Zebra Crossing: an easy-to-use digital safety checklist
🦓 Zebra Crossing: an easy-to-use digital safety checklist
🎯 Start here!
🤔 Read this guide if you
- Use the internet daily — for work, social media, and financial transactions.
- Want to secure your digital safety and privacy proactively but aren’t in immediate danger. (If you are, reach out to someone in your community for a one-on-one consultation.)
- Feel comfortable with technology — you feel confident about changing the settings on your computer or smartphone.
🗺 Where this guide is from
- This guide draws from our work helping individuals and groups upgrade their digital safety practices, and from our experiences living and working in Canada, the US, Germany and Hong Kong.
- Wherever possible, we chose apps and tools that are accessible and easy to use over ones that are technically sophisticated but difficult to use. Our decision is based on our observation that people become clumsier in stressful situations, so it is important to keep procedures as simple as possible.
🌱 How to use this guide
- Start from Level 1 and work your way up! Recommendations are sorted by increasing levels of difficulty.
- Level 1 is the quick essentials section. You should be able to work through it within half an hour, and chances are, you're already familiar with many of the recommendations in there — but it never hurts to double check.
- Level 2 digs deeper into your device/app settings. This section will take 1-2 hours, depending on how many accounts and devices you frequently use.
- At a minimum, do everything in Levels 1 and 2. It'll protect you from the most widely-used attacks.
- Between level 2 and 3 is a reading break intermission about developing better digital safety habits and reflexes.
- Level 3 will help you fine tune your privacy online and drastically decrease the amount of personal information you're giving out for free. This section will also take 1-2 hours.
- Level 4 powers up your digital safety practice with the latest tools and tips. Some parts of it might require you to step outside your comfort zone, some parts require you to spend money on things. Most of it should only take half an hour to complete.
- The scenarios shared after Level 4 are for higher-stakes situations. Scan them to see if any of them apply to you. (Because the stakes are higher, they assume you’ve done everything in Levels 1–4.)
- This guide is a living document. Please feel free to submit a pull request or fork your version of this guide on GitHub.
🗣 Read this guide in other languages
- 繁體中文 (Traditional Chinese)
- Deutsch (German)
- العربية (Arabic)
- 日本語 (Japanese, a work-in-progress)
- Türkçe (Turkish, a work-in-progress)
- Italiano (Italian, a work-in-progress)
- Looking to contribute another language? Send us a message to collaborate.
☕️ Support this guide
- Buy us a virtual coffee
- Share this guide with your friends and community!
- Send your feedback or contribute to the guide on GitHub.
🕒 Last updated
- 27 January 2026
🧐 Useful terms to learn
🎯 Threat modeling
Threat modeling is a process that allows us to identify potential threats to safeguard against them. To build your threat model, ask yourself the following:
- “What kind of danger am I in?” E.g. credit card hacks, corporate espionage, or online harassment/doxxing.
- “What kind of assets am I protecting?” E.g. confidential documents, private photos, or personal messages.
🔗 Weakest link
The weakest link is where your digital safety is most vulnerable. For example, if an account’s forgot password function sends a link to your email, attackers only need to access your email to gain access to the account.
🔡 Encryption levels
Encryption is the process of scrambling or encoding information to make it unreadable to passers-by and prevent unauthorized access. People often categorize encryption into these three types:
- No encryption: Any third party can intercept the data and read it as-is. Often called "plaintext."
- Standard encryption: Data is encrypted so that intercepting third parties cannot read it, but the platform being used to send the data (e.g. Facebook Messenger) can unscramble and read it. The platform may hand the unscrambled data to courts if ordered to do so.
- End-to-end encryption: Only the original sender and receiver can read the data. The platform being used to send the data only has the scrambled, unreadable version. So if courts order the platform to hand over the data, there's nothing useful to hand over.
🧩 Metadata
Metadata is the contextual information surrounding your data. For example, the metadata for a phone call includes the number you called and the length of your call (but not the call’s contents). With enough metadata, attackers can piece together a relatively reliable picture of who you are, who you know, and where you’re going.
Unfortunately, legal protections around metadata tend to be weak or nonexistent.
🚶🏽♀️ Level 1: Essential safety in ten minutes
🔍 Identify important accounts
- Imagine that an attacker gains access to all of your online accounts. Which of these accounts would be really painful to lose? List them out and write them down.
- Typically this list includes accounts used for email, online banking, social media, and maybe one or two related to work.
- The list should be short, and have less than 10 items.
