Digital information and communications security

A guide to help potential contributors develop their skills.

If you are considering contributing to Exeter Observer please see our contributors guide.

More guides:

• News writing
• What is news?
• Objectivity, neutrality, impartiality & balance
• Style
• Multimedia collateral & copyright
• Sources & interviews
• Subediting
• Feature writing
• Research resources
• Local government transparency & information access rights
• Data protection & media law

If you want to reduce the likelihood of anyone accessing your digital information or monitoring or intercepting your communications, there are steps you can take to increase your security.

These notes introduce some techniques and tools for those using common operating systems. Others are available, some of which are listed in the advanced section.

A basic approach

1. No such thing as perfect security
2. Understand your situation cf. threat model
3. Think weakest link cf. end to end encryption
4. Keep it simple
5. Keep it free? cf. open source software
6. Know who to trust
7. Update!

Guides

• Electronic Frontier Foundation Surveillance Self-Defense
• Freedom of the Press Foundation
• Data Journalism
• Centre for Investigative Journalism handbook
• Centre for Investigative Journalism handbook videos
• Crytoparty
• Security in a Box
• Security planner
• Digital Defenders
• Rise Up
• PRISM Break
• Restore Privacy
• Securing Your Digital Life Like a Normal Person
• Cybersecurity for lawyers
• The Tin Hat
• Privacy and security conscious browsing
• Browserleaks
• MacOS security and privacy guide
• How DNS works
• Greycoder

Device security

• Cover microphones and cameras with electrical tape … whenever possible
• Encrypt startup and storage drives: Mac, Windows
• Delete data securely

• Use strong passwords

  • Online password generator
  • Dice
  • KeePassXC
  • Using KeePassXC
  • Choosing secure passwords
  • Password usability
  • Password usability FAQ
  • Password usability redux
• Verify signatures

Communications security

Email

Mozilla Thunderbird is a free and open source email client that supports OpenPGP encryption by default.

K-9 Mail is a free and open source email client for Android that supports PGP encryption via the OpenKeychain add-on. Both are available via F-Droid, an open source software repository.

It is important to note that PGP encryption doesn’t secure the sender and receiver information that are necessary for email to work, or the subject line. Using a generic subject line helps address this latter issue.

Several webmail providers are also available which offer more privacy-focussed services.

• Windows/Mac/Linux

  • Thunderbird
  • OpenPGP in Thunderbird
  • Enigmail - PGP add-on for Thunderbird version 68 and earlier
  • GnuPG
  • Using PGP on Windows
  • Using PGP on Mac
  • Using PGP on Linux

• Android

  • K-9 mail
  • OpenKeychain
  • Using OpenKeychain with K-9 mail

cf. key verification

• Webmail+

  • Protonmail - Switzerland, Android/iOS apps, automagical encryption to other Protonmail accounts, freemium
  • Tutanota - Germany, green data centres, automagical encryption to other Tutanota accounts, freemium
  • Runbox - Norway, hydro data centre, workers co-operative, multiple domains/aliases
  • Autistici - Italy, autonomous anti-capitalist collective, account on request
  • Riseup - US, autonomous anti-capitalist collective, IMAP/XMPP/VPN services, account by invitation
  • Fastmail - Austrian company with US data centres, see security info, free trail only

Instant messaging inc. audio/video

Signal is end-to-end encrypted, available for Android, iOS, Windows, Mac and Linux and is open source software, which means its code can be audited by privacy experts to confirm its authenticity, among other things. It can be also be used to make secure voice (and video) calls, as can Jitsi.

• Signal (Windows/Mac/Linux + Android/iOS)

  • Signal
  • Signal for beginners
  • Locking down Signal
  • Signal audit reveals protocol cryptographically sound

• Jitsi (Windows/Mac/Linux + Android/iOS)

  • Jitsi Meet
  • Jitsi Meet self-hosted

• Element (Windows/Mac/Linux + Android/iOS)

  • Element
  • Matrix

• Pidgin (Windows/Linux + Mac)

  • Pidgin
  • Adium

Teams

• Wire
• Wickr
• SecureDrop

Network security

• Windows/Mac browsers

  • Firefox
  • Firefox Developer Edition
  • Chromium
  • Epic
  • Brave
  • Vivaldi
  • Iridium

• Firefox extensions

  • https everywhere
  • Privacy badger
  • Privacy possum
  • DuckDuckGo
  • Startpage
  • uBlock origin
  • Disconnect
  • Cookie autodelete
  • Clear flash cookies
  • Decentraleyes
  • Disable WebRTC
  • Multi-account containers
  • Firefox privacy guide
  • Ad Nauseam

cf. Panopticlick

• Multi-factor authentication

cf. 2FA, Fido alliance

• Firewalls (incoming & outgoing)

Using a Virtual Private Network (VPN) is an effective way of preventing websites you visit and email systems you use recording your IP address (akin to an internet postcode) and using it to identify your physical location. It can also help prevent your internet service provider monitoring your online activity.

• VPNs (DNS & proxies)

  • Choosing a VPN
  • Best VPN services
  • Best VPN services
  • VPN comparison
  • How DNS works
  • 1.1.1.1
  • DNSCrypt
  • Proxy servers
  • DNSCrypt Proxy

Using Tor Browser is another effective way of defending yourself against tracking and surveillance. Using TAILS (see advanced secion below) is a another way of routing your internet connection via the Tor network from almost any computer and Orbot supports using Tor on Android.

• TOR

  • TOR browser
  • Using TOR on Windows
  • Using TOR on Mac
  • Using TOR on Linux
  • TorBirdy

• Android

  • F-Droid
  • AF-Wall
  • OpenVPN for Android
  • Orbot
  • OrWall
  • Adaway
  • Exodus
  • IceCat
  • NoRoot Firewall
  • Briar

cf. Guardian Project

cf. LineageOS

• iOS

More advanced security

• Hosts file generator
• SpoofMAC
• 1984 hosting
• Nextcloud

• I2P

• Testing

  • Whoer
  • What is my IP address?
  • IP location
  • IP leak test
  • Can you see me?
  • SSL tools
  • How’s my SSL?
  • DNS leak test
  • Portforward
  • Wireshark
  • Kali
  • Parrot

• Security-oriented Linux distros

  • TAILS - amnesiac, incognito, portable
  • Whonix via VirtualBox
  • Qubes - preconfigured for high security levels

cf. EU Google Personal Information Removal Request Form