narwhalacademy
zebra-crossing

Zebra Crossing: an easy-to-use digital safety checklist

Last updated Jul 2, 2026
473
Stars
36
Forks
1
Issues
0
Stars/day
Attention Score
87
Language breakdown
No language data available.
Files click to expand
README

🦓 Zebra Crossing: an easy-to-use digital safety checklist

🎯 Start here!

🤔 Read this guide if you

  • Use the internet daily — for work, social media, and financial transactions.
  • Want to secure your digital safety and privacy proactively but aren’t in immediate danger. (If you are, reach out to someone in your community for a one-on-one consultation.)
  • Feel comfortable with technology — you feel confident about changing the settings on your computer or smartphone.

🗺 Where this guide is from

  • This guide draws from our work helping individuals and groups upgrade their digital safety practices, and from our experiences living and working in Canada, the US, Germany and Hong Kong.
  • Wherever possible, we chose apps and tools that are accessible and easy to use over ones that are technically sophisticated but difficult to use. Our decision is based on our observation that people become clumsier in stressful situations, so it is important to keep procedures as simple as possible.

🌱 How to use this guide

  • Start from Level 1 and work your way up! Recommendations are sorted by increasing levels of difficulty.
  • Level 1 is the quick essentials section. You should be able to work through it within half an hour, and chances are, you're already familiar with many of the recommendations in there — but it never hurts to double check.
  • Level 2 digs deeper into your device/app settings. This section will take 1-2 hours, depending on how many accounts and devices you frequently use.
  • At a minimum, do everything in Levels 1 and 2. It'll protect you from the most widely-used attacks.
  • Between level 2 and 3 is a reading break intermission about developing better digital safety habits and reflexes.
  • Level 3 will help you fine tune your privacy online and drastically decrease the amount of personal information you're giving out for free. This section will also take 1-2 hours.
  • Level 4 powers up your digital safety practice with the latest tools and tips. Some parts of it might require you to step outside your comfort zone, some parts require you to spend money on things. Most of it should only take half an hour to complete.
  • The scenarios shared after Level 4 are for higher-stakes situations. Scan them to see if any of them apply to you. (Because the stakes are higher, they assume you’ve done everything in Levels 1–4.)
  • This guide is a living document. Please feel free to submit a pull request or fork your version of this guide on GitHub.

🗣 Read this guide in other languages

☕️ Support this guide

🕒 Last updated

  • 27 January 2026

🧐 Useful terms to learn

🎯 Threat modeling

Threat modeling is a process that allows us to identify potential threats to safeguard against them. To build your threat model, ask yourself the following:

  • “What kind of danger am I in?” E.g. credit card hacks, corporate espionage, or online harassment/doxxing.
  • “What kind of assets am I protecting?” E.g. confidential documents, private photos, or personal messages.
Remember though, your threat model can change — either gradually over time or abruptly, say, when a new law is suddenly passed.

🔗 Weakest link

The weakest link is where your digital safety is most vulnerable. For example, if an account’s forgot password function sends a link to your email, attackers only need to access your email to gain access to the account.

🔡 Encryption levels

Encryption is the process of scrambling or encoding information to make it unreadable to passers-by and prevent unauthorized access. People often categorize encryption into these three types:

  • No encryption: Any third party can intercept the data and read it as-is. Often called "plaintext."
  • Standard encryption: Data is encrypted so that intercepting third parties cannot read it, but the platform being used to send the data (e.g. Facebook Messenger) can unscramble and read it. The platform may hand the unscrambled data to courts if ordered to do so.
  • End-to-end encryption: Only the original sender and receiver can read the data. The platform being used to send the data only has the scrambled, unreadable version. So if courts order the platform to hand over the data, there's nothing useful to hand over.

🧩 Metadata

Metadata is the contextual information surrounding your data. For example, the metadata for a phone call includes the number you called and the length of your call (but not the call’s contents). With enough metadata, attackers can piece together a relatively reliable picture of who you are, who you know, and where you’re going.

Unfortunately, legal protections around metadata tend to be weak or nonexistent.


🚶🏽‍♀️ Level 1: Essential safety in ten minutes

🔍 Identify important accounts

  • Imagine that an attacker gains access to all of your online accounts. Which of these accounts would be really painful to lose? List them out and write them down.
  • Typically this list includes accounts used for email, online banking, social media, and maybe one or two related to work.
  • The list should be short, and have less than 10 items.

🔒 Double-lock important accounts

The first lock is usually your account password. The second lock takes on a different form and/or comes via a different channel — most often as a code sent to your phone via an app or text message (SMS). This additional lock is usually called two-factor authentication (abbreviated as 2FA) or two-step verification.

