DIGITAL SECURITY CHECKLIST
- Identify a trusted security expert or advisor for your group if possible.
- Take an inventory of your main communications systems and assess what your top information security priorities and risks might be.
- Keep all your systems up to date; install legitimate security patches.
- Review the privacy settings on your social media accounts.
- Use strong passwords on all your important accounts.
- Enable 2-Factor Authentication whenever possible.
- No security system is perfect; assume anything you write or send online may become public.
THINKING ABOUT SECURITY
Different groups communicate with each other or store information in different ways. Just as with physical security, it’s important to consider which risks you and your group might be facing, and which you might not. Many security measures require compromises in terms of the ease of communication or cost to an organization’s institutional memory. Being secure is less convenient than just doing nothing, and the goal should be to identify what’s most important to you and your group, and focus on what you can effectively do to secure that, rather than devising an iron-clad system that’s impossible to use.
In the end there are no guarantees of perfect security, especially in online communications. The safest approach is to assume that anything you write online could at some point become public, attributed to you. Truly sensitive discussions may need to be restricted to in-person or over-the-phone conversations. But at the end of the day, you are planning local advocacy focused on your members of Congress to insist that they represent you and your values: that is a fundamental American right.
KEEPING UP TO DATE
Online security is an incredibly complex and rapidly evolving subject, so our first recommendation is to identify members of your group or in your community who have professional technical skills in this area and consult with them directly about your particular needs and situation. We cannot provide detailed technical guidance without knowing your unique situation; trusted expert help is always valuable if it’s available.
Short of this, the most important basic security step you can take is to make sure all of your digital systems are up to date with the latest patches and updates from their respective companies (Microsoft, Apple, Android, etc.). In almost all cases today, these updates are distributed for free whenever companies identify significant vulnerabilities in their systems or software. Provided you are certain they are being distributed authentically from the company, they should always be installed as soon as possible.
PROTECTING YOUR PRIVACY
Most of the steps we think of when we first think of online security involve seeking to restrict access to our private correspondence and information, to prevent others from observing them. While it’s important to take what steps you can in this area, a bigger concern may come from opponents who might seek to harass or intimidate you or your fellow activists on the basis of information available in the public sphere. In almost all cases, these are nuisance actions that seek to drain your energy for activism and distract you from other things, and the best response is to block and ignore them as best you can. But online harassment can still have a real impact and in some rare cases may escalate into physical threats.
As much as possible, we recommend reviewing in detail the privacy settings on your social media accounts, and being conscious about what information you share about yourself with the public and how easy you make it for people to contact you. (In many cases, information like home addresses or phone records may already be public.) You should especially be mindful of any high-profile group leaders or spokespeople, or members of minority communities, who may find themselves the first target of harassment. As part of your initial security assessment, you might consider tasking some volunteers to conduct “opposition research” on public-facing members of your group, to understand what information is or is not already out there for others to find.
PROTECTING YOUR ACCOUNTS
Beyond your privacy, the main priority is to inventory the most important services and accounts you use online and to make it as difficult as possible for others to break into them. In most cases, your email account will be the first and most important service to secure, as it is often used as a means of gaining access to other services; beyond this, social media (Facebook, LinkedIn, Twitter), banking, and other key services (Apple or Microsoft IDs, PayPal, etc.) should also be part of your review.
In almost all cases, these services encrypt their traffic, so that (barring a high degree of sophistication and resources) the content of a message is only visible to the sender and recipient (or whoever that recipient passes it along to). That means your first priority should be developing strong passwords that prevent anyone from breaking into accounts and bypassing encryption entirely. (Use of online services like these inevitably requires placing trust in the security of the service providers. While many place a high priority on customer data security, breaches are not uncommon. Again, you should assess how sensitive the information you may be storing online is, and consider alternatives in extreme situations.)
There are many guides to creating strong passwords. Essentially, the longer, more complex and more regularly changed the better, which makes remembering them more difficult for the actual user. Password manager services can help with this; this review describes some of the more popular options. Regardless of what you use to create passwords, as a general rule:
- Do not reuse passwords between sites.
- Do not give answers to password recovery questions (your mother’s maiden name, your high school football team) that are discoverable by a basic Google search. Best practice for sites that require this is to make your answer itself a strong password.
- Never email passwords or write them down in a document stored anywhere on the web.
Enabling two-factor authentication on all of your accounts is another key step that should dramatically reduce the risk of someone breaking into your account. The steps for doing so vary depending on the account in question, but this site offers a step-by-step guide to many services.
Many hacks seek to impersonate security programs, services, or warnings in order to exploit users’ anxieties and induce them to open up their systems to an attacker—this falls under a general category of attacks known as “phishing”. Always be careful when receiving file attachments from suspicious sources—opening these in an online service like Google Docs significantly reduces risks—and if you are ever asked to re-enter your password, be very careful to confirm that you have been directed to the legitimate website and not a fake portal seeking to capture your login details.
A recent variation on this attack targeted Google Account users, seeking to trick them into giving access to a fake application that would in turn gain access to a user’s email contacts. Many internet services now allow you to use logins from major service providers like Google instead of creating a separate sign-in, a process which involves you linking their applications to your login. It’s good to periodically review any associated applications you have linked to your main accounts and confirm that nothing there is out of place and they have not been granted improper access to account information—in the case of Google, this can be done by reviewing the “Connected Apps and Sites” section of your account’s security page.
Again, this is a very complex and frequently changing subject; there are lots of organizations and resources out there with more expertise on it than we have. A few other places you can look for guidance include:
- Ars Technica: A beginner’s guide to beefing up your privacy and security online
- EFF: Surveillance Self-Defense—especially check out the sections on:
- Security in a Box—Digital Security Tools and Tactics
- Digital Defenders Partnership: Digital First Aid Kit