF has detailed information for anyone travelling across U.S. borders who wishes to protect their data on their digital devices in our Defending Privacy at the U.S. Border guide.

    Please note that intentional destruction of evidence or obstruction of an investigation can be charged as a separate crime, often with very serious consequences. In some cases, this can be easier for the government to prove and allow for more substantial punishments than the alleged crime originally being investigated.

    Last reviewed: 
    2016-01-13
  • Attending Protests (International)

    With the proliferation of personal technologies, protesters of all political persuasions are increasingly documenting their protests—and encounters with the police—using electronic devices like cameras and mobile phones. In some cases, getting that one shot of the riot police coming right at you posted somewhere on the Internet is an exceptionally powerful act and can draw vital attention to your cause. The following are useful tips for you to remember if you find yourself at a protest and are concerned about protecting your electronic devices if or when you’re questioned, detained, or arrested by police. Remember that these tips are general guidelines, so if you have specific concerns, please talk to an attorney.

    Preparing Your Personal Devices for a Protest Anchor link

    Think carefully about what’s on your phone before bringing it to a protest. Your phone contains a wealth of private data, which can include your list of contacts, the people you have recently called, your text messages and email, photos and video, GPS location data, your web browsing history and passwords, and the contents of your social media accounts. Through stored passwords or active logins, access to the device can allow someone to obtain yet even more information on remote servers. (You can log out of these services).

    In many countries, people are required to register their SIM cards when they purchase a mobile phone. If you take your mobile phone with you to a protest, it makes it easy for the government to figure out that you are there. If you need to keep your participation in a protest secret from governments or law enforcement, cover your face so that it is harder to identify you from photos. However, do note that masks may get you into trouble in some locations due to anti-mask laws. Also, do not take your mobile phone with you. If you absolutely must bring a mobile phone with you, try to bring one that is not registered in your name.

    To protect your rights, you may want to harden your existing phone against searches. You should also consider bringing a throwaway or alternate phone to the protest that does not contain sensitive data, which you’ve never used to log in to your communications or social media accounts, and which you would not mind losing or parting with for a while. If you have a lot of sensitive or personal information on your phone, the latter might be a better option.

    Password-protection and encryption options: Always password-protect your phone. But while password-protecting your phone is a small barrier to access, please be aware that merely password-protecting or locking your phone is not an effective barrier to expert forensic analysis. Android and iPhone both provide options for full-disk encryption on their operating systems, and you should use them, though the safest option remains leaving the phone elsewhere.

    One problem with mobile phone encryption is that on Android the same password is used for disk encryption and screen unlocking. This was a bad design, because it forces the user to either select a too-weak password for the encryption, or to type a too-long and inconvenient password for the screen. The best compromise may be 8-12 fairly random characters that are nonetheless easy to type quickly on your particular device. Or if you have root access to your Android phone and know how to use a shell, read here for instructions on how to set up a separate (longer) password for full-disk encryption. (See also "Communicating with Others” for details on how to encrypt text and voice calls.)

    Back up your data: It’s important that you frequently back up the data stored on your phone, especially if your device lands into the hands of a police officer. You may not get your phone back for a while (if at all) and it is possible that its contents may be deleted, whether intentionally or not.

    For similar reasons, consider writing one important, but non-incriminating phone number on your body with a permanent marker in case you lose your phone, but are permitted to make a call.

    Cell site location information: If you take your mobile phone with you to a protest, it makes it easy for the government to figure out that you are there by seeking the information from your provider. (We believe that governments should obtain an individualized warrant to obtain location information, but governments often disagree). If you need to keep the fact of your participation in a protest from the government, do not take your mobile phone with you. If you absolutely must bring a mobile phone with you, try to bring one that is not registered in your name.