  • Turn on two-factor authentication for the important accounts you just identified. To find instructions on how to do so:
- Run an internet search for two-factor authentication and the account name - Look up the account provider on 2fa.directory
  • Use an authenticator app if one is available. They're more secure than using SMS to receive your 2FA code.
- Recommended apps: - 2FAS (if you only use one device to get authentication codes) - Ente Auth (if you want the codes to sync across multiple devices) - Most banking accounts will force you to use their own app, so don't worry if you can't use one of the above apps for that.
  • Turn on cloud-backup for your authenticator app in case you ever lose your phone.
- Instructions for: - 2FAS: Go to Settings → 2FAS Backup - Ente Auth: Create an account in the app

🔁 Turn on automatic software updates

Most new devices these days have automatic updates turned on by default, but it’s worth double checking:

  • Check the update settings on your device operating system:
- On phones and tablets: - iOS: Settings → General → Software Update → Automatic Updates - Android: Settings → System → System update - On computers: - macOS: System Settings… → General → Software Update → Automatic Updates - Windows 11: Start → Settings → Windows Update → Advanced options - Windows 10: Settings → Update & Security → Windows Update → Advanced options
  • Check the update settings on your device’s main app store:
- iOS: Settings → App Store → Automatic Downloads: App Updates - Android: Open Play Store, then go to Settings → Auto-update apps - macOS: Open App Store, then go to Settings → Automatic Updates - Windows 10/11: Open the Microsoft Store, then go to Profile → Settings → App updates.
  • Make sure your device's operating system can still receive updates:
- If it's been more than three years since you bought your phone or computer, it's worth double checking that you are still getting updates. - For phones: Look up your device on endoflife.date, and make sure it's still listed as "supported." - For macOS: Find out what operating system you are running. Click the Apple logo on the top left corner, then About This Mac. Then make sure it's still "Service Status: Yes" on this endoflife.date page. - For Windows: Find out what operating system you are running. Start → Settings → System → About Then make sure that it's still receiving security support on this endoflife.date page. - If it's no longer getting updates: - Make sure you have updated to the latest operating system that works on your device. Sometimes an update stalls because of a lack of disk space. (You will have gotten notices about this if you followed the steps above.) Or in the case of Windows, you may need to buy the new edition. - Start looking into what device you want to get. For now though, work through the rest of this checklist to patch everything else up.

👍 Excellent! These simple steps will actually keep you safe "most" of the time. Think of it as having a good, solid lock on your front door. It's not foolproof, but it will keep your home safe most of the time. Continue on to secure the little things that may become vulnerabilities down the line.


🏃🏻‍♂️ Level 2: Secure all the little things

🧠 Use hard-to-guess passwords for important accounts

Attackers commonly gain access to your account is if your password is:

  • Too short.
  • Too easy to guess.
  • It’s already been leaked as a part of a data breach/hacking incident and you’re use the same password in different places.
So it is crucial to use a different password for every account, and make sure that those passwords are very long and very hard to guess. To help come up with and store these long passwords, you can:
  • Use password managers apps.
  • Invent your own formula that’s a wordplay on the service you’re logging into.
  • Write them down with pen and paper.
What works best is different for everyone, and you don’t have to stick to just one option — feel free to mix and match. For a longer walkthrough and explainer on the three options, see Michael Horowitz’s The world's BEST password advice article.

For now, focus on making sure the important accounts you identified in Level 1 have long, unique, hard-to-guess passwords . Here is a walkthrough of the three options:

Option 1: Install a password manager (recommended)

This is a popular option for people who are comfortable navigating extra settings and dialog boxes. A password manager app helps generate long passwords, stores them, and fills them in almost automatically when you log into a website.

  • Recommended password managers:
- 1Password 💰 - Bitwarden
  • We do not recommend password managers that come with your operating system or web browser because they do not work outside of their ecosystem (e.g. Apple Passwords won’t work on an Android phone).
  • Install the password manager app on both your phone and computer.
  • Install the password manager browser extension on your desktop web browser.
  • Only create passwords with more than 12 characters. We recommend using the option in the password manager that strings together random, unrelated words (e.g. plant-truck-nose-frame-lace) so that it's easy to type in those rare instances when the autofill isn't working.
  • Next time you have to type in your password for another account, create an entry for it. This way, you will gradually add any frequently used accounts into the password manager. If you do this on the computer, the password manager's browser extension/add-on will capture the details automatically after you type them in.
  • Notice that the app ties the login information to the URL. So if you're on a website and the password manager has no entry for it, be extra careful it's not a phishing website.
  • Transfer all of your accounts later. Entering all of your accounts into the password manager will take a while, and is a task best saved for another day. (We've placed this time-consuming task in our Level 3.)
  • Don't use your password manager as a two-factor authentication app. It's better to not put all your eggs in one basket.
Option 2: Use a formula

This option is commonly used by people who have strong memorization skills and people who prefer having less apps to manage and dialog boxes to tap on their devices.

Here’s an example of a simple formula from A Defensive Computing Checklist:

…a baseball fan might start every password with "BaseballRules!" Then, if "jungle" was their password for Amazon.com, the actual password is "BaseballRules!jungle" And, all you would have to remember would be that your Amazon password is "jungle". Pretty easy. Amazon. Jungle. And, the miserable password "book" for Barnes and Noble, becomes a good password ("BaseballRules!book") when run through the formula.

Add some extra punctuation marks, dashes and numbers to make the password a little longer and more irregular, and you have a pretty solid password formula.

Option 3: Use pen and paper

This option usually supplements the other two options, and is useful for people who rarely ever lose (physical) things. Writing on paper is especially useful if you use a formula and want to note down some hints about the formulas you’ve used.

In fact, password manager apps encourage people to print a sheet of paper with an account recovery code, and then write their master password on it. Here are the instructions for:

Try to have a backup copy of these papers in a second location.

