Safety First!


IN SHORT: Stay digitally, physically and psychologically safe and aware of potential risks at all times by adopting some basic good practices and tools to keep your human sources, yourself and your evidence protected.

Staying safe and aware is an integral part of any investigation. When embarking upon an investigation, the safety of your sources and collaborators, your own safety and the safety of your data should always be a priority.

Think of safety as integral to the investigative mindset, as something you need to plan for and think about. Not just that, but think of it as something that can give you insight into how your digital and physical data traces may expose information. Safety should not be a simple checklist that you need to tick off before you proceed with your investigation. If you think of safety as a checklist, you may end up having a false sense of security.

Here, we will focus on the main principles and steps you need to consider before setting out to collect information, verify it and investigate more thoroughly both online and offline. Take this section as a starting point to what will become part of your investigator mindset, a set of behaviours and attitudes that should slowly become embedded and adapted to your own context, work style and goals. If you master the basics, you will easily be able to advance and adopt more safety techniques and tools relevant to your particular profile.

Do No Harm

Always think of and plan your research and actions in a way that increases positive impact and reduces potential negative impact on the people you work with, on the issues you investigate and on yourself, among others. This is part of the “Do No Harm” principle and as an investigator (or an activist, or a researcher, etc.), you need to integrate it into your assessments and decisions at all times.

The Do No Harm principle was developed in the humanitarian support and intervention sector but it’s as valid everywhere else. It assumes that all your behaviours and actions have consequences of some sort, be they positive or negative, or both. The idea is to NOT cause more risk and harm than was initially there.

There is a very simple formula you can keep in mind with regard to safety:

Actions + Behaviours = Consequences

Stick to this when planning your own work and when assessing your next step. It is an essential formula that helps you analyse the ways in which our actions and behaviours can impact the safety and condition of others, of yourself and of the information you work with.

Read more about the Do No Harm principle and related assessments that may help your planning and actions in Tactical Tech’s “Holistic Security Manual” - “Security and the Do-Not-Harm approach”.

What are you keeping safe?

The most important question when it comes to staying safe is: “What exactly are you protecting?”

The list can be summarised as follows:

  • Contacts – People you engage with (sources, collaborators, colleagues, close ones, etc.) and whose information you have access to / collect / use / store.
  • Yourself – It’s important to stay safe and minimise risks and mitigate threats to yourself.
  • Data – Information that you collect should be safe from being accessed by others without consent or authorisation and must be recoverable in case of loss, damage or theft.

Context is everything / One size does not fit all

It helps to think of safety as something that relates to the specific context you are working in and what you are trying to do. For example, an online search technique like Google dorking carries different risks from conducting field research. At the same time, not all field research is equally risky; it comes down to a number of factors, which you can read about in our field research guide.

When thinking about safety, first consider the function that you are performing by asking yourself a few questions such as:

  • Who/what is the focus of your investigation?
  • Are you investigating a website?
  • Investigating a company?
  • Going out into the field?
  • Conducting interviews?

The nature of what you are trying to do is important because it will greatly determine the threats that you may encounter. Addressing these threats means deciding what measures to take to keep yourself and those you interact with safe.

Safety cannot be divided neatly into digital and non-digital. The end goal is for you to do your work while making sure that people are safe. What you do in your digital life can easily spill out into your physical life, and vice versa. That’s why it’s important to approach safety holistically and to understand where the threats may arise.

In short:

  1. Safety is about the function you perform and the context in which the function is performed.
  2. Safety cannot be neatly divided into digital and non-digital.
  3. Safety cannot be approached in isolation from that of other people you work and communicate with.

Risk assessment and risk mitigation

It’s vital to think of the risks and possible threats associated with the type of research or investigation activity you are undertaking in any context - online and offline, friendly or hostile environment, etc. - and to list those anticipated risks every time before you start an investigation, as well as to revisit them during the investigation process. This is called risk assessment. The purpose of this assessment is to reduce the risks you anticipate by taking appropriate precautions. The effort of reducing risk is called risk mitigation.


Note:

The more complicated and risky your activity, the more comprehensive your risk assessment and risk mitigation should be.

Risk assessment and mitigation are common exercises in a number of disciplines involving online and field activities, including scientific research, journalistic investigations, law enforcement investigations or humanitarian field missions.

Before starting your work, make sure you always have a risk mitigation plan. This involves coming up with ways you could prevent, respond to and resolve problems that might arise. This plan can help you navigate the potential issues highlighted in your risk assessment.


Tip:

There is no particular risk assessment and risk mitigation template that you should follow as a rule; you will need to adapt this process to your own research methods and your context as well as to the topics and subjects of your investigation. You would face different degrees and kinds of risk or threat if you search the internet from your home for NGO reports about human rights abuses by corporations than if you conduct field research to observe facts and interview affected people. Similarly, you would have to plan for different kinds of risk if you take photos of the town hall building in the centre of a peaceful town than if you need to photograph an area where deforestation is on-going, in an isolated place at the edge of the same town.

These are just limited examples. The better you can anticipate and analyse your situation(s), the better you will be at assessing and mitigating related risks. Your assessment and planning will also differ if you research individually or in an informal group or as part of an organisation. An organisation will likely have some standard procedures for how you should plan, act and behave, whereas if you act alone, you will need to be extra careful with your assessment and precautions. We’d never recommend that you take an initiative alone or investigate in isolation. Collaboration with trusted others will always offer you a better risk mitigation plan.

At Tactical Tech, we have addressed this aspect of threat assessment in our online manual “Holistic Security”, which looks at safety and security from a broader perspective, which includes physical and mental well-being while working individually or in groups. You can read about risk and threat perceptions and assessments in the chapter Explore - Identifying and Analysing Threats.

Image: threat matrix from Tactical Tech’s Holistic Security manual, source: https://holistic-security.tacticaltech.org/chapters/explore/2-8-identifying-and-analysing-threats.html

The idea behind this matrix is that threats can be viewed and categorised in light of the following:

  1. the likelihood that the threat will take place, and
  2. the impact if and when it does take place.

Likelihood and impact are concepts which help us determine risk: the higher the likelihood or impact of a threat, the higher the risk. If a threat is less likely or would have a lower impact, the risk is lower.

There are many risk assessment and risk mitigation templates and guides out there. Consulting more of them can help you understand the process better in order to apply it to your specific situation.

Here are some suggestions to get you started. Be aware that each guide is written from a particular perspective or for a particular group, so try to extrapolate from the specific vocabulary or tasks mentioned in some of them: they can be applied to many other contexts not mentioned there.

  • Surveillance Self-Defence (archived copy from Wayback Machine available here), from the Electronic Frontier Foundation - a resource with advice, tools and methods to stay aware and address risks in potential surveillance situations.
  • Pre-assignment Preparation: emergency response (archived copy from Wayback Machine available here), from Committee to Protect Journalists (CPJ) - a list of available resources that can help you learn and prepare the safety elements of your field investigations. It is relevant for any researcher, not only journalists working on their assignments.
  • Risk management for NGOs (archived copy from Wayback Machine available here), from United Nations Somalia. Note that the guide is generally applicable, not only for Somalia.
  • “De-escalate Anyone, Anywhere, Anytime” - this is a direct PDF download (archived copy from Wayback Machine available here), from RightResponse.org - a general introduction that was not written for investigators specifically but can be used as a starting point.
  • DSD Working Papers on Research Security series (archived copy from Wayback Machine available here) - advanced guides about safety while on field research in dangerous areas, so consult them with that in mind.

In order to make your planning a bit easier, and admitting that we cannot anticipate and assess all the risks for you here – remember, each investigation is different! - we will address some concrete ways you can mitigate potential risks while researching online and offline/in the field. In each of this Kit’s sections (from How To Investigate and What to Investigate), you will find much more detail about risk assessment and risk mitigation as well as recommended methods and tools to adopt in specific situations.

Digital Safety

When thinking about keeping your data and information safe you may be thinking about two separate things:

  1. The first is about safeguarding your data so that a malicious actor cannot use it to cause harm and so that it does not lead to a breach of privacy.
  2. The second is about keeping it safe so that you can recover it in case it is damaged or lost.

Digital safety is about safeguarding your data. This data can be your:

  • contacts
  • location
  • passwords
  • digital habits

This data can be available in your:

  • devices
  • communications
  • online accounts
  • internet traffic

But remember that safety doesn’t just mean tools. Most of what compromises us is not the technical tools we choose but our behaviour. Humans are often the weakest link and even if you are using the most secure tools, you can still be breached.

Some things to keep in mind when thinking about safety:

  • what you choose to share,
  • how you communicate,
  • what you click (phishing attacks),
  • which services you choose,
  • who you choose to share with.

It is important to note that digital safety is not just about your own understanding of risks but the steps you take to mitigate these risks. Think of safety as a group sport, where we all depend on each other. The more we are all collectively aware of the risks and vulnerabilities the better we can be at taking steps to mitigate these risks.

If data is breached through someone accessing your devices, or the devices of someone else who holds the same data, the risks are similar even if you have taken every step to secure the data at your end. For this reason you have to pay attention to the digital safety awareness of the other people, platforms and services you interact with.


Note:

It is often not easy to put digital safety on the table, but make sure that people who work with you understand the threats the same way as you do and have a plan if things go wrong. Share your safety plans and your evaluations with collaborators who are working with you on an investigation, and make sure that your sources are also made aware of the risks.

Some practices to help keep your credentials and data safe

  • Use long passphrases,
  • Use two factor authentication,
  • Safeguard passwords using password managers,
  • Make sure recovery options are set up where possible, like adding a recovery email,
  • Backup data,
  • Encrypt data,
  • End-to-end encryption helps guarantee that the service provider cannot access your content,
  • Be aware of who has access to your data,
  • Assess tools you use.

Some criteria to help you assess a digital tool

Check if the tool:

  • Is open source - Is the source code publicly available for you or others to see? Even if you cannot read or assess code, being open source means it can be verified and audited by those with expertise.
  • Provides end-to-end encryption - This means that data is encrypted before being sent to the receiving party, and only they can decrypt it; not even the service provider can.
  • Does not store data unnecessarily - Tools that keep track of more data than they need in order to perform their function risk exposing this data in the future.
  • Does not leak data - When performing functions with that tool, no unnecessary data is inadvertently exposed to the public or third parties.
  • Does not share data - Some tools or services share your data or sell them to third parties; you can often find out about this if you read a tool’s (app, software, etc.) Terms of Use and/or Data Policy.

The Security Trade-off

When choosing tools, you often have a trade-off between what is useful, easy to use and secure.

While many tools have focused a lot more on security, you still have to weigh your security against functionality and usability. The key here is to understand the context you are in, and what you are gaining or giving up by using a particular tool. It is important to identify your weaknesses rather than reinforce your strengths. Usually your weakest points are those that are exploited, and for these weaknesses it makes sense to invest in security aspects over functionality or usability at times.

For example, a very secure tool might require entering a password every time you use it, while another is easier to use because it saves the password for you. The trade-off is that the second application takes less time to use, but is susceptible to being accessed if your device is stolen.

Image: Security Tradeoffs - Tactical Tech

Using tools for investigation

Whatever tools you decide to use, remember that tools that find traces also leave traces: on the internet everything is traceable. It is important to understand that the devil is in the defaults, so always double-check settings, read the terms and conditions, and test before using.

Data and Devices

Make sure that your data and devices are secure; you can do so by ensuring that your devices are encrypted. Some recommended practices and tools are:

Sending Data

Use secure trusted services to send data, such as:

Online safety

Searching and collecting evidence online - whether it’s about social media data, online company records, domain ownership details, website history, image metadata, etc. - involves navigating a large number of platforms, tools and services. Some of these work with the Tor Browser and that allows you to protect your privacy to a certain extent. Others not only do not work on Tor but they also require you to sign up with an email address, name and other personal details. Depending on your investigation subject, your context and that of the people you work with, leaving digital traces while you investigate online might put you at higher risk.


Note:

Make sure that using encryption is legal in the jurisdiction where you’re using it. There are some places which impose restrictions on the use of encryption, and using it may put you at risk.

Consider these suggestions for digital safety techniques and tools that can help protect your digital privacy and enhance the security of your devices and data.

Accounts

Some online services require you to create an account, to choose a username, to provide payment information, to verify an email address or to sign up with your social media profile to gain access to their platforms. Try to limit your exposure by considering these options:

  • Create a more secure, compartmentalised email account, which you can do easily with services like Tutanota or Protonmail.
  • Establish a separate set of social media accounts to use with services that require your data, in order to compartmentalise (separate) your investigative work from your personal online identity.
  • Create a single-use “identity” for a particular investigation, and dispose of it once research is done. This may be needed especially when doing sensitive work.

Browsers

As someone who is looking to uncover hidden truths, you probably already use the internet for personal communication and for some of your research.


Note:

It’s a good idea to use different browsers for your research and for casual web browsing. By doing so, you are again practicing “compartmentalisation” - using one browser for research and another for everything else.

We recommend you choose a “privacy aware” browser for your research and avoid logging in to web-based email and social media on that browser. This will prevent a lot of your personal data from being sent to the websites you visit.

Before using any of the online tools we talk about here or in the online Kit, it’s a good idea to download and install one of these browsers. Then, add an extra layer of certainty by testing the browser with a tool like Panopticlick or Browser Leaks. The results you see when using a privacy aware browser should look different from those you get when you visit Panopticlick or Browser Leaks with a normal browser, which would usually reveal more weaknesses.


Note: Fingerprinting

Browsers can easily be fingerprinted, which means that even if you are not logged in to services that track you, you can be identified by the various settings on your browser.

You can mitigate this by changing your behaviour (like opening different size windows) or using tools that obfuscate basic system information.

These are some examples of tools that can help protect your privacy while researching online, with pros and cons of using them:

Tor Browser

  • Pros: This is the best privacy aware browser. The code is published openly so anyone can see how it works. It has a built-in way of changing your IP address and encrypting your traffic.
  • Cons: There are places in the world where Tor Browser usage is blocked or banned. While there are ways around these blocks, such as Tor Bridges, using Tor may also flag your traffic as suspicious in such places.

Note:

Some webpages block Tor by default and you will have to decide whether or not to visit them with Tor turned off.

Firefox

  • Pros: It blocks trackers and cookies with a setting called “Enhanced Tracking Protection”, which is automatically turned on when you set “Content Blocking” to “strict”.
  • Cons: You need to turn on this option; it’s off by default. When you use Firefox, it’s important to remember that your IP address is still visible to the sites you visit.

Brave

  • Pros: It tries to protect privacy without the need for turning options on or adding add-ons or extensions. Brave has a security setting to erase all Private Data when the browser is closed. It has a feature called ‘Shields’ where you can block ads and trackers. It also allows you to create a new “Private Tab with Tor”, which uses the Tor network to protect your IP address (regular use doesn’t protect it).

Note:

Brave’s “Private Tab with Tor” also allows you to visit Tor hidden service sites - which are sites that end in .onion and are configured to be securely accessed only by Tor-enabled browsers.

  • Cons: The “payments” or “Brave payments” feature that allows donations should be kept off as it sends data that could be used to identify you. When using Brave, you should use the ‘Private Tab with Tor’ feature to protect your IP address.

DuckDuckGo

  • Pros: This is a privacy-aware search engine (not a browser) that claims not to collect any personal data about its users. You can use DuckDuckGo in combination with the Tor Browser to further preserve your privacy.
  • Cons: DuckDuckGo does save your search queries but it doesn’t collect data that can identify you personally.

Note:

Be sure to check the default settings on DuckDuckGo and customise your usage by visiting: https://duckduckgo.com/settings

Virtual Private Networks (VPNs)

If you cannot use Tor, another option, though less effective in preserving your anonymity, would be using a VPN (Virtual Private Network).


Note:

VPNs work by disguising your IP address, which can be used by websites you visit to map where you are coming from. When using a VPN, rather than seeing your real IP address, sites you visit will see the IP of the VPN provider.

Visiting a website is like making a phone call. The website you are visiting can see your “number” - your IP address - which can be used to map where you are coming from.

Think of the VPN as a concrete tunnel between you and the site you want to visit. The VPN creates a tunnel around your traffic so it can’t be observed from the outside, and routes it through an intermediary server owned by your VPN provider, so your traffic looks to any site you visit like it’s coming from a different location than where you actually are. Neither the web browser, your internet service provider nor the site you visit will see your IP or be able to identify you. Sites will only see that your traffic is coming from the IP address of your VPN provider.


Note:

To illustrate, if you are researching a corporation and frequently visit its board of directors webpage – a page that typically gets very little traffic - your repeated visits from your specific location might make the company aware of your research.

There are many VPN options and it can be confusing when deciding which one to pick. To add to the confusion, most VPN reviews and listings are not independent; some are really biased. ThatOnePrivacySite is a VPN review site we can endorse.

It is recommended you choose a VPN company that claims that they do not record logs of your traffic. While you should avoid most free VPNs because they are often funding their operation by selling their log data (records of what sites users visit via the VPN), there are some reputable ones we recommend: Bitmask, Riseup VPN, Psiphon, Lantern.

Communication

Communicating securely is a vital aspect of investigation and indeed the digital world. Intercepted communication is one of the biggest risks that may endanger your sources, yourself or the secrecy of the information you may be gathering. Choosing the right tools is important particularly as you become reliant on others.

You often communicate via messages through emails and messaging apps. Whenever possible, use encrypted email - PGP / Pretty Good Privacy - in your email communication with collaborators, sources and interviewees.


Note on PGP:

PGP encrypts the contents of an email. It does not, however, encrypt the metadata about the email. Metadata can be the sender, receiver, subject line, time of sending and various other email header information. This means that a lot of information can still be extracted from emails that are encrypted with PGP, though not the content of the message itself.
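To make the note above concrete, here is an added example (not part of the original guide) that parses a PGP-encrypted email with Python's standard `email` module and separates what anyone handling the message can read from what is protected. The sample message, its addresses and its armored payload are constructed placeholders.

```python
import email
from email import policy

# Constructed sample: addresses, relay, Message-ID and the armored payload are
# made up for illustration; the payload is a placeholder, not real ciphertext.
SAMPLE = (
    "Received: from mail.example.org ([192.0.2.10]) by mx.example.net; "
    "Tue, 04 Aug 2020 09:15:02 +0000\n"
    "From: Researcher <researcher@example.org>\n"
    "To: Source <source@example.net>\n"
    "Subject: Thursday meeting about the land deal\n"
    "Date: Tue, 04 Aug 2020 09:15:00 +0000\n"
    "Message-ID: <20200804091500.1234@example.org>\n"
    "User-Agent: ExampleMail 1.0\n"
    "Content-Type: text/plain; charset=\"utf-8\"\n"
    "\n"
    "-----BEGIN PGP MESSAGE-----\n"
    "\n"
    "hQEMA0NvbnN0cnVjdGVkUGxhY2Vob2xkZXI=\n"
    "-----END PGP MESSAGE-----\n"
)

# Headers that travel in clear text whether or not PGP is used
# (a common subset, not an exhaustive list).
CLEAR_HEADERS = ("From", "To", "Cc", "Subject", "Date", "Message-ID",
                 "User-Agent", "Received")


def pgp_exposure(raw_message):
    """Return what a reader without the private key can and cannot see."""
    msg = email.message_from_string(raw_message, policy=policy.default)

    exposed = {}
    for name in CLEAR_HEADERS:
        values = msg.get_all(name)
        if values:
            exposed[name] = [str(v) for v in values]

    # PGP/MIME wraps the ciphertext in a multipart/encrypted container;
    # inline PGP puts the ASCII-armored block directly in a text part.
    if msg.get_content_type() == "multipart/encrypted":
        encrypted = True
    else:
        body = msg.get_body(preferencelist=("plain",))
        text = body.get_content() if body is not None else ""
        encrypted = text.lstrip().startswith("-----BEGIN PGP MESSAGE-----")

    return {"exposed": exposed, "body_encrypted": encrypted}


if __name__ == "__main__":
    report = pgp_exposure(SAMPLE)
    print("Body encrypted:", report["body_encrypted"])
    for name, values in report["exposed"].items():
        for value in values:
            print("Readable without the key -> %s: %s" % (name, value))
```

Run against the sample, every header line is listed as readable, including the subject line that names the topic, while only the message body is protected.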

For calls and messaging, there are different applications with enhanced levels of encryption and privacy such as Signal or Wire. These are preferred over WhatsApp or Telegram, though the latter are more commonly used and you may encounter people who are not easily accessible on any other (safer) apps. It is worth noting that not all these communication apps are available everywhere and there are regions where using Wire, for instance, would be impossible as it is blocked.


Note:

Check our guide on Keeping Your Digital Communication Private from Security-in-a-Box for details on how PGP works and how to adapt encryption to your situation, as well as for more extensive tips, tools, and methods to keep your digital communication as private as possible.

When you are forced to rely on conventional ways of communication - non-encrypted phone calls, landlines, etc. - make sure that you provide only the minimum information to your interlocutor and try to establish in advance what details are less risky to communicate with the person at the other end of the line, and how. When fearing threats and surveillance, use the above encrypted methods to get in touch with someone close to your sources who can help organise a meeting.


Note:

It’s very important to note that every mobile phone is trackable by default and there is nothing you can do about it. That is how mobile telephony works - signal providers know where all the devices accessing their network are, 24/7. This traceability of devices can also be expanded by enabling location tracking that can use GPS, Wi-Fi, Bluetooth, etc. - which makes tracking more precise and enables more third parties (other than your provider) to tap into your location data should they wish to.

On occasion, if you think your phone might be monitored, consider using a burner phone - a disposable phone you can use on one or a few occasions and that is not linked to you or that you can discard easily.

Note that bringing devices is not an easy trade-off to make: the more devices you bring with you, the better you can find, collect and manage information - but with more equipment you increase the risks associated with these devices. A smartphone might be extremely useful but it will always be a tracking device. Decide carefully what you bring and what risks are attached to it - make conscious decisions - and if you take risks, don’t take them on behalf of others. A device might take you safely to a meeting and back - but it might expose your source forever.

The Guardian Project creates secure apps that are easy to use as part of their goal of security-focused solutions. You can find recommended, viable, vetted apps on their website.

Field Safety

Field investigations carry more physical risk than working from behind a computer. Traveling to new places, talking to people, filming, or using certain equipment can make you look suspicious in some contexts. This is why planning, carrying out a risk assessment, and considering the possible consequences of your actions is vital even if you are certain your activity is low-risk. There are no strict rules for a risk assessment but make sure you have a clear plan established in advance, know who your important contacts are and which individuals or organisations could provide assistance in the field.

Here are some essential aspects to consider when assessing your situation:

  • If your activity includes interviews with confidential or vulnerable sources, address the risks they are exposed to in your assessment. Discuss with them any vulnerabilities they might face while collaborating with you.
  • Take care when deciding the order in which you collect information, the people that you share it with, when/where you arrange to meet them and where and how you store the information you’ve gathered. Start with background research and less risky interviews or field work first, advance as you gather more information and always reassess the risks.
  • Beware of disclosing confidential or sensitive information about your investigation and sources. This might put you and your collaborators at risk depending on the context and issues you are researching.

Note:

Risk is inherited. If you are someone with little to no risk (you may live and work in a safe area) but you are interviewing a person experiencing high risk (living in a dangerous area, being under pressure, working on controversial issues), you inherit that risk. Your risk level will be higher for a period of time before and after the interview. If you interview someone for a report or an article that will be published, be prepared for your risk to increase at the time of publication. When investigating individuals in positions of power and influence, be prepared for a prolonged higher risk if they become aware of your investigation.

On the other hand, much like how you inherit other people’s risks, they inherit yours. Operating in a low risk area, or having a low risk profile does not mean you pose no risk to others. On the contrary you may contribute to increasing the risk of others you interact with. This can happen when your usual behavior in a low risk area may very well put you at risk in other areas. Very simple and normal acts such as communicating using a mobile phone on a mobile network may be safe and not concerning to someone in a low risk area but can easily subject someone to danger in a high risk area. Hence what can often happen is that one can expose others simply by not recognizing the context of those with whom they interact.

Keeping your location safe

A number of common apps, including Google Maps and WhatsApp, allow you to share your real-time location with specific people for a limited period of time. This feature could potentially be helpful when conducting field research because it can allow a trusted colleague to monitor where you are, as a safety measure.

On the other hand, sharing your location in real time can put you at risk if others who are interested in your whereabouts are able to access the data you share. When researching sensitive topics, or if you suspect that you might be under surveillance, you should avoid sharing or storing your location without using encryption.

Instead, consider finding alternative ways of tracking your daily movements while investigating, such as marking places and details manually, or using a printed map. In many cases, it is wiser to disable such location sharing features from your mobile phone and other devices with location tracking functions. Most smartphones allow you to do so under “Location Settings.”

Also, remember that digital threats and weaknesses are closely connected to physical safety and can have an effect on it, as well as on the physical safety of other people connected to you.


Note:

Image metadata can reveal more than you want it to. It may be possible for someone to use it to locate other photos on the internet that you or someone else took with the same camera, or figure out where you live if any of the photographs were taken in your home. While you may wish to preserve location information as part of your evidence, especially during field research, you should also be cautious about where and how you share images and other location-based data you collect.
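One way to act on the note above, as an added example that is not part of the original guide: a small Python script that walks the segments of a JPEG file, reports which ones carry metadata, and writes a copy without them so the original stays intact as evidence. The sample bytes are constructed to have the JPEG segment layout and are not a viewable photo; the function names are this example's own.

```python
import struct

# JPEG segment markers that commonly carry metadata rather than image data.
METADATA_MARKERS = {
    0xE1: "APP1 (Exif or XMP: camera, time, GPS, thumbnail)",
    0xED: "APP13 (IPTC/Photoshop: caption, author)",
    0xFE: "COM (free-text comment)",
}
SOI = b"\xff\xd8"   # start of image
SOS = 0xDA          # start of scan: compressed image data follows


def _segments(data):
    """Split a JPEG into (list of header segments, remainder from SOS on)."""
    if data[:2] != SOI:
        raise ValueError("not a JPEG file (missing SOI marker)")
    pos, segments = 2, []
    while pos + 4 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError("corrupt JPEG: expected marker at offset %d" % pos)
        marker = data[pos + 1]
        if marker == SOS:
            return segments, data[pos:]
        # The 2-byte big-endian length counts itself but not the marker.
        (length,) = struct.unpack(">H", data[pos + 2:pos + 4])
        end = pos + 2 + length
        if length < 2 or end > len(data):
            raise ValueError("corrupt JPEG: bad segment length")
        segments.append((marker, data[pos:end]))
        pos = end
    raise ValueError("corrupt JPEG: no image data found")


def list_metadata(data):
    """Describe the metadata-bearing segments present in the file."""
    segments, _ = _segments(data)
    return [METADATA_MARKERS[m] for m, _ in segments if m in METADATA_MARKERS]


def strip_metadata(data):
    """Return a copy of the JPEG with metadata segments removed."""
    segments, image = _segments(data)
    kept = b"".join(seg for m, seg in segments if m not in METADATA_MARKERS)
    return SOI + kept + image


def _seg(marker, payload):
    """Helper used only to build the constructed sample below."""
    return bytes([0xFF, marker]) + struct.pack(">H", len(payload) + 2) + payload


# Constructed sample with the layout of a camera JPEG (not a real photo).
SAMPLE = (
    SOI
    + _seg(0xE0, b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00")
    + _seg(0xE1, b"Exif\x00\x00" + b"<constructed GPS block>")
    + _seg(0xFE, b"taken at home")
    + _seg(0xDB, bytes(65))
    + b"\xff\xda\x00\x02" + b"<scan data>" + b"\xff\xd9"
)

if __name__ == "__main__":
    print("Before:", list_metadata(SAMPLE))
    shareable = strip_metadata(SAMPLE)
    print("After: ", list_metadata(shareable))
```

Removing the Exif segment also removes the orientation tag, so a stripped photo may display rotated, and this script covers JPEG only; other formats such as PNG or HEIC store metadata differently.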

For more readings related to metadata, related safety and research methods, see these resources:

For a full overview of the actions and related risks when conducting field investigations, read our Kit guide “Away from your screen, out in the field.”

More important factors

You will encounter situations where your perceived gender, race, religion and other personal aspects will have an effect on your safety, on how you can do your work and how other people accept or address you. Be aware of this and make sure you establish clear boundaries from the beginning to avoid unwanted or unexpected reactions. Research the place, culture, beliefs, and social norms of the places, communities, and people you visit or plan to talk to.

Visit the “Safety First!” sections of the online Kit for detailed advice applied to each investigation context: kit.exposingtheinvisible.org.


Published August 2020

Resources

Articles and Guides

  • Asi Que Necesitas Hacer Una Videollamada, from Derechos Digitales. A brief guide in Spanish on how to choose the optimal videoconferencing tools for your needs and risk level.
  • Data Detox Kit from Tactical Tech – online step-by-step guide and interactive materials that help you clean your online traces and be more aware of your online practices (see the privacy essentials here: https://datadetoxkit.org/en/privacy/essentials)
  • Digital Security Checklist – helpful checklist of tools you should/could have or use to stay safer online (browsing, communications, data storage/sharing etc.)
  • Guide to Secure Group Chat and Conferencing Tools, from Frontline Defenders.
  • Holistic Security, from Tactical Tech – a resource about physical and digital security and wellbeing when researching and investigating in action.
  • Ononymous, from Tactical Tech – Videos and resources about security for beginners.
  • Security in a Box from Tactical Tech (in multiple languages) – guides and recommendations on tools and practices to keep you safe online (except for the sections labeled ‘unmaintained’)
  • Surveillance Self-Defense, from the Electronic Frontier Foundation (EFF) - basics on how surveillance works, and tips, tools, tutorials for safer online communications.
  • Technology is Stupid, from Tactical Tech – A discussion on the security and ethics of choosing software.

Tools and Databases

Browsers and search engines

  • TOR browser - for private Internet browsing
  • Brave browser - privacy-respecting browser that blocks trackers
  • DuckDuckGo - search engine that does not track your searches and does not keep a history of them
  • Searx - privacy-respecting search engine
  • HTTPS Everywhere - Firefox, Chrome, and Opera extension that encrypts your communications with many major websites, making your browsing more secure
  • PrivacyBadger - add-on that blocks invisible trackers you interact with on the web

VPN - Virtual Private Network

  • ThatOnePrivacySite - a VPN review site to check when deciding what VPN to use. It is recommended you choose a VPN company that claims that they do not record logs of your traffic.
  • ! Most free VPNs should be avoided because they often fund their operation by selling their log data (records of what sites users visit via the VPN). However, there are some reputable ones we can endorse, such as: Bitmask, Riseup VPN, Psiphon, Lantern, ProtonVPN.

Disk and file encryption

  • VeraCrypt - free open source disk encryption software for Windows, Mac OSX and Linux
  • Cryptomator - free open source file encryption tool, for online use only, encrypts your data and makes it possible to upload it protected to your cloud service, drive etc…

Email encryption

  • GPG - for email encryption
  • Mailvelope - a browser add-on that you can use in Firefox or Chrome to securely encrypt your emails with PGP / Pretty Good Privacy
  • Thunderbird - A free email client that can be used with a plugin called Enigmail to offer seamless PGP integration

Password managers

  • KeePassXC - manager for secure password storage offline
  • LastPass - for secure password management online
  • Firefox Lockwise - for secure password management online

Communications

  • Signal - encrypted communication app for phone and desktop
  • WIRE - encrypted communication app available for free on Android devices and iPhones, also available for desktop

Other

  • What is My IP Address - shows you your IP address, location and other details as seen by websites you visit, and also allows you to locate details of others by their IP addresses
  • MyLocation - similar to the above, helping with IP tracking
  • Panopticlick - shows you how traceable your browser is and where your vulnerabilities are, so you can take better safety measures
  • Lightbeam - Mozilla Firefox add-on that allows you to see the first and third party sites and trackers you interact with while on the web
  • Have I Been Pwned - shows you if your email and other password-protected services have been hacked and where the vulnerabilities are.
  • How Secure is My Password - website that allows you to test passwords/passphrases for strength, and also shows you how easy or difficult they are to break. Do not use your real passwords there.

Glossary

Full Disk Encryption - Encrypting your hard drives or storage fully, not just a portion of them, so that the entire storage is not accessible without decrypting it first.

Metadata – Also called ‘data about data’, is information that describes the properties of a file, be it an image, a document, a sound recording, a map, etc. For example the contents of an image are the visible elements in it, while the date when the image was taken, the location and device information constitute its metadata.

Open source - The ‘code’ or instructions that constitute a software program or application on a device is made available to read.

Source code - The instruction set to run a program on a computing device in a format that is human readable.

The Tor Browser - A browser that keeps your online activities private. It disguises your identity and protects your web traffic from many forms of internet surveillance. It can also be used to bypass internet filters.