Playlist
  • Journalist on the move?

    How to stay safe online anywhere without sacrificing access to information.

    Journalists are used to working in dangerous situations, but there's no need to take unnecessary risks with your data and communications. With this playlist, you can learn how to understand your threat model, communicate safely with others, and circumvent online censorship.

  • Assessing Your Risks

    Trying to protect all your data from everyone all the time is impractical and exhausting. But, do not fear! Security is a process, and through thoughtful planning, you can assess what’s right for you. Security isn’t about the tools you use or the software you download. It begins with understanding the unique threats you face and how you can counter those threats.

    In computer security, a threat is a potential event that could undermine your efforts to defend your data. You can counter the threats you face by determining what you need to protect and from whom you need to protect it. This process is called “threat modeling.”

    This guide will teach you how to threat model, or how to assess your risks for your digital information and how to determine what solutions are best for you.

    What might threat modeling look like? Let’s say you want to keep your house and possessions safe, here are a few questions you might ask:

    What do I have inside my home that is worth protecting?

    • Assets could include: jewelry, electronics, financial documents, passports, or photos

    Who do I want to protect it from?

    • Adversaries could include: burglars, roommates, or guests

    How likely is it that I will need to protect it?

    • Does my neighborhood have a history of burglaries? How trustworthy are my roommates/guests? What are the capabilities of my adversaries? What are the risks I should consider?

    How bad are the consequences if I fail?

    • Do I have anything in my house that I cannot replace? Do I have the time or money to replace these things? Do I have insurance that covers goods stolen from my home?

    How much trouble am I willing to go through to prevent these consequences?

    • Am I willing to buy a safe for sensitive documents? Can I afford to buy a high-quality lock? Do I have time to open a security box at my local bank and keep my valuables there?

    Once you have asked yourself these questions, you are in a position to assess what measures to take. If your possessions are valuable, but the risk of a break-in is low, then you may not want to invest too much money in a lock. But, if the risk is high, you’ll want to get the best lock on the market, and consider adding a security system.

    Building a threat model helps you to understand the unique threats you face, your assets, your adversary, your adversary’s capabilities, and the likelihood of risks you face.

    What is threat modeling and where do I start? Anchor link

    Threat modeling helps you identify threats to the things you value and determine from whom you need to protect them. When building a threat model, answer these five questions:

    1. What do I want to protect?
    2. Who do I want to protect it from?
    3. How bad are the consequences if I fail?
    4. How likely is it that I will need to protect it?
    5. How much trouble am I willing to go through to try to prevent potential consequences?

    Let’s take a closer look at each of these questions.

    What do I want to protect?

    An “asset” is something you value and want to protect. In the context of digital security, an asset is usually some kind of information. For example, your emails, contact lists, instant messages, location, and files are all possible assets. Your devices may also be assets.

    Make a list of your assets: data that you keep, where it’s kept, who has access to it, and what stops others from accessing it.

    Who do I want to protect it from?

    To answer this question, it’s important to identify who might want to target you or your information. A person or entity that poses a threat to your assets is an “adversary.” Examples of potential adversaries are your boss, your former partner, your business competition, your government, or a hacker on a public network.

    Make a list of your adversaries, or those who might want to get ahold of your assets. Your list may include individuals, a government agency, or corporations.

    Depending on who your adversaries are, under some circumstances this list might be something you want to destroy after you’re done threat modeling.

    How bad are the consequences if I fail?

    There are many ways that an adversary can threaten your data. For example, an adversary can read your private communications as they pass through the network, or they can delete or corrupt your data.

    The motives of adversaries differ widely, as do their attacks. A government trying to prevent the spread of a video showing police violence may be content to simply delete or reduce the availability of that video. In contrast, a political opponent may wish to gain access to secret content and publish that content without you knowing.

    Threat modeling involves understanding how bad the consequences could be if an adversary successfully attacks one of your assets. To determine this, you should consider the capability of your adversary. For example, your mobile phone provider has access to all your phone records and thus has the capability to use that data against you. A hacker on an open Wi-Fi network can access your unencrypted communications. Your government might have stronger capabilities.

    Write down what your adversary might want to do with your private data.

    How likely is it that I will need to protect it?

    Risk is the likelihood that a particular threat against a particular asset will actually occur. It goes hand-in-hand with capability. While your mobile phone provider has the capability to access all of your data, the risk of them posting your private data online to harm your reputation is low.