🧑‍🔬 Set up backup codes for your important accounts

These codes are single-use, super long passwords that let you login to your account if you lose your devices. You might have been prompted to create a backup code when you set up two-factor authentication. They are useful to have in case of emergencies. Safe ways to store them include:

  • Printing a paper copy and storing it in a private location
  • Copying and pasting into a file that is then password locked folder on your computer (if you don't know how to do this, we will teach you our favorite method in Level 4)
  • If you use a password manager, you can store it there as a note
Find out if your account supports backup codes by running an internet search for "backup codes" along with your account name. Instructions for:

📱 Secure your devices

Secure your phone

  • Use a non-common/obvious unlock code for your phone with at least 10 digits. We recommend using a long string of numbers as it's easier to tap, but using both letters and numbers works too. Swipe patterns are not recommended, however, as they are too easy replicated by onlookers.
- To change it: - iOS: Settings → Face ID & Passcode → Change Passcode - Android: Settings → Security → Screen lock
  • Set up a pin code for your mobile phone SIM card:
- Instructions for: - iPhone - Android. - If it asks you for a SIM pin code and you don't remember setting one, then the phone company might have set one by default. Go to your phone provider’s website to find out what it is.
  • Don’t allow USB accessories to control a locked device:
- iOS: Turn off Settings → Face ID & Passcode → Allow Access When Locked: USB Accessories. - Android: Setting is off by default and is only available if Developer Options are turned on.
  • Turn on your phone's anti-theft features:
- iOS: Settings Face ID & Passcode → Stolen Device Protection - Android: Settings → Security & Privacy → Other settings: More security and privacy → Security: Theft protection
  • Turn on tracking for your devices in case you lose them, which allows you to remotely find and wipe your devices by logging into a website if you ever lose them.
- Instructions for: - iOS & macOS (Find My) - Android (Find Hub) - Windows (Find My Device)
  • Disable 2G connectivity on your phone (Android only). 2G cellular network technology is outdated and has security vulunerabilities that allow fraudsters to send fake text messages. To disable it on Android:
- Settings → Network and Internet → SIMs → [Your carrier name] → Allow 2G: Off - If that option doesn’t appear, open the Phone app and enter ##4636##. A Testing screen will pop up. Select Phone information and then change the Set Preferred Network Type to the same as the current selection minus GSM. To see what each acronymn stands for, see Wikipedia’s Comparison of wireless standards page.
  • For Android devices, make sure Google Play Protect is turned on if you use the Google Play Store:
- In the Google Play app: Profile icon → Play Protect → Settings → Scan apps with Play Protect

Secure your computer

  • Turn on your computer’s firewall:
- macOS: System Preferences → Security & Privacy → Firewall. - Windows 10/11: Start → Settings → Update & Security → Windows Security → Firewall & network protection → Microsoft Defender Firewall: On
  • Turn off your computer’s remote access:
- macOS: System Preferences → Sharing → Remote Login, Remote Management. - Windows 10/11: Settings → System → Remote Desktop → Remote desktop: Off.
  • Set up basic anti-virus software on your computer:
- macOS: None required. - Windows 10/11: Start → Settings → Update & Security → Windows Security → Virus & threat protection
  • If you use Microsoft Office: disable macros. Macros are small bits of code that automate actions which can be exploited by attackers. They can still be useful sometimes, which is why we recommend the Disable all macros with notification, which allows you to manually allow macros from trusted sources to run.
- Instructions for: - macOS - Windows, which may require special settings for Excel

Secure your home wifi router

  • Log into the administration and settings dashboard. It’s usually accessible by going to http://192.168.0.1 in your web browser. Otherwise, check your instructions that came with your router.
  • Update the dashboard login if the password is simple.
  • Review the devices currently connect to your network. You may have to explore until you find the access control. Make sure you know what every device on the list is.
  • Turn off the following options if you see them. (Look for them under advanced settings or gateway functions):
- UPnP (Universal Plug and Play) - WPS (Wi-Fi Protected Setup) - Remote Management
  • Check for any software updates. Look for sections labeled maintenance, firmware or system update. Don’t worry if you don’t see it — that means it’s either up to date or automatic updates are hard set to on.

🔑 Encrypt the data on your devices

Remember, encryption is only fully effective when the device is off!

  • Encrypt your computer hard drive.
- Instructions for: - macOS. - Microsoft Windows (use BitLocker if it’s available).
  • Encrypt your phone storage.
- iOS: Automatically encrypts. - Android: Almost always automatically encrypts. Double-check by going to Settings → Security → Encryption.
  • Encrypt your backup hard drives.
- Instructions for: - macOS (if you use Time Machine) - Microsoft Windows

🗓️ Stop malicious calendar invitations

Prevent calendar invitations from people you don't know from showing up automatically in your calendar; these invitations can be used to send malicious links.

  • Google Calendar Settings → Event Settings → Add invitations to my calendar: When I respond to the invitation in email
  • Outlook: File → Options → Calendar → Automatic accept or decline → Auto Accept/Decline: Automatically Accept Meeting Requests and Remove Canceled Meetings
  • iCloud: On iOS: Go to Settings → [Your name] → iCloud → Saved to iCloud: See All → iCloud Calendar → Send & Receive → Receiving and select Email for each account.

👍👍 Congratulations! You dove fearlessly into your settings — clicking, tapping, and swiping your way through — to close up the safety loopholes on your accounts and devices. Now the next section is all about learning and reviewing your habits and reflexes when it comes to digital safety, so it'll be mostly reading and reflecting (rather than tapping/clicking on your devices). Nevertheless, we still recommend taking a break for now because you definitely deserve the rest of the day off.


