
Choosing Your Tools


With so many companies and websites offering tools geared towards helping individuals improve their own digital security, how do you choose the tools that are right for you?

We don’t have a foolproof list of tools that can defend you (though you can see some common choices in our Tool Guides). But if you have a good idea of what you want to protect, and who you want to protect it from, this guide can help you choose the appropriate tools using some basic guidelines.

Remember, security isn't about the tools you use or the software you download. It begins with understanding the unique threats you face and how you can counter those threats. Check out our security planning guide for more information.

Security Is a Process, Not a Purchase

The first thing to remember before changing the software you use or buying new tools is that no tool or piece of software will give you absolute protection from surveillance in all circumstances. Therefore, it’s important to think about your digital security practices holistically. For example, if you use secure tools on your phone, but don’t put a password on your computer, the tools on your phone might not help you much. If someone wants to find out information about you, they will choose the easiest way to obtain that information, not the hardest.

It’s impossible to protect against every kind of trick or attacker, so you should concentrate on who might want your data, what they might want from it, and how they might get it. If your biggest threat is physical surveillance from a private investigator with no access to internet surveillance tools, you don't need to buy some expensive encrypted phone system that claims to be "NSA-proof." Alternatively, if you face a government that regularly jails dissidents because they use encryption tools, it may make sense to use simpler tactics—like arranging a set of harmless-sounding, pre-arranged codes to convey messages—rather than risk leaving evidence that you use encryption software on your laptop. Coming up with a set of possible attacks you plan to protect against is called threat modeling.

Given all that, here are some questions you can ask about a tool before downloading, purchasing, or using it.

How Transparent Is it?

There's a strong belief among security researchers that openness and transparency lead to more secure tools.

Much of the software the digital security community uses and recommends is open-source. This means the code that defines how it works is publicly available for others to examine, modify, and share. By being transparent about how their program works, the creators of these tools invite others to look for security flaws and help improve the program.

Open-source software provides the opportunity for better security, but does not guarantee it. The open source advantage relies, in part, on a community of technologists actually checking the code, which, for small projects (and even for popular, complex ones), may be hard to achieve.

When considering a tool, see if its source code is available and whether it has an independent security audit to confirm the quality of its security. At the very least, software or hardware should have a detailed technical explanation of how it functions for other experts to inspect.

How Clear Are its Creators About its Advantages and Disadvantages?

No software or hardware is entirely secure. Seek out tools with creators or sellers who are honest about the limitations of their product.

Blanket statements that say that the code is “military (or bank)-grade” or “NSA-proof” are red flags. These statements indicate that the creators are overconfident or unwilling to consider the possible failings in their product.

Because attackers try to discover new ways to break the security of tools, software and hardware need updates to fix vulnerabilities. It can be a serious problem if the creators are unwilling to do this, either because they fear bad publicity or because they did not build the infrastructure to do so. Look for creators who release these updates, and who are honest and clear about why they do so.

A good indicator of how toolmakers will behave in the future is their past activity. If the tool's website lists previous issues and links to regular updates and information—like specifically how long it has been since the software was last updated—you can be more confident that they will continue to provide this service in the future. You can often look at a history of updates in the official app stores (Apple’s App Store or Google Play), on GitHub, or on the developer’s website. This alone can show a developer is working on the software with some regularity, but it’s an even better indicator if they include detailed notes about what’s included in each update.

What Happens if the Creators Are Compromised?

When security toolmakers build software and hardware, they (just like you) must have a clear security plan. The best creators explicitly describe what kind of adversaries they can protect you from in their documentation.

But there's one attacker that many manufacturers do not want to think about: themselves. What if they are compromised or decide to attack their own users? For instance, a court or government may compel a company to hand over personal data or create a “backdoor” that will remove all the protections their tool offers. So consider the jurisdiction(s) where the creators are based. If you’re worried about protecting yourself from the government of Iran, for example, a US-based company will be able to resist Iranian court orders, even if it must comply with US orders.

Even if a creator is able to resist government pressure, an attacker may attempt to break into the toolmakers' own systems in order to attack its customers.

The most resilient tools are those that consider this as a possible attack and are designed to defend against it. Look for language that asserts that a creator cannot access private data, rather than promises that a creator will not. Likewise, search the tool’s website or privacy policy for information about data encryption, data retention policies, sale to third parties, and any details about how the company might handle law enforcement requests. This guide from the Washington Post includes some tips for reading a company privacy policy that are useful for getting an idea of what information a company might store or share.

Has it Been Recalled or Criticized Online?

Companies selling products and enthusiasts advertising their latest software can be misled, be misleading, or even outright lie. A product that was originally secure might have terrible flaws in the future. Make sure you stay well-informed on the latest news about the tools that you use.

It's a lot of work for one person to keep up with the latest news about a tool. If you have colleagues who use a particular product or service, work with them to stay informed.

Which Phone Should I Buy? Which Computer?

Security trainers are often asked: “Should I buy an Android device or an iPhone?” or “Should I use a PC or a Mac?” or “What operating system should I use?” There aren’t simple answers to these questions. The relative safety of software and devices is constantly shifting as researchers discover new flaws and old bugs. Companies may compete with each other to provide you with better security, or they may all be under pressure from governments to weaken that security.

Some general advice is almost always true, however. When you buy a device or an operating system, keep it up-to-date with software updates. Updates will often fix security problems in older code that attackers can exploit. Note that some older phones and operating systems may no longer be supported, even for security updates.

With mobile phones, there are some key differences between the two operating systems. Android is open-source, and has several different versions focused specifically on privacy and security, like CalyxOS and GrapheneOS. The iPhone operating system, iOS, is not open-source, but has proven strong against forensic tools. Like any security tool, one isn’t universally better than the other for everyone.

Now that you’ve considered the threats you face, and know what to look for in a digital security tool, you can more confidently choose tools that are most appropriate for your unique situation.

Products Mentioned in Surveillance Self-Defense

We try to ensure that the software and hardware mentioned in SSD complies with the criteria listed above. We have made a good faith effort to only list products that:

  • Have a solid grounding in what we currently know about digital security
  • Are generally transparent about their operation (and their failings)
  • Have defenses against the possibility that the creators themselves will be compromised
  • Are currently maintained, with a large and technically-knowledgeable user base that examines them for flaws

Please understand that we do not have the resources to examine or make independent assurances about their security. We do not endorse these products and cannot guarantee complete security.