🔒 Double-lock important accounts
The first lock is usually your account password. The second lock takes on a different form and/or comes via a different channel — most often as a code sent to your phone via an app or text message (SMS). This additional lock is usually called two-factor authentication (abbreviated as 2FA) or two-step verification.
- Turn on two-factor authentication for the important accounts you just identified. To find instructions on how to do so:
two-factor authentication and the account name
- Look up the account provider on 2fa.directory
- Use an authenticator app if one is available. They're more secure than using SMS to receive your 2FA code.
- Turn on cloud-backup for your authenticator app in case you ever lose your phone.
Settings → 2FAS Backup
- Ente Auth: Create an account in the app
🔁 Turn on automatic software updates
Most new devices these days have automatic updates turned on by default, but it’s worth double checking:
- Check the update settings on your device operating system:
Settings → General → Software Update → Automatic Updates
- Android: Settings → System → System update
- On computers:
- macOS: System Settings… → General → Software Update → Automatic Updates
- Windows 11: Start → Settings → Windows Update → Advanced options
- Windows 10: Settings → Update & Security → Windows Update → Advanced options
- Check the update settings on your device’s main app store:
Settings → App Store → Automatic Downloads: App Updates
- Android: Open Play Store, then go to Settings → Auto-update apps
- macOS: Open App Store, then go to Settings → Automatic Updates
- Windows 10/11: Open the Microsoft Store, then go to Profile → Settings → App updates.
- Make sure your device's operating system can still receive updates:
About This Mac. Then make sure it's still "Service Status: Yes" on this endoflife.date page.
- For Windows: Find out what operating system you are running. Start → Settings → System → About Then make sure that it's still receiving security support on this endoflife.date page.
- If it's no longer getting updates:
- Make sure you have updated to the latest operating system that works on your device. Sometimes an update stalls because of a lack of disk space. (You will have gotten notices about this if you followed the steps above.) Or in the case of Windows, you may need to buy the new edition.
- Start looking into what device you want to get. For now though, work through the rest of this checklist to patch everything else up.
👍 Excellent! These simple steps will actually keep you safe "most" of the time. Think of it as having a good, solid lock on your front door. It's not foolproof, but it will keep your home safe most of the time. Continue on to secure the little things that may become vulnerabilities down the line.
🏃🏻♂️ Level 2: Secure all the little things
🧠 Use hard-to-guess passwords for important accounts
Attackers commonly gain access to your account is if your password is:
- Too short.
- Too easy to guess.
- It’s already been leaked as a part of a data breach/hacking incident and you’re use the same password in different places.
- Use password managers apps.
- Invent your own formula that’s a wordplay on the service you’re logging into.
- Write them down with pen and paper.
For now, focus on making sure the important accounts you identified in Level 1 have long, unique, hard-to-guess passwords . Here is a walkthrough of the three options:
Option 1: Install a password manager (recommended)
This is a popular option for people who are comfortable navigating extra settings and dialog boxes. A password manager app helps generate long passwords, stores them, and fills them in almost automatically when you log into a website.
- Recommended password managers:
- We do not recommend password managers that come with your operating system or web browser because they do not work outside of their ecosystem (e.g. Apple Passwords won’t work on an Android phone).
- Install the password manager app on both your phone and computer.
- Install the password manager browser extension on your desktop web browser.
- Only create passwords with more than 12 characters. We recommend using the option in the password manager that strings together random, unrelated words (e.g.
plant-truck-nose-frame-lace) so that it's easy to type in those rare instances when the autofill isn't working. - Next time you have to type in your password for another account, create an entry for it. This way, you will gradually add any frequently used accounts into the password manager. If you do this on the computer, the password manager's browser extension/add-on will capture the details automatically after you type them in.
- Notice that the app ties the login information to the URL. So if you're on a website and the password manager has no entry for it, be extra careful it's not a phishing website.
- Transfer all of your accounts later. Entering all of your accounts into the password manager will take a while, and is a task best saved for another day. (We've placed this time-consuming task in our
Level 3.) - Don't use your password manager as a two-factor authentication app. It's better to not put all your eggs in one basket.
Option 2: Use a formula
This option is commonly used by people who have strong memorization skills and people who prefer having less apps to manage and dialog boxes to tap on their devices.
Here’s an example of a simple formula from A Defensive Computing Checklist:
…a baseball fan might start every password with "BaseballRules!" Then, if "jungle" was their password for Amazon.com, the actual password is "BaseballRules!jungle" And, all you would have to remember would be that your Amazon password is "jungle". Pretty easy. Amazon. Jungle. And, the miserable password "book" for Barnes and Noble, becomes a good password ("BaseballRules!book") when run through the formula.
