What is threat modeling and where do I start? Anchor link

Threat modeling helps you identify threats to the things you value and determine from whom you need to protect them. When building a threat model, answer these five questions:

1. What do I want to protect?
2. Who do I want to protect it from?
3. How bad are the consequences if I fail?
4. How likely is it that I will need to protect it?
5. How much trouble am I willing to go through to try to prevent potential consequences?

Let’s take a closer look at each of these questions.

What do I want to protect?

An “asset” is something you value and want to protect. In the context of digital security, an asset is usually some kind of information. For example, your emails, contact lists, instant messages, location, and files are all possible assets. Your devices may also be assets.

Make a list of your assets: data that you keep, where it’s kept, who has access to it, and what stops others from accessing it.

Who do I want to protect it from?

To answer this question, it’s important to identify who might want to target you or your information. A person or entity that poses a threat to your assets is an “adversary.” Examples of potential adversaries are your boss, your former partner, your business competition, your government, or a hacker on a public network.

Make a list of your adversaries, or those who might want to get ahold of your assets. Your list may include individuals, a government agency, or corporations.

Depending on who your adversaries are, under some circumstances this list might be something you want to destroy after you’re done threat modeling.

How bad are the consequences if I fail?

There are many ways that an adversary can threaten your data. For example, an adversary can read your private communications as they pass through the network, or they can delete or corrupt your data.

The motives of adversaries differ widely, as do their attacks. A government trying to prevent the spread of a video showing police violence may be content to simply delete or reduce the availability of that video. In contrast, a political opponent may wish to gain access to secret content and publish that content without you knowing.

Threat modeling involves understanding how bad the consequences could be if an adversary successfully attacks one of your assets. To determine this, you should consider the capability of your adversary. For example, your mobile phone provider has access to all your phone records and thus has the capability to use that data against you. A hacker on an open Wi-Fi network can access your unencrypted communications. Your government might have stronger capabilities.

Write down what your adversary might want to do with your private data.

How likely is it that I will need to protect it?

Risk is the likelihood that a particular threat against a particular asset will actually occur. It goes hand-in-hand with capability. While your mobile phone provider has the capability to access all of your data, the risk of them posting your private data online to harm your reputation is low.

It is important to distinguish between threats and risks. While a threat is a bad thing that can happen, risk is the likelihood that the threat will occur. For instance, there is a threat that your building might collapse, but the risk of this happening is far greater in San Francisco (where earthquakes are common) than in Stockholm (where they are not).

Conducting a risk analysis is both a personal and a subjective process; not everyone has the same priorities or views threats in the same way. Many people find certain threats unacceptable no matter what the risk, because the mere presence of the threat at any likelihood is not worth the cost. In other cases, people disregard high risks because they don't view the threat as a problem.

Write down which threats you are going to take seriously, and which may be too rare or too harmless (or too difficult to combat) to worry about.

How much trouble am I willing to go through to try to prevent potential consequences?

Answering this question requires conducting the risk analysis. Not everyone has the same priorities or views threats in the same way.

For example, an attorney representing a client in a national security case would probably be willing to go to greater lengths to protect communications about that case, such as using encrypted email, than a mother who regularly emails her daughter funny cat videos.

Write down what options you have available to you to help mitigate your unique threats. Note if you have any financial constraints, technical constraints, or social constraints.

How Does End-to-End Encryption Work? Anchor link

When two people want to communicate securely (for example, Akiko and Boris) they must each generate crypto keys. Before Akiko sends a message to Boris she encrypts it to Boris's key so that only Boris can decrypt it. Then she sends the already-encrypted message across the Internet. If anyone is eavesdropping on Akiko and Boris—even if they have access to the service that Akiko is using to send this message (such as her email account)—they will only see the encrypted data and will be unable read the message. When Boris receives it, he must use his key to decrypt it into a readable message.

End-to-end encryption involves some effort, but it's the only way that users can verify the security of their communications without having to trust the platform that they're both using. Some services, such as Skype, have claimed to offer end-to-end encryption when it appears that they actually don't. For end-to-end encryption to be secure, users must be able to verify that the crypto key they're encrypting messages to belongs to the people they believe they do. If communications software doesn't have this ability built-in, then any encryption that it might be using can be intercepted by the service provider itself, for instance if a government compels it to.