    If you are concerned about being arrested at the protest, it’s best practice to pre-arrange a message to a trusted friend who is in a safe place. Write your text message to that person in advance and queue it up so that you can send it quickly in case of an emergency to let them know you have been arrested. Similarly, you may want to plan a pre-arranged call after the protest with a friend—if they don’t hear from you, they can assume you’ve been arrested.

    In addition to being made aware that your phone has been seized and you have been arrested, that trusted friend might be able to change the passwords to your email and social media accounts in case you are coerced into giving up your passwords to the authorities.

    Please note that deliberately concealing or destroying evidence may be considered an illegal act in itself in some jurisdictions (including many social democracies).

    Be sure you and your friend understand the law and the risks before engaging in this plan. For instance, if you are protesting in a country with a strong tradition of the rule of law and where protesting in itself is not a crime, it may be that conspiring to lock out law enforcement from your accounts may lead to you breaking the law when previously you would be able to leave without charge. On the other hand, if you are concerned for the physical safety of you and your colleagues at the hands of a unchecked militia, protecting your friends’ identities and your own data from them may be a greater priority than complying with an investigation.

    You’re at the Protest—Now What? Anchor link

    Once you are at the protest, keep in mind that law enforcement may be monitoring communications in the area. You may wish to encrypt your chats using ChatSecure, or your text and phone conversations using Signal.

    Please remember that even if your communications are encrypted, your metadata is not; your mobile phone will still give away your location and the metadata about your communications, such as whom you are talking to and for how long.

    If you want to keep your identity and location secret, make sure to strip all metadata off of your photos before you post them.

    In other circumstances, metadata can be useful for demonstrating the credibility of evidence collected at a protest. The Guardian Project makes a tool called InformaCam that allows you to store metadata along with including information about the user’s current GPS coordinates, altitude, compass bearing, light meter readings, the signatures of neighboring devices, cell towers, and WiFi networks; and serves to shed light on the exact circumstances and contexts under which the digital image was taken.

    Last reviewed: 
    2015-11-19
  • Attending Protests (United States)

    With the proliferation of personal technologies, protesters of all political persuasions are increasingly documenting their protests—and encounters with the police—using electronic devices like cameras and mobile phones. In some cases, getting that one shot of the riot police coming right at you posted somewhere on the Internet is an exceptionally powerful act and can draw vital attention to your cause.

    The following are useful tips for you to remember if you find yourself at a protest and are concerned about protecting your electronic devices if or when you’re questioned, detained, or arrested by police. Remember that these tips are general guidelines, so if you have specific concerns, please talk to an attorney.

    Protect your Phone Before you Protest Anchor link

    Think carefully about what’s on your phone before bringing it to a protest.

    Your phone contains a wealth of private data, which can include your list of contacts, the people you have recently called, your text messages and email, photos and video, GPS location data, your web browsing history and passwords or active logins, and the contents of your email and social media accounts. Through stored passwords, access to the device can allow someone to obtain yet even more information on remote servers.

    The United States Supreme Court recently held that the police are required to get a warrant to obtain this information when someone is arrested, but the exact limits of that ruling are still being examined. In addition, sometimes law enforcement will seek to seize a phone because they believe it contains evidence of a crime (such as photos you may have taken of the protest), or as part of a vehicle search. They can then later get a warrant to examine the phone that they’ve already seized.

    To protect your rights, you may want to harden your existing phone against searches. You should also consider bringing a throwaway or alternate phone to the protest that does not contain sensitive data, which you’ve never used to log in to your communications or social media accounts, and which you would not mind losing or parting with for a while. If you have a lot of sensitive or personal information on your phone, the latter might be a better option.

    Password-protection and encryption options: Always password-protect your phone. Be aware that merely password-protecting or locking your phone is not an effective barrier to expert forensic analysis. Android and iPhone both provide options for full-disk encryption on their operating systems, and you should use them, though the safest option remains leaving the phone elsewhere.

