Online security 101

Privacy is what sets us apart from the animals. It’s also what sets many countries and citizens apart from dictatorships and despots. People often don’t think about their rights until they need them — whether it’s when they’re arrested at a protest or pulled over for a routine traffic stop.

Now, with a new president in the Oval Office, many are concerned about the future of their fundamental freedoms and constitutional rights.

There is no such thing as perfect security. But no matter who you are or where you are in the world, there are a lot of things you can do — many of which are simple — to protect yourself in this turbulent time.

Your privacy, at its core, relies on your data being secure.

While most apps and services nowadays secure your data with encryption on their servers to prevent data from being readable if hacked or served with a government subpoena, many more now are providing it “end-to-end.” In other words, nobody else can see what’s sent, stored, or received, other than you and the person you’re talking to — not even the companies themselves.

If you secure each of those points, you’re well on the way to keeping your data private.

Your phone is your ultimate endpoint. You carry it everywhere and it usually holds your most personal secrets and sensitive information.

Here’s a guide on how to secure your iPhone, and here’s another guide for most Android devices.

TURN OFF FINGERPRINT PHONE UNLOCK

Turn off Touch ID by going to Settings > Touch ID & Passcode > turn off iPhone Unlock. (Android users can go to Settings > Security > Lock Screen or Nexus Imprint.)

Each time you install an app, it will ask you for permissions to your phone’s features or data, like your contacts, photos, camera, or even the phone dialer itself. Be mindful of apps that you install, as a single rogue app can punch a hole in your privacy protections.

SET A STRONG PASSCODE

Keeping your devices and apps up to date will significantly reduce attacks. Every app or service you install will increase your vulnerability risks because no software is perfect. If you have preinstalled apps or “bloatware,” you should remove those — and that includes web plugins like Adobe’s Flash, Oracle’s Java, and Apple’s QuickTime. Using ad-blockers can prevent ads from installing tracking cookies and even malware (which happens surprisingly often).

Yes, Windows 10 is more secure than Windows 7, but it’s understandable that many think it’s a privacy nightmare. We have a separate Windows 10 privacy guide that shows you the right options for you.

Now that your device is secure, you should think about your data in-transit — that is, as it traverses the waves of the wireless spectrum and the pipes of the internet.

It’s not just the messages you send that you need to worry about; you also have to think about the data that’s generated as a result — so-called metadata, such as who you’re talking to, when, and sometimes where. That information alone can tell a lot about your life, which is why it’s so important to intelligence services. Metadata is a core pillar of government surveillance.

Let’s get one myth out of the way: There is no secure email solution — at least not yet. While there are systems like PGP encryption, which remains the favorite for scrambling the contents of email messages, it’s not as strong as it used to be and better instant communications exist.

USE SIGNAL FOR ENCRYPTED MESSAGING

The messaging app and its desktop counterpart are also open-source, meaning anyone can look at and inspect the code to ensure there are no backdoors. And, Signal almost entirely removes itself from the surveillance loop by collecting almost no metadata. Even if a user chooses to upload their contacts list to Signal, each record is scrambled and can’t be used by the intelligence services.

The Intercept has a simple guide on how to verify your contacts in the unlikely event that your communications are being intercepted. You usually only do this once (unless you or someone you’re talking to changes device).

IGNORE THE FEARMONGERS. WHATSAPP IS BASICALLY FINE

The end-to-end encrypted messenger, owned by Facebook, works on a range of devices, including desktop. At its core, it uses the same protocols as Signal — so it’s secure and neither Facebook, WhatsApp, nor anyone else can read your messages.

Do this by going to WhatsApp then Chats > Chat Backup > then set Auto Backup to Off.

You should also turn off online backups — both on the app and iCloud and Android’s settings — as backups can be cherry-picked out of the cloud by law enforcement with a search warrant.

iMESSAGE IS OK, BUT BE MINDFUL

That said, you should regularly carry out an encrypted local backup of your iPhone or iPad. It’s very simple to do, and can restore your data if you break your device.

Again, encrypted email is a fallacy, so you should get the idea out of your head. Consider services that don’t require you to handle private keys, such as ProtonMail, which now comes with support for the Tor browser (more on that shortly).

