Security Essentials

1. Install Signal on your phone

2. You can now message your existing contacts using their phone number (they must have Signal installed as well). If you're messaging someone new who you don't yet have trust with, you should exchange usernames instead of phone numbers when possible.

3. To start a new message: Press the "Create" icon in the top right of Signal, then type in either the person's phone number or username

4. Follow the Signal Checklist to make sure you have the most security and privacy

Brave is a privacy-focused browser that allows you to install Google Chrome extensions.

1. Install Brave on your computer (or phone).

2. Follow the steps after you launch to import your configuration from Chrome or another browser. (See warning below about how plugins make you more identifiable.)

3. Configure privacy settings: On the desktop browser, go to Brave > Settings > Shields then select the following: (The mobile app will not have all these settings)

   • Select Aggressive under "Trackers & ads blocking"

   • Select Strict under "Upgrade connections to HTTPS"

   • Uncheck everything under Social media blocking

   • (Optional) Enable Forget me when I close this site. (On the mobile app, the settings is called "Shred Site Data") The site won't be able to store anything about you after your reset your browser.

     This will make it harder for sites to track you across the internet. It's good for privacy, but you'll want to manually override this for specific sites. Visit the site > Click the Brave (lion) logo in the URL bar > Advanced controls > Disable "Forget me when I close this site"

Optional:

1. Disable the annoying new tab page: Brave > Settings > Get started > New Tab Page > Select "Blank page" from the dropdown

2. Disable toolbar items: Brave > Settings > Appearance > Toolbar > Disable all the toolbar buttons that you don't want (Brave Rewards, VPN, Wallet, Leo AI, etc)

iPhone

1. Verify your device is still supported: Check for iPhone models. Make sure there is a "Yes" in the "Supported" column.

2. Operating System: Settings → General → Software Update

3. Apps should already be automatically updated unless you have disabled this option.

Mac

1. Verify your device is still supported: Make sure your Mac isn't on this "obsolete" list. You can check your Mac model by going to the Apple menu  → About This Mac.

2. Operating System: Apple menu → System Preferences → Software Update

3. Apps installed via the Mac App Store: These apps should already be automatically updated unless you have disabled this option.

4. Other apps: Check for updates by going to the top menu bar → Click on the app name → Click either "Check for updates" or "About [APP NAME]" or look inside "Settings...". If you don't see an option to update, it may be set to automatically update in the background.

Android

1. Verify your device is still supported: Checking Samsung models or Google Pixel models depending on your manufacturer. Make sure there is a "Yes" in the "Security Updates" column.

2. Operating System: Settings → System → System Update (may vary by manufacturer)

3. Apps should already be automatically updated unless you have disabled this option.

Windows

1. Update your system: Start → Settings → Update & Security → Windows Update

2. Verify your device is still supported: After attempting an update, you should be able to see your current operating system version number. Check that version number against this list of Windows versions that are still receiving security updates.

3. Microsoft Store apps: Make sure you enable automatic updates (on by default).

4. Other apps: Look for updates in the menu bar under Help > Check for Updates, or search for "Updates" or "About" in the app's settings.

• Brave Search: If you're using Brave browser, it's the default. If you’re using another browser, you can follow these instructions.

• DuckDuckGo: Follow these instructions to make DuckDuckGo your default search engine.

1. Apple Maps is installed by default (you can re-install it if you removed it).

2. Go to Settings > Privacy & Security > Location Services > System Services, then disable iPhone Analytics, Routing & Traffic, and Improve Maps.

1. Install Magic Earth (Cost $1/year)

2. It functions mostly like Google Maps or Apple Maps!

1. Install CoMaps

2. Open the app once in your area and it will automatically prompt you to download the data for offline navigation

1. Go to Settings > Privacy & Security > Location Services

2. Review each app and set to one of these options:

   • Never: Best choice for most apps

   • Ask Next Time Or When I Share: Good for apps you rarely need location for

   • While Using the App: Only for essential navigation apps

   • Always: Almost no app should have this permission

3. Make sure to set the Camera app to “Never” so you don’t risk revealing your location when you share or upload photos.

4. Go to the app labeled System Services > Disable Significant Locations

1. Go to Settings > Privacy > Permission manager > Location

2. Review each app and set to one of these options:

   • Don't allow: Best choice for most apps

   • Ask every time: Good for apps you rarely need location for

   • Allow only while using the app: Only for essential navigation apps

   • Allow all the time: Almost no app should have this permission

This process can be very time consuming if you do it manually, so we recommend paying to have it automated.

1. Sign up for EasyOptOuts ($20/year)

2. Fill out their online form: current and past phone numbers, emails, addresses, housemates, etc.

3. After 1-2 weeks, you will receive an email with the details of the sites you were removed from

4. Do separate google searches for your name, email address, phone number, home address to see if there are any locations that still have this information attached to you. See if you can manually remove yourself.

1. Download: Download and install 1Password ($3/month)

2. Master password: Create a strong, random "master password" using a passphrase generator. It should be memorable, but not a password you use anywhere else. Write your master password down on paper rather than storing it digitally. Set a reminder to destroy the paper in a few weeks once you have it memorized.

3. Import: Import your existing passwords from your computer or browser

4. Apps: Install the browser extension and mobile app (iPhone, Android) to help you save and auto-fill passwords

5. Change passwords: If you had been re-using similar passwords, update your most important ones using the random password generator built-in to 1Password.

See 1Password's getting started guide for a video of these steps.

