Basic security precautions for non-profits and journalists in the United States, early 2019.

Don't:

  1. Don't send any sensitive information by email.
  2. Don't store sensitive information in cloud services like Evernote or Dropbox.
  3. Don't use your fingerprint to lock/unlock devices.
  4. Don't back up mobile messages to the cloud/iCloud/Google Drive.
  5. Don't use your phone number for password recovery.
  6. Don't use an Android phone, use an iPhone instead.
  7. Don't take the devices you work on across the US border.
  8. Don't plug your device directly into an unknown port (such as an airport charger) without the safeguards outlined below.

Do:

  1. Use a long passphrase to lock your devices.
  2. Make sure you apply all software updates. Turn on auto-updates where possible.
  3. Use an iPhone 6 or later. Don't use an Android phone.
  4. Set a passcode for your phone that is at least six digits long, or use a hard-to-guess passphrase.
  5. Use Gmail, with a physical security key on your laptop and Google Authenticator on your phone.
  6. Use a password manager and have it generate a random password for every site you use. A good password manager is 1Password.
  7. Turn on two-factor authentication on Twitter, Facebook, GitHub and anywhere else that supports it.
    Don't use SMS to your phone number as the second factor.
  8. Use Signal or WhatsApp on your phone to communicate with other people, rather than SMS or iMessage.
    • Follow this guide to secure your WhatsApp settings.
    • Follow this guide to secure your Signal settings.
  9. Do as much of your work as possible on an iPhone or iPad rather than on a laptop. Use a Bluetooth keyboard for easier typing.
  10. Consider using a Chromebook. Chromebooks are a secure option, especially for opening attachments: you can open them safely on the Chromebook rather than on your main laptop.
  11. If you have a Windows laptop, uninstall any antivirus products except for Windows Defender (from Microsoft).
  12. Use Chrome as your browser. Avoid installing spurious, unknown or unnecessary extensions.
  13. Turn on full-disk encryption on all devices.

When Traveling:

  1. Don't take devices across the US border. Have a dedicated laptop and phone for travel abroad, don't keep sensitive information on them, and don't use them anywhere else.
  2. Never plug your device into an unknown port. Never plug an unknown device into your computer or mobile device. Carry a “USB data blocker” (either the whole cable or an adapter that plugs into your cable like this) to charge at airport or hotel chargers.
  3. If you believe your hotel room is monitored, work under the covers on the bed. It is less conspicuous, and prevents video surveillance of what you’re typing and viewing.
  4. Don’t use hotel phones for calls to sources. Assume that anything you say inside a hotel room may be recorded.
  5. Don’t leave your phone or laptop unattended; always carry them with you.
Last updated: April 5, 2019