    It is important to distinguish between threats and risks. While a threat is a bad thing that can happen, risk is the likelihood that the threat will occur. For instance, there is a threat that your building might collapse, but the risk of this happening is far greater in San Francisco (where earthquakes are common) than in Stockholm (where they are not).

    Conducting a risk analysis is both a personal and a subjective process; not everyone has the same priorities or views threats in the same way. Many people find certain threats unacceptable no matter what the risk, because the mere presence of the threat at any likelihood is not worth the cost. In other cases, people disregard high risks because they don't view the threat as a problem.

    Write down which threats you are going to take seriously, and which may be too rare or too harmless (or too difficult to combat) to worry about.

    How much trouble am I willing to go through to try to prevent potential consequences?

    Answering this question requires conducting the risk analysis. Not everyone has the same priorities or views threats in the same way.

    For example, an attorney representing a client in a national security case would probably be willing to go to greater lengths to protect communications about that case, such as using encrypted email, than a mother who regularly emails her daughter funny cat videos.

    Write down what options you have available to you to help mitigate your unique threats. Note if you have any financial constraints, technical constraints, or social constraints.

    Threat modeling as a regular practice Anchor link

    Keep in mind your threat model can change as your situation changes. Thus, conducting frequent threat modeling assessments is good practice.

    Create your own threat model based on your own unique situation. Then mark your calendar for a date in the future. This will prompt you to review your threat model and check back in to assess whether it’s still relevant to your situation.

    Last reviewed: 
    2017-09-07
  • Communicating with Others

    Telecommunication networks and the Internet have made communicating with people easier than ever, but have also made surveillance more prevalent than it has ever been in human history. Without taking extra steps to protect your privacy, every phone call, text message, email, instant message, voice over IP (VoIP) call, video chat, and social media message may be vulnerable to eavesdroppers.

    Often the safest way to communicate with others is in person, without computers or phones being involved at all. Because this isn’t always possible, the next best thing is to use end-to-end encryption while communicating over a network if you need to protect the content of your communications.

    How Does End-to-End Encryption Work? Anchor link

    When two people want to communicate securely (for example, Akiko and Boris) they must each generate crypto keys. Before Akiko sends a message to Boris she encrypts it to Boris's key so that only Boris can decrypt it. Then she sends the already-encrypted message across the Internet. If anyone is eavesdropping on Akiko and Boris—even if they have access to the service that Akiko is using to send this message (such as her email account)—they will only see the encrypted data and will be unable read the message. When Boris receives it, he must use his key to decrypt it into a readable message.

    End-to-end encryption involves some effort, but it's the only way that users can verify the security of their communications without having to trust the platform that they're both using. Some services, such as Skype, have claimed to offer end-to-end encryption when it appears that they actually don't. For end-to-end encryption to be secure, users must be able to verify that the crypto key they're encrypting messages to belongs to the people they believe they do. If communications software doesn't have this ability built-in, then any encryption that it might be using can be intercepted by the service provider itself, for instance if a government compels it to.

    You can read Freedom of the Press Foundation's whitepaper, Encryption Works for detailed instructions on using end-to-end encryption to protect instant messages and email. Be sure to check out the following SSD modules as well:

    Voice Calls Anchor link

    When you make a call from a landline or a mobile phone, your call is not end-to-end encrypted. If you're using a mobile phone, your call may be (weakly) encrypted between your handset and the cell phone towers. However as your conversation travels through the phone network, it's vulnerable to interception by your phone company and, by extension, any governments or organizations that have power over your phone company. The easiest way to ensure you have end-to-end encryption on voice conversations is to use VoIP instead.

    Beware! Most popular VoIP providers, such as Skype and Google Hangouts, offer transport encryption so that eavesdroppers cannot listen in, but the providers themselves are still potentially able to listen in. Depending on your threat model, this may or may not be a problem.

    Some services that offer end-to-end encrypted VoIP calls include:

    In order to have end-to-end encrypted VoIP conversations, both parties must be using the same (or compatible) software.

    Text Messages Anchor link

    Standard text (SMS) messages do not offer end-to-end encryption. If you want to send encrypted messages on your phone, consider using encrypted instant messaging software instead of text messages.

