Digital Security In Uncertain Times

For the past few weeks, I've been getting frantic texts, calls, and emails from people who are concerned about their own digital security and are seeking guidance—some for the first time.

The guidance I have to give is pretty much the same boring security tips I've been sharing for the past decade. Sadly, it is not infallible. No digital security hardening can fully protect people facing cruel and relentless attacks for being who they are or doing what they do. What I have to offer is so much less than people deserve. That said, there are instances where taking a few steps can be helpful.

Use unique passwords for each account.

If someone gains access to a password for a single account, they can then try that password in combination with your email or username on every other account. You probably have accounts that have already been compromised in a data breach, which you can look up on a site called Have I Been Pwned.

The simplest way to create unique passwords for each account is to use a password manager that does it for you. (I use 1Password myself.) Changing all of your passwords, even with a password manager, is a time-consuming process. Start with the really important ones, like your email address (which can be used to reset all of your other passwords), bank and e-commerce accounts, social media accounts (so someone can't lock you out of your account and send messages to all of your followers), dating accounts, etc.

Use multi-factor authentication.

Using an authentication app like Authy requires you to provide a time-based one-time code in addition to your password to get into your accounts. That can also keep an attacker from accessing those accounts. Using an app for multi-factor authentication (I use Authy) is more secure than getting a text message sent to your phone (and you may lose access to your phone if you lose a job or are removed from a group/family plan). That said, the gold standard is a physical security key. (I use a couple of YubiKeys.) Note that not all services accept all forms of MFA. You can look up the ones you use to see what's available. (In the linked chart, a security key is referred to as "hardware," and an app is "software.")

Use Signal.

Signal is a messaging app that provides end-to-end encryption, which means that even the provider can't read your messages. It also protects metadata, or information about who you're messaging or speaking with, how often, and for how long. And it's free! You can also set up messages to auto-delete at a specific cadence. And you can give away your username so you can message folks without sharing your phone number.

Tighten your account privacy settings.

If you are posting everything publicly on purpose, and are aware of and okay with the risks, you do you! (I personally have a combination of public and friends-only accounts.) But if you're accidentally sharing everything on all of your accounts with everyone, and are considering scaling back a bit, make sure to tweak your settings accordingly. This is something people already know how to do intuitively (like the one time you didn't share information about your location until after you left), so it's somewhat self-explanatory.

Remove your data from people search sites.

While it's not always possible to get your address off of every place online (especially if you own a home or are a registered voter), you can reduce your exposure by manually removing your data, signing up for a paid service (I use EasyOptOuts), or some combination of the two. Note that this can be a time-consuming process, so start with high-priority sites. (I still dream of having opt-out parties with snacks and DJs to make the process a little less daunting.)

There's more.

Digital security is a marathon, not a sprint. It's okay to work on just a few things at a time.

For more information or specific step-by-step instructions on most of the items in this post, check out Security Planner (disclosure: I work there). You can view all of the security tips or create a personalized plan to work through, one step at a time.

I've also included a link to BADBOOL, a DIY people search removal guide that's a personal project I maintain.

Note also that there are resources to reach out to for assistance when facing digital threats. Beyond the linked list, there is a loose network of volunteers across the country providing trainings and assistance—for free and in our personal capacities—to help organizations facing relentless attacks: the LGBTQ+ community, reproductive rights activists, immigrant rights groups, and so forth.

Lastly, I am sharing this information with deep acknowledgement that while it is what I have to offer that I think will be helpful, it is so much less than you, than we all, deserve. Let's keep taking care of ourselves and each other as we continue to fight for a better and juster world.