    One problem with mobile phone encryption is that on Android the same password is used for disk encryption and screen unlocking. This was a bad design, because it forces the user to either select a too-weak password for the encryption, or to type a too-long and inconvenient password for the screen. The best compromise may be 8-12 fairly random characters that are nonetheless easy to type quickly on your particular device. Or if you have root access to your Android phone and know how to use a shell, read here. (See also "Communicating with Others” for details on how to encrypt text and voice calls.)

    Back up your data: It’s important that you frequently back up the data stored on your phone, especially if your device lands into the hands of a police officer. You may not get your phone back for a while (if at all) and it is possible that its contents may be deleted, whether intentional or not. While we believe it would be improper for the police to delete your information, there’s a chance it could happen.

    For similar reasons, consider writing one important, but non-incriminating phone number on your body with a permanent marker in case you lose your phone, but are permitted to make a call.

    Cell site location information: If you take your mobile phone with you to a protest, it makes it easy for the government to figure out that you are there by seeking the information from your provider. (We believe that the law requires the government obtain an individualized warrant to obtain location information, but the government disagrees). If you need to keep the fact of your participation in a protest from the government do not take your mobile phone with you. If you absolutely must bring a mobile phone with you, try to bring one that is not registered in your name.

    You may not be able to reach colleagues if you are detained. You may want to plan a pre-arranged call after the protest with a friend—if they don’t hear from you, they can assume you’ve been arrested.

    You’re at the Protest – now What? Anchor link

    Maintain control over your phone: Maintaining control might mean keeping your phone on you at all times, or handing it over to a trusted friend if you are engaging in action that you think might lead to your arrest.

    Consider taking pictures and video: Just knowing that there are cameras documenting the event can be enough to discourage police misconduct during the protest. EFF believes that you have the First Amendment right to document public protests, including police action. However, please understand that the police may disagree, citing various local and state laws. If you plan to record audio, you should review this helpful guide, the Reporter’s Committee for Freedom of the Press’ Can We Tape?.

    If you want to keep your identity and location secret, make sure to strip all metadata off of your photos before you post them.

    In other circumstances, metadata can be useful for demonstrating the credibility of evidence collected at a protest. The Guardian Project makes a tool called InformaCam that allows you to store metadata along with including information about the user’s current GPS coordinates, altitude, compass bearing, light meter readings, the signatures of neighboring devices, cell towers, and WiFi networks; and serves to shed light on the exact circumstances and contexts under which the digital image was taken.

    If you take photos or video, the police may also seek to seize your phone to obtain the material as evidence. If you are engaged in journalism, you may be able to assert the reporter’s privilege to protect your unpublished material. The RCFP has a guide explaining the Reporter’s Privilege in various states.

    If you are concerned about being identified, cover your face so that you cannot be identified from photos. Masks may get you into trouble in some locations due to anti-mask laws.

    Help! Help! I’m Being Arrested Anchor link

    Remember that you have a right to remain silent—about your phone and anything else.

    If questioned by police, you can politely but firmly ask to speak to your attorney and politely but firmly request that all further questioning stop until your attorney is present. It is best to say nothing at all until you have a chance to talk to a lawyer. However, if you do decide to answer questions, be sure to tell the truth. It is likely a crime to lie to a police officer and you may find yourself in more trouble for lying to law enforcement than for whatever it was they wanted on your computer.

    If the police ask to see your phone, you can tell them you do not consent to the search of the device. They might still be able to search your phone with a warrant after they arrest you, but at least it’s clear that you did not give them permission to do so.

    If the police ask for the password to your electronic device (or ask you to unlock it), you can politely refuse to provide it and ask to speak to your lawyer. If the police ask if a phone is yours, you can tell them that it is lawfully in your possession without admitting or denying ownership or control. Every arrest situation is different, and you will need an attorney to help you sort through your particular circumstance.