💪🏽 Intermission: Habits & reflexes review

🎣 Watch out for phishing scams

A phishing scam is an email or text message where an attacker is trying to trick you into giving your password or other login details. To defend yourself:

  • Trust your instincts. If you feel like something is off — whether it's the way the text is written, the way the graphics look, or an unusual, first-time request from a service provider — it probably is.
  • Check who it's from. Look over the sender's name and phone number or email address. If it's an email, be sure to closely read the bit after the @ symbol.
  • But remember sender details can be faked. It happens rarely, but it is technically possible to put on a fake sender name, email or phone number. So checking the sender details is a not 100% foolproof process.
  • Think twice before clicking a link. When in doubt, carefully examine the domain in the link. To look at it without opening the link:
- On mobile: - iOS: Tap and hold on a link. A mini preview of the destination will appear. On the top right of this mini-window, tap Hide preview. From then on, iOS will show the full URL whenever you tap and hold on a link. - Android: Tap and hold on a link. - On desktop: - Firefox, Chrome, Edge: When your mouse cursor hovers over a link or button, the full URL will show up on the bottom left. - macOS Safari: To turn on the above feature, go to View → Show Status Bar - macOS Mail: Hover your mouse cursor over a link and wait for a few seconds for a pop-up to appear.
  • After clicking links, scan the URL address bar in your web browser.
- Is there a red warning icon or 'Not Secure' label? This means the website is running unencrypted on http (rather than https). - Is the domain spelled incorrectly?
  • So if there’s any lingering doubt, don’t click the link. In almost all cases, you don’t actually need to click the link. If the message is linked to a transaction or account, you can always go to the original website to look up the details.

🗄️ Beware of file attachments

  • Don’t download/open unnecessary attachments.
- When in doubt, reply to the original sender to ask what it is. - On email, preview attachments within the app or website. On Gmail and Proton Mail, simply clicking the attachment brings up its preview, which runs in a safe environment inside the mail program. - Ask the sender to use a file sharing service (Dropbox, Google Drive, Tresorit), which also have their own online preview system.
  • Upload suspicious attachments to VirusTotal to have them analyze it. Keep in mind files submitted to VirusTotal may be shared with multiple security researchers, so don’t submit sensitive information.

🫡 Say yes to updates

  • Device operating systems: If you get a notification on your devices to update the operating system, do it as soon as possible.
  • Apps: If you see notifications about available updates, follow through and update the app.
  • Firmware updates: Check occasionally for firmware updates for your router and other internet-connected devices.

🙅🏾 Don't do this at home (or anywhere)

  • Don’t charge your phone at public charging stations/ports. They present a risk because attackers might steal your data. Instead, use a portable battery or bring our own adapter to plug directly into the power outlet.
  • Don’t plug in USB sticks/drives that you don’t know into your computer. It might have malicious software on it.
  • Don’t enter passwords into in-app browsers. When a mobile app lets you browse a webpage without opening your web browser (i.e. an in-app browser), the app can record what websites you visit and what you type in them. So don’t type anything sensitive in there.
  • Don’t use Google/X/Twitter/Facebook to sign up or log into other services, which gives these platforms unnecessary data about you. Each service should have its account.

🏊🏼‍♀️ Other healthy habits

  • Restart your phone and computer once a week by turning it off and then back on to clean up its temporary memory (RAM) and so it runs smoother.
  • When downloading a new mobile app, double-check to confirm it’s the right one. Many fake apps trick people by using a slightly modified name or icon of an existing, popular app.
  • Regularly check the installed apps on your phone. Delete the ones you’re no longer using.
  • Wipe your devices properly before donating or giving them away. If you’ve encrypted your phones and computers (as suggested earlier), a standard factory reset will work for most use cases.
- If you want an extra layer of security for your computer hard drives, see Wired’s guide on this topic.
  • Need to send someone a password? Split it in half and send it via two different channels. For example, send half of the password through email and the other half via a voice call.

🆘 Learn about your phone’s Emergency SOS feature

  • iOS: Settings → Emergency SOS
  • Android: Settings → Safety & emergency → Emergency SOS

🥳 Digital safety is as much about things you do on a daily basis as it is about how you set up your devices and apps. Feel free to come back and review these habits and reflexes later; we don't expect anyone to memorize them on their first read. Now, our next section is about how to upgrade your digital privacy, and it's a dense topic because everywhere we turn, some company is trying to harvest and sell our data to the highest bidder. Hope you're ready to take back (some) control of your data!


🧗🏿‍♀️ Level 3: Upgrade your digital privacy

⚙️ Fine tune your privacy settings

On social media & messaging apps

  • Review the privacy settings on social media platforms and messaging apps you frequently use. Check who can see your content, what information about you is being made public, and what you are sharing with third-party apps/advertisers.
  • Wherever possible, turn off read receipts for messaging apps. It may seem inconvenient at first, but in the long run you will have more privacy and freedom when people don't know if you've read their messages or not.
  • Here are links to and instructions for the most commonly-used platforms/apps:
- Platforms/apps with privacy settings available through a desktop browser: - Facebook: Privacy checkup - Google: Privacy checkup - Youtube: Account privacy - X/Twitter: Privacy and safety - Reddit: Safety & privacy - Platforms/apps with privacy settings only fully available through their mobile app: - Instagram: Settings → Privacy - WhatsApp: Settings → Account → Privacy - Snapchat: Settings → Privacy controls - TikTok: Profile → Settings and privacy → Privacy - Telegram: Settings → Privacy and Security

