Digital Security and Privacy for Normal People

This is a guide for individuals who are interested in improving their digital security/privacy. Only basic knowledge of how to use your computer and mobile device is required.

Low-hanging fruit

Everyone should do these. You only need to set them up once, are high value for relatively low effort, and there is little/no downside. Instructions are linked, where possible. You can of course skip any that aren’t relevant to you.

Browser(s)

Devices

Do these for all of your computers, phones, tablets, etc.

Messaging

  • iPhone: Enable RCS on the devices you use the Messages app from.

Important accounts

Prioritize securing services that you frequently use for communication, or that have sensitive information like your contacts, financial, payment, or health information. In other words, which accounts do you have that, if hacked, would be a Big Deal? Examples of services that might be at the top of that list:

  • Bank(s)
  • Ecommerce
  • Email
  • Social media

We’ll refer to this in subsequent sections.

Security Checkups

Some services have a built-in Security Checkup tools, walking you through various account settings. Go through them for:

Passwords

Multi-factor authentication

Also known as two-factor authentication (2FA). All major services offer MFA.

When enabling MFA, using one or more of the following is recommended:


Next steps

These tips require a bit more commitment or technical comfort, but are worth the effort.

Messaging

For more information, see the Freedom of the Press Foundation’s Secure Communication guide.

Accounts

Sensitive information

Examples of sensitive information:

  • Credit card numbers
  • Passwords
  • Social security numbers
  • Photos or messages you don’t want other people to see

Who to share it with

If someone contacts you via phone or email and asks for sensitive information, don’t give it to them. This often comes up as fake customer support or debt collectors. If this happens and you think it might be legitimate, follow up via official channels (the customer service number on the back of your credit card, etc.)

How to send

Don’t share sensitive information in SMS or (unencrypted) email directly. See more info for Gmail and Outlook. An easy alternative is putting the information in a file/document in Google Drive / Dropbox / etc. and sharing that.

Personal information

Your personal information is constantly being sold by data brokers.

Leaks

Your personal/contact information, passwords, etc. may have become available to people that shouldn’t have it.

Passwords

  • Use different (strong) passwords for every service.
    • If you use the same password across services, one service getting hacked means your accounts with other services could be compromised. This happens all the time.
    • The best way to do this is with a password manager.

Password manager

  • Set up a password manager.

A password manager solves a number of problems:

  • You don’t have to remember all of your different passwords for different services.
  • Your list of passwords can’t be stolen as easily as if they are written on paper, a Word document, or a spreadsheet.
  • Most can generate a random, non-trivial password.
    • This often means you won’t know your own password for a given service…which is not a bad thing!

It’s worth paying for one of the top-recommended options, but if you’re cost-conscious or want minimal hassle, you can use one that comes built into your browser:

Devices

Do these for all of your computers, phones, tablets, etc.

Payments

  • When paying in-person using a credit or debit card, use the chip or contactless/tap-to-pay instead of swiping.
  • Use disposable/one-time/virtual credit card numbers for payments, especially if you are wary of the vendor.
  • Make online payments through PayPal or another trusted service instead of entering your payment information into a third-party site directly.
  • Don’t let vendors store your credit card details.
    • Many will have an option like “save for later” — don’t check that box.

Credit

Networking


Privacy vs. security

In short, security is like having bars on your windows: hackers can’t get in, but they can see through. Privacy is like having blinds, where they can’t see in, but they can reach their hand in and unlock the door. You’ll need a combination of protections to address both.

Glossary

  • Data breach: TODO
  • Data broker: TODO
  • Hack: TODO
  • Multi-factor authentication (MFA): A service requiring more than just a password to log in.
  • Passphrase: Synonym for password.
  • Personal health information (PHI): TODO
  • Personally identifiable information (PII): TODO
  • Privacy: TODO
  • Pwned
  • Security: TODO
  • SMS: Short Message Service, also known as “text messages”.
  • Two-factor authentication (2FA): See multi-factor authentication.

Disclaimer

This guide makes no guarantees that, even with following all steps of this guide, that your digital security/privacy will not be compromised. If you are a high-value target for hackers, such as:

  • An activist
  • A celebrity
  • An executive
  • A journalist
  • A politician
  • A system administrator

…then this guide will not be enough. See resource like the Surveillance Technology Oversight Project (STOP)’s Protest Surveillance toolkit. If you’re a high-profile target, you should consult a security professional for additional actions.

See also