    Ask your attorney about the Fifth Amendment, which protects you from being forced to give the government self-incriminating testimony. If turning over an encryption key or password triggers this right, not even a court can force you to divulge the information. If turning over an encryption key or password will reveal to the government information it does not have (such as demonstrating that you have control over files on a computer), there is a strong argument that the Fifth Amendment protects you. If, however, turning over passwords and encryption keys will not result in a “testimonial act,” for instance demonstrating that you have control over the data, then the Fifth Amendment may not protect you. Your attorney can help you figure out how this applies in a particular situation.

    And just because the police cannot compel you to give up your password, doesn’t mean that they can’t pressure you. The police may detain you and you may go to jail rather than being immediately released if they think you’re refusing to be cooperative. You will need to decide whether to comply.

    The Police Have my Phone, How do I Get it Back? Anchor link

    If your phone or electronic device was illegally seized, and is not promptly returned when you are released, you can have your attorney file a motion with the court to have your property returned. If the police believe that evidence of a crime was found on your electronic device, including in your photos or videos, the police can keep it as evidence. They may also attempt to make you forfeit your electronic device, but you can challenge that in court.

    Cell phones and other electronic devices are an essential component of 21st century protests. Everyone in the United States, both citizens and non-citizens, can and should exercise their First Amendment right to free speech and assembly, and hopefully the above tips can be a useful guide for you to intelligently manage the risks to your property and privacy.

    Last reviewed: 
    2015-01-09
  • Choosing Your Tools

    All digital tools, whether they are hardware or software, should be secure. That is, they should protect you from surveillance, and stop your device from being controlled by others. Sadly, this is currently not the case. For many digital activities, you may end up needing dedicated programs or equipment intended to provide specific security features. Examples we use in this guide include software that allows you to encrypt your messages or files, like PGP.

    But given the large number of companies and websites offering secure programs or hardware, how do you choose the one that's right for you?

    Security is a Process, not a Purchase Anchor link

    The first thing to remember before changing the software you use or buying new tools is that no tool is going to give you absolute protection from surveillance in all circumstances. Using encryption software will generally make it harder for others to read your communications or rummage through your computer's files. But attacks on your digital security will always seek out the weakest element of your security practices. When you use a new secure tool, you should think about how using it might affect other ways someone could target you. For example, if you decide to use a secure texting program to talk to a contact because you know that your phone might be compromised, might the fact that you're using this program at all give an adversary a clue that you are talking about private information?

    Secondly, remember your threat model. You don't need to buy some expensive encrypted phone system that claims to be “NSA-proof” if your biggest threat is physical surveillance from a private investigator with no access to internet surveillance tools. Alternatively, if you are facing a government that regularly jails dissidents because they use encryption tools, it may make sense to use simpler tricks—like a set of pre-arranged codes—rather than risk leaving evidence that you use encryption software on your laptop.

    Given all that, here are some questions you can ask about a tool before downloading, purchasing, or using it.

    How Transparent is it? Anchor link

    Even though digital security seems to be mostly about keeping secrets, there's a strong belief among security researchers that openness and transparency leads to more secure tools.

    Much of the software used and recommended by the digital security community is free and open source, which is to say that the code that defines how it works is publicly available for others to examine, modify, and share. By being transparent about how their program works, the creators of these tools invite others to look for security flaws, and help improve the program.

    Open software provides the opportunity for better security but does not guarantee it. The open source advantage relies in part on a community of technologists actually checking the code, which for small projects (and even for popular, complex ones) may be hard to achieve. When you're considering using a tool, see if its source code is available, and whether the code has an independent security audit to confirm the quality of its security. At the very least, software or hardware should have a detailed technical explanation of how it functions, for other experts to inspect.

    How Clear are its Creators About its Advantages and Disadvantages? Anchor link

    No software or hardware is entirely secure. Creators or sellers who are honest about the limitations of their product will give you a much stronger idea of whether their application is appropriate for you.

    Don't trust blanket statements that say that the code is “military-grade” or “NSA-proof”; these mean nothing and give a strong warning that the creators are overconfident or unwilling to consider the possible failings in their product.