On email & social media accounts

  • Review Third-Party Apps or Connected Apps linked to major social media/email platforms. These third-party/connected apps have access to your data, and they might be selling it. Instructions for:
- Google - Facebook - Instagram - X/Twitter

On email accounts

  • Stop images from automatically loading in your emails, because companies use them as a way of tracking you.
- Gmail: On your computer, click the settings ⚙️ → All settings → General: Images: Ask before displaying external images. For email senders you trust, you can always click Always display images from on an email from them. To reverse this decision, you have to click the tiny downwards-pointing triangle next to to me at the top of your email. - Proton Mail: Not necessary, as they have a feature that loads images on their own servers before sending it to you. More information here. - Tuta Mail: Image loading is off by default, but you can turn on auto loading one sender at a time. In the automatic image loading disclaimer message that appears below the sender information, click Always trust sender (on mobile first click More). To reverse this decision, click/tap the three dots on the upper right corner and then click/tap Block external content.

On your phone

  • Review which apps on your smartphone have access to your location data. Turn off access for the apps that don’t need it, and minimize the number of apps tracking your location.
- iOS: Settings → Privacy & Security → Location Services - Android: Settings → Location → App location permissions
  • Turn off your unique advertising ID number so that advertisers can't pinpoint you as easily:
- iOS: Settings → Privacy & Security → Tracking → Allow Apps to Request to Track: Off - iOS: Settings → Privacy & Security → Apple Advertising → Personalized Ads: Off - Android: Settings → Security & Privacy → Privacy → Ads → Delete advertising ID
  • On iOS, turn off the setting that allows apps to track your activity across other apps and websites:
- Settings → Privacy & Security → Tracking → Allow Apps to Request to Track: Off
  • On Android, turn off passive Wi-Fi and Bluetooth scanning.
- Settings → Location → Location services → Wi-Fi scanning - Settings → Location → Location services → Bluetooth scanning
  • Delete any apps that you don’t recognize or haven’t used in a long time. You can always re-download any of them if need be, though there will be a few apps that come with the operating system that cannot be deleted.
- Make sure to look for hidden apps as well. Instructions for: - iOS: On the home screen, keep swiping left until you get to the App Library screen. Scroll to the bottom to the Hidden group. Tap to open and unlock using Face ID or passcode. - Android: See all apps including hidden ones in Settings → Apps → See all apps
  • Delete third-party keyboards on your phone. They often share what you type with the software maker.
- These keyboards are installed as apps on iOS and Android, so take the time to scan through all of your installed apps to find and delete them. - If you need to use a third-party keyboard, make sure it’s an open-source project that others have verified and does not share your data with third parties.

On your computer

  • Disable ad tracking for computers running Windows. Instructions for:
- Windows 10 - Windows 11

On other internet-connected devices

  • If you are concerend about privacy, don't use Amazon Echo (speakers) or Ring (home security system). They both have a track record of privacy violations. If you already own them, here are some mitigation measures:
- Amazon Echo: Turn off voice commands by pressing the physical button that looks like a circle with a line through it. Otherwise, anything you say will be uploaded to their cloud systems for analysis. - Amazon Echo and Ring: Turn off the "Amazon Sidewalk" feature that shares your internet with strangers by following these instructions.
  • Consider disabling voice commands on your smart speakers. Voice commands can be a convenience, but the commands only work because audio clips are sent to the device maker's servers to process what you said.
  • If voice commands are important to you, here are some ways to have some privacy with them:
- Google Nest: go to Google Home's Activity Controls and uncheck Include audio recordings. - Apple HomePod: on your phone linked to the speaker, go to: Home app → [Homepod icon] → Accessory Settings → Analytics & Improvement and disable all the options. - Sonos: See Mozilla Foundation's suggestions.
  • For smart TVs, make sure to turn off the manufacturer's data tracking functionality, also known as automatic content recognition (ACR).
- Instructions from: Consumer Reports

🕸️ Upgrade the web browser on your phone and computer

  • Change your browser if you are using Chrome or Edge, they both have terrible track records when it comes to protecting your privacy.
- For iOS: Use Safari. - For macOS: install Firefox or use Safari. - For Android/Windows: install Firefox.
  • Review your web browser's privacy settings
- On your mobile: - iOS Safari: [iOS] Settings → Apps → Safari → Privacy & Security. Make sure Prevent Cross-Site Tracking , Hide IP Address and Fraudulent Website Warning are on. - Android Firefox: [Firefox] Settings → Privacy and security, turn on HTTPS-Only Mode, Enhanced Tracking Protection - On your computer: - macOS Safari: Preferences → Privacy, tick the checkboxes for Website tracking and Hide IP address - macOS/Windows Firefox: Preferences → Privacy & Security, turn on Enhanced Tracking Protection (any option), Do Not Track and HTTPS-Only Mode (scroll to the bottom)
  • Install these web browser extensions/add-ons to block invasive ads and trackers if your if your browser supports them. Make sure they’re on even in private/incognito mode.
- uBlock Origin - uBlock Origin Lite (if your browser doesn't support uBlock Origin) - Privacy Badger
  • Review your other web browser extensions/add-ons.
- Check what permissions/access each of them have: - iOS Safari: [iOS] Settings → Apps → Safari → General: Extensions, then tap on extension to see details. - Android Firefox: [Firefox] Settings → Advanced: Extensions, then tap on extension, then tap on Permissions. - macOS Safari: Top menu bar: Safari → Settings... → Extensions - macOS Firefox: Top menu bar: Tools → Extensions and Themes, then click on each extension to see more, and then click on the Permissions and data tab. - Windows Firefox: → Extensions and themes, then click on each extension to see more, and then click on the Permissions and data tab.

