- Description
- Do not use a phone, or leave your phone at home
- Use security-oriented operating systems
- Encrypt your devices
- Use strong passwords
- Use Tor or a VPN
- Use end-to-end encrypted messaging applications
- Back up your digital data
- Store your devices in a tamper-evident way
- Buy your devices anonymously
- If necessary, physically destroy your storage devices
- Other best practices
- Techniques addressed by this mitigation
The foundation of digital best practices is to limit the reach of technology into your life. Try to limit your use of digital devices, in particular for sensitive activities. That said, there are a number of best practices that you can follow when using digital devices.
A phone location is tracked at all times, its hardware identifiers and subscription information are logged by cell towers with every connection, and it can be hacked. If possible, do not use a phone. If you must use a phone:
- Use a GrapheneOS[1] smartphone with end-to-end encrypted messaging applications. Do not use traditional SMS and calls.
- Do not carry the phone with you, leave it at home at all times.
See AnarSec's guide “Kill the Cop in Your Pocket”[2] on the dangers of using a phone.
Use:
- Debian[3] or Qubes OS[4] for daily computer use. See AnarSec's guide “Qubes OS for Anarchists”[5] on Qubes OS.
- Tails[6] for sensitive computer use, such as reading a sensitive article, researching for an action, writing and sending an action claim, and moderating a sketchy website. See AnarSec's guides “Tails for Anarchists”[7] and “Tails Best Practices”[8].
- GrapheneOS[1] for phones. See AnarSec's guide “GrapheneOS for Anarchists”[9].
Do not use Windows, macOS, or iOS, as they are not open-source. Do not use stock Android as it is not as secure as GrapheneOS.
Enable Full Disk Encryption on all your digital devices.
Most of your passwords (e.g. passwords you use to log in to websites) should be generated by and stored in a password manager — we recommend KeePassXC[10] — so that you don't have to remember them or even type them. They can be very long and random, say 40 random characters. You can generate such passwords with KeePassXC (select the “Password” tab when generating a password).
The passwords you enter when booting your encrypted devices and KeePassXC's password must be memorized. We recommend using Diceware[11] passwords of 5 to 10 words[12]. You can generate such passwords with KeePassXC (select the “Passphrase” tab when generating a password) or with physical dice[13]. You should use different passwords for each of your encrypted devices, but we recommend using the same password for all your KeePassXC databases (so that you have less passwords to memorize).
For example, if you have an encrypted laptop, a Tails stick and an encrypted phone, you will have to remember 4 passwords of 5 to 10 words (one for each device and one for the KeePassXC databases). This is a lot! To make sure you don't forget all those passwords, you can:
- Use memorization techniques, such as repeating the passwords in your head every day when you wake up.
- Store a copy of the passwords on a USB stick that you keep in a hidden place outside your home, and that is encrypted with a 10-word Diceware password. You don't memorize this 10-word password, you store it in the KeePassXC databases of one or two trusted comrades who also follow these digital best practices. This way, if you forget a password, you can ask the trusted comrades for the 10-word password and retrieve the USB stick: on it, you will find the forgotten password.
- Store a copy of the passwords on a USB stick that you keep in a hidden place outside your home, and that is encrypted with a 20-word Diceware password. You don't memorize this 20-word password, you split it into two halves of 10 words each, write each half on a piece of paper, and store each piece of paper in a different hidden place (not with the USB stick). This way, if you forget a password, you can retrieve the two pieces of paper, reconstruct the 20-word password, and retrieve the USB stick: on it, you will find the forgotten password.
Use Tor[14] or a reputable Virtual Private Network (VPN) for your Internet activity. If you use Tor or a VPN and an adversary is monitoring your network traffic, it is harder for them to obtain data about your Internet activity, such as what websites you visit or what you do on those websites (it is also harder for them to target you with malware).
However, note that Tor and VPNs are not equivalent:
- If you use Tor, it is very difficult, even for the State, to obtain data about your Internet activity (as long as you otherwise follow digital best practices).
- If you use a VPN, it can be either difficult or easy for the State to obtain data about your Internet activity, depending on your context, on the monitoring capabilities of the State, and on the VPN you use.
Therefore:
- You should use Tor for all your sensitive Internet activity, and as much of your non-sensitive Internet activity as possible.
- If you cannot use Tor for a given non-sensitive Internet activity (for example because you need to use a website that blocks Tor), you can use a VPN for it.
- You should not conduct any Internet activity without Tor or a VPN.
You can use both Tor and a VPN simultaneously by connecting to a VPN before Tor: this has several security benefits[15]. You should not connect to a VPN after Tor unless you really know what you are doing[16].
Use end-to-end encrypted messaging applications for all your digital communications:
- Ideally, use peer-to-peer and metadata-resistant applications such as Cwtch[17] or Briar[18]. Otherwise, use metadata-resistant applications such as SimpleX[19] or Signal[20].
- Email is not metadata-resistant and should be avoided if possible. If you must use email, use PGP encryption and register an address with a trusted service provider[21].
Do not use Telegram as not all messages are end-to-end encrypted. Do not use Matrix as it is not metadata-resistant[22].
See AnarSec's guide “Encrypted Messaging for Anarchists”[23] for recommendations of end-to-end messaging applications.
Back up your digital data regularly, especially data you really don't want to lose, such as your password manager database. Encrypt your backups with Full Disk Encryption. A typical practice is to have two backups:
- An “on-site” backup that you keep at home and update frequently, such as once a week.