You can read Freedom of the Press Foundation's whitepaper, Encryption Works for detailed instructions on using end-to-end encryption to protect instant messages and email. Be sure to check out the following SSD modules as well:

• An Introduction to Public Key Cryptography and PGP
• How to: Use OTR for Windows
• How to: Use OTR for Mac

Text Messages Anchor link

Standard text (SMS) messages do not offer end-to-end encryption. If you want to send encrypted messages on your phone, consider using encrypted instant messaging software instead of text messages.

Some end-to-end encrypted instant messaging services use their own protocol. So, for instance, users of Signal on Android and iOS can chat securely with others who use those programs. ChatSecure is a mobile app that encrypts conversations with OTR on any network that uses XMPP, which means you can choose from a range of independent instant messaging services.

Email Anchor link

Most email providers give you a way of accessing your email using a web browser, such as Firefox or Chrome. Of these providers, most of them provide support for HTTPS, or transport-layer encryption. You can tell that your email provider supports HTTPS if you log in to your webmail and the URL at the top of your browser begins with the letters HTTPS instead of HTTP (for example: https://mail.google.com).

If your email provider supports HTTPS, but does not do so by default, try replacing HTTP with HTTPS in the URL and refresh the page. If you’d like to make sure that you are always using HTTPS on sites where it is available, download the HTTPS Everywhere browser add-on for Firefox or Chrome.

Some webmail providers that use HTTPS by default include:

• Gmail
• Riseup
• Yahoo

Some webmail providers that give you the option of choosing to use HTTPS by default by selecting it in your settings. The most popular service that still does this is Hotmail.

What does transport-layer encryption do and why might you need it? HTTPS, also referred to as SSL or TLS, encrypts your communications so that it cannot be read by other people on your network. This can include the other people using the same Wi-Fi in an airport or at a café, the other people at your office or school, the administrators at your ISP, malicious hackers, governments, or law enforcement officials. Communications sent over your web browser, including the web pages that you visit and the content of your emails, blog posts, and messages, using HTTP rather than HTTPS are trivial for an attacker to intercept and read.

HTTPS is the most basic level of encryption for your web browsing that we recommend for everybody. It is as basic as putting on your seat belt when you drive.

But there are some things that HTTPS does not do. When you send email using HTTPS, your email provider still gets an unencrypted copy of your communication. Governments and law enforcement may be able to access this data with a warrant. In the United States, most email providers have a policy that says they will tell you when you have received a government request for your user data as long as they are legally allowed to do so, but these policies are strictly voluntary, and in many cases providers are legally prevented from informing their users of requests for data. Some email providers, such as Google, Yahoo, and Microsoft, publish transparency reports, detailing the number of government requests for user data they receive, which countries make the requests, and how often the company has complied by turning over data.

If your threat model includes a government or law enforcement, or you have some other reason for wanting to make sure that your email provider is not able to turn over the contents of your email communications to a third party, you may want to consider using end-to-end encryption for your email communications.

PGP (or Pretty Good Privacy) is the standard for end-to-end encryption of your email. Used correctly, it offers very strong protections for your communications. For detailed instructions on how to install and use PGP encryption for your email, see:

• How to: Use PGP for Mac OS X
• How to: Use PGP for Windows
• How to: Use PGP for Linux

Create a Secure Machine Anchor link

Maintaining a secure environment can be hard work. At best, you have to change passwords, habits, and perhaps the software you use on your main computer or device. At worst, you have to constantly think about whether you're leaking confidential information or using unsafe practices. Even when you know the problems, some solutions may be out of your hands. Other people might require you to continue unsafe digital security practices even after you have explained the dangers. For instance, work colleagues might want you to continue to open email attachments from them, even though you know your attackers could impersonate them and send you malware. Or you may be concerned that your main computer has already been compromised.

One strategy to consider is cordoning off valuable data and communications onto a more secure computer. Use that machine only occasionally, and when you do, consciously take much more care over your actions. If you need to open attachments, or use insecure software, do it on another machine.