    Because attackers are always trying to discover new ways to break the security of tools, software and hardware often needs to be updated to fix new vulnerabilities. It can be a serious problem if the creators of a tool are unwilling to do this, either because they fear bad publicity, or because they have not built the infrastructure to fix problems.

    You can't predict the future, but a good indicator of how toolmakers will behave in the future is their past activity. If the tool's website lists previous issues and links to regular updates and information—like specifically how long it has been since the software was last updated—you can be more confident that they will continue to provide this service in the future.

    What Happens if the Creators are Compromised? Anchor link

    When security toolmakers build software and hardware, they (just like you) must have a clear threat model. The best creators will explicitly describe what kind of attackers they can protect you from in their documentation.

    But there's one attacker that many manufacturers do not want to think about: what if they, themselves, are compromised or decide to attack their own users. For instance, a court or government may compel a company to give up personal data or create a “backdoor” that will remove all the protections their tool offers. You may want to consider the jurisdiction(s) where the creators are based. If your threat is from the government of Iran, for example, a US-based company will be able to resist Iranian court orders, even if it must comply with US orders.

    Even if a creator is able to resist government pressure, an attacker may attempt to achieve the same result by breaking into the toolmakers' own systems in order to attack its customers.

    The most resilient tools are those that consider this as a possible attack, and are designed to defend against this. Look for language that asserts that a creator cannot access private data, rather than promises that a creator will not. Look for institutions with a reputation for fighting court orders for personal data.

    Check for Recalls and Online Criticism Anchor link

    Of course, companies selling products and enthusiasts advertising their latest software can be misled, be misleading, or even outright lie. A product that was originally secure might be discovered to have terrible flaws in the future. Make sure you stay well-informed on the latest news about the tools that you use.

    Do you Know Others who Use the Same Tool? Anchor link

    It's a lot of work for one person to keep up with the latest news about a tool. If you have colleagues who use a particular product or service, work with them to stay abreast on what's happening.

    Products Mentioned in This Guide Anchor link

    We try to ensure that the software and hardware we mention in this guide complies with the criteria we've listed above: we have made a good faith effort to only list products that have a solid grounding in what we currently know about digital security, are generally transparent about their operation (and their failings), have defenses against the possibility that the creators themselves will be compromised, and are currently maintained, with a large and technically-knowledgeable user base. We believe that they have, at the time of writing, the eye of a wide audience who is examining them for flaws, and would raise concerns to the public quickly. Please understand that we do not have the resources to examine or make independent assurances about their security, we are not endorsing these products and cannot guarantee complete security.

    Which Phone Should I Buy? Which Computer? Anchor link

    One of the most frequent questions asked of security trainers is “Should I buy Android or an iPhone?” or “Should I use a PC or a Mac?” or “What operating system should I use?” There are no simple answers to these questions. The relative safety of software and devices is constantly shifting as new flaws are discovered and old bugs are fixed. Companies may compete with each other to provide you with better security, or they may all be under pressure from governments to weaken that security.

    Some general advice is almost always true, however. When you buy a device or an operating system, keep current with its software updates. Updates will often fix security problems in older code that attacks can exploit. Older phones and operating systems are no longer supported, even for security updates. In particular, Microsoft has made it clear that Windows XP and earlier Windows versions will not receive fixes for even severe security problems. If you use XP, you cannot expect it to be secure from attackers. (The same is true for OS X before 10.7.5 or "Lion").

    Last reviewed: 
    2014-11-04
  • How to: Circumvent Online Censorship

    This is a short overview to circumventing online censorship, but is by no means comprehensive. For a more in-depth guide on how to circumvent online censorship, check out FLOSS Manuals’ guide, Bypassing Censorship.

