Digital Security and Privacy for Normal People

This is a guide for individuals who are interested in improving their digital security/privacy. Only basic knowledge of how to use your computer and mobile device is required.

Low-hanging fruit

Everyone should do these. You only need to set them up once, are high value for relatively low effort, and there is little/no downside. Instructions are linked, where possible. You can of course skip any that aren’t relevant to you.

Browser(s)

• Enable HTTPS-only mode in all browsers you use regularly
  • “Turn on Always use secure connections” in Chrome on Android
• Delete extensions you don’t use.
  • Chrome
  • Edge
  • Firefox
  • Safari

Devices

Do these for all of your computers, phones, tablets, etc.

• Lock your device, using fingerprint/PIN/passcode/whatever.
  • Android
  • iOS
• Set them to auto-lock after a short period of time (less than five minutes).
  • Android
  • iOS
  • Mac
  • Windows
• Enable automatic updates. Update your operating systems and software early and often.
• Enable automatic backups.
  • Android
  • iOS
  • Mac
  • Windows
• Delete apps you don’t use.
  • Android
  • iOS

Messaging

• iPhone: Enable RCS on the devices you use the Messages app from.
  • iOS
  • Mac

Important accounts

Prioritize securing services that you frequently use for communication, or that have sensitive information like your contacts, financial, payment, or health information. In other words, which accounts do you have that, if hacked, would be a Big Deal? Examples of services that might be at the top of that list:

• Bank(s)
• Ecommerce
• Email
• Social media

We’ll refer to this in subsequent sections.

Security Checkups

Some services have a built-in Security Checkup tools, walking you through various account settings. Go through them for:

• Google
  • Review My Google Activity. Are you ok with Google knowing all of that about you?
  • Remove the Results About You
• Meta (Facebook, Instagram, etc.)

Passwords

• Set strong passwords on all of your important accounts and devices.
  • Otherwise, hackers can get into your account(s) extremely easily. Different services have different requirements around passwords.
  • This is easier if you set up a password manager.

Multi-factor authentication

• Enable multi-factor authentication (MFA) on all of your important accounts.

Also known as two-factor authentication, or 2FA. All major services offer MFA — see this list.

When enabling MFA, using one or more of the following is recommended:

• An app to generate codes that synchronizes:
  • 1Password - paid, but is a full-fledged password manager
  • Authy - free
  • Google Authenticator - free
• The service’s app, when it supports push notification for MFA. For example:
  • Apple ID
  • Google
• Text messages (SMS)

---

Next steps

These tips require a bit more commitment or technical comfort, but are worth the effort.

Messaging

• Use a messaging app with end-to-end encryption (E2EE).

For more information, see the Freedom of the Press Foundation’s Secure Communication guide.

Accounts

• Google: Go through their Privacy Checkup.
• Meta (Facebook, Instagram, etc.): Go through their:
  • Privacy Checkup
  • Ad preferences
• Try Privacy Party.

Sensitive information

Examples of sensitive information:

• Credit card numbers
• Passwords
• Social security numbers
• Photos or messages you don’t want other people to see

Who to share it with

If someone contacts you via phone or email and asks for sensitive information, don’t give it to them. This often comes up as fake customer support or debt collectors. If this happens and you think it might be legitimate, follow up via official channels (the customer service number on the back of your credit card, etc.)

How to send

Don’t share sensitive information in SMS or (unencrypted) email directly. See more info for Gmail and Outlook. An easy alternative is putting the information in a file/document in Google Drive / Dropbox / etc. and sharing that.

Personal information

Your personal information is constantly being sold by data brokers.

• Sign up for a data removal service to get your information automatically removed from people-search sites.

Leaks

Your personal/contact information, passwords, etc. may have become available to people that shouldn’t have it.

• Sign up for data breach alerts through one of the following services:
  • 1Password Watchtower
  • Have I Been Pwned notifications
    • Can do a one-time check without signing up
  • Mozilla Monitor

Passwords

• Use different (strong) passwords for every service.
  • If you use the same password across services, one service getting hacked means your accounts with other services could be compromised. This happens all the time.
  • The best way to do this is with a password manager.

Password manager

• Set up a password manager.

A password manager solves a number of problems:

• You don’t have to remember all of your different passwords for different services.
• Your list of passwords can’t be stolen as easily as if they are written on paper, a Word document, or a spreadsheet.
• Most can generate a random, non-trivial password.
  • This often means you won’t know your own password for a given service…which is not a bad thing!

It’s worth paying for one of the top-recommended options, but if you’re cost-conscious or want minimal hassle, you can use one that comes built into your browser:

• Edge
• Firefox Password Manager
• Google (Chrome) Password Manager
• Safari

Devices

Do these for all of your computers, phones, tablets, etc.

• Go through the Wirecutter Secure Your Smartphone guide.
• Enable full disk encryption.
  • Back up your system first
  • Computer
    • Windows: BitLocker
    • Mac: FileVault
  • Phone
    • Android
    • iOS: just set a password
• iOS/Mac: Review your personalized ads setting.
• iOS: Go through the built-in privacy and security protections page.
  • iOS: Review app tracking permissions.

Payments

• When paying in-person using a credit or debit card, use the chip or contactless/tap-to-pay instead of swiping.
• Use disposable/one-time/virtual credit card numbers for payments, especially if you are wary of the vendor.
• Make online payments through PayPal or another trusted service instead of entering your payment information into a third-party site directly.
• Don’t let vendors store your credit card details.
  • Many will have an option like “save for later” — don’t check that box.

Credit

• Freeze your credit.

Networking

• Make sure there is a password on your wifi network. If you like having an open network, you can buy a router with a built-in public hotspot.
• Set up DNS over HTTPS.
  • This can cause issues when you’re on some networks, like in a corporate office or on airplane WiFi. You may need to disable now and then.
• Check for upgrades to your router firmware.

---

Privacy vs. security

In short, security is like having bars on your windows: hackers can’t get in, but they can see through. Privacy is like having blinds, where they can’t see in, but they can reach their hand in and unlock the door. You’ll need a combination of protections to address both.

Glossary

• Data breach: TODO
• Data broker: TODO
• Hack: TODO
• Multi-factor authentication (MFA): A service requiring more than just a password to log in.
• Passphrase: Synonym for password.
• Personal health information (PHI): TODO
• Personally identifiable information (PII): TODO
• Privacy: TODO
• Pwned
• Security: TODO
• SMS: Short Message Service, also known as “text messages”.
• Two-factor authentication (2FA): See multi-factor authentication.

Disclaimer

This guide makes no guarantees that, even with following all steps of this guide, that your digital security/privacy will not be compromised. If you are a high-value target for hackers, such as:

• An activist
• A celebrity
• An executive
• A journalist
• A politician
• A system administrator

…then this guide will not be enough. You should consult a security professional for additional actions.

See also

• A workshop version of this page as slides
• Electronic Frontier Foundation (EFF)’s Surevillance Self-Defense Guide
• Wirecutter’s Every Step to Simple Online Security
• Elana Hashman’s Cryptoparty Workshop at Protect Yo’Self!
  • The inspiration for this guide
• Tech Solidarity’s Security Guide
• Windows Security From The Ground Up
• Mozilla’s Privacy Not Included buying guide
• Freedom of the Press Foundation’s Online Account Security guide
• Brian Lovin’s Security Checklist
• Smart Girl’s Guide to Privacy (book)
• New York Times’s How to Dox Yourself on the Internet