If you're setting up a secure machine, what extra steps can you take to make it secure?

You can almost certainly keep the device in a more physically safe place: somewhere where you are able to tell if it has been tampered with, such as a locked cabinet.

You can install a privacy- and security-focused operating system like Tails. You might not be able (or want) to use an open source operating system in your everyday work, but if you just need to store, edit and write confidential emails or instant messages from this secure device, Tails will work well, and defaults to high security settings.

An extra, secure computer may not be as expensive an option as you think. A computer that is seldom used, and only runs a few programs, does not need to be particularly fast or new. You can buy an older netbook for a fraction of the price of a modern laptop or phone. Older machines also have the advantage that secure software like Tails may be more likely to work with them than newer models.

You can use the secure machine to keep the primary copy of confidential data. A secure machine can be valuable in cordoning off private data in this way, but you should also consider a couple of extra risks it might create. If you concentrate your most treasured information onto this one computer, it may make it more of an obvious target. Keep it well hidden, don't discuss its location, and don't neglect to encrypt the computer's drive with a strong password, so that if it is stolen, the data will remain unreadable without the password safe.

Another risk is the danger that destroying this one machine will destroy your only copy of the data.

If your adversary would benefit from you losing all your data, don't keep it in just one place, no matter how secure. Encrypt a copy and keep it somewhere else.

The highest level of protection from Internet attacks or online surveillance is, not surprisingly, not connecting to the Internet at all. You could make sure your secure computer never connects to a local network or Wifi, and only copy files onto the machine using physical media, like DVDs or USB drives. In network security, this is known as having an "air gap" between the computer and the rest of the world. Not many people go this far, but it can be an option if you want to keep data that is rarely accessed but you never want to lose. Examples might be an encryption key you only use for important messages (like "My other encryption keys are now insecure"), a list of passwords or instructions for other people to find if you are unavailable, or a backup copy of someone else's private data that has been entrusted to you. In most of these cases, you might want to consider just having a hidden storage device, rather than a full computer. An encrypted USB key kept safely hidden is probably as useful (or as useless) as a complete computer unplugged from the Internet.

If you do use the secure device to connect to the Internet, you might choose not to log in or use your usual accounts. Create separate web or email accounts that you use for communications from this device, and use Tor to keep your IP address hidden from those services. If someone is choosing to specifically target your identity with malware, or is only intercepting your communications, separate accounts and Tor can help break the link between your identity, and this particular machine.

A variation on the idea of a secure machine is to have an insecure machine: a device that you only use when you are going into dangerous places or need to try a risky operation. Many journalists and activists, for instance, take a minimal netbook with them when they travel. This computer does not have any of their documents, usual contact or email information on it, and so is less of a loss if it is confiscated or scanned. You can apply the same strategy to mobile phones. If you usually use a smartphone, consider buying a cheap throwaway or burner phone when travelling or for specific communications.

Creating Strong Passwords Using Dice Anchor link

There are a few passwords that you should memorize and that need to be particularly strong. These include:

• passwords for your device
• passwords for encryption (like full-disk encryption)
• the master password, or “passphrase,” for your password manager
• your email password

One of many difficulties when people choose passwords themselves is that people aren't very good at making random, unpredictable choices. An effective way of creating a strong and memorable password is to use dice and a word list to randomly choose words. Together, these words form your “passphrase.” A "passphrase" is a type of password that is longer for added security. For disk encryption and your password manager, we recommend selecting a minimum of six words.

Why use a minimum of six words? Why use dice to pick words in a phrase randomly? The longer and more random the password, the harder it is for both computers and humans to guess. To find out why you need such a long, hard-to-guess password, here’s a video explainer.

Try making a passphrase using one of EFF's word lists.

If your computer or device gets compromised and spyware is installed, the spyware can watch you type your master password and could steal the contents of the password manager. So it's still very important to keep your computer and other devices clean of malware when using a password manager.

Syncing Your Passwords Across Multiple Devices Anchor link

Many password managers allow you to access your passwords across devices through a password-synchronizing feature. This means when you sync your password file on one device, it will update it on all of your devices.

