An illustration of three people with zebra heads crossing a zebra crossing in a 3D voxel art style on a blue background

Zebra Crossing

An easy-to-use digital safety checklist

🦓 Zebra Crossing: an easy-to-use digital safety checklist

🎯 Start here!

🤔 Read this guide if you

🗺 Where this guide is from

🌱 How to use this guide

🗣 Read this guide in other languages

☕️ Support this guide

🕒 Last updated


🧐 Useful terms to learn

🎯 Threat modeling

Threat modeling is a process that allows us to identify potential threats to safeguard against them. To build your threat model, ask yourself the following:

Remember though, your threat model can change — either gradually over time or abruptly, say, when a new law is suddenly passed.

🔗 Weakest link

The weakest link is where your digital safety is most vulnerable. For example, if an account’s forgot password function sends a link to your email, attackers only need to access your email to gain access to the account.

🔡 Encryption levels

Encryption is the process of scrambling or encoding information to make it unreadable to passers-by and prevent unauthorized access. People often categorize encryption into these three types:

  1. No encryption: Any third party can intercept the data and read it as-is. Often called "plaintext."
  2. Standard encryption: Data is encrypted so that intercepting third parties cannot read it, but the platform being used to send the data (e.g. Facebook Messenger) can unscramble and read it. The platform may hand the unscrambled data to courts if ordered to do so.
  3. End-to-end encryption: Only the original sender and receiver can read the data. The platform being used to send the data only has the scrambled, unreadable version. So if courts order the platform to hand over the data, there's nothing useful to hand over.

🧩 Metadata

Metadata is the contextual information surrounding your data. For example, the metadata for a phone call includes the number you called and the length of your call (but not the call’s contents). With enough metadata, attackers can piece together a relatively reliable picture of who you are, who you know, and where you’re going.

Unfortunately, legal protections around metadata tend to be weak or nonexistent.


🚶🏽‍♀️ Level 1

✅ Things to do

Identify important accounts

Double-lock important accounts

The first lock is usually your account password. The second lock takes on a different form and/or comes via a different channel — most often as a code sent to your phone via an app or text message (SMS). This additional lock is usually called two-factor authentication (abbreviated as 2FA) or two-step verification.

Double-check backup security questions on important accounts

Secure your email

Secure your phone

Secure your computer

Other considerations

💪🏽 Habits to grow

Watch out for phishing scams

A phishing scam is an email or text message where an attacker is trying to trick you into giving your password or other login details. To defend yourself:

Beware of file attachments

Update all the things

Other considerations


👍 Great job! You've secured
👍 some important quick wins
👍 for your online safety & privacy.
👍 Please, do treat yourself to
👍 a cup of tea and a stretch.
👍
👍 Now, ready for Level 2?


🏃🏻‍♂️ Level 2

✅ Things to do

Install a password manager

One common way attackers gain access to your account is if your password is too easy: it's too short, too obvious, or — if you use the same password on multiple accounts — already been leaked as a part of a data breach/hacking incident.

The best way to counteract this problem is to install and use a password manager, which helps you generate long passwords, store them, and fill them in automatically when you're logging into a website.

Encrypt your devices

Remember, encryption is only fully effective when the device is off!

Make sure your home wifi router is set up right

Track your devices in case you lose them

Enhance your privacy

On social media & messaging apps
On email & social media accounts
On your phone
On your computer
On your mobile/computer web browsers
On other internet-connected devices
Other considerations

💪🏽 Habits to grow

Enhance your privacy

Watch what you say in online groups

Don’t say anything you’d regret on in a “private” group on Slack, Discord, Facebook, WhatsApp group chat, Telegram channel, or any “private” online forum. Here’s why:

  1. Any member can leak all of the data.
  2. Administrators usually have access to everything within the group, including deleted messages and private direct messages between two people.
  3. What you say can be traced back to your account's phone number or email. Even if you're not using your real name or photo.
    • To prevent this in Telegram, go into Settings → Privacy and Security → Phone Number, and then set:
      • Who can see my phone number to Nobody.
      • Who can find me by my number to My Contacts.

Know when your name publicly appears as a supporter or donor

Always check whether your name appears publicly online for subscriptions, crowdfunds, petitions and donations. This is especially relevant if you have a unique name.

Some platforms that facilitate these things often have privacy settings, so it’s best to create an account with them to gain some control over what appears publicly. Some examples of important but often overlooked privacy settings:

Other considerations


🎉 Congratulations! You dove
🎉 fearlessly into your settings,
🎉 clicking, tapping, swiping,
🎉 which makes you a very, very
🎉 above average human being.
🎉 Now, you deserve a day off.
🎉
🎉 When you come back,
🎉 be prepared to join
🎉 the upper ranks of safety
🎉 as you enter Level 3.