    Many governments, companies, schools, and public access points use software to prevent Internet users from accessing certain websites and Internet services. This is called Internet filtering or blocking and is a form of censorship. Content filtering comes in different forms. Sometimes entire websites are blocked, sometimes individual web pages, and sometimes content is blocked based on keywords contained in it. One country might block Facebook entirely, or only block particular Facebook group pages—or it might block any page or web search with the words “falun gong” in it.

    Regardless of how content is filtered or blocked, you can almost always get the information you need by using a circumvention tool. Circumvention tools usually work by diverting your web or other traffic through another computer, so that it bypasses the machines conducting the censorship. An intermediary service through which you channel your communications in this process is called a proxy.

    Circumvention tools do not necessarily provide additional security or anonymity, even those that promise privacy or security, even ones that have terms like “anonymizer” in their names.

    There are different ways of circumventing Internet censorship, some of which provide additional layers of security. The tool that is most appropriate for you depends on your threat model.

    If you’re not sure what your threat model is, start here.

    Basic Techniques Anchor link

    HTTPS is the secure version of the HTTP protocol used to access websites. Sometimes a censor will block the insecure version of a site only, allowing you to access that site simply by entering the version of the domain that starts with HTTPS. This is particularly useful if the filtering you're experiencing is based on keywords or only blocks individual web pages. HTTPS stops censors from reading your web traffic, so they cannot tell what keywords are being sent, or which individual web page you are visiting (censors can still see the domain names of all websites you visit).

    If you suspect this type of simple blocking, try entering https:// before the domain in place of http://.

    Try EFF’s HTTPS Everywhere plug-in to automatically turn on HTTPS for those sites that support it.

    Another way that you may be able to circumvent basic censorship techniques is by trying an alternate domain name or URL. For example, instead of visiting http://twitter.com, you might visit http://m.twitter.com, the mobile version of the site. Censors that block websites or web pages usually work from a blacklist of banned websites, so anything that is not on that blacklist will get through. They might not know of all the variations of a particular website's domain name—especially if the site knows it is blocked and registers more than one name.

    Web-based Proxies Anchor link

    A web-based proxy (such as http://proxy.org/) is a good way of circumventing censorship. In order to use a web-based proxy, all you need to do is enter the filtered address that you wish to use; the proxy will then display the requested content.

    Web-based proxies a good way to quickly access blocked websites, but often don’t provide any security and will be a poor choice if your threat model includes someone monitoring your internet connection. Additionally, they will not help you to use other blocked non-webpage services such as your instant messaging program. Finally, web-based proxies themselves pose a privacy risk for many users, depending on their threat model, since the proxy will have a complete record of everything you do online.

    Encrypted Proxies Anchor link

    There are numerous proxy tools that utilize encryption, providing an additional layer of security, as well as the ability to bypass filtering. Although the connection is encrypted, the tool provider may have your personal data, meaning that these tools do not provide anonymity. They are, however, more secure than a plain web-based proxy.

    The simplest form of an encrypted web proxy is one that starts with “https”—this will use the encryption usually provided by secure websites. Ironically, in the process, the owners of these proxies will get to see the data you send to and from other secure websites, so be cautious.

    Other tools use a hybrid approach—they act like a proxy, but contain elements of the encrypted services listed below. Examples of these tools include Ultrasurf and Psiphon.

    Virtual Private Networks Anchor link

    A Virtual Private Network (VPN) encrypts and sends all Internet data between your computer and another computer. This computer could belong to a commercial or nonprofit VPN service, your company, or a trusted contact. Once a VPN service is correctly configured, you can use it to access webpages, e-mail, instant messaging, VoIP and any other Internet service. A VPN protects your traffic from being intercepted locally, but your VPN provider can keep logs of your traffic (websites you access, and when you access them) or even provide a third party with the ability to snoop directly on your web browsing. Depending on your threat model, the possibility of a government listening in on your VPN connection or obtaining the logs may be a significant risk and, for some users, could outweigh the short-term benefits of using a VPN.