Password managers can store your passwords “in the cloud,” meaning encrypted on a remote server. When you need your passwords, these managers will retrieve and decrypt the passwords for you automatically. Password managers that use their own servers to store or help synchronize your passwords are more convenient, but are slightly more vulnerable to attack. If your passwords are stored both on your computer and in the cloud, an attacker does not need to take over your computer to find out your passwords. (They will need to break your password manager’s passphrase though.)

If this is concerning, don't sync your passwords to the cloud and instead opt to store them on just your devices.

Keep a backup of your password database just in case. Having a backup is useful if you lose your password database in a crash, or if your device is taken away from you. Password managers usually have a way to make a backup file, or you can use your regular backup program.

Sometimes, You Will Need to Disclose Your Password Anchor link

Laws about revealing passwords differ from place to place. In some jurisdictions you may be able to legally challenge a demand for your password while in others, local laws allow the government to demand disclosure — and even imprison you on the suspicion that you may know a password or key. Threats of physical harm can be used to force someone to give up their password. Or you may find yourself in a situation, such as travelling across a border, where the authorities can delay you or seize your devices if you refuse to give up a password or unlock your device.

We have a separate guide to crossing the U.S. border that gives advice on how to deal with requests for access to devices while travelling to or from the United States. In other situations, you should think about how someone might force you or others to give up your passwords, and what the consequences would be.

Preparing Your Personal Devices for a Protest Anchor link

Think carefully about what’s on your phone before bringing it to a protest. Your phone contains a wealth of private data, which can include your list of contacts, the people you have recently called, your text messages and email, photos and video, GPS location data, your web browsing history and passwords, and the contents of your social media accounts. Through stored passwords or active logins, access to the device can allow someone to obtain yet even more information on remote servers. (You can log out of these services).

In many countries, people are required to register their SIM cards when they purchase a mobile phone. If you take your mobile phone with you to a protest, it makes it easy for the government to figure out that you are there. If you need to keep your participation in a protest secret from governments or law enforcement, cover your face so that it is harder to identify you from photos. However, do note that masks may get you into trouble in some locations due to anti-mask laws. Also, do not take your mobile phone with you. If you absolutely must bring a mobile phone with you, try to bring one that is not registered in your name.

To protect your rights, you may want to harden your existing phone against searches. You should also consider bringing a throwaway or alternate phone to the protest that does not contain sensitive data, which you’ve never used to log in to your communications or social media accounts, and which you would not mind losing or parting with for a while. If you have a lot of sensitive or personal information on your phone, the latter might be a better option.

Password-protection and encryption options: Always password-protect your phone. But while password-protecting your phone is a small barrier to access, please be aware that merely password-protecting or locking your phone is not an effective barrier to expert forensic analysis. Android and iPhone both provide options for full-disk encryption on their operating systems, and you should use them, though the safest option remains leaving the phone elsewhere.

One problem with mobile phone encryption is that on Android the same password is used for disk encryption and screen unlocking. This was a bad design, because it forces the user to either select a too-weak password for the encryption, or to type a too-long and inconvenient password for the screen. The best compromise may be 8-12 fairly random characters that are nonetheless easy to type quickly on your particular device. Or if you have root access to your Android phone and know how to use a shell, read here for instructions on how to set up a separate (longer) password for full-disk encryption. (See also "Communicating with Others” for details on how to encrypt text and voice calls.)

Back up your data: It’s important that you frequently back up the data stored on your phone, especially if your device lands into the hands of a police officer. You may not get your phone back for a while (if at all) and it is possible that its contents may be deleted, whether intentionally or not.

For similar reasons, consider writing one important, but non-incriminating phone number on your body with a permanent marker in case you lose your phone, but are permitted to make a call.

Cell site location information: If you take your mobile phone with you to a protest, it makes it easy for the government to figure out that you are there by seeking the information from your provider. (We believe that governments should obtain an individualized warrant to obtain location information, but governments often disagree). If you need to keep the fact of your participation in a protest from the government, do not take your mobile phone with you. If you absolutely must bring a mobile phone with you, try to bring one that is not registered in your name.