🧗🏿‍♀️ Level 3

✅ Things to do

Put an extra lock on sensitive files

Upgrade your gear 💰

Use end-to-end encrypted apps

For secure messaging & calls
For online file-sharing and backup

Further secure your messaging apps

Be aware of what other people can see in a group chat

Messaging apps use either your phone number or a username as the unique identifier (which other people use to add you on the platform). As such, your phone number or username is then visible to anyone you're in a group chat with, along with the name and photo in your profile.

Here's a breakdown of what unique identifiers are used for some popular messaging apps that offer some form of end-to-end encryption:

If you don't want to give out your personal phone number, consider getting a virtual phone number from one of the providers listed in our scenario for Masking your identity for online dating, events, or organizing.

Use app-specific safety & privacy features
Signal
Telegram
WhatsApp

Fully utilize your password manager


😲 Wow, you really did it.
😲 You finished all 3 levels!
😲 You deserve a reward —
😲 a cookie, perhaps,
😲 but not the tracking type.
😲
😲 Rest for the rest of the week
😲 and when you're well rested,
😲 come back and check out
😲 the scenarios below.


🤹🏻 Scenarios


👤 Masking your identity for online dating, events, or organizing

Don't use your full name

Get a secondary phone number

For messaging apps using phone numbers as the primary identifier (e.g. Signal, WhatsApp, Telegram), get a secondary number from:

Note: If you lose/unsubscribe to your secondary phone number, other people can buy it and impersonate you.

Get an email alias

For sites and services that use email as the primary identifier/username, get a new 🆓 email account or an email alias that forwards to your main account from:

Buy things online anonymously

Create an untraceable online alias

Even with all the third-party services above, courts can still compel companies to hand over information about you. So if you are really in a high-risk situation, you may need to do all of the above and more. For one example of this, see Matt Mitchell's PRIVACY RECIPE: Creating an online persona.


✊🏾 Attending a protest

When it comes to attending a protest, there are many, many considerations depending on where you are and who you are. In this guide, we are only going to make recommendations related to uses of technology.

Things to do before you go

Keep communications private
Minimize location tracking on your phone
Other considerations
Get a burner phone only if you really need it

Remember when you're out

Respect privacy when taking photos and videos

🫶🏾 Organizing a mutual aid group

Mutual aid groups often include people with different backgrounds, so it’s very likely that at least one person in the group won’t be up-to-date on their digital safety practices. So the chances of an accidental data leak are much higher. Luckily, there are things you can do to minimize the damage done if that happens.

Picking a chat app for closed, private groups

Sometimes you will have to compromise on using the most technically secure app to using one that people are already familiar with. The one baseline requirement that’s worth fighting for is to use an app with support for disappearing messages (and to make sure it’s turned on).

We recommend:

We don’t currently recommend Telegram, but it remains a popular choice for group chats. So we’ve included notes below on how to use it more safely:

We do not recommend using WhatsApp at all. While its group chats are end-to-end encrypted, there are many downsides:

Picking an app to broadcast updates

Groups often use social media platforms (e.g. Instagram, X/Twitter) to post updates about their work. One popular alternative is to use Telegram’s Channels to broadcast messages one-way to a large audience (with no comments or replies). The advantages of Telegram Channels:

Picking an app for big-group public outreach

When your group grows, it may make sense to set up a more public online space to work with new members. Groups often migrate to platforms like Slack, Mattermost and Discord, which allow for multiple chatrooms within the same space. However, because these platforms are designed for corporate workplaces or public gaming communities, their privacy features are very limited. So we recommend using these platforms only for public outreach or for quasi-public messaging.

Picking an app for group video calls

Video call apps are tricky because not many of them support end-to-end encryption, and even those that do often collect your metadata. Having said that here is what we recommend:

How to pick collaboration apps/platforms

There are two paths groups take when it comes to picking collaboration apps/platforms:

  1. Use Google’s apps because they’re more accessible.
  2. Use open-source alternatives because they have better privacy features.

Here’s the rundown on both of these paths.

1. Using Google Workspace more safely

Google Workplace (Docs, Sheets, Drive, etc.) is a popular choice for collaborative work because its apps are powerful, easy-to-use and work well on mobile devices. But they also carry serious privacy limitations:

  1. Anyone who opens a document or file can see the creator’s profile picture, name and email address tied to their Google account.
  2. The activity log on documents also shows the details of who has made edits.
  3. None of your data is end-to-end encrypted.

To mitigate these pitfalls:

2. Using open-source alternatives

Our recommended apps/platforms with notes about their accessibility limitations:


🩸 Accessing reproductive health services privately

Getting the care you need can be a controversial and fraught endeavor in many parts of the world. Here are some recommendations that may apply if you live in one of those places.