Add some extra punctuation marks, dashes and numbers to make the password a little longer and more irregular, and you have a pretty solid password formula.
Option 3: Use pen and paper
This option usually supplements the other two options, and is useful for people who rarely ever lose (physical) things. Writing on paper is especially useful if you use a formula and want to note down some hints about the formulas you’ve used.
In fact, password manager apps encourage people to print a sheet of paper with an account recovery code, and then write their master password on it. Here are the instructions for:
- 1Password: Get to know your Emergency Kit
- BitWarden: Recovery Codes (add your master password after printing)
🧑🔬 Set up backup codes for your important accounts
These codes are single-use, super long passwords that let you login to your account if you lose your devices. You might have been prompted to create a backup code when you set up two-factor authentication. They are useful to have in case of emergencies. Safe ways to store them include:
- Printing a paper copy and storing it in a private location
- Copying and pasting into a file that is then password locked folder on your computer (if you don't know how to do this, we will teach you our favorite method in Level 4)
- If you use a password manager, you can store it there as a note
📱 Secure your devices
Secure your phone
- Use a non-common/obvious unlock code for your phone with at least 10 digits. We recommend using a long string of numbers as it's easier to tap, but using both letters and numbers works too. Swipe patterns are not recommended, however, as they are too easy replicated by onlookers.
Settings → Face ID & Passcode → Change Passcode
- Android: Settings → Security → Screen lock
- Set up a pin code for your mobile phone SIM card:
- Don’t allow USB accessories to control a locked device:
Settings → Face ID & Passcode → Allow Access When Locked: USB Accessories.
- Android: Setting is off by default and is only available if Developer Options are turned on.
- Turn on your phone's anti-theft features:
Settings Face ID & Passcode → Stolen Device Protection
- Android: Settings → Security & Privacy → Other settings: More security and privacy → Security: Theft protection
- Turn on tracking for your devices in case you lose them, which allows you to remotely find and wipe your devices by logging into a website if you ever lose them.
- Disable 2G connectivity on your phone (Android only). 2G cellular network technology is outdated and has security vulunerabilities that allow fraudsters to send fake text messages. To disable it on Android:
Settings → Network and Internet → SIMs → [Your carrier name] → Allow 2G: Off
- If that option doesn’t appear, open the Phone app and enter ##4636##. A Testing screen will pop up. Select Phone information and then change the Set Preferred Network Type to the same as the current selection minus GSM. To see what each acronymn stands for, see Wikipedia’s Comparison of wireless standards page.
- For Android devices, make sure Google Play Protect is turned on if you use the Google Play Store:
→ Play Protect → Settings → Scan apps with Play Protect
Secure your computer
- Turn on your computer’s firewall:
System Preferences → Security & Privacy → Firewall.
- Windows 10/11: Start → Settings → Update & Security → Windows Security → Firewall & network protection → Microsoft Defender Firewall: On
- Turn off your computer’s remote access:
System Preferences → Sharing → Remote Login, Remote Management.
- Windows 10/11: Settings → System → Remote Desktop → Remote desktop: Off.
- Set up basic anti-virus software on your computer:
Start → Settings → Update & Security → Windows Security → Virus & threat protection
- If you use Microsoft Office: disable macros. Macros are small bits of code that automate actions which can be exploited by attackers. They can still be useful sometimes, which is why we recommend the
Disable all macros with notification, which allows you to manually allow macros from trusted sources to run.
Secure your home wifi router
- Log into the administration and settings dashboard. It’s usually accessible by going to
http://192.168.0.1in your web browser. Otherwise, check your instructions that came with your router. - Update the dashboard login if the password is simple.
- Review the devices currently connect to your network. You may have to explore until you find the
access control. Make sure you know what every device on the list is. - Turn off the following options if you see them. (Look for them under
advanced settingsorgateway functions):
- Check for any software updates. Look for sections labeled
maintenance,firmwareorsystem update. Don’t worry if you don’t see it — that means it’s either up to date or automatic updates are hard set to on.
🔑 Encrypt the data on your devices
Remember, encryption is only fully effective when the device is off!
- Encrypt your computer hard drive.
- Encrypt your phone storage.
Settings → Security → Encryption.
- Encrypt your backup hard drives.
