🦓beta
An illustration of four people with zebra heads crossing a zebra crossing in the same style and background as the Beatle's Abbey Road album cover except that there is a surveillance drone, Google Maps car and police robodog in the background Zebra Crossing: an easy-to-use digital safety checklist

🦓 Zebra Crossing: an easy-to-use digital safety checklist

🎯 Start here!

🤔 Read this guide if you

🗺 Where this guide is from

🌱 How to use this guide

🗣 Read this guide in other languages

☕️ Support this guide

🕒 Last updated


🧐 Useful terms to learn

🎯 Threat modeling

Threat modeling is a process that allows us to identify potential threats to safeguard against them. To build your threat model, ask yourself the following:

Remember though, your threat model can change — either gradually over time or abruptly, say, when a new law is suddenly passed.

🔗 Weakest link

The weakest link is where your digital safety is most vulnerable. For example, if an account’s forgot password function sends a link to your email, attackers only need to access your email to gain access to the account.

🔡 Encryption levels

Encryption is the process of scrambling or encoding information to make it unreadable to passers-by and prevent unauthorized access. People often categorize encryption into these three types:

  1. No encryption: Any third party can intercept the data and read it as-is. Often called "plaintext."
  2. Standard encryption: Data is encrypted so that intercepting third parties cannot read it, but the platform being used to send the data (e.g. Facebook Messenger) can unscramble and read it. The platform may hand the unscrambled data to courts or government agencies if ordered to do so.
  3. End-to-end encryption: Only the original sender and receiver can read the data. The platform being used to send the data only has the scrambled, unreadable version. So if courts or government agencies order the platform to hand over the data, there's nothing useful to hand over.

🧩 Metadata

Metadata is the contextual information surrounding your data. For example, the metadata for a phone call includes the number you called and the length of your call (but not the call’s contents). With enough metadata, attackers can piece together a relatively reliable picture of who you are, who you know, and where you’re going.

Unfortunately, legal protections around metadata tend to be weak or nonexistent.


🚶🏽‍♀️ Level 1

✅ Things to do

Identify important accounts

Double-lock important accounts

The first lock is usually your account password. The second lock takes on a different form and/or comes via a different channel — most often as a code sent to your phone via an app or text message (SMS). This additional lock is usually called two-factor authentication (abbreviated as 2FA) or two-step verification.

Double-check backup security questions on important accounts

Secure your email

Secure your phone

Secure your computer

Other considerations

💪🏽 Habits to grow

Watch out for phishing scams

A phishing scam is an email or text message where an attacker is trying to trick you into giving your password or other login details. To defend yourself:

Beware of file attachments

Update all the things

Other considerations


👍 Great job! You've secured
👍 some important quick wins
👍 for your online safety & privacy.
👍 Please, do treat yourself to
👍 a cup of tea and a stretch.
👍
👍 Now, ready for Level 2?


🏃🏻‍♂️ Level 2

✅ Things to do

Install a password manager

One common way attackers gain access to your account is if your password is too easy: it's too short, too obvious, or — if you use the same password on multiple accounts — already been leaked as a part of a data breach/hacking incident.

The best way to counteract this problem is to install and use a password manager, which helps you generate long passwords, store them, and fill them in automatically when you're logging into a website.

Encrypt your devices

Remember, encryption is only fully effective when the device is off!

Make sure your home wifi router is set up right

Track your devices in case you lose them

Enhance your privacy

On social media & messaging apps
On email & social media accounts
On your phone
On your mobile/computer web browsers
On other internet-connected devices
Other considerations

💪🏽 Habits to grow

Enhance your privacy

Watch what you say in online groups

Don’t say anything you’d regret on in a “private” group on Slack, Discord, Facebook, WhatsApp group chat, Telegram channel, or any “private” online forum. Here’s why:

  1. Any member can leak all of the data.
  2. Administrators usually have access to everything within the group, including deleted messages and private direct messages between two people.
  3. What you say can be traced back to your account's phone number or email. Even if you're not using your real name or photo.
    • To prevent this in Telegram, go into Settings → Privacy and Security → Phone Number, and then set:
      • Who can see my phone number to Nobody.
      • Who can find me by my number to My Contacts.

Other considerations


🎉 Congratulations! You dove
🎉 fearlessly into your settings,
🎉 clicking, tapping, swiping,
🎉 which makes you a very, very
🎉 above average human being.
🎉 Now, you deserve a day off.
🎉
🎉 When you come back,
🎉 be prepared to join
🎉 the upper ranks of safety
🎉 as you enter Level 3.


🧗🏿‍♀️ Level 3

✅ Things to do

Put an extra lock on sensitive files

Upgrade your gear 💰

Use end-to-end encrypted apps

For secure messaging & calls
For online file-sharing and backup

Further secure your messaging apps

Be aware of what other people can see in a group chat

Messaging apps use either your phone number or a username as the unique identifier (which other people use to add you on the platform). As such, your phone number or username is then visible to anyone you're in a group chat with, along with the name and photo in your profile.

Here's a breakdown of what unique identifiers are used for some popular messaging apps that offer some form of end-to-end encryption:

If you don't want to give out your personal phone number, consider getting a virtual phone number from one of the providers listed in our scenario for Masking your identity for online dating, events, or organizing.

Use app-specific safety & privacy features
Signal
Telegram
WhatsApp

Fully utilize your password manager


😲 Wow, you really did it.
😲 You finished all 3 levels!
😲 You deserve a reward —
😲 a cookie, perhaps,
😲 but not the tracking type.
😲
😲 Rest for the rest of the week
😲 and when you're well rested,
😲 come back and check out
😲 the scenarios below.