Or, if you can get an invite to Keybase.io (you can find some here or by searching Twitter), you can choose to import your PGP private key and use the web-based encrypt and decrypt tools. This has raised some eyebrows, but it’s entirely optional, as it makes scrambling and unscrambling PGP messages and files significantly easier.

Browsing is usually at the heart of what most people do. But just as you’re looking out at the world, you also have a lot trying to look in. Ad networks will track you from site to site, your internet provider will log which pages you visit, and hackers will try to target you.

When it comes to the gold standard of privacy, consider using Tor. It’s like a regular browser with privacy benefits, and it’s often used by the privacy conscious, such as reporters and activists.

The Tor browser lets its users browse the internet anonymously by bouncing traffic through multiple relays. Not only does it hide a user’s internet history, it’s also used to circumvent state-sanctioned network blocks. The service also allows users to browse parts of the dark web, which aren’t accessible through traditional browsers and networks, as well as websites and services that are blocked in your region.

With other browsers, to enhance your security, you can install the HTTPS Everywhere plugin (available for most popular browsers), which forces websites that support website encryption to turn it on by default.

You can also use mobile versions of the Tor browser called Orbot for Android and Onion Browser for iOS, both of which are also open source.

PUBLIC WI-FI NETWORKS ARE A BIG ‘NO’

USE YOUR PHONE’S DATA FOR BETTER SECURITY

You can usually find your hotspot option in iPhone’s settings or Android’s notification tray.

On that note, be mindful of your connection if you’re at public or high-profile events, including protests or demonstrations. We mentioned earlier that police can use “stingrays” to intercept your phone calls and texts, and possibly your browsing data.

If you’re at a protest or other high-security event and you suddenly lose LTE connectivity and are pushed to 2G, that could be a sign your communications are being monitored.

Android users can select a “preferred network type” such as LTE only by accessing a hidden Android menu. Here’s a helpful guide which explains how to do it.

Then, use your smarts: If you’re in a busy area, such as a city, and you suddenly lose LTE connectivity in the middle of a protest, your phone may have been tricked into connecting to a stingray.

You’ve secured your phone, your computer, and you can communicate and browse with relative safety. But you still store a wealth of data in the cloud — in other words, other people’s servers.

It’s not only wise to be careful with what you store in the cloud wherever possible, but also to ensure that your various clouds are secure. Some services even allow their staff to read and access your content.

You must use a strong, unique alphanumeric password, at least a double-digit number of characters long, for each account you have. Use a password manager like LastPass, 1Password, or Dashlane to generate strong passwords for you.

NOW, SET UP TWO FACTOR AUTHENTICATION ON EVERYTHING

This helps prevent account takeovers from hackers. CNET has a great explainer on two-factor, and why it’s so important.

You may use many different services, and each process is different. But one website, the aptly named Turn It On, has you covered. It explains how to set up two-factor authentication on dozens of major websites, including Facebook, Google, Twitter, and more.

If you do decide to use an encrypted two-factor app, Google Authenticator is highly recommended, as well as Duo Mobile.

DELETE ANY ACCOUNTS YOU NO LONGER USE

Holding onto these old accounts may expose you to greater hacks or intrusions down the line, even if you long forgot about them.

You should encrypt as much of your data as possible. To make life easier, some providers allow you to upload your encryption keys in case you get locked out of your account. Helpful, yes, but a huge risk to your privacy if leaked.

Macs also offer the same option. Once you begin encrypting your Mac hard drive, you are given the option to upload your key to your iCloud. If you choose not to, you’ll be given a recovery key which you can keep safe, and your encryption key won’t be uploaded to Apple’s servers.

There’s a lot you can do to ensure your personal security and data privacy, but all too often it takes two to tango — in that you should ask your friends, colleagues, and others you communicate with to also jump in.

A FINAL NOTE

Contact me securely

Zack Whittaker can be reached securely on Signal and WhatsApp at 646-755-8849, and his PGP fingerprint for email is: 4D0E 92F2 E36A EC51 DAAE 5D97 CB8C 15FA EB6C EEA5.

Read More

Today’s security might not be what is tomorrow’s, so this guide will be kept as up to date as it can be. While this guide has been pored over to make sure it’s fair and accurate, do take the time to read more (from the various links).