Digital best practices

Contents

The foundation of digital best practices is to limit the reach of technology into your life. Try to limit your use of digital devices, in particular for sensitive activities. That said, when using digital devices, you can follow the following best practices.

Do not use a phone, or leave your phone at home

A phone location is tracked at all times, its hardware identifiers and subscription information are logged by cell towers with every connection, and it can be hacked. If possible, do not use a phone. If you must use a phone:

See AnarSec's guide “Kill the Cop in Your Pocket”[2] on the dangers of using a phone.

Use security-oriented operating systems

Use:

Do not use:

Encrypt your devices

Enable Full Disk Encryption on all your digital devices.

Use strong passwords

Most of your passwords (e.g. passwords you use to log in to websites) should be generated by and stored in a password manager — we recommend KeePassXC[10] — so that you don't have to remember them or even type them. They can be very long and random, say 40 random characters. You can generate such passwords with KeePassXC (select the “Password” tab when generating a password).

The passwords you enter when booting your encrypted devices and KeePassXC's password must be memorized. We recommend using Diceware[11] passwords of 5 to 10 words[12]. You can generate such passwords with KeePassXC (select the “Passphrase” tab when generating a password) or with physical dice[13]. You should use different passwords for each of your encrypted devices, but we recommend using the same password for all your KeePassXC databases (so that you have less passwords to memorize).

For example, if you have an encrypted laptop, a Tails stick and an encrypted phone, you will have to remember 4 passwords of 5 to 10 words (one for each device and one for the KeePassXC databases). This is a lot! To make sure you don't forget all those passwords, you can:

Use Tor or a VPN

Use Tor[14] or a reputable Virtual Private Network (VPN) for your Internet activity. If you use Tor or a VPN and an adversary is monitoring your network traffic, it is harder for them to obtain data about your Internet activity, such as what websites you visit or what you do on those websites (it is also harder for them to target you with malware).

However, note that Tor and VPNs are not equivalent:

Therefore:

You can use both Tor and a VPN simultaneously by connecting to a VPN before Tor: this has several security benefits[15]. You should not connect to a VPN after Tor unless you really know what you are doing[16].

Use end-to-end encrypted messaging applications

Use end-to-end encrypted messaging applications for all your digital communications:

Do not use:

See AnarSec's guide “Encrypted Messaging for Anarchists”[22] for recommendations of end-to-end messaging applications.

Back up your digital data

Back up your digital data regularly, especially data you really don't want to lose, such as your password manager database. Encrypt your backups with Full Disk Encryption. A typical practice is to have two backups:

The advantage of the on-site backup is that it has a more recent version of your data. The advantage of the off-site backup is that it cannot be seized in the event of a house raid against your home.

Store your devices in a tamper-evident way

If an adversary physically accesses one of your digital devices, they could tamper with it, making it unsafe to use. To detect when an adversary has physically accessed a device, you can use tamper-evident preparation.

Buy your devices anonymously

Buying digital devices anonymously has two advantages:

If necessary, physically destroy your storage devices

If you want to ensure that an adversary can never access the data stored on a storage device (e.g. a laptop's hard drive, a USB stick, a SD card), the only solution is to physically destroy the storage device. This is because:

To physically destroy a storage device:

Other best practices

Techniques addressed by this mitigation

NameDescription
Alarm systems

When carrying out a cyber action, you can use digital evasion techniques[25] to prevent intrusion detection systems from detecting the action.

Biased interpretation of evidence

You can follow digital best practices to limit the information an adversary has about you, and therefore limit the information they can interpret in a biased way.

Covert surveillance devices
Video

An adversary can install covert video surveillance devices that can film a computer or phone screen, or a computer keyboard. To mitigate this, when using a computer or phone for sensitive activities, you can:

  • Keep the device facing a wall that you can thoroughly search for covert video surveillance devices (rather than facing a window or TV, for example).
  • Enter your passwords while under an opaque sheet or blanket.
Door knocks

You can follow digital best practices to make it harder for an adversary to log who you contact after they knock on your door.

Doxing

You can follow digital best practices to make it harder for an adversary to dox you.

Forensics
Digital

An adversary can use digital forensics to retrieve data from a digital device you have used. To mitigate this, you can follow digital best practices and, in particular, use Tails[6], an “amnesic” operating system designed to leave no trace on the computer it runs on.

When investigating a cyber action, an adversary can use digital forensics to analyze the targets of the action to determine where the action came from, a process called attribution which may include determining what tools were used in the action and any other digital “signatures”. When carrying out a cyber action, you can follow digital best practices to make it harder for an adversary to achieve attribution. For example, you can:

  • Use popular rather than custom tools.
  • If you use a Virtual Private Server (VPS), purchase it anonymously and access it through Tails[6].
Mass surveillance
Mass digital surveillance

You can follow digital best practices to make mass digital surveillance ineffective. For example, you can use Tor[14] to anonymize your Internet activity, and you can use security-oriented operating systems and applications that limit the data they store or collect about you.

Network mapping

You can follow digital best practices, and in particular use end-to-end encrypted messaging applications on encrypted devices, to obscure your social networks and make it harder for an adversary to map your network.

Service provider collaboration
Mobile network operators

You can follow digital best practices to make it harder for mobile network operators to provide useful information to an adversary. For example, you can:

  • Not use a phone, or leave your phone at home.
  • Use end-to-end encrypted messaging applications on your phone, instead of traditional SMS and calls.
Other

You can follow digital best practices to make it harder for service providers to provide useful information to an adversary. For example, you can:

  • Use Tor[14] to make it harder for your Internet Service Provider to provide useful information about your Internet activity to an adversary.
  • Use trusted online services[21] that will refuse to comply with an adversary's requests to access your data, or build their service to make it technically impossible to comply with such requests.
Targeted digital surveillance
Authentication bypass

You can follow digital best practices, and in particular use security-oriented operating systems with Full Disk Encryption (FDE) and strong passwords, to make it harder for an adversary to bypass authentication on your digital devices. For example:

  • On computers, you can use the Linux FDE called LUKS, which is used by many Linux systems, such as Debian[3] and Tails[6], and which the forensics department of the German federal police was unable to decrypt after a year of effort.
  • On phones, you can use GrapheneOS, whose FDE makes it difficult for an adversary to guess the encryption password by brute force: after 140 failed attempts, each is delayed for a full day[26].
Malware

You can follow digital best practices, and in particular use security-oriented operating systems to make it harder for an adversary to install malware on your digital devices.

Network forensics

You can follow digital best practices, and in particular use Tor[14], to make it harder for an adversary to monitor and analyze your network traffic.

Physical access

You can follow digital best practices to mitigate the risk of an adversary physically accessing your digital devices. For example, if you are going to an event or demonstration and you think that you could be arrested, you should not take your phone with you.


12. 

If an adversary physically accesses one of your digital devices, they can try to guess its password through repeated, automated authentication attempts (a process called “brute force”). They can also copy the device's data and wait years or decades until new technologies are invented that allow them to guess a password they cannot guess today. To mitigate this, you should use strong passwords. Assuming you are using the operating systems we recommend, and based on our best knowledge of the capabilities of State adversaries, we recommend that you use Diceware passwords of:

  • 5 words to be safer today.
  • 7 words to be safer in the near future.
  • 10 words to be safer in the distant future.
15. 

If you connect to a VPN before Tor, it is harder for the State to know that you are using Tor, and it can be harder for the State to obtain data about your Internet activity through advanced attacks such as traffic fingerprinting.