With so many companies and websites offering tools geared towards helping individuals improve their own digital security, how do you choose the tools that are right for you?
We don’t have a foolproof list of tools that can defend you (though you can see some common choices in our Tool Guides). But if you have a good idea of what you are trying to protect, and who you are trying to protect it from, this guide can help you choose the appropriate tools using some basic guidelines.
Remember, security isn't about the tools you use or the software you download. It begins with understanding the unique threats you face and how you can counter those threats. Check out our Assessing your Risks guide for more information.
Security is a Process, not a Purchase Anchor link
The first thing to remember before changing the software you use or buying new tools is that no tool or piece of software will give you absolute protection from surveillance in all circumstances. Therefore, it’s important to think about your digital security practices holistically. For example, if you use secure tools on your phone, but don’t put a password on your computer, the tools on your phone might not help you much. If someone wants to find out information about you, they will choose the easiest way to obtain that information, not the hardest.
Secondly, it’s impossible to protect against every kind of trick or attacker, so you should concentrate on which people might want your data, what they might want from it, and how they might get it. If your biggest threat is physical surveillance from a private investigator with no access to internet surveillance tools, you don't need to buy some expensive encrypted phone system that claims to be "NSA-proof." Alternatively, if you face a government that regularly jails dissidents because they use encryption tools, it may make sense to use simpler tactics—like arranging a set of harmless-sounding, pre-arranged codes to convey messages—rather than risk leaving evidence that you use encryption software on your laptop. Coming up with a set of possible attacks you plan to protect against is called threat modeling.
Given all that, here are some questions you can ask about a tool before downloading, purchasing, or using it.
How Transparent is it? Anchor link
There's a strong belief among security researchers that openness and transparency leads to more secure tools.
Much of the software the digital security community uses and recommends is open-source. This means the code that defines how it works is publicly available for others to examine, modify, and share. By being transparent about how their program works, the creators of these tools invite others to look for security flaws and help improve the program.
Open-source software provides the opportunity for better security, but does not guarantee it. The open source advantage relies, in part, on a community of technologists actually checking the code, which, for small projects (and even for popular, complex ones), may be hard to achieve.
When considering a tool, see if its source code is available and whether it has an independent security audit to confirm the quality of its security. At the very least, software or hardware should have a detailed technical explanation of how it functions for other experts to inspect.
How Clear are its Creators About its Advantages and Disadvantages? Anchor link
No software or hardware is entirely secure. Seek out tools with creators or sellers who are honest about the limitations of their product.
Blanket statements that say that the code is “military-grade” or “NSA-proof” are red flags. These statements indicate that the creators are overconfident or unwilling to consider the possible failings in their product.
Because attackers are always trying to discover new ways to break the security of tools, software and hardware needs to be updated to fix vulnerabilities. It can be a serious problem if the creators are unwilling to do this, either because they fear bad publicity or because they have not built the infrastructure to do so. Look for creators who are willing to make these updates, and who are honest and clear about why they are doing so.
A good indicator of how toolmakers will behave in the future is their past activity. If the tool's website lists previous issues and links to regular updates and information—like specifically how long it has been since the software was last updated—you can be more confident that they will continue to provide this service in the future.
What Happens if the Creators are Compromised? Anchor link
When security toolmakers build software and hardware, they (just like you) must have a clear threat model. The best creators explicitly describe what kind of adversaries they can protect you from in their documentation.
But there's one attacker that many manufacturers do not want to think about: themselves! What if they are compromised or decide to attack their own users? For instance, a court or government may compel a company to hand over personal data or create a “backdoor” that will remove all the protections their tool offers. So consider the jurisdiction(s) where the creators are based. If you’re worried about protecting yourself from the government of Iran, for example, a US-based company will be able to resist Iranian court orders, even if it must comply with US orders.
Even if a creator is able to resist government pressure, an attacker may attempt to break into the toolmakers' own systems in order to attack its customers.
The most resilient tools are those that consider this as a possible attack and are designed to defend against this. Look for language that asserts that a creator cannot access private data, rather than promises that a creator will not. Look for institutions with a reputation for fighting court orders for personal data.
Has it Been Recalled or Criticized Online? Anchor link
Companies selling products and enthusiasts advertising their latest software can be misled, be misleading, or even outright lie. A product that was originally secure might have terrible flaws in the future. Make sure you stay well-informed on the latest news about the tools that you use.
It's a lot of work for one person to keep up with the latest news about a tool. If you have colleagues who use a particular product or service, work with them to stay informed.
Which Phone Should I Buy? Which Computer? Anchor link
Security trainers are often asked: “Should I buy Android or an iPhone?” or “Should I use a PC or a Mac?” or “What operating system should I use?” There are no simple answers to these questions. The relative safety of software and devices is constantly shifting as new flaws are discovered and old bugs are fixed. Companies may compete with each other to provide you with better security, or they may all be under pressure from governments to weaken that security.
Some general advice is almost always true, however. When you buy a device or an operating system, keep your device up-to-date with software updates. Updates will often fix security problems in older code that attacks can exploit. Note that some older phones and operating systems may no longer be supported, even for security updates. In particular, Microsoft has made it clear that versions of Windows Vista, XP, and below will not receive fixes for even severe security problems. This means that if you use these, you cannot expect them to be secure from attackers. The same is true for OS X before 10.11 or El Capitan.
Now that you’ve considered the threats you face, and know what to look for in a digital security tool, you can more confidently choose tools that are most appropriate for your unique situation.
Products Mentioned in Surveillance Self-Defense Anchor link
We try to ensure that the software and hardware mentioned in SSD complies with the criteria listed above. We have made a good faith effort to only list products that:
- have a solid grounding in what we currently know about digital security,
- are generally transparent about their operation (and their failings),
- have defenses against the possibility that the creators themselves will be compromised, and
- are currently maintained, with a large and technically-knowledgeable user base.
We believe that they have, at the time of writing, a wide audience who is examining them for flaws, and would raise concerns to the public quickly. Please understand that we do not have the resources to examine or make independent assurances about their security. We do not endorse these products and cannot guarantee complete security.