Security Essentials

 Last reviewed on March 17, 2025
 Takes about 45 minutes

Every click, message, and location ping creates a digital trail that can be used against activists and organizers. Law enforcement regularly demands data from tech companies to identify and surveil people working for social change.

This guide helps you minimize your digital trail. These steps won't make you invisible, but they'll make it substantially harder for authorities to:

  • Track your location and movement patterns

  • Monitor your communications and political discussions

  • Map your relationships and networks

  • Build profiles of your activities and associations

Baseline security

Use Signal for texts and calls, especially your activism and political conversations

Normal calls and texts are insecure and can be turned over to the cops

DO: Use Signal
DO NOT: Use WhatsApp, FB Messenger, Telegram, regular texts, etc.

How to set up Signal

  1. Install Signal on your phone

  2. You can now message your existing contacts using their phone number (they must have Signal installed as well). If you're messaging someone new who you don't yet have trust with, you should exchange usernames instead of phone numbers when possible.

  3. To start a new message: Press the "Create" icon in the top right of Signal, then type in either the person's phone number or username

  4. Follow the Signal Checklist to make sure you have the most security and privacy

When to use Signal

Some examples of when you would especially want to use Signal:

  • Discussing a protest/action that is not public

  • Organizing a protest/action that is public, but the organizers want to protect their privacy

  • Criticizing government and power holders

Use a privacy-focused browser for everyday browsing (instead of Chrome)

Minimize tracking, so there’s less of a digital trail.

DO: Use Brave Browser (easiest) or Firefox (more setup required)
DO NOT: Use Google Chrome, Microsoft Edge, etc.

How to set up Brave Browser

Brave is a privacy-focused browser that allows you to install Google Chrome extensions.

  1. Install Brave on your computer (or phone).

  2. Follow the steps after you launch to import your configuration from Chrome or another browser. (See warning below about how plugins make you more identifiable.)

  3. Configure privacy settings: Go to Brave > Settings > Shields then select the following:

    • Select Aggressive under "Trackers & ads blocking"

    • Select Strict under "Upgrade connections to HTTPS"

    • Uncheck everything under Social media blocking

    • (Optional) Enable Forget me when I close this site. The site won't be able to store anything about you after you reset your browser.

      This will make it harder for sites to track you across the internet. It's good for privacy, but you'll want to manually override this for specific sites. Visit the site > Click the Brave (lion) logo in the URL bar > Advanced controls > Disable "Forget me when I close this site"

Optional:

  1. Disable the annoying new tab page: Brave > Settings > Get started > New Tab Page > Select "Blank page" from the dropdown

  2. Disable toolbar items: Brave > Settings > Appearance > Toolbar > Disable all the toolbar buttons that you don't want (Brave Rewards, VPN, Wallet, Leo AI, etc)

Bonus Brave configuration tips:

Your search history tells a lot about your interests and political leanings.

DO: Use a privacy-respecting search engine like Brave Search or DuckDuckGo.
DO NOT: Use Google Search, Bing, Yahoo, etc.

  • Brave Search tends to have better results and we trust them, but some folks don't align with their business model.

  • DuckDuckGo results aren't as reliable but it has a slightly stronger privacy record.

How to set up private search

Install the latest software updates for your laptop, phone, and apps

The latest updates for your computer, phone, and apps all contain security fixes that help keep your system safe from attackers.

DO: Run updates as soon as they are offered
DO NOT: Keep pressing the “update later” button

How to run updates

| Model | Still eligible for security updates? | Operating System | Apps |
| --- | --- | --- | --- |
| iPhone | | | Make sure you enable automatic updates (enabled by default). |
| Android | | | Make sure you enable automatic updates (enabled by default). |
| Mac | | | App Store apps: Make sure you enable automatic updates (on by default). Other apps: Top Menu > [App Name] > Check for updates. |
| Windows | | | Microsoft Store apps: Make sure you enable automatic updates (on by default). Other apps: Try Menu bar > Help > Check for Updates. Or look for “Updates” or “About” under settings. |

Use a privacy-focused map/navigation app

While Google has recently started to make it harder for police to request location data, they have a terrible record on privacy and shouldn’t be trusted.

DO: Use Apple Maps (iPhone) or Magic Earth (iPhone/Android) for navigation
DO NOT: Use Google Maps

Apple Maps (iPhone only) goes to surprising lengths to protect your privacy. Apple has a much better privacy track record than Google, but they are a big tech company, so we should think of Apple Maps as a “harm reduction” choice that is good for everyday use but not for sensitive organizing. We include Apple Maps as a recommendation here because it offers features that are missing in other apps: live traffic and public transportation.

How to set up Apple Maps (iPhone only)

  1. Apple Maps is installed by default (you can re-install it if you removed it).

  2. Go to Settings > Privacy & Security > Location Services > System Services, then disable iPhone Analytics, Routing & Traffic, and Improve Maps.

Magic Earth (iPhone or Android; $1/year) is a paid app that offers strong privacy. It does cost $1/year, though. It is much easier to use than our other Android option (CoMaps) and has live traffic data and public transportation routes.

How to set up Organic Maps (iPhone or Android)

  1. Install Magic Earth (Cost $0.99/year)

  2. It functions mostly like Google Maps or Apple Maps!

CoMaps (iPhone or Android; free) is less user-friendly than Magic Earth or Apple Maps, but has the strongest privacy promises. You can operate it entirely offline, which is especially helpful for activists. That said, it doesn't have live traffic data or public transit routes, which makes it hard to use as your main mapping solution.

How to set up CoMaps (iPhone or Android)

  1. Install CoMaps

  2. Open the app once in your area and it will automatically prompt you to download the data for offline navigation

Turn off location tracking for most apps

Apps with location access can create a detailed map of your movements, which can be accessed by law enforcement through legal demands or data brokers through purchase.

DO: Turn off location tracking for most apps
DO NOT: Let every app know where you are

How to review location permissions on iPhone

  1. Go to Settings > Privacy & Security > Location Services

  2. Review each app and set to one of these options:

    • Never: Best choice for most apps

    • Ask Next Time Or When I Share: Good for apps you rarely need location for

    • While Using the App: Only for essential navigation apps

    • Always: Almost no app should have this permission

  3. Make sure to set the Photos app to “Never” so you don’t risk revealing your location when sending photos.

  4. Go to the app labeled System Services > Disable Significant Locations

How to review location permissions on Android

  1. Go to Settings > Privacy > Permission manager > Location

  2. Review each app and set to one of these options:

    • Don't allow: Best choice for most apps

    • Ask every time: Good for apps you rarely need location for

    • Allow only while using the app: Only for essential navigation apps

    • Allow all the time: Almost no app should have this permission

These apps might genuinely need location while in use:

  • Navigation (Apple Maps, Organic Maps)

  • Ride-sharing (but only while actively using)

Some apps might need temporary permission:

  • Food delivery apps only need location when you're actually ordering

Apps that definitely do NOT need location access:

  • Photo apps

  • Social media apps

  • Games

  • Most shopping apps

  • Banking apps

  • News apps

  • Most productivity apps

Remember: Every app with location access is a potential privacy leak. When in doubt, disable location and only re-enable if you find you actually need it.

Remove your private information from data broker websites

Protect yourself from doxxing and online harassment by removing your personal information

DO: Automate the data broker opt out process with EasyOptOuts ($20/year) or do it manually

Data brokers collect and publish profiles on all of us including our name, addresses, phone numbers, profile photos, email addresses, and social media accounts.

Doxxing is an increasingly common tactic used against activists where an adversary posts your email/phone/address/etc with an intent to get others to harass you online and sometimes in real life.

There are many steps involved in scrubbing your personal information from the internet (we have a full guide coming soon). The easiest first step is to submit "opt out" requests to data broker websites.

How to opt out of data broker websites

This process can be very time consuming if you do it manually, so we recommend paying to have it automated.

  1. Sign up for EasyOptOuts ($20/year)

  2. Fill out their online form: current and past phone numbers, emails, addresses, housemates, etc.

  3. After 1-2 weeks, you will receive an email with the details of the sites you were removed from

  4. Do separate Google searches for your name, email address, phone number, and home address to see if there are any locations that still have this information attached to you. See if you can manually remove yourself.

If you want to do this process manually, read Yael's Big Ass Data Broker Opt Out List.

Install a trusted VPN (IVPN or Mullvad)

A VPN makes it harder for websites to track you and prevents your internet provider from logging your traffic.

DO: Install a trusted VPN and keep it on. We recommend IVPN ($6/mo) or Mullvad VPN ($5/mo)
DO NOT: Use a random VPN you find online.

A VPN (Virtual Private Network) encrypts your internet traffic and masks your location. This means your Internet Service Provider can't see what sites you visit - they only see you connecting to a VPN. Websites you visit will see the VPN's location and IP address instead of yours. This makes it harder for authorities to build a record of your political activities.

Options: All of these are very trustworthy options.

  • IVPN (our top recommendation) is easier to use. Cheapest if you have 2 devices.

  • Mullvad VPN enhances privacy by not allowing recurring subscriptions, so they can't store payment info about you. However, you have to remember to pay each cycle. It's also cheaper for users with 3+ devices.

  • Proton VPN has a solid free plan, but it is only for 1 device. See our note regarding concerns about the Proton CEO and why we still offer Proton options.

How to set up IVPN

  1. Go to IVPN and click Generate IVPN Account ($6/month or $60/year)

  2. Under "Standard Plan" click Select. You can do the Pro Plan if you have more than 2 devices.

  3. Write down your Account ID somewhere safe, like where you store passwords. You cannot recover it with "forgot password." If lost, no one can help you recover it. Keep it somewhere secure (ex: password manager).

  4. Select monthly/yearly and enter your credit card or payment details.

    • Instead of a credit card, you can also order a voucher card for IVPN or Mullvad so that your identity is even more protected. (Yes, we hate Amazon too, but that's the only place online you can buy these cards.)

  5. Check the Automatic renewal box then click Make Payment.

  6. Download the IVPN app for your computer: Mac, Windows

  7. Follow the instructions to install the app.

  8. Find the app in your toolbar > Show IVPN > Click the gear icon to open settings > General. Enable the following: Launch at login, Autoconnect on launch, and Allow background daemon to manage autoconnect

  9. Install IVPN app on your phone: iPhone, Android

  10. Follow the same instructions to enter your Account ID and configure the same settings. (iPhones don't offer the "auto-connect" setting, but it does auto-connect by default).

We recommend keeping your VPN on at all times unless you're having trouble connecting to a site (see below).

Downsides to using a VPN

  • You will encounter more CAPTCHAs on websites

  • Some websites may block VPN access

  • Some streaming services might not work

If you experience odd behavior on websites, always try turning off the VPN temporarily to see if it will load. (IVPN offers a "pause for 5 minutes" option, so you don't have to remember to turn it back on later.)

Note: You must use a trusted VPN that doesn't keep logs of your internet traffic and will push back on government requests. We've vetted our top recommendations.

Use a password manager with strong passwords

When you use the same password on multiple sites and one site gets hacked, a hacker can gain access to many other accounts. If you use a weak password, the cops will have an easier time targeting you.

DO: We recommend 1Password ($3/month) or Bitwarden (free)
DO NOT: Use weak/identical/similar passwords. We don’t recommend using LastPass.

Our main recommendations are:

  • 1Password: Very user friendly. Slightly more secure. Costs $3/month

  • Bitwarden: Free. Still quite secure.

How to set up 1Password

  1. Download: Download and install 1Password ($3/month)

  2. Master password: Create a strong, random "master password" using a passphrase generator. It should be memorable, but not a password you use anywhere else. Write your master password down on paper rather than storing it digitally. Set a reminder to destroy the paper in a few weeks once you have it memorized.

  3. Import: Import your existing passwords from your computer or browser

  4. Apps: Install the browser extension and mobile app (iPhone, Android) to help you save and auto-fill passwords

  5. Change passwords: If you had been re-using similar passwords, update your most important ones using the random password generator built into 1Password.

See 1Password's getting started guide for a video of these steps.

Bonus: Here’s a good introduction on how to get the most out of 1Password.

Alternative options:

  • Proton Pass: has a free option

  • KeePassXC: Open-source and allows you to store passwords only on your machine instead of the cloud, but the user interface is very clunky.

Enable two-factor authentication

If someone steals your password, two-factor authentication keeps them from being able to get in unless they have your phone too.

DO: Enable two-factor authentication for important sites
DO NOT: Use only a password

After entering your password, you'll need to enter a code from your phone to prove it's really you. Think of it like having both a key and an alarm code to get into your house—someone needs both to get in.

Your email is the most important account to have two-factor authentication. If an attacker gets access to your email, they can reset all your other passwords.

How to set up

Install an authenticator app:

  1. Option 1: 1Password: If you're using 1Password, it has an "authenticator" feature built-in (details here).

  2. Option 2: Ente Auth: Install Ente Auth (iPhone, Android)

    • Optional: You can create an account; your data is end-to-end encrypted. You can also skip creating an account, but you may lose your one-time passwords if your phone is not backed up.

To set up two-factor authentication:

  1. Go to Security/Privacy settings

  2. Look for "2FA" or "two-factor authentication" or "multi-factor authentication"

  3. If an “authenticator app” option is available, select that! (Remember to save the backup codes somewhere secure, like your password manager.)

  4. If “text/SMS verification” is the only option, select that and follow the instructions.

  1. Links to set up 2FA on common sites:

Note: When a service allows you to choose between an authenticator app and SMS text message verification codes, opting for the authenticator app is always best. It’s possible for an attacker to intercept your SMS texts.

Set your phone passcode to 8 to 10 random digits

It takes years for cops to crack an 8-digit random passcode. They can probably guess your current passcode in less than 5 minutes with automated tools.

DO: Use a random passcode generator to create an 8- to 10-digit code
DO NOT: Use any passcode you thought of yourself (dates, patterns on the keyboard, etc.). Do not use 6-digit passcodes if possible.

How to change your passcode

  1. Generate a random 8 to 10-digit passcode using this random passcode generator. (Don't make one up yourself—humans are bad at choosing randomly!)

  2. Change your passcode:

    On iPhone: Settings > Face ID & Passcode > Change Passcode > Passcode Options > Custom Numeric Code

    On Android: Settings > Security > Screen Lock > Enter Current Lock > PIN/Password > Enter a Passcode

  3. Practice the new passcode at least 10 times in a row right now so you are more likely to remember it. (Disabling biometrics will force a passcode request every time you lock the phone.)

  4. Write your new passcode on paper and keep it somewhere safe at home until you've memorized it. Then destroy it after 2-3 weeks. Setting a reminder on your phone can help.

How long does it take to crack a passcode?

| Type | Time it takes to crack (average) | Example |
| --- | --- | --- |
| 6-digit easy-to-guess pattern | Less than 24 hours to crack | 333666 (common pattern); 110585 (date pattern for Nov 5, 1982) |
| 6-digit random code | 200 days to crack | 238253 |
| 8-digit random code | 40+ years to crack | 34780026 |

Note: These times only apply to phones. Computers can be cracked much more quickly, and need much stronger passwords.

Sources: The estimates in the table above assume real-world observed attempts/second from police forensic hacking tools. If you need more security, use a 10-digit passcode, which will protect you even under the highest-possible cracking scenarios. See the sources linked in the passcode FAQ here.
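To make the arithmetic behind the table concrete, the following added example (not part of the original guide or its linked generator) derives the guessing rate implied by the 200-day figure, projects it to 8 and 10 digits, flags the kinds of easy patterns the table lists, and draws a passcode from the operating system's secure random source. The function names and the derived rate of 2,500 guesses per day are assumptions of this example, not measured values.

```python
import secrets
from datetime import date

# Assumption derived from the table above (not a measured figure): a random
# 6-digit code falls in about 200 days on average, i.e. after trying half of
# the 10**6 possible codes.
GUESSES_PER_DAY = (10**6 / 2) / 200  # 2500 guesses per day


def random_passcode(digits: int = 8) -> str:
    """Return a uniformly random numeric passcode from the OS CSPRNG."""
    if not 8 <= digits <= 10:
        raise ValueError("the guide recommends 8 to 10 digits")
    return "".join(str(secrets.randbelow(10)) for _ in range(digits))


def average_years_to_crack(digits: int) -> float:
    """Average guessing time for a random code: half the keyspace at the rate above."""
    return (10**digits / 2) / GUESSES_PER_DAY / 365


def _is_date(code: str) -> bool:
    """True if the code reads as MMDDYY, DDMMYY, MMDDYYYY or DDMMYYYY."""
    if len(code) not in (6, 8):
        return False
    first, second, year = int(code[:2]), int(code[2:4]), int(code[4:])
    if len(code) == 6:
        year += 2000  # century does not matter for a plausibility check
    elif not 1900 <= year <= 2099:
        return False
    for month, day in ((first, second), (second, first)):
        try:
            date(year, month, day)
            return True
        except ValueError:
            continue
    return False


def weak_pattern(code: str):
    """Return why a passcode is easy to guess, or None if no pattern is found."""
    if not (code.isascii() and code.isdigit()):
        raise ValueError("passcode must contain digits only")
    if len(set(code)) <= 2:
        return "repeated digits"
    # Differences between neighbours, modulo 10: all +1 or all -1 is a run.
    steps = {(int(b) - int(a)) % 10 for a, b in zip(code, code[1:])}
    if steps in ({1}, {9}):
        return "sequential digits"
    if _is_date(code):
        return "date"
    return None


if __name__ == "__main__":
    for sample in ("333666", "110585", "238253", "34780026"):  # the table's examples
        print(sample, "->", weak_pattern(sample) or "no obvious pattern")
    for n in (6, 8, 10):
        print(f"{n} random digits: about {average_years_to_crack(n):,.1f} years on average")
    print("new passcode:", random_passcode(8))
```

Each extra random digit multiplies the average guessing time by ten, which is why the jump from 6 to 8 digits moves the estimate from months to decades.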

Don’t click suspicious links in texts

High-profile activists and human rights advocates have been targeted with specific spyware that gets activated when you click a link to a website you don’t trust. (Article from 2021 about “Pegasus”)

Don't use email for secure communications

Email wasn't designed to be private or secure.

DO: Avoid using email for secure communications (but use Proton Mail if you need to)
DO NOT: Send unencrypted emails with sensitive information

Email wasn't designed to be private or secure. For sensitive communications, use Signal instead.

Anonymity vs secure communications: It’s very hard to have truly secure email communication, but if you are looking to protect your message contents, then you can use a service like Proton Mail.

What to use Proton Mail for

  • Creating accounts on websites, signing up for newsletters

  • Public-facing communications that don't need to be secure, but do need to be anonymous

  • Organizing work that isn't sensitive

What NOT to use email for (even encrypted):

  • Truly sensitive or private communications (example: when planning a direct action)

How to use Proton Mail

Creating a Proton Mail account

  1. Sign up for a free Proton Mail account

  2. Choose a random username that isn't connected to your identity or preferences

  3. When asked to verify if you are a human, choose the “CAPTCHA” option rather than the “email” option.

  4. When asked to set your phone number / email as a recovery method, choose Maybe later. (Note: This means you must save your password somewhere secure like a password manager.)

Sending emails securely

  • Messages between Proton Mail users are automatically end-to-end encrypted.

  • Messages to people using a different email provider will not be encrypted, but you can send a password-protected email.

Bonus resources:

  • If you want to send end-to-end encrypted emails from Gmail, check out the FlowCrypt extension.

  • addy.io also offers simple email forwarding to your normal account. It doesn't offer you protection if your normal email account is seized as evidence. But it does prevent the service you signed up with from knowing your main identity.

Enhanced security

If you're taking higher-risk actions or are more likely to be a target of government surveillance, following these steps will help you add additional layers of protection.

Follow our phone security checklist

How to secure your phone

For added privacy and security on your phone, follow as many of the steps in our Prepare for a Protest guide as you are able to in your daily life, even if you’re not at a protest/action.

Avoid using “Sign in with [Google, Facebook, etc]”

DO: Create an actual account with your email address when signing up on a new site
DO NOT: Use “Sign in with [Google, Facebook, etc]”

Every time you use "Sign in with Google" (or similar options) you're letting Google track which services you use and connect them to your real identity. Creating separate accounts with unique passwords (using your password manager) makes it harder for corporations and authorities to build a complete picture of your online activities.

Have Questions?

We want to hear your questions/feedback so we can make these guides useful to folks working for change.