Keeping your online accounts safe is critical, especially if you are an activist. There are countless organizations that will try to access your accounts for profit, or for material to smear you or your organization with. This page is not a comprehensive guide to staying safe online, but it is designed to make you much safer than you were before in a very small amount of time.
1. Enable Two-Factor Authentication
What is two-factor authentication?
Two-factor authentication (2FA) means using a second factor when logging into an account; you’re probably using a password as your first factor for most of your accounts. If you’ve ever entered your username and password into a site and then got a text message with a code, that’s two-factor authentication. Two-factor authentication can protect you from attacks where hackers already have your password (we all re-use passwords, and sometimes passwords are leaked).
There are three main methods used as “second factors”. The first is text message codes; these are the most common. The second is an app that generates codes. This is more secure than text codes, and it works when you’re offline. I strongly recommend Authy, which is free and can back up your codes.
The most secure method of two-factor authentication is to use a security key. A security key protects you against nearly all attacks and is strongly recommended, but it costs a small amount of money (~$50).
If you are interested in purchasing a security key, click here for a short quiz that will help you select the best option for you.
Where should I enable 2FA first?
While you should set 2FA up on all accounts you have, these accounts are critical to your security and you should enable 2FA immediately if you don’t have it on already:
- Email or file storage services – Gmail, Google Drive, Outlook, Microsoft OneDrive
- Chat or social media services – Facebook, Twitter, Instagram, Slack, Discord, Messenger, WeChat, dating/hookup apps, etc.
- Banking or financial services – your bank, Venmo, Cashapp, credit card apps, etc.
Where can I get more help?
For most sites, you should go to your account settings and then “security” or “login” to view their 2FA options. For detailed instructions, search your provider’s name on twofactorauth.org.
If you want to read more about 2FA or need help, check out the resources from ragtag.org.
2. Keep your devices safe
It’s critical to keep your physical devices – your phone, your laptop – safe. These tips will help you ensure that even if they fall into the wrong hands, your data is safe.
2.1 Set a screen unlock method, preferably a code
Do not leave your phone unlocked. If you have an unlocked device, it is absolutely critical that you put some kind of lock on it, such as face detection, fingerprint detection, a pattern lock, or a PIN code. PIN codes or passwords are preferred: law enforcement can compel you to provide your face or fingerprint to unlock a device but (legally) not your PIN or password. Don’t forget to lock your laptops, desktops, gaming consoles (where available), smart devices, and other things as well.
2.2 Keep your devices up to date
Ensure all of your devices are up to date. Keep auto-update on for your devices and apps. Yes, it’s annoying, but it’s important.
2.3 Ensure encryption is enabled
Encryption refers to storing data on your device in a way that can’t be read without a special key. With encryption, someone can steal your laptop, take out the hard drive, plug it in, and not be able to see a thing. Without encryption, they could see all your files.
Luckily, all Mac computers and iPhones sold in the last few years have encryption enabled by default (when a passcode is used). Nearly all newer Android phones also have encryption enabled (again, when a passcode is used). Windows devices are very hit or miss, so here are instructions for Windows users on how to encrypt their device.
3. Learn to spot bad actors
This tip isn’t a tech tool; it’s a quiz. An extremely common way to break into accounts is phishing: a malicious actor tricking a user into handing over their login credentials. Phishing is one of the biggest cybersecurity threats because the attack is so simple to execute and requires so little technical knowledge from the attacker.
For example, John Podesta clicked a fake Gmail link in 2016 and entered his Google credentials into a hacker’s web page, giving them full access to his account. A security key, but not other 2FA methods, would have stopped this: security keys only work on the sites they were registered with, so a fake login page cannot use one.
To learn how to protect yourself from phishing, click the first link below to cover the most common set of phishing scams. If you have time, take the other five quizzes to get a thorough test on your phish spotting skills.
In short, look for the following red flags:
- Sites should have their proper domain name highlighted in your browser: paypal.paypalpayments.com is fake, payments.paypal.com is not.
- Email buttons and links can say they’re going to one URL while going to another. Long-press or hover over the link in your email to view the real URL.
- Make sure your emails are coming from proper domains and not suspicious ones. If you don’t fully trust an email, ignore it.
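As an added example (not part of this guide), here is a small Python check that applies the first two red flags above to the links in an HTML email: it compares each link's registrable domain with the brand's expected domain, and flags link text that names a different site than the link's real target. The expected-domain table and the sample email are constructed for the example.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Domain each brand's genuine mail should link to (constructed assumption).
EXPECTED = {"paypal": "paypal.com"}

def registrable_domain(host):
    """'payments.paypal.com' -> 'paypal.com'. Simplification: suffixes such as
    .co.uk need a public-suffix list, so treat the result as a hint, not proof."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])

def host_of(text):
    """Hostname of a URL or bare domain; '' when the text is not a domain."""
    host = urlparse(text if "://" in text else "//" + text).hostname or ""
    return host if "." in host and " " not in host else ""

class _LinkCollector(HTMLParser):
    """Collects (visible text, href) for every <a> in an HTML email body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, ""
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", ""
    def handle_data(self, data):
        if self._href is not None:
            self._text += data
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._text.strip(), self._href))
            self._href = None

def link_red_flags(html, brand):
    """(text, href, reason) for each link that trips one of the red flags."""
    collector = _LinkCollector()
    collector.feed(html)
    flags, expected = [], EXPECTED[brand]
    for text, href in collector.links:
        target = registrable_domain(host_of(href))
        if target != expected:  # red flag 1: wrong registrable domain
            flags.append((text, href, f"goes to {target}, not {expected}"))
        shown = host_of(text)
        if shown and registrable_domain(shown) != target:  # red flag 2
            flags.append((text, href, "link text names a different site than its target"))
    return flags

# Constructed sample email: one genuine link followed by two phishing-style links.
SAMPLE_EMAIL = (
    '<p><a href="https://payments.paypal.com/activity">your activity</a></p>'
    '<p><a href="https://paypal.paypalpayments.com/login">Verify your account</a></p>'
    '<p><a href="http://secure-login.example.net/pp">https://www.paypal.com</a></p>'
)
```

Running `link_red_flags(SAMPLE_EMAIL, "paypal")` reports nothing for the genuine link, one flag for the look-alike domain, and two for the link whose text and target disagree.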
But phishing isn’t always required to harm an organization. Project Veritas, a right-wing disinformation outfit, regularly uses hidden microphones and cameras, outright bribery, paid plants, and more to attack progressive or leftist institutions.
When communicating in public, or even privately over any electronic medium, be aware of what you’re saying and how it could be taken out of context. Be wary of media invites from unknown sources, or suspicious invites from known sources. It also wouldn’t hurt to read up on their past attacks.
Why does this exist? Aren’t there a lot of other security guides?
Most other security guides tend to be one of three things:
1) Written by a company with a vested interest in selling something, or in generating fear to create demand for that something.
2) Written by tech people but too long or too complex. I hope the resources here are helpful, but doing these 3 simple steps can save a lot of headache.
3) Written for a non-activist audience, and so missing things that are important to activists but may matter less to others.
My hope for this guide is that it is fast, easy to read, and full of just enough relevant information for activists to get them the most protection with the least investment of time.
What about antivirus?
You do not need to pay for antivirus. If you are on Windows, uninstall any antivirus you have and make sure Windows Defender is on. On Android, do not install APKs, only get apps from the Google Play Store. On Mac, get your apps from the Mac App Store. Basically: do not run or install software from sources you do not trust, and you’ll be OK. Antivirus programs can create many more problems than they solve. The best antivirus is knowledge, vigilance, and your other security measures like 2FA.
What about password managers?
Password managers are fantastic; I use one, love it, and strongly recommend them. But they require a non-trivial time commitment to set up, and can be too complex or overwhelming for some users. My hope is that 2FA will help protect against reused-password attacks.
What about VPNs?
VPNs can be useful in very specific circumstances, such as when you’re traveling and forced to use open wifi networks, or if you believe you are under some form of more targeted surveillance. Generally, they aren’t worth the pain and cost for day-to-day use for many people. No matter what, follow the other parts of this guide first before getting into VPNs. If you really want a recommendation, try Mullvad.