If you are concerned about being arrested at the protest, it’s best practice to pre-arrange a message to a trusted friend who is in a safe place. Write your text message to that person in advance and queue it up so that you can send it quickly in case of an emergency to let them know you have been arrested. Similarly, you may want to plan a pre-arranged call after the protest with a friend—if they don’t hear from you, they can assume you’ve been arrested.

In addition to being made aware that your phone has been seized and you have been arrested, that trusted friend might be able to change the passwords to your email and social media accounts in case you are coerced into giving up your passwords to the authorities.

Please note that deliberately concealing or destroying evidence may be considered an illegal act in itself in some jurisdictions (including many social democracies).

Be sure you and your friend understand the law and the risks before engaging in this plan. For instance, if you are protesting in a country with a strong tradition of the rule of law and where protesting in itself is not a crime, it may be that conspiring to lock out law enforcement from your accounts may lead to you breaking the law when previously you would be able to leave without charge. On the other hand, if you are concerned for the physical safety of you and your colleagues at the hands of a unchecked militia, protecting your friends’ identities and your own data from them may be a greater priority than complying with an investigation.

Protect your Phone Before you Protest Anchor link

Think carefully about what’s on your phone before bringing it to a protest.

Your phone contains a wealth of private data, which can include your list of contacts, the people you have recently called, your text messages and email, photos and video, GPS location data, your web browsing history and passwords or active logins, and the contents of your email and social media accounts. Through stored passwords, access to the device can allow someone to obtain yet even more information on remote servers.

The United States Supreme Court recently held that the police are required to get a warrant to obtain this information when someone is arrested, but the exact limits of that ruling are still being examined. In addition, sometimes law enforcement will seek to seize a phone because they believe it contains evidence of a crime (such as photos you may have taken of the protest), or as part of a vehicle search. They can then later get a warrant to examine the phone that they’ve already seized.

To protect your rights, you may want to harden your existing phone against searches. You should also consider bringing a throwaway or alternate phone to the protest that does not contain sensitive data, which you’ve never used to log in to your communications or social media accounts, and which you would not mind losing or parting with for a while. If you have a lot of sensitive or personal information on your phone, the latter might be a better option.

Password-protection and encryption options: Always password-protect your phone. Be aware that merely password-protecting or locking your phone is not an effective barrier to expert forensic analysis. Android and iPhone both provide options for full-disk encryption on their operating systems, and you should use them, though the safest option remains leaving the phone elsewhere.

One problem with mobile phone encryption is that on Android the same password is used for disk encryption and screen unlocking. This was a bad design, because it forces the user to either select a too-weak password for the encryption, or to type a too-long and inconvenient password for the screen. The best compromise may be 8-12 fairly random characters that are nonetheless easy to type quickly on your particular device. Or if you have root access to your Android phone and know how to use a shell, read here. (See also "Communicating with Others” for details on how to encrypt text and voice calls.)

Back up your data: It’s important that you frequently back up the data stored on your phone, especially if your device lands into the hands of a police officer. You may not get your phone back for a while (if at all) and it is possible that its contents may be deleted, whether intentional or not. While we believe it would be improper for the police to delete your information, there’s a chance it could happen.

For similar reasons, consider writing one important, but non-incriminating phone number on your body with a permanent marker in case you lose your phone, but are permitted to make a call.

Cell site location information: If you take your mobile phone with you to a protest, it makes it easy for the government to figure out that you are there by seeking the information from your provider. (We believe that the law requires the government obtain an individualized warrant to obtain location information, but the government disagrees). If you need to keep the fact of your participation in a protest from the government do not take your mobile phone with you. If you absolutely must bring a mobile phone with you, try to bring one that is not registered in your name.

You may not be able to reach colleagues if you are detained. You may want to plan a pre-arranged call after the protest with a friend—if they don’t hear from you, they can assume you’ve been arrested.

Help! Help! I’m Being Arrested Anchor link

Remember that you have a right to remain silent—about your phone and anything else.