Install an authenticator app:

1. Option 1: 1Password: If you're using 1Password, it has an "authenticator" feature built-in (details here).

2. Option 2: Ente Auth: Install Ente Auth (iPhone, Android)

   • Optional: You can create an account. Your data is end to end encrypted. Or you can not have an account, but you may lose your one time passwords if your phone is not backed up.

To set up two-factor authentication:

1. Go to Security/Privacy settings

2. Look for "2FA" or "two-factor authentication" or "multi-factor authentication"

3. If an “authenticator app” option is available, select that! (Remember to save the backup codes somewhere secure, like your password manager.)

4. If “text/SMS verification” is the only option, select that and follow the instructions.

1. Links to set up 2FA on common sites:

   • Google

   • Apple ID

   • Facebook

   • Twitter / X

   • Instagram

   • Or look up whether a website/service/app has 2FA on the 2FA Directory.

1. Generate a random 8 to 10-digit passcode using this random passcode generator. (Don't make one up yourself—humans are bad at choosing randomly!)

2. Change your passcode:

   On iPhone: Settings > Face ID & Passcode > Change Passcode > Passcode Options > Custom Numeric Code

   On Android: Settings > Security > Screen Lock > Enter Current Lock > PIN/Password > Enter a Passcode

3. Practice the new passcode at least 10 times in a row right now so are more likely to remember it. (Disabling biometrics will force a passcode request every time you lock the phone.)

4. Write your new passcode on paper and keep it somewhere safe at home until you've memorized it. Then destroy it after 2-3 weeks. Setting a remind on your phone can help.

Creating a Proton Mail account

1. Sign up for a free ProtonMail account

2. Choose a random username that isn't connected to your identity or preferences

3. When asked to verify if you are a human, choose the “CAPTCHA” option rather than the “email” option.

4. When asked to set your phone number / email as a recovery method, choose Maybe later. (Note: This means you must save your password somewhere secure like a password manager.)

Sending emails securely

• Messages between Proton Mail users are automatically end-to-end encrypted.

• Messages to people using a different email provider will not be encrypted, but you can send a password-protected email.

1. Just get rid of the smart speakers and anything that has a microphone and is internet-connected. Look for phrases like "voice control," "works with Alexa/Google Assistant," or "built-in assistant". This includes:

   • Amazon Alexa (Echo, Dot, etc)

   • Google Nest Speaker, Google Home

   • Sonos and other home speakers

   • Smart thermostats (some newer models have microphones and voice assistants built-in)

   • Smart TVs or streaming devices (Look into whether yours has a microphone built-in or not. If so, try to replace it.)

2. If you need a speaker for music, search for something that doesn't include a microphone at all. Or a simple bluetooth portable speaker that might have a microphone, but isn't internet connected (and gets turned off when not in use).

1. Go to IVPN and click Generate IVPN Account ($6/month or $60/year)

2. Under "Standard Plan" click Select. You can do the Pro Plan if you have more than 2 devices.

3. Write down your Account ID somewhere safe, like where you store passwords. You cannot recover it with "forgot password." If lost, no one can help you recover it. Keep it somewhere secure (ex: password manager).

4. Select monthly/yearly and enter your credit card or payment details.

   • Instead of a credit card, you can also order a voucher card for IVPN or Mullvad so that your identity is even more protected. (Yes, we hate Amazon too, but that's the only place online you can buy these cards.)

5. Check the Automatic renewal box then click Make Payment.

6. Download the IVPN app for your computer: Mac, Windows

7. Follow the instructions to install the app.

8. Find the app in your toolbar > Show IVPN > Click the gear icon to open settings > General. Enable the following: Launch at login, Autoconnect on launch, and Allow background daemon to manage autoconnect

9. Install IVPN app on your phone: iPhone, Android

10. Follow the same instructions to enter your Account ID and configure the same settings. (iPhones don't offer the "auto-connect" setting, but it does auto-connect by default).

We recommend keeping your VPN on at all times unless you're having trouble connecting to a site (see below).

iPhone: Settings → Privacy & Security → Lockdown Mode → Enable

Enabling Lockdown Mode introduces some usability tradeoffs on your phone. See list below.

This feature is available for iOS version 16 and above.

Android: Settings → Security & Privacy → under "Other Settings" tap Advanced Protection.

Note: The location of this setting may vary between Android devices, so we recommend searching for 'Advanced Protection' in the Settings search bar.

This feature is available for Android 16 and above.

For added privacy and security on your phone, follow as many of the steps in our Prepare for a Protest guide as you are able to in your daily life, even if you’re not at a protest/action.

When in doubt: Do not click the link!

1. Instead, Contact the sender (whether a business or a friend) through a different method (call them, use a different app) to verify they actually sent it. Taking 2 minutes to verify is always better than clicking and compromising your device.

2. If it is a shortened URL like bit.ly or tinyurl.com, you can use ExpandURL.net to view the destination page, but this provides no guarantee that the page isn't Spyware. It just helps you view the true URL so you can make a better assessment of whether you trust it.

Red flags to watch for:

• Messages from numbers you don't recognize: We all get messages from services that aren't in our contact book often, so it can take work to discern whether this is a legitimate message or not. If it's someone not in your contact book, approach it with more caution.

• Urgency or fear: "Your account will be locked," "Urgent security alert," "Family emergency"

• Unfamiliar domain name: Spyware texts often come from weird domains like adsmetrics[.]co or

• Too personal: References your activism, recent events you attended, or people you know - designed to bypass your critical thinking

• Unexpected messages: A contact sends a link with no context, unusual phrasing, or at a strange time (their account may be compromised)

• Shortened URLs: bit.ly, tinyurl.com, or other link shorteners that hide the real destination

• Slight misspellings in the URL: goog1e.com instead of google.com