🗓️ Stop malicious calendar invitations
Prevent calendar invitations from people you don't know from showing up automatically in your calendar; these invitations can be used to send malicious links.
- Google Calendar Settings
→ Event Settings → Add invitations to my calendar: When I respond to the invitation in email - Outlook:
File → Options → Calendar → Automatic accept or decline → Auto Accept/Decline: Automatically Accept Meeting Requests and Remove Canceled Meetings - iCloud: On iOS: Go to
Settings → [Your name] → iCloud → Saved to iCloud: See All → iCloud Calendar → Send & Receive → Receivingand selectEmailfor each account.
👍👍 Congratulations! You dove fearlessly into your settings — clicking, tapping, and swiping your way through — to close up the safety loopholes on your accounts and devices. Now the next section is all about learning and reviewing your habits and reflexes when it comes to digital safety, so it'll be mostly reading and reflecting (rather than tapping/clicking on your devices). Nevertheless, we still recommend taking a break for now because you definitely deserve the rest of the day off.
💪🏽 Intermission: Habits & reflexes review
🎣 Watch out for phishing scams
A phishing scam is an email or text message where an attacker is trying to trick you into giving your password or other login details. To defend yourself:
- Trust your instincts. If you feel like something is off — whether it's the way the text is written, the way the graphics look, or an unusual, first-time request from a service provider — it probably is.
- Check who it's from. Look over the sender's name and phone number or email address. If it's an email, be sure to closely read the bit after the
@symbol. - But remember sender details can be faked. It happens rarely, but it is technically possible to put on a fake sender name, email or phone number. So checking the sender details is a not 100% foolproof process.
- Think twice before clicking a link. When in doubt, carefully examine the domain in the link. To look at it without opening the link:
Hide preview. From then on, iOS will show the full URL whenever you tap and hold on a link.
- Android: Tap and hold on a link.
- On desktop:
- Firefox, Chrome, Edge: When your mouse cursor hovers over a link or button, the full URL will show up on the bottom left.
- macOS Safari: To turn on the above feature, go to View → Show Status Bar
- macOS Mail: Hover your mouse cursor over a link and wait for a few seconds for a pop-up to appear.
- After clicking links, scan the URL address bar in your web browser.
http (rather than https).
- Is the domain spelled incorrectly?
- So if there’s any lingering doubt, don’t click the link. In almost all cases, you don’t actually need to click the link. If the message is linked to a transaction or account, you can always go to the original website to look up the details.
🗄️ Beware of file attachments
- Don’t download/open unnecessary attachments.
- Upload suspicious attachments to VirusTotal to have them analyze it. Keep in mind files submitted to VirusTotal may be shared with multiple security researchers, so don’t submit sensitive information.
🫡 Say yes to updates
- Device operating systems: If you get a notification on your devices to update the operating system, do it as soon as possible.
- Apps: If you see notifications about available updates, follow through and update the app.
- Firmware updates: Check occasionally for firmware updates for your router and other internet-connected devices.
🙅🏾 Don't do this at home (or anywhere)
- Don’t charge your phone at public charging stations/ports. They present a risk because attackers might steal your data. Instead, use a portable battery or bring our own adapter to plug directly into the power outlet.
- Don’t plug in USB sticks/drives that you don’t know into your computer. It might have malicious software on it.
- Don’t enter passwords into in-app browsers. When a mobile app lets you browse a webpage without opening your web browser (i.e. an in-app browser), the app can record what websites you visit and what you type in them. So don’t type anything sensitive in there.
- Don’t use Google/X/Twitter/Facebook to sign up or log into other services, which gives these platforms unnecessary data about you. Each service should have its account.
🏊🏼♀️ Other healthy habits
- Restart your phone and computer once a week by turning it off and then back on to clean up its temporary memory (RAM) and so it runs smoother.
- When downloading a new mobile app, double-check to confirm it’s the right one. Many fake apps trick people by using a slightly modified name or icon of an existing, popular app.
- Regularly check the installed apps on your phone. Delete the ones you’re no longer using.
- Wipe your devices properly before donating or giving them away. If you’ve encrypted your phones and computers (as suggested earlier), a standard factory reset will work for most use cases.
- Need to send someone a password? Split it in half and send it via two different channels. For example, send half of the password through email and the other half via a voice call.