- The only ones that should be able to read your webpage data are: - Our recommendations above (uBlock Origin/uBlock Origin Lite, Privacy Badger) - Your password manager extension (if you use a password manager on your computer) - Extensions/add-ons made by the same company as the browser (e.g. Firefox's Facebook Container)

- Deactivate or delete any other extensions/add-ons that have read access.

  • Instead of opening a New Private/Incognito Window in your normal browser, use a separate privacy-enhanced browser when you want minimal tracking. These browsers might not work as well for everyday use, but that's because they have extra protections. Plus, when there are two separate apps, it's less likely you will mix up the private and non-private windows.
- For macOS/Windows: Mullvad Browser - For iOS/Android: Firefox Focus

📊 Review what data these big tech platforms have on you

Delete out anything you don't need, if there are options to do so:

💪🏽 Habits & reflexes review (digital privacy edition)

The golden rule

Post less personal information online. This includes information that can be used to identify/track/scam you (addresses, phone numbers, birthday, etc.) as well as photos of your home and neighborhood.

Watch what you say in online groups

Don’t say anything you’d regret on in a “private” group on Slack, Discord, Facebook, WhatsApp group chat, Telegram channel, or any “private” online forum. Here’s why:

  • Anyone in the group can leak the data.
  • Administrators usually have access to everything within the group, including deleted messages and private direct messages between two people.
  • What you say can be traced back to your account's phone number or email. Even if you're not using your real name or photo.
- To prevent this in Telegram, go into Settings → Privacy and Security → Phone Number, and then set: - Who can see my phone number to Nobody. - Who can find me by my number to My Contacts.

Know when your name publicly appears as a supporter or donor

Always check whether your name appears publicly online for subscriptions, crowdfunds, petitions and donations. This is especially relevant if you have a unique name.

Some platforms that facilitate these things often have privacy settings, so it’s best to create an account with them to gain some control over what appears publicly. Some examples of important but often overlooked privacy settings:

  • Patreon: Settings → Accounts → Privacy: Turn off both Full public profile and Community profile.
  • Indiegogo: In the menu, go to My Campaigns. If you want to hide a project from your public profile:
- Under Campaigns I've Funded, select Actions: Hide contribution. - Then the page refreshes, but the project has simply moved down to Campaigns I’m Following. There, select Actions: Unfollow.
  • GoFundMe: In the menu, go to Your impact. Then go to any campaign you’ve supported. There, under Your donations, you can change whether your name appears publicly.

Other recommendations

  • Set up a separate account under a pen name to leave local business reviews (on Google Maps, Yelp, etc.) if you write many of them. Otherwise, reviews will be shown under your real name and possibly give away your home location.
  • If you have a website domain, make sure WHOIS/domain privacy is turned on. Many domain name registrars and webhosts offer this feature for free and turn it on by default.

👍👍👍 Whew! Give yourself a pat on the back, because navigating all of that was not easy at all. But we hope you're feeling much more in control of what data you're sending out into the world. Our recommendations are by no means exhaustive, but they should provide you with a reasonable level of privacy without having to sacrifice the convenience and joy of technology. Again, we recommend taking a nice long break before moving onto the next section, where we introduce our favorite tips and tools to be more safe and private online.


🤾🏻‍♀️ Level 4: Tips & tools to do more

🔐 Put an extra lock on sensitive files

  • Identify files you don’t want others to access. This may include private photos, passport scans, and financial documents.
  • For files on your computer, create an encrypted, password-protected vault for your files:
- Recommended tool: Cryptomator. - Storing your vault on the cloud or on your computer are both fine. Decide based on how you’d like to backup the vault. - Move your files into this secure vault. Make sure to delete the original copies after they’ve been moved into the vault.
  • For documents on your phone, there are several options:
- Create a similar vault using an app like Cryptomator(💰 for mobile). - If you’re on a paid plan for a password manager, the apps also let you store files in a section called documents or attachments. 💰 - iOS Files app has a Lock PDF feature for individual files. - Android Files by Google allows you to create a Safe Folder by following these instructions.
  • For photos and videos on your phone, use the features in your default photos apps:
- iOS Photos: Open the photo and tap the button on the top right. Tap Hide. This will put the photo in a Hidden folder in the Photos app (under Utilites) that can only be unlocked with FaceID or a passcode. - Android Google Photos: Follow these instructions and read the section about automatic backups carefully. - Android Gallery: The basic Gallery app doesn’t support hidden photos, so download an alternative gallery app like Fossify Gallery and turn on password protection for hidden items in the settings.