- An “off-site” backup that you keep outside your home and update less frequently, such as once a month.
The advantage of the on-site backup is that it has a more recent version of your data. The advantage of the off-site backup is that it cannot be seized in the event of a house raid against your home.
If an adversary physically accesses one of your digital devices, they could tamper with it, making it unsafe to use. To detect when an adversary has physically accessed a device, you can use tamper-evident preparation.
Buying digital devices anonymously has two advantages:
- If one of your digital devices is seized by an adversary, the adversary may recover information from the device using digital forensics. If you bought the device anonymously, the adversary may not be able to link the device, and thus the information they recovered, to you.
- If you buy a digital device in a way that doesn't give you immediate access to the device (e.g. if you order a laptop online), buying anonymously can prevent an adversary that is targeting you from tampering with the device before you gain access to it (e.g. between the purchase and the delivery of the laptop).
If you want to ensure that an adversary can never access the data stored on a storage device (e.g. a laptop's hard drive, a USB stick, a SD card), the only solution is to physically destroy the storage device. This is because:
- Even if the storage device is encrypted with Full Disk Encryption using a strong password, an adversary could bypass the encryption.
- Modern storage devices can store a hidden copy of their data in spare memory cells[24], so overwriting the entire device is not sufficient.
To physically destroy a storage device:
- First, reformat and overwrite the entire storage device as an additional safety precaution.
- Then, use a high-quality household blender or an angle grinder to shred it into pieces, ideally less than two millimeters in size.
- Phishing is when an adversary tricks you into revealing sensitive information or installing malware on one of your digital devices. To mitigate this, do not open files or click links sent to you by people you don't trust. See AnarSec's “Phishing Awareness” section[25] on the measures you can take against phishing.
- Doxing is when an adversary publishes your personal information without your consent. See Doxcare: Prevention and Aftercare for Those Targeted by Doxxing and Political Harassment on the measures you can take against doxing.
Techniques addressed by this mitigation
| Name | Description | |
|---|---|---|
| Alarm systems | When carrying out a cyber action, you can use digital evasion techniques[26] to prevent intrusion detection systems from detecting the action. | |
| Biased interpretation of evidence | You can follow digital best practices to limit the information an adversary has about you, and therefore limit the information they can interpret in a biased way. | |
| Covert surveillance devices | ||
| Video | An adversary can install covert video surveillance devices that can film a computer or phone screen, or a computer keyboard. To mitigate this, when using a computer or phone for sensitive activities, you can:
| |
| Door knocks | You can follow digital best practices to make it harder for an adversary to log who you contact after they knock on your door. | |
| Doxing | You can follow digital best practices to make it harder for an adversary to dox you. | |
| Forensics | ||
| Digital | An adversary can use digital forensics to retrieve data from a digital device you have used. To mitigate this, you can follow digital best practices and, in particular, use Tails[6], an “amnesic” operating system designed to leave no trace on the computer it runs on. When investigating a cyber action, an adversary can use digital forensics to analyze the targets of the action to determine where the action came from, a process called attribution which may include determining what tools were used in the action and any other digital “signatures”. When carrying out a cyber action, you can follow digital best practices to make it harder for an adversary to achieve attribution. For example, you can:
| |
| Mass surveillance | ||
| Mass digital surveillance | You can follow digital best practices to make mass digital surveillance ineffective. For example, you can use Tor[14] to anonymize your Internet activity, and you can use security-oriented operating systems and applications that limit the data they store or collect about you. | |
| Network mapping | You can follow digital best practices, and in particular use end-to-end encrypted messaging applications on encrypted devices, to obscure your social networks and make it harder for an adversary to map your network. | |
| Service provider collaboration | ||
| Mobile network operators | You can follow digital best practices to make it harder for mobile network operators to provide useful information to an adversary. For example, you can:
| |
| Other | You can follow digital best practices to make it harder for service providers to provide useful information to an adversary. For example, you can:
| |
| Targeted digital surveillance | ||
| Authentication bypass | You can follow digital best practices, and in particular use security-oriented operating systems with Full Disk Encryption (FDE) and strong passwords, to make it harder for an adversary to bypass authentication on your digital devices. For example:
| |
| Malware | You can follow digital best practices, and in particular use security-oriented operating systems to make it harder for an adversary to install malware on your digital devices. | |
| Network forensics | You can follow digital best practices, and in particular use Tor[14], to make it harder for an adversary to monitor and analyze your network traffic. | |
| Physical access | You can follow digital best practices to mitigate the risk of an adversary physically accessing your digital devices. For example, if you are going to an event or demonstration and you think that you could be arrested, you should not take your phone with you. | |
If an adversary physically accesses one of your digital devices, they can try to guess its password through repeated, automated authentication attempts (a process called “brute force”). They can also copy the device's data and wait years or decades until new technologies are invented that allow them to guess a password they cannot guess today. To mitigate this, you should use strong passwords. Assuming you are using the operating systems we recommend, and based on our best knowledge of the capabilities of State adversaries, we recommend that you use Diceware passwords of:
- 5 words to be safer today.
- 7 words to be safer in the near future.
- 10 words to be safer in the distant future.
If you connect to a VPN before Tor, it is harder for the State to know that you are using Tor, and it can be harder for the State to obtain data about your Internet activity through advanced attacks such as traffic fingerprinting.