🆘 Learn about your phone’s Emergency SOS feature
- iOS:
Settings → Emergency SOS - Android:
Settings → Safety & emergency → Emergency SOS
🥳 Digital safety is as much about things you do on a daily basis as it is about how you set up your devices and apps. Feel free to come back and review these habits and reflexes later; we don't expect anyone to memorize them on their first read. Now, our next section is about how to upgrade your digital privacy, and it's a dense topic because everywhere we turn, some company is trying to harvest and sell our data to the highest bidder. Hope you're ready to take back (some) control of your data!
🧗🏿♀️ Level 3: Upgrade your digital privacy
⚙️ Fine tune your privacy settings
On social media & messaging apps
- Review the privacy settings on social media platforms and messaging apps you frequently use. Check who can see your content, what information about you is being made public, and what you are sharing with third-party apps/advertisers.
- Wherever possible, turn off read receipts for messaging apps. It may seem inconvenient at first, but in the long run you will have more privacy and freedom when people don't know if you've read their messages or not.
- Here are links to and instructions for the most commonly-used platforms/apps:
Settings → Privacy
- WhatsApp: Settings → Account → Privacy
- Snapchat: Settings → Privacy controls
- TikTok: Profile → Settings and privacy → Privacy
- Telegram: Settings → Privacy and Security
- Limit how Facebook tracks you on other websites by clearing and disconnecting Off-Facebook activity.
On email & social media accounts
- Review
Third-Party AppsorConnected Appslinked to major social media/email platforms. These third-party/connected apps have access to your data, and they might be selling it. Instructions for:
On email accounts
- Stop images from automatically loading in your emails, because companies use them as a way of tracking you.
⚙️ → All settings → General: Images: Ask before displaying external images. For email senders you trust, you can always click Always display images from on an email from them. To reverse this decision, you have to click the tiny downwards-pointing triangle next to to me at the top of your email.
- Proton Mail: Not necessary, as they have a feature that loads images on their own servers before sending it to you. More information here.
- Tuta Mail: Image loading is off by default, but you can turn on auto loading one sender at a time. In the automatic image loading disclaimer message that appears below the sender information, click Always trust sender (on mobile first click More). To reverse this decision, click/tap the three dots on the upper right corner and then click/tap Block external content.
On your phone
- Review which apps on your smartphone have access to your location data. Turn off access for the apps that don’t need it, and minimize the number of apps tracking your location.
Settings → Privacy & Security → Location Services
- Android: Settings → Location → App location permissions
- Turn off your unique advertising ID number so that advertisers can't pinpoint you as easily:
Settings → Privacy & Security → Tracking → Allow Apps to Request to Track: Off
- iOS: Settings → Privacy & Security → Apple Advertising → Personalized Ads: Off
- Android: Settings → Security & Privacy → Privacy → Ads → Delete advertising ID
- On iOS, turn off the setting that allows apps to track your activity across other apps and websites:
Settings → Privacy & Security → Tracking → Allow Apps to Request to Track: Off
- On Android, turn off passive Wi-Fi and Bluetooth scanning.
Settings → Location → Location services → Wi-Fi scanning
- Settings → Location → Location services → Bluetooth scanning
- Delete any apps that you don’t recognize or haven’t used in a long time. You can always re-download any of them if need be, though there will be a few apps that come with the operating system that cannot be deleted.
App Library screen. Scroll to the bottom to the Hidden group. Tap to open and unlock using Face ID or passcode.
- Android: See all apps including hidden ones in Settings → Apps → See all apps
- Delete third-party keyboards on your phone. They often share what you type with the software maker.
On your computer
- Disable ad tracking for computers running Windows. Instructions for:
On other internet-connected devices
- If you are concerend about privacy, don't use Amazon Echo (speakers) or Ring (home security system). They both have a track record of privacy violations. If you already own them, here are some mitigation measures:
- Consider disabling voice commands on your smart speakers. Voice commands can be a convenience, but the commands only work because audio clips are sent to the device maker's servers to process what you said.
- If voice commands are important to you, here are some ways to have some privacy with them:
Include audio recordings.
- Apple HomePod: on your phone linked to the speaker, go to: Home app → [Homepod icon] → Accessory Settings → Analytics & Improvement and disable all the options.
- Sonos: See Mozilla Foundation's suggestions.
- For smart TVs, make sure to turn off the manufacturer's data tracking functionality, also known as automatic content recognition (ACR).
🕸️ Upgrade the web browser on your phone and computer
- Change your browser if you are using Chrome or Edge, they both have terrible track records when it comes to protecting your privacy.
- Review your web browser's privacy settings
[iOS] Settings → Apps → Safari → Privacy & Security. Make sure Prevent Cross-Site Tracking , Hide IP Address and Fraudulent Website Warning are on.