💰 Upgrade your gear

  • Buy a privacy screen for your laptop and phone. These stick-on sheets prevent onlookers from seeing what's on your screen. Examples for:
- Laptops: 3M Privacy Filters - iPhone: Spigen EZ FIT GLAS.tR Privacy
  • Place a sticker (or webcam cover) over your laptop’s front-facing camera.
- If you buy a webcam cover for a laptop, make sure it is less than 0.1mm thick so that it doesn't affect how the laptop closes.
  • Don't use devices your workplace gives you for personal things. Either have separate devices for your work and personal lives, or, if it's too troublesome to have multiple devices, use your personal device for everything. Devices set up by workplaces often have monitoring systems that can be misused during disputes.
  • Buy a mobile phone that always gets the latest software updates and, in the case of Android, doesn't install unnecessary apps and system add-ons.
- First choice: Apple iPhone. Apple has a track record of supporting devices for a long time. - Second choice: Google Pixel. Pixel phones get Android updates direct from Google and ships with a more-or-less "vanilla" installation of Android. - For other Android phones: - Research to find a phone that a) doesn't add too much bloat to their installation of Android, b) quickly applies security patches that are released from Google's Android project, and c) will guarantee software updates for their hardware for a long time. - Avoid cheaper Android phones from big companies like Samsung, Xiaomi or OPPO: They have a track record of adding unnecessary and intrusive apps. E.g. Samsung's app platform that installs apps without permission and collects data about you without consent.
  • Use a paid VPN service both when you're on a public network (e.g. café) and when you're at home (to decrease data shared with your internet/phone company).
- Avoid free VPN services because free services often make their money back by selling your data. - Recommended VPNs: Mullvad, IVPN💰 - Note that though the iCloud Private Relay is similar to a VPN, it only applies to traffic through the Safari web browser.

🔡 Use end-to-end encrypted apps

For secure messaging & calls

  • Use apps with open source end-to-end encryption protocols and easy-to-use disappearing message timers.
- Recommended apps: - Signal: Sign up with a phone number. - Wire: Sign up with an email address. - Set messages to disappear. Pick an interval that’s comfortable for you. - Signal: Go to Settings → Privacy → Disappearing Messages → Default Timer for New Chats. - Wire: No app-wide setting exists. You have to set it up for each conversation by tapping/clicking the timer icon ⏱. - These apps also end-to-end encrypt video and voice calls, so continue using them wherever possible.
  • End-to-end encryption for video/voice calls with more than 5 people may not be worth it. There are several reasons:
- Privacy is hard to maintain in large group calls as they often become quasi-public events due to the large number of participants. - Support for end-to-end encrypted video/voice calls for larger groups is limited, and most platforms still collect the metadata around your call even when end-to-end encryption is switched on.

For online file-sharing and backup

  • Store and share files on the cloud using end-to-end encryption.
- Recommended apps: Tresorit, Proton Drive 💰 - For iCloud: Turn on Advanced Data Protection. See Apple’s instructions. - Remember: files stored on Dropbox and Google Drive are not end-to-end encrypted.
  • Backup your files online using an end-to-end encrypted platform.
- Recommended app: Arq 💰

😷 Further secure your messaging apps

Be aware of what other people can see in a group chat

Messaging apps use either your phone number or a username as the unique identifier (which other people use to add you on the platform). As such, your phone number or username is then visible to anyone you're in a group chat with, along with the name and photo in your profile.

Here's a breakdown of what unique identifiers is visible to others in a group chat on popular messaging apps:

  • Signal: phone number by default if you’re the recipient’s address book already, no unique identifier if not (but you can set up a username and stop sharing your phone number altogether)
  • Wire: username (no one else can see the email or phone number you used to register your account)
  • Telegram: phone number by default (but you can set up a username and stop sharing your phone number)
  • WhatsApp: phone number
If you don't want to give out your personal phone number, consider getting a virtual phone number from one of the providers listed in our scenario for Masking your identity for online dating, events, or organizing.

Use app-specific safety & privacy features

Signal
  • Set up a username so people can find you with it rather than your phone number. To create a username:
- Settings → [Tap your profile icon or name] → @ Username
  • Hide your phone number.
- Go to Settings → Privacy → Phone Number, and set both to Nobody.
  • Turn on the extra layer of pin code protection and prevent others from logging in with your phone number.
- Settings → Account → Signal PIN - Settings → Account → Registration Lock: On
  • Hide your messages from your phone's app switcher (so your messages aren't accidentally exposed to other apps) by turning on Screen Security:
- Settings → Privacy → Hide Screen in App Switcher
  • Hide your messages from Microsoft Windows' Recall feature.
- The Signal desktop app hides them by default, but double check by going to Settings → Privacy → Screen Security.
  • Stop messages from showing up in notification boxes.
- Settings → Notificataions → Notifications Content: Show → No Name or Content
Telegram
  • Turn on two-step verification to prevent someone from moving your account without your permission.
- Settings → Privacy and Security → Two-Step Verification
  • Hide your phone number:
- Settings → Privacy and Security → Phone Number, and then set Who can see my phone number to Nobody.
  • Start conversations by using New Secret Chat so that they are end-to-end encrypted. All other conversations and groups are not. Unfortunately, that this means your messages will not show up in your desktop or web app.
WhatsApp
  • Turn on security notifications on WhatsApp to get a notification when a person you're talking to switches to a new device.
- Settings → Account → Security → Show Security Notifications on This Phone: On
  • Turn on two-step verification to prevent someone from moving your account without your permission:
- Settings → Account → Two-Step Verification: Enable
  • If you backup chats, make sure they are end-to-end encrypted, or turn backup off altogether.
- Settings → Chats → Chat Backup → End-to-end Encrypted Backup - For iOS users who use iCloud Backup (not end-to-end encrypted) to backup their entire phone, make sure WhatsApp is not included as part of the process. This iCloud Backup should not be confused with WhatsApp's interal backup feature that also uses iCloud. - [iOS] Settings → Your name → iCloud → Manage Storage → Backups → device → WhatsApp: Off
  • Stop automatically downloading any and all photos and videos your receive:
- Settings → Chats → Save to Camera Roll: Off

🙃 Secure the rest of your accounts

You made unique passwords for important accounts in Level 2, but you should plan out a day to deal with the rest of your online accounts. It's not an urgent task, which is why we've put so far down the list, but it will require quite a bit of time and effort. Feel free to do this now or mark it as a to-do for later.