If questioned by police, you can politely but firmly ask to speak to your attorney and politely but firmly request that all further questioning stop until your attorney is present. It is best to say nothing at all until you have a chance to talk to a lawyer. However, if you do decide to answer questions, be sure to tell the truth. It is likely a crime to lie to a police officer and you may find yourself in more trouble for lying to law enforcement than for whatever it was they wanted on your computer.

If the police ask to see your phone, you can tell them you do not consent to the search of the device. They might still be able to search your phone with a warrant after they arrest you, but at least it’s clear that you did not give them permission to do so.

If the police ask for the password to your electronic device (or ask you to unlock it), you can politely refuse to provide it and ask to speak to your lawyer. If the police ask if a phone is yours, you can tell them that it is lawfully in your possession without admitting or denying ownership or control. Every arrest situation is different, and you will need an attorney to help you sort through your particular circumstance.

Ask your attorney about the Fifth Amendment, which protects you from being forced to give the government self-incriminating testimony. If turning over an encryption key or password triggers this right, not even a court can force you to divulge the information. If turning over an encryption key or password will reveal to the government information it does not have (such as demonstrating that you have control over files on a computer), there is a strong argument that the Fifth Amendment protects you. If, however, turning over passwords and encryption keys will not result in a “testimonial act,” for instance demonstrating that you have control over the data, then the Fifth Amendment may not protect you. Your attorney can help you figure out how this applies in a particular situation.

And just because the police cannot compel you to give up your password, doesn’t mean that they can’t pressure you. The police may detain you and you may go to jail rather than being immediately released if they think you’re refusing to be cooperative. You will need to decide whether to comply.

Security is a Process, not a Purchase Anchor link

The first thing to remember before changing the software you use or buying new tools is that no tool is going to give you absolute protection from surveillance in all circumstances. Using encryption software will generally make it harder for others to read your communications or go through your computer's files. But attacks on your digital security will always seek out the weakest element of your security practices. When you use a new secure tool, you should think about how using it might affect other ways someone could target you. For example, if you decide to use a secure texting program to talk to a contact because you know that your phone might be compromised, might the fact that you're using this program at all give an adversary a clue that you are talking about private information?

Secondly, remember your threat model. You don't need to buy some expensive encrypted phone system that claims to be “NSA-proof” if your biggest threat is physical surveillance from a private investigator with no access to internet surveillance tools. Alternatively, if you are facing a government that regularly jails dissidents because they use encryption tools, it may make sense to use simpler tricks—like a set of pre-arranged codes—rather than risk leaving evidence that you use encryption software on your laptop.

Given all that, here are some questions you can ask about a tool before downloading, purchasing, or using it.

How Clear are its Creators About its Advantages and Disadvantages? Anchor link

No software or hardware is entirely secure. Creators or sellers who are honest about the limitations of their product will give you a much stronger idea of whether their application is appropriate for you.

Don't trust blanket statements that say that the code is “military-grade” or “NSA-proof”; these mean nothing and give a strong warning that the creators are overconfident or unwilling to consider the possible failings in their product.

Because attackers are always trying to discover new ways to break the security of tools, software and hardware often needs to be updated to fix new vulnerabilities. It can be a serious problem if the creators of a tool are unwilling to do this, either because they fear bad publicity, or because they have not built the infrastructure to fix problems.

You can't predict the future, but a good indicator of how toolmakers will behave in the future is their past activity. If the tool's website lists previous issues and links to regular updates and information—like specifically how long it has been since the software was last updated—you can be more confident that they will continue to provide this service in the future.

Check for Recalls and Online Criticism Anchor link

Of course, companies selling products and enthusiasts advertising their latest software can be misled, be misleading, or even outright lie. A product that was originally secure might be discovered to have terrible flaws in the future. Make sure you stay well-informed on the latest news about the tools that you use.

Products Mentioned in This Guide Anchor link

We try to ensure that the software and hardware we mention in this guide complies with the criteria we've listed above: we have made a good faith effort to only list products that have a solid grounding in what we currently know about digital security, are generally transparent about their operation (and their failings), have defenses against the possibility that the creators themselves will be compromised, and are currently maintained, with a large and technically-knowledgeable user base. We believe that they have, at the time of writing, the eye of a wide audience who is examining them for flaws, and would raise concerns to the public quickly. Please understand that we do not have the resources to examine or make independent assurances about their security, we are not endorsing these products and cannot guarantee complete security.