- Android Firefox: [Firefox] Settings → Privacy and security, turn on HTTPS-Only Mode, Enhanced Tracking Protection
- On your computer:
- macOS Safari: Preferences → Privacy, tick the checkboxes for Website tracking and Hide IP address
- macOS/Windows Firefox: Preferences → Privacy & Security, turn on Enhanced Tracking Protection (any option), Do Not Track and HTTPS-Only Mode (scroll to the bottom)
- Install these web browser extensions/add-ons to block invasive ads and trackers if your if your browser supports them. Make sure they’re on even in private/incognito mode.
- Review your other web browser extensions/add-ons.
[iOS] Settings → Apps → Safari → General: Extensions, then tap on extension to see details.
- Android Firefox: [Firefox] Settings → Advanced: Extensions, then tap on extension, then tap on Permissions.
- macOS Safari: Top menu bar: Safari → Settings... → Extensions
- macOS Firefox: Top menu bar: Tools → Extensions and Themes, then click on each extension to see more, and then click on the Permissions and data tab.
- Windows Firefox: → Extensions and themes, then click on each extension to see more, and then click on the Permissions and data tab.
- The only ones that should be able to read your webpage data are: - Our recommendations above (uBlock Origin/uBlock Origin Lite, Privacy Badger) - Your password manager extension (if you use a password manager on your computer) - Extensions/add-ons made by the same company as the browser (e.g. Firefox's Facebook Container)
- Deactivate or delete any other extensions/add-ons that have read access.
- Instead of opening a
New Private/Incognito Windowin your normal browser, use a separate privacy-enhanced browser when you want minimal tracking. These browsers might not work as well for everyday use, but that's because they have extra protections. Plus, when there are two separate apps, it's less likely you will mix up the private and non-private windows.
📊 Review what data these big tech platforms have on you
Delete out anything you don't need, if there are options to do so:
- Google: My Activity
- Facebook: Your Facebook information
- Amazon: Alexa Privacy Settings
- Microsoft: Account Privacy
💪🏽 Habits & reflexes review (digital privacy edition)
The golden rule
Post less personal information online. This includes information that can be used to identify/track/scam you (addresses, phone numbers, birthday, etc.) as well as photos of your home and neighborhood.
Watch what you say in online groups
Don’t say anything you’d regret on in a “private” group on Slack, Discord, Facebook, WhatsApp group chat, Telegram channel, or any “private” online forum. Here’s why:
- Anyone in the group can leak the data.
- Administrators usually have access to everything within the group, including deleted messages and private direct messages between two people.
- What you say can be traced back to your account's phone number or email. Even if you're not using your real name or photo.
Settings → Privacy and Security → Phone Number, and then set:
- Who can see my phone number to Nobody.
- Who can find me by my number to My Contacts.
Know when your name publicly appears as a supporter or donor
Always check whether your name appears publicly online for subscriptions, crowdfunds, petitions and donations. This is especially relevant if you have a unique name.
Some platforms that facilitate these things often have privacy settings, so it’s best to create an account with them to gain some control over what appears publicly. Some examples of important but often overlooked privacy settings:
- Patreon:
Settings → Accounts → Privacy: Turn off bothFull public profileandCommunity profile. - Indiegogo: In the menu, go to
My Campaigns. If you want to hide a project from your public profile:
Campaigns I've Funded, select Actions: Hide contribution.
- Then the page refreshes, but the project has simply moved down to Campaigns I’m Following. There, select Actions: Unfollow.
- GoFundMe: In the menu, go to
Your impact. Then go to any campaign you’ve supported. There, underYour donations, you can change whether your name appears publicly.
Other recommendations
- Set up a separate account under a pen name to leave local business reviews (on Google Maps, Yelp, etc.) if you write many of them. Otherwise, reviews will be shown under your real name and possibly give away your home location.
- If you have a website domain, make sure WHOIS/domain privacy is turned on. Many domain name registrars and webhosts offer this feature for free and turn it on by default.
👍👍👍 Whew! Give yourself a pat on the back, because navigating all of that was not easy at all. But we hope you're feeling much more in control of what data you're sending out into the world. Our recommendations are by no means exhaustive, but they should provide you with a reasonable level of privacy without having to sacrifice the convenience and joy of technology. Again, we recommend taking a nice long break before moving onto the next section, where we introduce our favorite tips and tools to be more safe and private online.