Researching and talking to friends

Tracking your period

Interacting with a clinic

Traveling to a clinic

Further advice for people in the US


🛫 Crossing an international border

For extreme situations

Note: Some of these practices might raise suspicions and backfire.


🤐 Traveling to a place with weak data privacy laws or internet censorship


‍💻 Hosting a public event online


🥴 Online harassment & doxxing

Harassment and doxxing tend to be very specific situations, which vary drastically depending on who you are, what you do, who the attacker is, etc.

While we have some general recommendations below, we suggest seeking additional information from someone in your community and from an online resource/guide that hews closer to your exact situation.

Build support systems

Recruit a trusted friend

Do not force yourself into a corner by going at this alone!

We recommend either going through the recommendations below with your trusted friend or handing the recommendations over to them.

Connect with communities

Research and monitor the situation

Search for public information about yourself (dox yourself)
Monitor updates and collect evidence

Decide on a course of action

Ways to deal with your harasser(s)

The following choices are not mutually exclusive, and the best choice may change over time as the situation evolves:

See PEN America's Guidelines for Safely Practicing Counterspeech for extra tips on how to talk back effectively.

If you decide to report
Delete online information about you

In most cases, you will be safer if you review and remove some of the public information that's out there online about. See the scenario below titled: Remove information about you off of the internet.

Notify other parties

In parallel to monitoring the situation and dealing with your harasser(s), it may be important to:

Bonus: helpful social media platform tools and features

Facebook

Facebook has a few features to control your interactions, but ultimately relies on you setting limits on who can see and comment on your posts and profile.

Instagram

Instagram has a set of nuanced features within its mobile app to filter and fine-tune social interactions on its platform.

X/Twitter

X no longer supports third-party tools that combat harassment, and the platform’s moderation efforts have gotten lax. If the controls below don’t work, consider setting your profile to private and disengaging until the platform is stable again.

Discord

Discord is centered around separate communities/servers, which affects the way blocking works.

Choosing between muting or blocking an account

Show yourself some kindness

Bonus tips for journalists and researchers

Check out these additional resources


👀 Remove information about you off of the internet

If you’re about to become a public figure or are experiencing harassment, consider the suggestions below.

Clean up your social media presences

You might not need to delete your entire account, but consider deleting (or making private) old posts or posts that reveal too much about where you live, where you go, and who you’re with.

Facebook
WhatsApp
Instagram
X/Twitter
LinkedIn
Reddit and other forums

Delete your social media accounts...temporarily

Many social media companies let you restore your deleted account after a specific period. This can be useful if you want to hide for a while and wait for an event to pass.

Remove your information from other people’s accounts or websites

Remember: Information removal requests takes time to process and often require repeated attempts.

Remove articles and press about you online

Note: The larger the publication, the harder it is to persuade them.

Obscure your personal information


💔 Dealing with stalkerware/spyware

When someone close to you (usually a romantic partner) spies on you using a hidden app on your mobile device, that person is using stalkerware.

If you’re not sure and things haven’t escalated between you and your partner

If you’re pretty sure they’re spying on you and you’re scared

Don’t go through this alone — seek help:

Additional resources


📰 Researching and writing about sensitive topics

Below are some general recommendations that all journalists and researchers should consider, especially for those working with (human) sources. If you have access to experts and training sessions through your workplace or professional communities, we highly recommend you taking advantage of that.

Be prepared

Protect your sources

Protect yourself

Protect your data

Note: Courts can compel companies like Google to hand over all of your data.


😭 Missing or lost device


👾 Figuring out if your device has been hacked


😣 Seeking help in an emergency

Hotlines and helplines

Services for civil society workers
Services for journalists
Regional services
Services for victims of intimate image abuse
Other services to consider

If someone else has taken control of your accounts

If you’ve been a victim of an online scam, fraud or ransomware

If you need to safely send information to journalists


🎁 Bonus

This section contains additional tips and tools that we encountered during our research. Many of the recommendations below are popular with members of the cybersecurity community, but we found them to be a little too hard to follow, a little too new/untested or a little too specific for a small group of people.

Cool tools for maximum safety

Cool tools that cost money

Cool tools with steep learning curves

Hosting/running a website

Other bonus items


🏆 Oh my, you have arrived.
🏆 This is the end.
🏆 Thank you for reading.
🏆 Thank you for being thorough.
🏆 You are a true champ.


🧠 Other resources

We consulted many sources and drew upon our experiences in creating this guide. If you’re not finding quite what you want here, we recommend checking out the following resources:


📝 License

This work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License.


👋🏾 Special thanks

Special thanks to the CryptoHarlem community, the students at the School of Journalism and Communication at the Chinese University of Hong Kong, and our GitHub contributors.

View this document on Github