“A strong security culture will protect others as well as yourself.”

Below you will find some tips on using apps and tools safely, and on in-person safety.


Signal

Please note: Signal and SimpleX are the most secure. DO NOT USE Telegram, SMS, Facebook Messenger, WhatsApp etc.

Before using Signal, make a few adjustments in the settings to ensure security for you and others.

1. Set your number to be hidden (in the ‘Privacy’ section, select ‘Phone number’ and tick ‘nobody’)

2. Set your Signal username (tap on your photo which takes you into your Profile, tap on @ to set up or change your username. A Signal username always has to have a number in it, e.g. Eagle.96). Don’t use your actual name, use a code name.

3. Always share your Signal username, not your phone number, for people to reach you.

4. Don’t use an identifying Signal profile image.

5. Set disappearing messages to an appropriate time limit (and a shorter one, so that messages disappear on the date of any action).

6. Check your messages regularly because if someone sends you sensitive info it won’t disappear till you’ve checked it!


VPNs

A Virtual Private Network (VPN) helps disguise your identity and activity on the internet. It encrypts your internet traffic and then routes it through your VPN provider’s server before you connect to a website or another online service. 

IMPORTANT: Remember that many VPNs are not trustworthy and actually sell your data!

We recommend using the following VPNs:

  • Mullvad (comparatively fast)
  • IVPN 
  • Proton VPN

Operating Systems (Tails)

For extra security, use Tails, an anonymous operating system that you download onto a USB stick; it hides your IP address completely. Instructions here – https://tails.net/.


Phones

  • Encrypt your phone with Graphene OS (for this you need a Google Pixel phone, a 4a model or later).
  • Keep your public phone separate from any burners or phones you use for anything sensitive. Use a good password.
  • DO NOT use biometric passwords (fingerprints or face recognition).
  • Keep your burner in a Faraday case or equivalent, or wrap it in tin foil, when at home. Do not let it near your other phone.
  • Switch off Bluetooth and Wi-Fi except when needed.

Encrypting phones – To encrypt an Android smartphone, use Graphene Operating System (OS).


Internet usage

Secure browsers

As mentioned above, use a VPN to browse the internet as well as a secure browser.

  • Tor browser & VPN – use for sensitive research. DO NOT bother using Tor with a VPN to log into any accounts that would give away your identity (e.g. your personal Instagram / Facebook). Once you log into anything insecure, you become identifiable.
  • Brave / hardened Firefox (ideally with a VPN) – Use for logging into insecure accounts that will identify you – or when websites will not load on your Tor browser.

Search engines

  • Best internet search engine (secure Google alternative): DuckDuckGo
  • INSECURE search engines: Basically all other search engines are insecure: Ecosia (Google greenwashed), Google, Brave etc.

For phones

  • For Android phones – use Mole
  • Ideally just don’t use an iPhone for sensitive work.

For laptops

  • Mullvad VPN with Brave browser (with a Tor option on the top-right of Brave).
    More info on using Brave here – https://www.youtube.com/watch?v=N67kJLaWtoA
  • Hardened Firefox (one of the few browsers NOT owned by Google – even Brave is based on Chromium, which is owned by Google). How to harden Firefox – https://www.youtube.com/watch?v=F7-bW2y6lcI&t=0s
  • Also see the section on Tails above. It is an operating system that runs from a USB stick, specifically designed with anonymity in mind.

Emails

Emails are not secure unless you have emailed from a Proton account to another Proton account (ideally with disappearing emails on). Even then, Proton would still have to give your data to the police if asked.

NOTE: If you email a non-Proton address from a Proton account, your email is no longer secure.

Some rules for Protonmail

  • Never give any identifying information in your emails (e.g. your name in your email address). That will protect you against being linked to the account.
  • Setting up a Protonmail address without a non-Proton email for confirmation – If you set up a new Protonmail with a good VPN (e.g. Mullvad or IVPN), Proton should not recognise you as someone who has set up an account before and will not ask for an email for confirmation.

Email aliasing

If you still need a non-Proton email to create a new Protonmail:

Email aliasing can also be useful to hide your identity in your main email address – An email aliasing service allows you to easily generate a new email address for every website you register for. The email aliases you generate are then forwarded to an email address of your choosing, hiding both your “main” email address and the identity of your email provider.


Keeping a low profile

Don’t tell anyone

Apart from all the tech tips, one major security breach is telling people what you are doing. You are putting others at risk if you tell people who are not doing the action with you about what you are doing. As tempting as it is: keep quiet.

Need-to-know

Even people you are doing something with don’t need to know everything. Code names are good; they don’t need your real phone number or where you live. If there are different parts to an action, share the information people need, not everything.

Raid-proof your home

Damning evidence like clothes with paint on? Get rid of it. Don’t save stuff on your phone or laptop.