Basic techniques Anchor link

Circumvention tools usually work by diverting your web traffic so it avoids the machines that do the blocking or filtering. A service that redirects your Internet connection past these blocks is sometimes called a proxy.

HTTPS is the secure version of the HTTP protocol you use to access websites. Sometimes a censor will only block the insecure (HTTP) version of a site. That means you can access the blocked site simply by entering the version of the web address that starts with HTTPS.

This is useful if the censorship you are fighting blocks individual web pages based on their contents. HTTPS stops censors from reading your web traffic, so they cannot tell what keywords are being sent, or which individual web page you are visiting.

Censors can still see the domain names of all websites you visit. So, for example, if you visit “eff.org/https-everywhere” censors can see that you are on “eff.org” but not that you are on the “https-everywhere” page.

If you suspect this type of simple blocking, try entering https:// before the domain in place of http:

Try installing EFF’s HTTPS Everywhere extension to automatically turn on HTTPS where possible.

Another way that you may be able to circumvent basic censorship techniques is by trying an alternate domain name or URL. For example, instead of visiting http://twitter.com, you might try the mobile version of the site at http://m.twitter.com. Censors that block websites or web pages work from a blacklist of banned websites, so anything that is not on that blacklist will get through. They might not know of all different versions of a particular website's name—especially if the administrators of the site know it is blocked and register more than one domain.

Encrypted proxies Anchor link

Numerous proxy tools utilize encryption to provide an additional layer of security on top of the ability to bypass filtering. The connection is encrypted so others cannot see what you are visiting. While encrypted proxies are generally more secure than plain web-based proxies, the tool provider may have information about you. They might have your name and email address in their records, for instance. That means that these tools do not provide full anonymity.

The simplest form of an encrypted web proxy is one that starts with “https”— this will use the encryption usually provided by secure websites. However, be cautious—the owners of these proxies can see the data you send to and from other secure websites. Ultrasurf and Psiphon are examples of these tools.

Tor Anchor link

Tor is open-source software designed to give you anonymity on the web. Tor Browser is a web browser built on top of the Tor anonymity network. Because of how Tor routes your web browsing traffic, it also allows you to circumvent censorship. (See our How to: Use Tor guides for Linux, macOS and Windows).

When you first start the Tor Browser, you can choose an option specifying that you are on a network that is censored:

Tor will not only bypass almost all national censorship, but, if properly configured, can also protect your identity from an adversary listening in on your country’s networks. It can, however, be slow and difficult to use.

To learn how to use Tor on a desktop machine, click here for Linux, here for macOS, or here for Windows, but please be sure to tap “Configure” instead of “Connect” in the window displayed above.

Registering for a Social Media Site Anchor link

• Do you want to use your real name? Some social media sites have so-called "real name policies," but these have become more lax over time. If you do not want to use your real name when registering for a social media site, do not.
• When you register, don't provide more information than is necessary. If you are concerned with hiding your identity, use a separate email address. Be aware that your IP address may be logged at registration.
• Choose a strong password and, if possible, enable two-factor authentication. Check out our guide to enabling two-factor authentication here.
• Beware of password recovery questions whose answers can be mined from your social media details. For example: “What city were you born in?” or “What is the name of your pet?” You may want to choose password recovery answers that are false. One good way to remember the answers to password recovery questions, should you choose to use false answers for added security, is to note your chosen answers in a password safe.

Change Your Privacy Settings Anchor link

Specifically, change the default settings. For example, do you want to share your posts with the public, or only with a specific group of people? Should people be able to find you using your email address or phone number? Do you want your location shared automatically?

• How to change your Facebook privacy settings

Remember, privacy settings are subject to change. Sometimes, these privacy settings get stronger and more granular; sometimes not. Be sure to pay attention to these changes closely to see if any information that was once private will be shared, or if any additional settings will allow you to take more control of your privacy.