🦓beta
An illustration of four people with zebra heads crossing a zebra crossing in the same style and background as the Beatle's Abbey Road album cover except that there is a surveillance drone, Google Maps car and police robodog in the background Zebra Crossing: an easy-to-use digital safety checklist

🦓 Zebra Crossing: an easy-to-use digital safety checklist

👋🏽 Start here!

🤔 Read this guide if you:

🗺 Where this guide is from

The advice here draws from our experiences living and working in the United States, Canada, and Hong Kong.

Much of what we write applies in other places, but please let us know if you see any gaps in our coverage.

🌱 How to use this guide

🗣 Read this guide in other languages

☕️ Support this guide

🕒 Last updated


🧐 Definitions, Background, and Theory

🎯 Threat modeling

Threat modeling is a process that allows us to identify potential threats to safeguard against them.

When putting together your threat model, ask yourself the following questions:

We’re all in a little bit of danger—otherwise, we wouldn’t bother putting a password on our computer or phone.

Still, it’s necessary to think about what’s at stake before dismissing concerns or becoming paranoid.

🔗 Weakest link

Remember, the weakest link is all that matters! For example, if an account’s password recovery links to your email, hackers only need to access your email to get to your account.

🔡 Encryption levels

Encryption is the process of converting information to prevent unauthorized access. You’ll want to be aware of three types of encryption levels:

  1. No encryption: Any third-party who intercepts the data can read it as-is.
  2. Regular encryption: Data is encrypted so that third parties cannot read them. But the platform (Google or Facebook, for example) still has access and may hand the data over if required by the courts or government agencies.
  3. End-to-end encryption: Only the original sender and receiver can read the data. This means not even the platform has access. So if courts or other government agencies call, the service provider can’t hand over the messages because they don’t have them either.

🧩 Metadata

Metadata is data about your data. For example, the metadata for a phone call might be the number you called and for how long (but not the call’s contents).

With enough metadata, hackers can piece together a relatively reliable picture of who you are, who you know, and where you’re going.

It's worth noting that legal protections around metadata tend to be weak.


💦 Level 1 Recommendations

✅ Things to do now

Strengthen passwords

Double-lock important accounts

Use two-factor authentication (also known as 2FA and two-step verification) to add a second layer of protection on top of a typed password.

Usually, this takes the form of a short code sent to your phone via a specialized authenticator app or text message (SMS).

Authenticator apps are far more secure than SMS, so use one if available. (Wirecutter recommends Authy).

Now that you know what 2FA is, where should you use it? Turn on 2FA for your:

Finally, turn on cloud-backup for your authenticator app in case you ever lose your phone. See instructions for Authy.

Email

Encrypt your devices

💡 Remember: encryption is only fully effective when the device is off!

Other

💪🏽 Habits to cultivate

Email

Update all the things

Other


👍 Great job! You’ve covered the basics.
👍 Treat yourself to a cup of tea and a stretch.
👍 Ready for Level 2?


💦💦 Level 2 recommendations

✅ Things to do now

Enhance your privacy

On social media
On messaging apps
On browsers
On your phone
On your internet-connected physical devices

Set up your home wifi router

Other

💪🏾 Habits to cultivate

Enhance your privacy

Watch what you say in online groups

Don’t say anything you’d regret on in a “private” Slack group, Facebook page, WhatsApp group chat, or Telegram channel because:

Other


🎉 Congratulations! You're now reasonably secure!
🎉 (Which is more than most) :)
🎉 Take the rest of the day off, and...
🎉 Come back tomorrow (or another day) for Level 3!


💦💦💦 Level 3 recommendations

✅ To do

Lock up sensitive files

Upgrade your gear 💰

Revisit old passwords

Use end-to-end encrypted apps

Mobile messaging apps
One-on-one or small group voice/video calls
Large group video calls
Online file sharing/backup

😲 Wow, you completed all three levels!
😲 Well done! Now quickly look below
😲 to see if any apply to you.