    Some end-to-end encrypted instant messaging services use their own protocol. So, for instance, users of Signal on Android and iOS can chat securely with others who use those programs. ChatSecure is a mobile app that encrypts conversations with OTR on any network that uses XMPP, which means you can choose from a range of independent instant messaging services.

    Instant Messages Anchor link

    Off-the-Record (OTR) is an end-to-end encryption protocol for real-time text conversations that can be used on top of a variety of services.

    Some tools that incorporate OTR with instant messaging include:

    Email Anchor link

    Most email providers give you a way of accessing your email using a web browser, such as Firefox or Chrome. Of these providers, most of them provide support for HTTPS, or transport-layer encryption. You can tell that your email provider supports HTTPS if you log in to your webmail and the URL at the top of your browser begins with the letters HTTPS instead of HTTP (for example: https://mail.google.com).

    If your email provider supports HTTPS, but does not do so by default, try replacing HTTP with HTTPS in the URL and refresh the page. If you’d like to make sure that you are always using HTTPS on sites where it is available, download the HTTPS Everywhere browser add-on for Firefox or Chrome.

    Some webmail providers that use HTTPS by default include:

    • Gmail
    • Riseup
    • Yahoo

    Some webmail providers that give you the option of choosing to use HTTPS by default by selecting it in your settings. The most popular service that still does this is Hotmail.

    What does transport-layer encryption do and why might you need it? HTTPS, also referred to as SSL or TLS, encrypts your communications so that it cannot be read by other people on your network. This can include the other people using the same Wi-Fi in an airport or at a café, the other people at your office or school, the administrators at your ISP, malicious hackers, governments, or law enforcement officials. Communications sent over your web browser, including the web pages that you visit and the content of your emails, blog posts, and messages, using HTTP rather than HTTPS are trivial for an attacker to intercept and read.

    HTTPS is the most basic level of encryption for your web browsing that we recommend for everybody. It is as basic as putting on your seat belt when you drive.

    But there are some things that HTTPS does not do. When you send email using HTTPS, your email provider still gets an unencrypted copy of your communication. Governments and law enforcement may be able to access this data with a warrant. In the United States, most email providers have a policy that says they will tell you when you have received a government request for your user data as long as they are legally allowed to do so, but these policies are strictly voluntary, and in many cases providers are legally prevented from informing their users of requests for data. Some email providers, such as Google, Yahoo, and Microsoft, publish transparency reports, detailing the number of government requests for user data they receive, which countries make the requests, and how often the company has complied by turning over data.

    If your threat model includes a government or law enforcement, or you have some other reason for wanting to make sure that your email provider is not able to turn over the contents of your email communications to a third party, you may want to consider using end-to-end encryption for your email communications.

    PGP (or Pretty Good Privacy) is the standard for end-to-end encryption of your email. Used correctly, it offers very strong protections for your communications. For detailed instructions on how to install and use PGP encryption for your email, see:

    What End-To-End Encryption Does Not Do Anchor link

    End-to-end encryption only protects the content of your communication, not the fact of the communication itself. It does not protect your metadata—which is everything else, including the subject line of your email, or who you are communicating with and when.

    Metadata can provide extremely revealing information about you even when the content of your communication remains secret.

    Metadata about your phone calls can give away some very intimate and sensitive information. For example:

    • They know you rang a phone sex service at 2:24 am and spoke for 18 minutes, but they don't know what you talked about.
    • They know you called the suicide prevention hotline from the Golden Gate Bridge, but the topic of the call remains a secret.
    • They know you spoke with an HIV testing service, then your doctor, then your health insurance company in the same hour, but they don't know what was discussed.
    • They know you received a call from the local NRA office while it was having a campaign against gun legislation, and then called your senators and congressional representatives immediately after, but the content of those calls remains safe from government intrusion.
    • They know you called a gynecologist, spoke for a half hour, and then called the local Planned Parenthood's number later that day, but nobody knows what you spoke about.

    If you are calling from a cell phone, information about your location is metadata. In 2009, Green Party politician Malte Spitz sued Deutsche Telekom to force them to hand over six months of Spitz’s phone data, which he made available to a German newspaper. The resulting visualization showed a detailed history of Spitz’s movements.

    Protecting your metadata will require you to use other tools, such as Tor, at the same time as end-to-end encryption.

    For an example of how Tor and HTTPS work together to protect the contents of your communications and your metadata from a variety of potential attackers, you may wish to take a look at this explanation.