🤹🏻 Scenarios


👤 Masking your identity for online dating, events, or organizing

Don't use your full name

Get a secondary phone number

For messaging apps using phone numbers as the primary identifier or username (e.g., Signal, WhatsApp, Telegram), get a secondary number from:

Note: If you lose/unsubscribe to your secondary phone number, other people can buy it and impersonate you.

Get an email alias

For sites and services that use email as the primary identifier/username, get a new 🆓 email account or an email alias that forwards to your main account from:

Buy things online anonymously

Create an untraceable online alias

Even with all the third-party services above, courts can still compel companies to hand over information about you. So if you are really in a high-risk situation, you may need to do all of the above and more. For one example of this, see Matt Mitchell's PRIVACY RECIPE: Creating an online persona.


✊🏾 Attending a protest

When it comes to attending a protest, there are many, many considerations depending on where you are and who you are. In this guide, we are only going to make recommendations related to uses of technology.

Things to do before you go

Keep communications private
Minimize location tracking on your phone
Other considerations
Get a burner phone only if you really need it

Remember when you're out


🩸 Accessing reproductive health services privately

Getting the care you need can be a controversial and fraught endeavor in many parts of the world. Here are some recommendations that may apply if you live in one of those places.

Researching and talking to friends

Tracking your period

Interacting with a clinic

Traveling to a clinic


🛫 Crossing an international border

For extreme situations

Note: Some of these practices might raise suspicions and backfire.


🤐 Traveling to a place with weak data privacy laws or internet censorship


‍💻 Hosting a public event online


🥴 Online harassment & doxxing

Harassment and doxxing tend to be very specific situations, which vary drastically depending on who you are, what you do, who the attacker is, etc.

While we have some general recommendations below, we suggest seeking additional information from someone in your community and from an online resource/guide that hews closer to your exact situation.

Build support systems

Recruit a trusted friend

Do not force yourself into a corner by going at this alone!

We recommend either going through the recommendations below with your trusted friend or handing the recommendations over to them.

Connect with communities

Research and monitor the situation

Search for public information about yourself (dox yourself)
Monitor updates and collect evidence

Decide on a course of action

Ways to deal with your harasser(s)

The following choices are not mutually exclusive, and the best choice may change over time as the situation evolves:

If you decide to report
Delete online information about you

In most cases, you will be safer if you review and remove some of the public information that's out there online about. See the scenario below titled: Remove information about you off of the internet.

Notify other parties

In parallel to monitoring the situation and dealing with your harasser(s), it may be important to:

Bonus: helpful social media platform tools and features

Facebook

Facebook has a few features to control your interactions, but ultimately relies on you setting limits on who can see and comment on your posts and profile.

Instagram

Instagram has a set of nuanced features within its mobile app to filter and fine-tune social interactions on its platform.

Twitter

Twitter works with some pretty handy third-party tools and has a few features of its own.

Discord

Discord is centered around separate communities/servers, which affects the way blocking works.

Choosing between muting or blocking an account

Show yourself some kindness

Bonus tips for journalists and researchers

Check out these additional resources


👀 Remove information about you off of the internet

If you’re about to become a public figure or are experiencing harassment, consider the suggestions below.

Clean up your social media presences

You might not need to delete your entire account, but consider deleting (or making private) old posts or posts that reveal too much about where you live, where you go, and who you’re with.

Facebook
WhatsApp
Instagram
Twitter
LinkedIn
Reddit and other forums

Delete your social media accounts...temporarily

Many social media companies let you restore your deleted account after a specific period. This can be useful if you want to hide for a while and wait for an event to pass.

Remove your information from other people’s accounts or websites

Remember: Information removal requests takes time to process and often require repeated attempts.

Remove articles and press about you online

Note: The larger the publication, the harder it is to persuade them.

Obscure your personal information


💔 Dealing with stalkerware/spyware

When someone close to you (usually a romantic partner) spies on you using a hidden app on your mobile device, that person is using stalkerware.

If you’re not sure and things haven’t escalated between you and your partner

If you’re pretty sure they’re spying on you and you’re scared

Don’t go through this alone — seek help:

Additional resources


📰 Researching and writing about sensitive topics

Below are some general recommendations that all journalists and researchers should consider, especially for those working with (human) sources. If you have access to experts and training sessions through your workplace or professional communities, we highly recommend you taking advantage of that.

Be prepared

Protect your sources

Protect yourself

Protect your data

Note: Courts can compel companies like Google to hand over all of your data.


😭 Missing or lost device


👾 Figuring out if your device has been hacked


😣 Seeking help in an emergency

Hotlines and helplines

Services for civil society workers
Regional services
Services to counteract online harassment
Other services to consider

If someone else has taken control of your accounts

If you’ve been a victim of an online scam, fraud or ransomware


🎁 Bonus

This section contains additional tips and tools that we encountered during our research. Many of the recommendations below are popular with members of the cybersecurity community, but we found them to be a little too hard to follow, a little too new/untested or a little too specific for a small group of people.

Cool tools for maximum safety

Cool tools that cost money

Cool tools with steep learning curves

Hosting/running a website

Other bonus items


🏆 Oh my, you have arrived.
🏆 This is the end.
🏆 Thank you for reading.
🏆 Thank you for being thorough.
🏆 You are a true champ.


🧠 Other resources

We consulted many sources and drew upon our experiences in creating this guide. If you’re not finding quite what you want here, we recommend checking out the following resources:


📝 License

This work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License.


👋🏾 Special thanks

Special thanks to the CryptoHarlem community, the students at the School of Journalism and Communication at the Chinese University of Hong Kong, and our GitHub contributors.

View this document on Github