If you have a smartphone, laptop, or tablet, you’re carrying a massive amount of data with you at all times. Your social contacts, private communications, personal documents and personal photos (many of which have confidential information of dozens, even thousands of people) are just some examples of things you may store on your digital devices. Because we store and carry so much data, it can be hard to keep it safe—especially because it can be taken from you relatively easily.
Your data can be seized at the border, taken from you in the street, or burgled from your house and copied in seconds. Unfortunately, locking your device with passwords, PINs, or gestures may not protect your data if the device itself is seized. It’s relatively easy to bypass such locks because your data is stored in an easily-readable form within the device. An adversary would just need to access the storage directly in order to copy or examine your data without your password.
With that said, you can make it harder for those who physically steal your data to unlock its secrets. Here are a few ways you can help keep your data safe.
Encrypt Your Data Anchor link
If you use encryption, your adversary needs both your device and your password to unscramble the encrypted data. Therefore, it's safest to encrypt all of your data, not just a few folders. Most smartphones and computers offer complete, full-disk encryption as an option.
For smartphones and tablets:
- Android offers full-disk encryption when you first set up your device on newer devices, or anytime afterwards under its “Security” settings for all devices.
- Apple devices such as the iPhone and iPad describe it as “Data Protection” and turn it on if you set a passcode.
- Apple provides a built-in, full-disk encryption feature on macOS called FileVault.
- Linux distributions usually offer full-disk encryption when you first set up your system.
- Windows Vista or later includes a full-disk encryption feature called BitLocker.
BitLocker's code is closed and proprietary, which means it is hard for external reviewers to know exactly how secure it is. Using BitLocker requires you trust Microsoft provides a secure storage system without hidden vulnerabilities. On the other hand, if you're already using Windows, you are already trusting Microsoft to the same extent. If you are worried about surveillance from the kind of adversaries who might know of or benefit from a backdoor in either Windows or BitLocker, consider an alternative open-source operating system such as GNU/Linux or BSD, especially a version that has been hardened against security attacks, such Tails or Qubes OS. Alternatively, consider installing an alternative disk encryption software, Veracrypt, to encrypt your hard drive.
Remember: Whatever your device calls it, encryption is only as good as your password. If an adversary has your device, they have all the time in the world to figure out your passwords. An effective way of creating a strong and memorable password is to use dice and a word list to randomly choose words. Together, these words form your “passphrase.” A “passphrase” is a type of password that is longer for added security. For disk encryption we recommend selecting a minimum of six words. Check out our guide to Creating Strong Passwords for more information.
It may be unrealistic for you to learn and enter a long passphrase on your smartphone or mobile device. So, while encryption can be useful to prevent casual access, you should preserve truly confidential data by keeping it hidden from physical access by adversaries, or cordoned away on a much more secure device.
Create a Secure Device Anchor link
Maintaining a secure environment can be hard. At best, you have to change passwords, habits, and perhaps the software you use on your main computer or device. At worst, you have to constantly think about whether you're leaking confidential information or using unsafe practices. Even when you know the problems, you may not be able to employ solutions because sometimes people with whom you need to communicate use unsafe digital security practices. For instance, work colleagues might want you to open email attachments from them, even though you know your adversaries could impersonate them and send you malware.
So what’s the solution? Consider cordoning off valuable data and communications onto a more secure device. You can use the secure device to keep the primary copy of your confidential data. Only use this device occasionally and, when you do, consciously take much more care over your actions. If you need to open attachments, or use insecure software, do it on another machine.
An extra, secure computer may not be as expensive an option as you think. A computer that is seldom used, and only runs a few programs, does not need to be particularly fast or new. You can buy an older netbook for a fraction of the price of a modern laptop or phone. Older machines also have the advantage that secure software like Tails may be more likely to work with them than newer models.
When Setting up a Secure Computer, What Steps Can You Take to Make it Secure?
- Keep your device well-hidden and don’t discuss its location—somewhere where you are able to tell if it has been tampered with, such as a locked cabinet.
- Encrypt your computer’s hard drive with a strong passphrase so that if it is stolen, the data will remain unreadable without the passphrase.
- Install a privacy- and security-focused operating system like Tails. You might not be able (or want) to use an open-source operating system in your everyday work, but if you just need to store, edit, and write confidential emails or instant messages from this secure device, Tails will work well and defaults to high security settings.
- Keep your device offline. Unsurprisingly, the best way to protect yourself from Internet attacks or online surveillance is to never connect to the Internet. You could make sure your secure device never connects to a local network or Wifi and only copy files onto the machine using physical media, like DVDs or USB drives. In network security, this is known as having an “air gap” between the computer and the rest of the world. While extreme, this can be an option if you want to protect data that you rarely access, but never want to lose (such as an encryption key, a list of passwords, or a backup copy of someone else's private data that has been entrusted to you). In most of these cases, you might want to consider just having a hidden storage device, rather than a full computer. An encrypted USB key kept safely hidden, for example, is probably as useful (or as useless) as a complete computer unplugged from the Internet.
- Don’t log in to your usual accounts. If you do use your secure device to connect to the Internet, create separate web or email accounts that you use for communications from this device, and use Tor (see guides for Linux, macOS, Windows) to keep your IP address hidden from those services. If someone is choosing to specifically target your identity with malware, or is only intercepting your communications, separate accounts and Tor can help break the link between your identity, and this particular machine.
While having one secure device that contains important, confidential information may help protect it from adversaries, it also creates an obvious target. There’s also a risk of losing the only copy of your data if the machine is destroyed. If your adversary would benefit from you losing all your data, don't keep it in just one place, no matter how secure. Encrypt a copy and keep it somewhere else.
A variation on the idea of a secure machine is to have an insecure machine: a device that you only use when going into a dangerous place or attempting a risky operation. Many journalists and activists, for instance, take a basic netbook with them when they travel. This computer does not have any of their documents or usual contact or email information on it so there’s minimal loss if it is confiscated or scanned. You can apply the same strategy to mobile phones. If you usually use a smartphone, consider buying a cheap throwaway or burner phone when travelling for specific communications.