  • Make a list of any active accounts and any accounts with your private information. Don’t worry about finding every last account, you can always deal with them later.
  • If you no longer use the account, consider logging in to deactivate/delete it. A few accounts might have sentimental value, but most won’t.
  • For the accounts you want to keep, make sure each of them uses a unique, hard-to-guess password. Review our Level 2 recommendations about making good passwords if need be.
- If you are using a password manager, now is the time to transfer everything onto there: - The fastest way to enter the details is to logout and login to each account on your computer, and let the password manager's browser extension/add-on capture the details automatically. - In some cases, the password manager may warn you that the password you have is weak. If so, spend that extra minute on the account website to change to a new password. - When you’re all done, use your password manager’s monitoring feature to double check stored passwords to see if it's too short, has been reused, or has already been leaked as part of a data breach. In 1Password, this feature is called Watchtower, and in Bitwarden it’s called Vault Health Report.

👍👍👍👍 Wow, you really did it. You finished all four levels! You locked up all the things (big and small), you drastically increased your digital privacy, and got your hands on some super safe tools and tips. You've done all the things that we think are useful for everyone. Treat yourself to something nice as a reward for sure.

From here on out, we're providing recommendations for special cases (scenarios) followed by a small bonus section for technical people. If none of the scenarios apply to you right now, then you're all set. Just remember, the scenarios will be here if you ever need them!


🤹🏻 Scenarios


👤 Masking your identity for online dating, events, or organizing

Don't use your full name

  • Consider using a nickname or only your first name (if your first name is common where you live). This is especially important if your full name is very unique, which makes it very easy to search for online.
  • Consider using a persistent pseudonym or collective identity, especially if you’re a public figure. For more information on how and why, see:
- Tactical Tech: Zen and the art of making tech work for you

Get a secondary phone number

For messaging apps using phone numbers as the primary identifier (e.g. Signal, WhatsApp, Telegram), get a secondary number from:

  • Paid online services 💰 (more reliable)
- Hushed:: Offers US, Canada, and UK numbers - Burner:: Offers US and Canada numbers
  • Free online services 🆓
- TextNow:: Offers ad-supported US and Canada numbers - Google Voice:: Offers a free US number, but is only available in the US
  • Your local phone companies 💰
- Get a prepaid or cheap SIM card plan

Note: If you lose/unsubscribe to your secondary phone number, other people can buy it and impersonate you.

Get an email alias

For sites and services that use email as the primary identifier/username, get a new 🆓 email account or an email alias that forwards to your main account from:

  • SimpleLogin:: Based in Switzerland (as part of the Proton Mail/VPN group)
  • addy.io: Based in the UK and EU

Buy things online anonymously

  • Sign up for a privacy-focused virtual credit card 💰 from Privacy (only available in the US). It helps a) mask who you are to the seller, and b) mask what you've bought from the bank.
  • Buy a prepaid credit card at a local convenience store. But be careful, these cards don’t always work for online shopping depending on where you are.
  • Get a virtual credit card for free trials at Do Not Pay for those cases where you want to sign up for a free service period but not give out your real credit card information.
  • Ask to be paid in gift cards, which can be used in stores without tracking.

Create an untraceable online alias

Even with all the third-party services above, courts can still compel companies to hand over information about you. So if you are really in a high-risk situation, you may need to do all of the above and more. For one example of this, see Matt Mitchell's PRIVACY RECIPE: Creating an online persona.


🗃️ Backing up your data

In case your devices get lost or hacked, it's good to have a recent backup copy of the data on them.

Backing up your phone/tablet

iOS devices

Our recommendations for backing up remotely and locally:

  • Back up to iCloud: An automated process that only works if you have/subscribe to iCloud+ 💰 .
  • Back up to your computer: A manual process (you connect your device to your computer with a cable) that's free as long as you have hard drive space.
See Apple's instructions to do both.
  • If you use iCloud, turn on Advanced Data Protection (which includes end-to-end encryption) afterwards by following these instructions.
  • If you're backing up to computer, remember to check Encrypt local backup to set a password in the process.
Android devices

Android phones can only be backed up on the cloud:

  • Back up to Google One: An automated process that only works if have/subscribe to Google One 💰. Unlike Apple's iCloud however, there is no support for end-to-end encryption. See Google's instructions.
While you can transfer select files if you connect your Android to your computer with a cable, there's no way to back up everything on your phone.

Backing up your computer to an external hard drive

macOS

Apple's default recommendation is to use their Time Machine app, which will automatically backup the full contents of your computer to an external hard drive. Follow their instructions and remember to turn on Encrypt Backups.

Wi

README truncated. View on GitHub
🔗 More in this category

© 2026 GitRepoTrend · narwhalacademy/zebra-crossing · Updated daily from GitHub