💦❗️ Scenario-based recommendations

👩🏿‍💻 Hosting a public event on a video calling platform (e.g. Zoom)


🛫 Crossing an international border


😭 Somebody took my phone/computer!


👾 I think my computer has been hacked?


🍆 Sexting & consensual image sharing


✊🏾 Attending a protest

In case of emergency

Store less share less

Minimize location tracking

Other


📰 I'm a journalist working on a sensitive topic

Below are some basics that all journalists should consider. If you're working on/in a particularly sensitive story/region (e.g. a whisteblower story), you and your team should get an tailored training session from an expert.

Be prepared

Protect your sources

Protect yourself

Protect your data

For more information


🕵🏼‍♂️ Online harassment & doxxing

Harassment and doxxing can get very specific and complicated based on the attacker, your position, the overall cultural context, etc. While we have some general suggestions below, we implore you to think about whether your situation has escalated sufficiently and whether it's time to find professional, one-on-one help.

Recruit a trusted friend

Search for public information about yourself (dox yourself)

Ask your trusted friend to:

For more information, see Access Now Digital Security Helpline's Self-Doxing Guide.

Monitor updates & collect receipts

Delete online information about you

Ignore/reply/report/block your harassers

Social media platform tools and features

Facebook has a few features to control your interactions, but ultimately relies on you setting limits on who can see and comment on your posts and profile:

Instagram has a set of nuanced features within its mobile app to filter and fine tune social interactions on its platform:

Twitter works with some pretty handy third-party tools and has a few features of its own:

Notify other parties

Be extra kind to yourself

Bonus tips for journalists and researchers

For more information


👀 Remove information about you off of the internet

If you're about to become a public figure or are experiencing harassment, consider some of the suggestions below.

Clean up your social media presences

You might not need to delete your entire account, but consider deleting (or making private) posts that are old and/or reveal too much about where you live, where you go, and who you're with.

Facebook
Whatsapp
Instagram
Twitter
Reddit and other forums
LinkedIn

Delete your social media accounts... temporarily

Many social media companies let you restore your full account after deleting it if you restore after a specific period of time. This can be useful if you want to just hide for a while and wait for an event to pass.

Remove your information from other people's accounts or websites

Removing articles and press about you online

Obscure your personal information


💔 I think my partner is spying on me through my phone (stalkerware)

If you're not sure and things between you and your partner aren't that bad yet:

If you're pretty sure they're spying on you and you're scared:

For more information


👤 I don't want to give out my personal information for online dating/networking/organizing

For messaging apps that use phone numbers as the primary identifier/username (e.g. Signal, WhatsApp, Telegram), get a secondary number from:

For sites and services that use email as the primary identifier/username, either get a new email account or get an email alias that forwards to your main account from:

To mask what you've bought from your bank, get a virtual credit card from Privacy (US-only, feature only available for Pro accounts 💰).

Keep in mind:

For true anonymity – create an untraceable online persona under a pseudonymn


🤐 Traveling to a place with weak data protection laws or internet censorship


😣 I need help now, my systems are under attack!

If you work as part of a civil society group, contact:

Or try these regional hotlines:

If you are being harassed online, contact:

Alternately, hotlines that don't focus on digital safety may still be able to help:

If someone else has taken control of your accounts:

If you've been a victim of an online scam, fraud or ransomware:


💦❓ Other recommendations

This section is a catch-all for difficult or esoteric practices that do not fall under any of our scenarios above and might not lead to an immediate payoff for the casual user.

Emails

File storage & sharing

Messaging apps

Hosting/running a website

Other


🏆 Oh my, you made it this far.
🏆 You are a true champ!


🧠 Other resources

We consulted many sources and drew upon our own experiences in creating this resource. If you're not finding quite what you want here, we recommend checking out these other resources:


📝 License

This work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License.


👋🏾 Special thanks

Special thanks to the CryptoHarlem community, to the students at the School of Journalism and Communication at the Chinese University of Hong Kong, and to our GitHub contributors.

View this document on Github