DemNerds Cybersecurity Field Guide for Democracy Advocates
Welcome
It's a scary time out there, particularly if you're working on democracy, human rights, or the rule of law. The internet is noisy, hostile, and often dangerous, but most real-world harm still comes from common, preventable problems. Following some basic guidance can massively reduce your digital risk and your online footprint.
This guide offers practical, widely accepted cybersecurity advice for people working under real constraints. Most of these steps take minutes, not months.
You do not need to do everything in this guide. Doing what you can, and doing it consistently, makes a real difference.
We’re doing this for each other. They say a chain is only as strong as its weakest link, and that’s particularly true for those of us working together for freedom in a digital age. When we take basic digital safety seriously, everyone benefits. When we don’t, risk spreads quickly.
If you’re dealing with an active threat, harassment, account compromise, or a situation that feels like it’s escalating, skip ahead to “What do I do if I’m getting harassed?” or contact us directly.
Note: This is a living document. If you have suggestions or corrections, please contact us at ideas (at) demnerds dot org.
A short link to this guide is available at https://tinyurl.com/dn-cybertips.
If you only have time for five things…
If this guide feels long or overwhelming, start here. These five steps address a large share of real-world risk and can usually be done in an afternoon.
- Use a password manager and unique passwords everywhere. Reused passwords are one of the most common ways accounts get taken over.
- Turn on automatic updates for your phone and computer. Most successful attacks exploit known problems that already have fixes.
- Enable two-factor authentication on your important accounts. Especially email, social media, cloud storage, and anything tied to your identity.
- Lock down your phone. Use a longer PIN, set it to auto-lock quickly, enable remote lock/wipe, and back it up.
- Have at least one working backup. Devices fail, accounts get locked, and mistakes happen. Backups turn disasters into inconveniences.
The rest of this guide builds on these basics. Doing these five things makes you meaningfully safer.
Cybersecurity Principles
The following are the most important big-picture concepts to take control of to secure your digital world.
It’s all about healthy habits
Cybersecurity isn’t about buying one magic piece of software or one weird trick to keep yourself safe. Like keeping yourself in good shape and avoiding getting sick, it’s about making smart choices, avoiding unnecessary risks, protecting yourself when you can, and building healthy habits.
Be paranoid: watch out for malware and phishing
The biggest risk people face online is being tricked. Whether it’s installing and running bad software, entering a password on a bogus site, or accidentally sharing personal information, phishing and social engineering in their various forms are the main ways people get hacked.
Your best defense here is your normal spidey-sense of caution and curiosity.
- If a request from someone you know seems weird, make sure they are actually who they claim. This could involve verifying the request by contacting them in a different way. For example, a phone call or Signal message can verify an unexpected email.
- Don’t install software that doesn’t come from official app stores. If you get it from the iOS App Store, the Mac App Store, or the Google Play Store it is much more likely to be safe.
- Check sender addresses and websites carefully. A message might look legitimate but come from a similar-looking, bogus email address or website.
- Don’t click links or open attachments unless you’re sure who sent them. This is doubly true if the message seems to be demanding quick action—it’s a psychological trick to get you before you can think twice.
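The “check the address carefully” advice above can be turned into a small, mechanical check. The following is an added example, not code from the guide or from Democracy Nerds: it takes a link, pulls out the hostname, and classifies it against a constructed list of domains the reader expects to see (the `example.org` names are hypothetical placeholders). It catches the three tricks the guide warns about: a brand name buried inside an unrelated domain, digit-for-letter swaps, and non-ASCII (`xn--`) look-alike names. The two-label “registrable domain” rule is a stated simplification.

```python
from urllib.parse import urlsplit

# Constructed example: the domains this reader legitimately expects to sign in to.
# Hypothetical placeholder values for the demonstration, not from the guide.
EXPECTED_DOMAINS = {"example.org", "mail.example.org"}

# Digits that are commonly swapped for the letters they resemble.
_CONFUSABLES = str.maketrans("0135", "oles")


def registrable(host: str) -> str:
    """Last two labels of a hostname ('login.example.org' -> 'example.org').

    Simplification: names under multi-part public suffixes (e.g. 'example.co.uk')
    need the Public Suffix List; two labels is enough for this demonstration.
    """
    return ".".join(host.split(".")[-2:])


def skeleton(name: str) -> str:
    """Collapse common look-alike substitutions so 'exarnp1e.org' compares equal to 'example.org'."""
    return name.replace("rn", "m").replace("vv", "w").translate(_CONFUSABLES)


def classify(url: str, expected=EXPECTED_DOMAINS) -> str:
    """Return one verdict for a link: 'ok', 'non-ascii', 'lookalike', 'brand-embedded' or 'unknown'."""
    # .hostname already discards any 'user@' prefix, so
    # 'https://example.org@evil.net/' is judged by 'evil.net', not 'example.org'.
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    if not host:
        return "unknown"
    # Exact match or a genuine subdomain of a domain we expect.
    if any(host == e or host.endswith("." + e) for e in expected):
        return "ok"
    # Internationalized names (browsers show them as xn--...) are where homoglyph
    # tricks using other scripts live; flag them for a closer look.
    if not host.isascii() or any(lab.startswith("xn--") for lab in host.split(".")):
        return "non-ascii"
    # Digit/letter swaps in the registered name: 'examp1e.org', 'exarnple.org'.
    if any(skeleton(registrable(host)) == skeleton(registrable(e)) for e in expected):
        return "lookalike"
    # Expected brand name buried inside an unrelated domain: 'example.org.evil-host.net'.
    brands = {registrable(e).split(".")[0] for e in expected}
    if any(b in host for b in brands):
        return "brand-embedded"
    return "unknown"


if __name__ == "__main__":
    # Constructed sample links, not taken from any real message.
    for link in [
        "https://mail.example.org/inbox",
        "https://examp1e.org/reset-password",
        "https://example.org.evil-host.net/login",
        "https://xn--exmple-cua.org/",
        "https://example.org@evil.net/",
    ]:
        print(f"{classify(link):15} {link}")
```

Anything other than `ok` is a reason to stop and verify through a second channel, exactly as the list above recommends; the checker is a prompt for caution, not a guarantee that an `ok` link is safe.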
Always update your software
Like everything else, computer software has mistakes. Unfortunately, that often means attackers can use these errors as holes to break into your system.
- Auto-update your computer and phone. Set your operating systems to auto-update—and when they have patches and want you to restart, don’t put it off.
- Your other software needs updating too. This is critical for your communications software and web browsers, as those are your main points of contact with the internet.
Manage your passwords well
Your passwords are the gateway to everything you own, and bad passwords are one of the most common ways of getting hacked.
- Use multi-word passphrases. It’s much easier to remember three random words (“door-moose-hop”), and they’re harder to crack as well.
- Never repeat passwords. If one gets exposed (and it happens all the time), attackers will try it against all your other accounts.
- Use a password manager. You probably have too many passwords to remember (especially since you aren’t repeating them). Use a password manager to keep track of them for you.
- Bitwarden is free and excellent.
- 1Password is a popular paid choice.
- macOS’s built-in Passwords app is now quite good.
- Password managers built into your browser, like Chrome, are less good—security holes in your browser (which happen with worrisome frequency) can expose your passwords.
- Use two-factor authentication whenever possible. This means adding a second step to signing in, such as a code sent by text message (or better, generated by an authenticator app like Google Authenticator), so that even if someone steals your password they can’t get in.
- Use passkeys where you can. Passkeys are a newer, very secure sign-in method that replaces passwords with device-based keys. Biometrics (Face ID/fingerprint) then unlock the passkey on your device, but your biometric data isn’t shared with websites. These are very secure—and best of all, you don’t need to remember a password at all.
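Why do three random words beat a short “clever” password, as the passphrase item above claims? The following added example (mine, not the guide’s) puts numbers on it: it generates a passphrase with the operating system’s cryptographic random source and compares the entropy of word-based and character-based secrets. The tiny word list is a constructed stand-in; the comparison assumes a 7,776-word Diceware-style list and a hypothetical attacker rate of ten billion guesses per second, both labelled in the code.

```python
import math
import secrets

# Constructed mini word list for the demo (it includes the guide's own
# "door", "moose", "hop"). A real Diceware-style list has 7,776 words (6^5);
# that size is what the comparison below assumes.
WORDS = (
    "door moose hop river candle pepper orbit velvet lantern "
    "tundra wicket marble saffron cobalt glacier ember"
).split()
DICEWARE_SIZE = 7776


def passphrase(n_words: int = 3, wordlist=WORDS, sep: str = "-") -> str:
    """Pick words with the OS cryptographic RNG (secrets), never random.choice."""
    return sep.join(secrets.choice(wordlist) for _ in range(n_words))


def entropy_bits(choices: int, length: int) -> float:
    """Entropy of a secret built from `length` independent picks out of `choices`."""
    return length * math.log2(choices)


def expected_guesses(bits: float) -> float:
    """On average an attacker must try half the space before hitting the secret."""
    return 2 ** bits / 2


def years_to_crack(bits: float, guesses_per_second: float = 1e10) -> float:
    """Expected time for an offline guessing attack at an assumed guess rate."""
    return expected_guesses(bits) / guesses_per_second / (365 * 24 * 3600)


if __name__ == "__main__":
    print("sample passphrase:", passphrase())
    for label, choices, length in [
        ("8 lowercase letters", 26, 8),
        ("8 chars, full keyboard", 95, 8),
        ("3 Diceware words", DICEWARE_SIZE, 3),
        ("5 Diceware words", DICEWARE_SIZE, 5),
    ]:
        bits = entropy_bits(choices, length)
        print(f"{label:24} {bits:5.1f} bits  ~{years_to_crack(bits):.2e} years at 1e10 guesses/s")
```

Three Diceware words (about 38.8 bits) already edge out eight random lowercase letters (about 37.6 bits) while being far easier to remember, and each extra word adds roughly 13 bits; that is the arithmetic behind the advice to prefer multi-word passphrases and let a password manager hold the rest.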
Secure your iPhone
Your phone holds the most intimate parts of your life. Keep it safe.
- Ensure you have automatic updates on. (Settings → General → Software Update)
- Use a 6-digit or alphanumeric passcode (not 4 digits).
- Enable Face ID / Touch ID, but know how to quickly disable it (press and hold Power + Volume until the slider appears; opening then requires a passcode). Note: Authorities can force you to use your face or finger to unlock your phone, but in many jurisdictions they need a warrant to make you enter a PIN.
- Set your phone to auto-wipe after 10 failed attempts. (Settings → Face ID & Passcode → Erase Data)
- Turn on Find My iPhone for remote lock and wipe if it’s lost or stolen.
- Only install apps from the App Store. Apple makes you go out of your way to do it otherwise, but they have strong (if imperfect) vetting for malicious apps.
- Check what apps have special access regularly. Review Settings → Privacy & Security to limit app access.
- Back your phone up. Back up to iCloud or an encrypted computer backup.
- Never tap “Trust this computer?” when connecting to an unknown source.
- If you’re at very high risk, enable Lockdown Mode (Privacy & Security → Lockdown Mode). This will make your life more inconvenient, but it reduces the risk of being successfully hacked by sophisticated targeted malware. You can also use this selectively—for example if attending an event or traveling.
Secure your Android phone
Android phones vary a lot more than iOS devices, so these recommendations are necessarily more approximate. Menus may be in different places or use different names.
Android security varies by manufacturer—some brands deliver security patches much faster than others. When safety matters, prioritize phones with a strong update track record, like Google's Pixel phones or Samsung devices.
- Ensure you have automatic updates on, and check for updates regularly. (Settings → System → Software updates / Security update / Google Play system update)
- Use a 6-digit (or longer) PIN or an alphanumeric password (not a 4-digit PIN or pattern).
- Enable fingerprint/face unlock, but know how to quickly require PIN-only using Lockdown (enable “Show lockdown option”; Lockdown disables biometrics until you enter your PIN/password).
- Keep your phone set to lock quickly when you’re not using it (short auto-lock timeout). (Menu wording varies by device.)
- If your phone supports it, enable “Auto factory reset” after repeated failed unlock attempts (commonly 15 on Samsung).
- Turn on Find My Device / Find Hub for remote locate, lock, and erase if it’s lost or stolen.
- Only install apps from the Play Store; avoid “unknown apps” / sideloaded APKs unless you fully trust the source.
- Review app permissions regularly (Settings → Privacy → Permission manager / Privacy dashboard) and remove anything you don’t expect (Location, Mic, Camera, Contacts, Files).
- Back your phone up (Settings → Google → Backup) and confirm you can restore it. Note: Standard Android backup is encrypted in transit and at rest, and from Android 9 it may be encrypted with a key not known to Google when a screen lock is set (device/feature dependent).
- Never approve USB debugging trust prompts or enable USB debugging except when you truly need it. USB debugging grants powerful access to a “trusted” computer.
- If you’re at very high risk, use Lockdown when traveling or attending sensitive events (it forces PIN/password unlock and reduces exposure if someone grabs your phone).
Travel tips
You have basically no right to privacy when you are crossing an international border, and it can feel like you have little in airports or transit points. As such, any devices with you can be searched without a warrant; remember that the safest data is the stuff you didn’t bring. Laws and enforcement practices vary by country and situation. This section reflects common experiences, not legal guarantees.
- You can politely decline to share passwords—but you may end up in a cell or without a phone. You don’t have to acquiesce, but non-citizens may be turned away, and citizens can have their devices taken and can be detained.
- Back up before you go. Great advice to back up routinely anyway, because there’s always a chance you’ll drop your phone in the ocean or forget your computer in a hotel.
- Don’t bring your normal phone and computer if you can avoid it. Bring a basic device that can do the bare minimum you need. Chromebooks can be easily erased and restored.
- Delete social media and communications apps when you’re going to be crossing a border if you are using your normal devices. You can always re-download them later.
- Be careful of random USB ports for charging. Theoretically, these can be used for hacking attacks, although this has not been confirmed in the wild. If you route through a power brick of your own or use a “data blocker” USB adapter you’re safe.
Secure your computer
Your computer is the foundation of your digital life. It provides access to all of your accounts and hosts much of your most important information. Computers are easy to lose or steal, and a primary target for hacking, so it’s critical that they are a trustworthy partner.
- Use a good password. This is an important place for a quality password you don’t use anywhere else.
- Set your computer to auto-lock. When you wander away from it, the system should lock after a minute or two.
- Keep the operating system up to date. Ensure that you’ve enabled auto-updates—and reboot as soon as the system asks you to.
- Encrypt your hard drive (FileVault on Mac, BitLocker on Windows).
- Use browsers that respect privacy: Firefox, Tor Browser, or Brave are particularly good; add uBlock Origin and Privacy Badger. Chrome is a great browser, but Google is in the business of tracking you to sell you ads.
- Use added anti-malware protection. While Windows' built-in Microsoft Defender is considered quite good these days, and Macs typically have fewer problems with viruses and malware, it's still wise to augment with additional protection. Malwarebytes offers quality additional protection for both Windows and macOS.
Virtual meeting security: vet and verify
As has always been the case, people who want to disrupt the work of organizing often do so by infiltrating meetings. Online, that’s easier than ever.
- Use initials or alternative names when entering a virtual meeting. This protects your identity if someone leaks the meeting or tries to attack participants.
- Consider turning on a fake background. This can prevent people from identifying your location—or other individuals who might wander into your camera.
- For internal meetings, turn on cameras to verify identity. When all attendees are known, cameras let colleagues recognize whom they are speaking with. Do not share a meeting link with anyone outside the host’s pre-determined process.
- Have a vetting process for virtual events—and follow it. Share the meeting link shortly before the event. Set up a waiting room to verify folks before they join the meeting. Assign a co-host to monitor participants for unusual or disruptive behavior.
Clean up your internet profile and anonymize yourself
Today the most intimidating threat to most democracy activists is not a shadowy hacker, but howling digital mobs. While harassment and hate online can be devastating on its own, doxxing (revealing personal or location information about individuals) can lead to severe physical consequences as well.
- Have an intentional conversation and make a conscious decision about your public exposure. Your level of social media, traditional media, and internet exposure should be an intentional choice. Have a conversation with your important people and decide how public you want to be.
- Consider using just initials or a pseudonym when possible. Whether connecting to Zoom meetings or in Signal chats, consider not having your full name available.
- Limit what you share publicly. Personal details (address, family, travel plans) can be used for harassment or phishing.
- Check social-media privacy settings. Make past posts visible only to friends or trusted contacts.
- Be careful with friend requests. Many fake accounts target activists. Do you actually know the person? And even if you recognize their name, does their account seem legitimate?
Keep a backup and be ready for problems
Bad stuff happens. Disks fail, computers fall off desks, phones are left in bathrooms—even without targeted threats. These days some of the most common hacks are ransomware: they break into your computer, encrypt all the data, and promise they’ll give you the keys if you send them a bunch of bitcoin (maybe). Having effective backups can help protect you.
- Have good backups. Keep two copies of your most important documents—one offline, one encrypted online. A backup hard drive for your computer is an inexpensive method to add a lot of protection, as long as you use it regularly.
- On macOS, Time Machine makes this easy.
- On Windows, “Windows File History” can back up to an external hard drive.
- More full-featured (and expensive) solutions include Acronis True Image or EaseUS Todo Backup.
- Plan for account recovery. Most online accounts have backup codes or some mechanism to get into your account if you lose your password or your two-factor authentication (2FA) app. Store backup codes safely—either printed and filed away, or in your secure password manager.
- Have a special backup of your password manager. Since you’re using a password manager (right?) it contains access to most of your stuff. Keep a backup of that data file (still protected by your strong password) so you can access it if something goes wrong.
- Know your contacts. Have a small trusted network you can reach if accounts are compromised, and know multiple methods to reach them.
Communication common sense
While there’s a lot you can do to lock down your communication channels, one of the most important principles is “what you don’t have can’t be stolen.” Be thoughtful about what you say and to whom.
- Don’t communicate sensitive things via email or SMS. If you think something ought not be communicated in writing, you’re right.
- If you are in a group chat, there may be times when it is prudent to refer to actions by their owner (for example, “John’s action item” instead of “Save Public Research Data”).
- Use your professional judgement about what should be discussed in group chats vs. separate individual chats.
Use a personal VPN
When connecting to any internet system or website, the network provider—and often government entities—can see where you’re connecting from and what you’re connecting to. These days most web connections are encrypted, so the actual content typically remains private, but who is looking at what resources can be more information than you want to give away. These threats can be highest in public settings, like airports or hotels, with public wifi.
- Get a quality VPN. ProtonVPN, NordVPN, and Mullvad are all good choices.
- Cloudflare WARP is free and effective, but it’s not the same as a traditional privacy-focused VPN.
- Avoid sketchy free VPNs—they make money by harvesting your data.
Are you managing a group or community?
Are you building a community of like-minded individuals? Is there a risk of infiltration from malevolent actors or trolls? As with other forms of cybersecurity, you need to be thoughtful about how you manage your digital groups and tools so we can keep each other safe.
- Speak with new members individually before adding them. Have a brief one-on-one call with anyone who wants to join your group. This helps confirm identity in case they found out about your community and intend to join to make trouble.
- Make sure you know who is behind all the Signal handles and email addresses in your group. People often use aliases, initials, or pseudonyms, which is often a good thing. However, as a group leader, it’s important that you really know who the humans behind them are. Use Signal nicknames to capture people’s identities in a stable way.
- Restrict document access. If you are sharing sensitive documents using a service like Google Docs or Proton Docs, ensure access is restricted and that you personally approve anyone added. Avoid using unrestricted links, as they can be shared outside the target community. Be aware that sharing most documents shows who owns and has contributed to the document.
- Store PII securely. Personally identifiable information (PII) such as members’ names, phones, emails, Signal handles, etc. should only be stored in appropriate, secure, access-limited platforms. Do not make copies, forward, or download to your computers.
- Verify participants on group calls. Until your group is fully vetted, ask participants to turn on their cameras and identify themselves at the start of calls.
Platform-specific guidance
Some brief notes on the most important things to do for each of these popular platforms.
Platform settings and menus change frequently. Names and paths listed here may differ slightly from what you see on your device. If you catch errors, have suggestions, or want to add another platform, let us know.
Do you use Signal? (We certainly hope so!)
Signal is a fabulous and high-quality messaging platform. Uniquely among popular communication products, it has been created by a non-profit with a goal of keeping people safe online, not tracking your behaviors to sell advertising. While the system is very secure and private by default, there’s a bit more you can do.
- Set your display name to something nonspecific. Your name shows up in group chats, and it’s hard to know who’s in there. You can set it to something like your initials, a pseudonym, or a totally made-up word. Be aware that the flip side is that the people you’re talking to will have less idea who you are.
- Always relay calls. In the Signal app: Settings → Privacy → Advanced → enable “Always Relay Calls.” This makes it harder for networks between you and the person you are calling to see the IP address of both sides of the call and figure out who you are calling, when, and for how long.
- Enable disappearing messages. In the Signal app: Settings → Privacy → Disappearing Messages. Set a default timer for new chats with a maximum of 4 weeks. If the communications are sensitive, use a shorter timer.
- Disable link previews. In the Signal app: Settings → Chats → disable “Generate link previews.” Signal won’t fetch content from links you send to display them, which improves the privacy of your IP address.
- Save nicknames for your contacts. Many people follow the advice above about changing their display name, and they may change it in the future. For your contacts you care most about or work closely with, use the Signal “nickname” feature.
- Be aware of name conflicts. Because anyone can call themselves anything, be aware of identical names in groups. Signal will pop up a message. It’s probably benign, but it’s worth investigating.
- Be aware of device changes. If a Signal account is being used from a new device, your app will notice it. You’ll see a message like “Your safety number with John Doe changed.” They probably got a new phone, but it’s also what you’d see if someone stole their account. If it’s suspicious, check in with them (but not on Signal).
- Leave Signal groups you are not actively participating in. Take 10 minutes to scroll through your Signal groups and leave or close groups that are no longer active.
- If you can, donate to Signal to keep them going strong.
Do you use WhatsApp?
The primary concern with WhatsApp is that it’s owned by Meta/Facebook, a company with financial incentives to monetize your data and a history of bowing to government pressure. The actual communications between WhatsApp devices are protected by the same encryption as Signal, but what happens to the information before or after that, and what the future may bring, are more difficult questions.
- Protect IP address in calls. Go to Settings → Privacy → Advanced → enable “Protect IP address in calls.”
- Disable link previews. In the same place, disable link previews. Preloading links can spread malware and potentially expose your identity.
Do you use Google?
Google provides an amazing toolset that has become indispensable for many organizations and individuals. While they are in the business of monetizing your data, they have had a strong track record for protecting against cybersecurity threats and legal overreach. While it is not obvious that will continue, it is still very valuable to further harden your accounts against outside attackers.
- Enable the Advanced Protection Program. This flags your account as one that may be at higher risk and enforces a range of other best practices.
Do you use Microsoft and do you work for a rights or political organization?
Microsoft offers a form of heightened account security similar to Google, but it’s only available for selected types of organizations, not individuals. If you are a journalist, a political candidate, or a member of a civil society organization (using Microsoft 365) you may be eligible.
- Enable Microsoft Account Guard.
Do you use Proton?
Swiss-based Proton is well regarded for its set of privacy-focused email and hosting platforms. If you’re using a paid version of their system, you can dial the security up another level.
- Enable Proton Sentinel. This provides more auditing and detailed logging, and escalated response for security issues.
Do you use Apple?
Apple is a very large company with deep business interests in the US, China, India, and most of the world. However, they have historically made a real effort to promote user privacy, and as a company that does not (primarily, yet) make money from monetizing your personal data, their financial incentives are more in alignment with privacy.
- Turn on Advanced Data Protection. This enables full encryption for all your Apple-managed data—even Apple can’t get at it. This provides a great deal of security, but it also means that if you lose your Apple ID password and your recovery method, Apple cannot help you recover your data.
On iPhone or iPad:
- Go to Settings → [Your Name] → iCloud → Advanced Data Protection.
On Mac:
- Open System Settings → [Your Name] → iCloud → Advanced Data Protection.
- Click Turn On, verify your recovery method, and confirm.
- Make sure to store your recovery key somewhere physically safe, or set a trusted recovery contact you truly trust—or it’s gone forever.
Do you use Facebook?
Ah, for the good old days when Facebook was a chatty community of close friends sharing ill-advised late night photos. Now it’s troll central, and a prime place for phishing attacks, impersonation, and doxxing.
- Enable two-factor authentication. (Settings → Security and Login → Two-Factor Authentication) Choose “Authentication App” rather than SMS. Add backup codes and store them offline or in a password manager.
- Use a strong, unique password (and keep it in your password manager).
- Get notified about unrecognized logins and ensure you have recovery access. (Settings → Security and Login → Get alerts about unrecognized logins.) Enable both Messenger and email alerts. Check that recovery info is current and tied to a secure email account with 2FA.
- Lock your profile. (Menu → Profile → ⋯ → Lock Profile) The one-click “Lock profile” button turns on maximum privacy settings.
- Hide your network of friends. (Friends tab → ⋯ → Edit Privacy → Only Me)
- Opt out of face recognition. (Settings → Face Recognition → No)
- Make yourself harder to find. (Settings → Privacy → How people can find and contact you) Disable “Do you want search engines outside Facebook to link to your profile?” and restrict name search where possible.
- Disable off-Facebook ad tracking. (Settings → Ad Preferences → Ad Settings.) Turn off “Data about your activity from partners.” and “Ads shown off of Facebook.”
- Review apps & websites. (Settings → Apps and Websites → remove old logins) Clean out ancient games or campaigns you connected to your account.
- Turn on tag and timeline review. (Settings → Profile and Tagging → Review posts and tags before they appear)
- Control who can contact you. (Settings → Privacy → How people can find and contact you) Set “Who can send you friend requests?” to “Friends of friends” and “Who can look you up by phone/email?” to “Only Me.”
- Filter more spam messages. (Message Requests → Spam Filters) Enable strict filtering.
- Enable Facebook Protect if offered. If you have the chance, take it. It ups security and account takeover protection.
Do you use Instagram?
Lots of overlap with Facebook (they’re all Meta-owned products). If you’re on the ’Gram, take these steps:
- Turn on two-factor authentication. (Settings → Security → Two-Factor Authentication) Use an authenticator app, not SMS.
- Use a strong, unique password stored in a password manager.
- Check login activity. (Settings → Security → Login Activity → log out of unknown devices)
- Enable security alerts. (Settings → Security → Emails from Instagram)
- Set your account to private. (Settings → Privacy → Account Privacy → Private Account)
- Hide activity status. (Settings → Privacy → Activity Status → Off)
- Review your followers regularly and remove anyone you don’t know or trust.
- Filter DMs. (Settings → Privacy → Messages → limit who can send you requests)
- Filter comments / block keywords. (Settings → Privacy → Hidden Words → offensive filter on + custom keywords)
- Restrict or block harassers. “Restrict” hides their comments from others without alerting them.
- Limit tags and mentions. (Settings → Privacy → Tags & Mentions → “Only People You Follow” or “No One.”)
- Clean up app connections. (Settings → Security → Apps & Websites → remove old logins)
Do you use TikTok?
If cybersecurity is a high priority for you, this platform carries serious tradeoffs.
TikTok is owned by ByteDance, a People’s Republic of China-based company, which creates particular concerns for activists. Under China’s National Intelligence Law, companies can be compelled to share data with the government in secret, and those at risk should assume their data can be accessible to PRC authorities. Past incidents of employee access have shown that PRC-based engineers could reach user data from across the globe.
TikTok is also extremely aggressive in the data it collects, including other installed apps, network information, device IDs, and even taps and text input events on websites opened inside the app. TikTok also has a history of suppressing political content around human rights issues.
So what can I do next? Create a security plan
Congratulations. If you’ve made it through this guide, you’ve gone a very long way to keeping yourself safer online with generic advice. However, every person is different, with different adversaries, different things they care about, different systems they use, and different tolerance for risk.
If you want to take the next step, create an individualized security plan.
Consumer Reports has an excellent resource, Security Planner, which helps you walk through the steps to keep yourself safe in the ways that matter most to you.
What do I do if I’m getting harassed?
This section focuses on common first steps, not legal advice or emergency response.
- Make sure all your social media (including LinkedIn for now) are set to private/friends only or deactivated altogether.
- Freeze your credit. Equifax, Experian, and TransUnion all do it for free and it's easy.
- Consider DeleteMe and/or Kanary to wipe PII from the internet to the extent possible.
- On Google, go to https://myactivity.google.com/results-about-you to flag phone numbers and addresses to pull down (you can even see data breaches on the dark web).
- If you have an iPhone, put it in Lockdown Mode and turn off Siri for apps.
- Try not to panic, but report any actual threats to law enforcement.
- Document, document, document. Chances are good they are collecting names on a list somewhere—best to be ready should you need it for legal purposes.
Other great resources
- In an emergency, you may be able to call on the great folks from the Democracy Security Project at 1-234-DSP-HELP.
- Frontline Defenders’ Security in a Box
- CISA’s Mitigating Cyber Threats with Limited Resources
- NDI’s Digital Organizing SOS and Cybersecurity for CSOs
- PEN’s Digital Safety Snacks and Online Harassment Field Manual
- The New York Times’s How to Doxx Yourself
- EFF’s Surveillance Self-Defense
- NAC’s The Activist Checklist
- American Library Association’s Digital Security Basics
Change log
- Oct 9, 2025 — Initial release
- Nov 3, 2025 — Various edits and additions. New section on group management.
- Nov 15, 2025 — Added initial draft of Instagram section.
- Jan 12, 2026 — Review, refresh, light edits. New Android section.
- Jan 20, 2026 — Rewritten welcome section. Additional internal structure.
License
© 2026 Democracy Nerds (demnerds.org)
This work is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License (CC BY-SA 4.0).