Assessing Your Threat Model
Before implementing any security measures, you need to understand your specific threat landscape. Not everyone faces the same risks, and the appropriate level of security depends on who you are trying to protect yourself from and what the consequences of exposure would be.
A threat assessment asks four fundamental questions. What do you want to protect? This could be your communications, your sources, your location, your identity, or specific documents. Who do you want to protect it from? Threats from a stalker, a corporation, local law enforcement, or a nation-state intelligence agency all require different defenses. How likely is it that you will need to defend it? The probability of surveillance varies enormously based on your activities and location. What are the consequences if protection fails? If the consequences are severe, more rigorous protections are warranted.
Activists organizing community events face different threats than journalists investigating government corruption. Human rights workers in authoritarian regimes face different threats than environmental campaigners in democracies. Your security measures should be proportional to your actual risks.
Secure Communications
Signal: The Gold Standard
Signal is the most widely recommended secure messaging application. It provides end-to-end encryption for text messages, voice calls, and video calls. The encryption protocol, developed by Open Whisper Systems, has been audited by security researchers and is considered the strongest available.
Signal's key features for activists include disappearing messages (which automatically delete after a set time), view-once media, screen security (which prevents screenshots on Android), and registration lock (which prevents someone from re-registering your number). Signal also recently introduced usernames, allowing you to communicate without sharing your phone number.
For sensitive conversations, use Signal's disappearing messages feature and verify the safety numbers of your contacts to ensure you are communicating with the right person and not a man-in-the-middle attacker.
What to Avoid
Standard SMS text messages and regular phone calls are not encrypted and can be intercepted with readily available equipment. Email, even with TLS encryption in transit, is stored unencrypted on mail servers. Social media direct messages are typically encrypted in transit but accessible to the platform provider. For any communication where privacy is important, use end-to-end encrypted tools exclusively.
Use our text encryption tool when you need to send encrypted content through channels that do not provide their own encryption.
Device Security
Your phone and laptop are the most vulnerable points in your security chain because they contain the most information about you. Securing them is essential.
Enable full-disk encryption on every device. Modern smartphones encrypt by default when a passcode is set. For laptops, enable BitLocker (Windows), FileVault (macOS), or LUKS (Linux). Encryption protects your data if your device is seized, lost, or stolen.
Use a strong passcode, not biometric authentication alone, for situations where you might be compelled to unlock your device. In many jurisdictions, courts have ruled that you can be compelled to use your fingerprint or face to unlock a device but cannot be forced to reveal a password. Disable biometric unlock before entering high-risk situations.
Keep devices updated with the latest security patches. Enable automatic updates for both the operating system and applications. Unpatched vulnerabilities are the primary entry point for device compromise.
Review application permissions regularly. Revoke access to your camera, microphone, location, and contacts for any application that does not genuinely need them. On both iOS and Android, you can review and modify permissions in the privacy settings.
Safe Browsing
Using Tor
The Tor Browser routes your internet traffic through multiple encrypted relays, making it extremely difficult to trace your browsing activity back to you. For activists facing surveillance threats, Tor provides meaningful anonymity when accessing sensitive information, communicating through web platforms, or researching topics that could attract attention.
Tor is not perfect. Your internet service provider can see that you are using Tor (though not what you are accessing), exit nodes can potentially monitor unencrypted traffic, and browser fingerprinting techniques can sometimes compromise anonymity. For maximum protection, use Tor Browser without modifying its default settings, avoid logging into personal accounts while using Tor, and never open documents downloaded through Tor while online.
VPNs and Their Limitations
A VPN encrypts your internet traffic and routes it through a remote server, hiding your browsing activity from your internet service provider. However, a VPN shifts trust from your ISP to the VPN provider. If the VPN provider logs your activity or cooperates with authorities, your privacy is compromised. For high-risk situations, Tor provides stronger anonymity than any VPN.
Compartmentalization
Compartmentalization is the practice of separating different aspects of your digital life so that a compromise in one area does not expose everything else. Use separate devices or user profiles for activist work and personal life. Use different email addresses, phone numbers, and accounts for different activities. Do not cross-contaminate by logging into personal accounts on your activist device or vice versa.
Use strong, unique passwords for every account to prevent a single credential breach from cascading across your accounts. A password manager secured with a strong master password helps manage this without relying on memory.
Operational Security
Operational security (OPSEC) is the practice of preventing sensitive information from being revealed through patterns of behavior. This includes being mindful of what you share on social media, who you communicate with on observable channels, and what metadata your activities generate.
Before sharing any files publicly, strip metadata using a metadata removal tool. Photos taken at meetings or events can contain GPS coordinates, timestamps, and device identifiers that reveal your location and identity. PDF documents can contain author information and revision history.
Be aware of traffic analysis. Even encrypted communications reveal metadata: who contacted whom, when, for how long, and how often. Patterns of communication can reveal organizational structures and relationships. Vary your communication patterns and timing when dealing with sensitive matters.
Attending Protests Safely
Physical protests present unique digital security challenges. Your phone continuously broadcasts signals that can be used to track your location and identify your presence at a specific event.
Before attending: Back up your phone and remove sensitive data. Disable biometric unlock and set a strong passcode. Turn off WiFi and Bluetooth to prevent tracking through probe requests. Consider enabling airplane mode if you do not need connectivity, or use a dedicated prepaid phone that is not linked to your identity.
During the event: Be cautious about taking photos or videos that show identifiable faces of other participants. If you document the event, review photos afterward and blur faces before sharing. Disable location services for your camera application.
After returning: Review and delete any photos, messages, or data from the event that you do not need to keep. Change passwords for any accounts you accessed during the event. Monitor your accounts for unusual activity.
Security as a Continuous Practice
Digital security for activists is not a one-time setup but an ongoing practice. Threats evolve, new vulnerabilities are discovered, and your own circumstances change. Regularly reassess your threat model, update your tools and practices, and share knowledge with your community. Collective security depends on every member understanding and implementing these practices consistently.
Raimundo Coelho
Cybersecurity specialist and technology professor with over 20 years of experience in IT. Graduated from Universidade Estácio de Sá. Writing practical guides to help you protect your data and stay safe in the digital world.