    For information about specific VPN services, click here. Disclaimer: some VPNs with exemplary privacy policies could well be run by devious people. Do not use a VPN that you do not trust.

    Tor Anchor link

    Tor is free and open-source software that is intended to provide you with anonymity, but which also allows you to circumvent censorship. When you use Tor, the information you transmit is safer because your traffic is bounced around a distributed network of servers, called relays. This could provide anonymity, since the computer with which you’re communicating will never see your IP address, but instead will see the IP address of the last Tor router through which your traffic traveled.

    When used with a couple of optional features (bridges and pluggable transports) Tor is the gold standard for secure censorship circumvention against a local state, since it will both bypass almost all national censorship, and if properly configured, protect your identity from an adversary listening in on your country’s networks. It can be slow and hard to use, however.

    To learn how to use Tor, click here

    Last reviewed: 
    2015-08-14
  • Protecting Yourself on Social Networks

    Social networking sites are some of the most popular websites and tools we use on the Internet. Facebook, Google+, and Twitter have hundreds of millions of users each.

    Social networks are often built on the idea of sharing posts, photographs, and personal information. Yet they have also become forums for organizing and speech—much of which relies on privacy and pseudonymity. Thus, the following questions are important to consider when using social networks: How can I interact with these sites while protecting myself? My basic privacy? My identity? My contacts and associations? What information do I want keep private and who do I want to keep it private from?

    Depending on your circumstances, you may need to protect yourself against the social media site itself, against other users of the site, or both.

    Here are some tips to keep in mind when you’re setting up your account:

    Registering for a Social Media Site Anchor link

    • Do you want to use your real name? Some social media sites have so-called "real name policies," but these have become more lax over time. If you do not want to use your real name when registering for a social media site, do not.
    • When you register, don't provide more information than is necessary. If you are concerned with hiding your identity, use a separate email address. Be aware that your IP address may be logged at registration.
    • Choose a strong password and, if possible, enable two-factor authentication.
    • Beware of password recovery questions whose answers can be mined from your social media details. For example: “What city were you born in?” or “What is the name of your pet?” You may want to choose password recovery answers that are false. One good way to remember the answers to password recovery questions, should you choose to use false answers for added security, is to note your chosen answers in a password safe.

    Check the Social Media Site's Privacy Policy Anchor link

    Remember that information stored by third parties is subject to their own policies and may be used for commercial purposes or shared with other companies, for example, marketing firms. We know that reading privacy policies is a near-impossible task, but you may want to take a look at sections on how your data is used, when it is shared with other parties, and how the service responds to law enforcement requests.

    Social networking sites, usually for-profit businesses, often collect sensitive information beyond what you explicitly input—where you are, what interests and advertisements you react to, what other sites you've visited (e.g. through "Like" buttons). It can be helpful to block third-party cookies and use tracker-blocking browser extensions to make sure extraneous information isn't being passively transmitted to third parties.

    Some social networking sites, like Facebook and Twitter, have business relationships with data brokers in order to target advertisements more effectively. EFF has guides that walk you through how to opt-out of these tracking schemes:

    Change Your Privacy Settings Anchor link

    Specifically, change the default settings. For example, do you want to share your posts with the public, or only with a specific group of people? Should people be able to find you using your email address or phone number? Do you want your location shared automatically?

    Remember, privacy settings are subject to change. Sometimes, these privacy settings get stronger and more granular; sometimes not. Be sure to pay attention to these changes closely to see if any information that was once private will be shared, or if any additional settings will allow you to take more control of your privacy.

    Your Social Graph Anchor link

    Remember that you’re not the only person who can give away potentially sensitive data about yourself. Your friends can tag you in photos, report your location, and make their connections to you public in a variety of ways. You may have the option of untagging yourself from these posts, but privacy does not work retroactively. You may want to talk to your friends about what you do and do not feel comfortable having them share about you in public.

    Last reviewed: 
    2015-02-10
JavaScript license information