🤾🏻♀️ Level 4: Tips & tools to do more
🔐 Put an extra lock on sensitive files
- Identify files you don’t want others to access. This may include private photos, passport scans, and financial documents.
- For files on your computer, create an encrypted, password-protected vault for your files:
- For documents on your phone, there are several options:
documents or attachments. 💰
- iOS Files app has a Lock PDF feature for individual files.
- Android Files by Google allows you to create a Safe Folder by following these instructions.
- For photos and videos on your phone, use the features in your default photos apps:
… button on the top right. Tap Hide. This will put the photo in a Hidden folder in the Photos app (under Utilites) that can only be unlocked with FaceID or a passcode.
- Android Google Photos: Follow these instructions and read the section about automatic backups carefully.
- Android Gallery: The basic Gallery app doesn’t support hidden photos, so download an alternative gallery app like Fossify Gallery and turn on password protection for hidden items in the settings.
💰 Upgrade your gear
- Buy a privacy screen for your laptop and phone. These stick-on sheets prevent onlookers from seeing what's on your screen. Examples for:
- Place a sticker (or webcam cover) over your laptop’s front-facing camera.
- Don't use devices your workplace gives you for personal things. Either have separate devices for your work and personal lives, or, if it's too troublesome to have multiple devices, use your personal device for everything. Devices set up by workplaces often have monitoring systems that can be misused during disputes.
- Buy a mobile phone that always gets the latest software updates and, in the case of Android, doesn't install unnecessary apps and system add-ons.
- Use a paid VPN service both when you're on a public network (e.g. café) and when you're at home (to decrease data shared with your internet/phone company).
🔡 Use end-to-end encrypted apps
For secure messaging & calls
- Use apps with open source end-to-end encryption protocols and easy-to-use disappearing message timers.
Settings → Privacy → Disappearing Messages → Default Timer for New Chats.
- Wire: No app-wide setting exists. You have to set it up for each conversation by tapping/clicking the timer icon ⏱.
- These apps also end-to-end encrypt video and voice calls, so continue using them wherever possible.
- End-to-end encryption for video/voice calls with more than 5 people may not be worth it. There are several reasons:
For online file-sharing and backup
- Store and share files on the cloud using end-to-end encryption.
- Backup your files online using an end-to-end encrypted platform.
😷 Further secure your messaging apps
Be aware of what other people can see in a group chat
Messaging apps use either your phone number or a username as the unique identifier (which other people use to add you on the platform). As such, your phone number or username is then visible to anyone you're in a group chat with, along with the name and photo in your profile.
Here's a breakdown of what unique identifiers is visible to others in a group chat on popular messaging apps:
- Signal: phone number by default if you’re the recipient’s address book already, no unique identifier if not (but you can set up a username and stop sharing your phone number altogether)
- Wire: username (no one else can see the email or phone number you used to register your account)
- Telegram: phone number by default (but you can set up a username and stop sharing your phone number)
- WhatsApp: phone number
Masking your identity for online dating, events, or organizing.
Use app-specific safety & privacy features
Signal
- Set up a username so people can find you with it rather than your phone number. To create a username:
Settings → [Tap your profile icon or name] → @ Username
- Hide your phone number.
Settings → Privacy → Phone Number, and set both to Nobody.
- Turn on the extra layer of pin code protection and prevent others from logging in with your phone number.
Settings → Account → Signal PIN
- Settings → Account → Registration Lock: On
- Hide your messages from your phone's app switcher (so your messages aren't accidentally exposed to other apps) by turning on
Screen Security:
Settings → Privacy → Hide Screen in App Switcher
- Hide your messages from Microsoft Windows' Recall feature.
Settings → Privacy → Screen Security.
- Stop messages from showing up in notification boxes.
Settings → Notificataions → Notifications Content: Show → No Name or Content
Telegram
- Turn on two-step verification to prevent someone from moving your account without your permission.
Settings → Privacy and Security → Two-Step Verification
- Hide your phone number:
Settings → Privacy and Security → Phone Number, and then set Who can see my phone number to Nobody.
- Start conversations by using
New Secret Chatso that they are end-to-end encrypted. All other conversations and groups are not. Unfortunately, that this means your messages will not show up in your desktop or web app.
- Turn on security notifications on WhatsApp to get a notification when a person you're talking to switches to a new device.
Settings → Account → Security → Show Security Notifications on This Phone: On
- Turn on two-step verification to prevent someone from moving your account without your permission:
Settings → Account → Two-Step Verification: Enable
- If you backup chats, make sure they are end-to-end encrypted, or turn backup off altogether.
Settings → Chats → Chat Backup → End-to-end Encrypted Backup
- For iOS users who use iCloud Backup (not end-to-end encrypted) to backup their entire phone, make sure WhatsApp is not included as part of the process. This iCloud Backup should not be confused with WhatsApp's interal backup feature that also uses iCloud.
- [iOS] Settings → Your name → iCloud → Manage Storage → Backups → device → WhatsApp: Off
- Stop automatically downloading any and all photos and videos your receive:
Settings → Chats → Save to Camera Roll: Off
🙃 Secure the rest of your accounts
You made unique passwords for important accounts in Level 2, but you should plan out a day to deal with the rest of your online accounts. It's not an urgent task, which is why we've put so far down the list, but it will require quite a bit of time and effort. Feel free to do this now or mark it as a to-do for later.
- Make a list of any active accounts and any accounts with your private information. Don’t worry about finding every last account, you can always deal with them later.
- If you no longer use the account, consider logging in to deactivate/delete it. A few accounts might have sentimental value, but most won’t.
- For the accounts you want to keep, make sure each of them uses a unique, hard-to-guess password. Review our
Level 2recommendations about making good passwords if need be.
Watchtower, and in Bitwarden it’s called Vault Health Report.
👍👍👍👍 Wow, you really did it. You finished all four levels! You locked up all the things (big and small), you drastically increased your digital privacy, and got your hands on some super safe tools and tips. You've done all the things that we think are useful for everyone. Treat yourself to something nice as a reward for sure.
From here on out, we're providing recommendations for special cases (scenarios) followed by a small bonus section for technical people. If none of the scenarios apply to you right now, then you're all set. Just remember, the scenarios will be here if you ever need them!
🤹🏻 Scenarios
👤 Masking your identity for online dating, events, or organizing
Don't use your full name
- Consider using a nickname or only your first name (if your first name is common where you live). This is especially important if your full name is very unique, which makes it very easy to search for online.
- Consider using a persistent pseudonym or collective identity, especially if you’re a public figure. For more information on how and why, see:
Get a secondary phone number
For messaging apps using phone numbers as the primary identifier (e.g. Signal, WhatsApp, Telegram), get a secondary number from:
- Paid online services 💰 (more reliable)
- Free online services 🆓
- Your local phone companies 💰
Note: If you lose/unsubscribe to your secondary phone number, other people can buy it and impersonate you.
Get an email alias
For sites and services that use email as the primary identifier/username, get a new 🆓 email account or an email alias that forwards to your main account from:
- SimpleLogin:: Based in Switzerland (as part of the Proton Mail/VPN group)
- addy.io: Based in the UK and EU
Buy things online anonymously
- Sign up for a privacy-focused virtual credit card 💰 from Privacy (only available in the US). It helps a) mask who you are to the seller, and b) mask what you've bought from the bank.
- Buy a prepaid credit card at a local convenience store. But be careful, these cards don’t always work for online shopping depending on where you are.
- Get a virtual credit card for free trials at Do Not Pay for those cases where you want to sign up for a free service period but not give out your real credit card information.
- Ask to be paid in gift cards, which can be used in stores without tracking.
Create an untraceable online alias
Even with all the third-party services above, courts can still compel companies to hand over information about you. So if you are really in a high-risk situation, you may need to do all of the above and more. For one example of this, see Matt Mitchell's PRIVACY RECIPE: Creating an online persona.
🗃️ Backing up your data
In case your devices get lost or hacked, it's good to have a recent backup copy of the data on them.
Backing up your phone/tablet
iOS devices
Our recommendations for backing up remotely and locally:
- Back up to iCloud: An automated process that only works if you have/subscribe to iCloud+ 💰 .
- Back up to your computer: A manual process (you connect your device to your computer with a cable) that's free as long as you have hard drive space.
- If you use iCloud, turn on Advanced Data Protection (which includes end-to-end encryption) afterwards by following these instructions.
- If you're backing up to computer, remember to check
Encrypt local backupto set a password in the process.
Android devices
Android phones can only be backed up on the cloud:
- Back up to Google One: An automated process that only works if have/subscribe to Google One 💰. Unlike Apple's iCloud however, there is no support for end-to-end encryption. See Google's instructions.
Backing up your computer to an external hard drive
macOS
Apple's default recommendation is to use their Time Machine app, which will automatically backup the full contents of your computer to an external hard drive. Follow their instructions and remember to turn on Encrypt Backups.
Wi
README truncated. View on GitHub