    Last reviewed: 
    2017-01-12
  • Keeping Your Data Safe

    One of the greatest challenges of defending your data from those who might want it is the sheer size of the information you store or carry, and the ease by which it can be taken from you. Many of us carry entire histories of our contacts, our communications, and our current documents on laptops, or even mobile phones. That data can include confidential information of dozens, even thousands, of people. A phone or laptop can be stolen, or copied in seconds.

    The United States is just one of many countries that seizes and copies data at borders. Data can be taken from you at roadblocks, grabbed from you in the street, or burgled from your house.

    Just as you can keep your communications safer with encryption, you can also make it harder for those who physically steal data to unlock its secrets. Computers and mobile phones can be locked by passwords, PINs or gestures, but these locks do not help protect data if the device itself is seized. It's relatively simple to bypass these locks, because your data is stored in an easily readable form within the device. All an attacker needs to do is to access the storage directly, and the data can be copied or examined without knowing your password.

    If you use encryption, your adversary needs not just your device, but also your password to unscramble the encrypted data—there's no shortcut.

    It's safest and easiest to encrypt all of your data, not just a few folders. Most computers and smartphones offer complete, full-disk encryption as an option. Android offers it under its "Security" settings, Apple devices such as the iPhone and iPad describe it as "Data Protection" and turn it on if you set a passcode. On computer running Windows Pro, it's known as "BitLocker." 

    BitLocker's code is closed and proprietary, which means it is hard for external reviewers to know exactly how secure it is. Using BitLocker requires you trust Microsoft provides a secure storage system without hidden vulnerabilities. On the other hand, if you're already using Windows, you are already trusting Microsoft to the same extent. If you are worried about surveillance from the kind of attackers who might know of or benefit from a back door in either Windows or BitLocker, you may wish to consider an alternative open-source operating system such as GNU/Linux or BSD, especially a version that has been hardened against security attacks, such Tails or Qubes OS.

    Apple provides a built-in full disk encryption feature on macOS called FileVault.  On Linux distributions, full-disk encryption is usually offered when you first set up your system. At the time this guide was updated, we do not have a full disk encryption tool for versions of Windows that do not include BitLocker that we can recommend.

    Whatever your device calls it, encryption is only as good as your password. If your attacker has your device, they have all the time in the world to try out new passwords. Forensic software can try millions of passwords a second. That means that a four number pin is unlikely to protect your data for very long at all, and even a long password may merely slow down your attacker. A really strong password under these conditions should be over fifteen characters long.

    Most of us are not realistically going to learn and enter such passphrases on our phones or mobile devices. So while encryption can be useful to prevent casual access, you should preserve truly confidential data by keeping it hidden from physical access by attackers, or cordoned away on a much more secure machine.

    Create a Secure Machine Anchor link

    Maintaining a secure environment can be hard work. At best, you have to change passwords, habits, and perhaps the software you use on your main computer or device. At worst, you have to constantly think about whether you're leaking confidential information or using unsafe practices. Even when you know the problems, some solutions may be out of your hands. Other people might require you to continue unsafe digital security practices even after you have explained the dangers. For instance, work colleagues might want you to continue to open email attachments from them, even though you know your attackers could impersonate them and send you malware. Or you may be concerned that your main computer has already been compromised.

    One strategy to consider is cordoning off valuable data and communications onto a more secure computer. Use that machine only occasionally, and when you do, consciously take much more care over your actions. If you need to open attachments, or use insecure software, do it on another machine.

    If you're setting up a secure machine, what extra steps can you take to make it secure?

    You can almost certainly keep the device in a more physically safe place: somewhere where you are able to tell if it has been tampered with, such as a locked cabinet.

    You can install a privacy- and security-focused operating system like Tails. You might not be able (or want) to use an open source operating system in your everyday work, but if you just need to store, edit and write confidential emails or instant messages from this secure device, Tails will work well, and defaults to high security settings.

    An extra, secure computer may not be as expensive an option as you think. A computer that is seldom used, and only runs a few programs, does not need to be particularly fast or new. You can buy an older netbook for a fraction of the price of a modern laptop or phone. Older machines also have the advantage that secure software like Tails may be more likely to work with them than newer models.

    You can use the secure machine to keep the primary copy of confidential data. A secure machine can be valuable in cordoning off private data in this way, but you should also consider a couple of extra risks it might create. If you concentrate your most treasured information onto this one computer, it may make it more of an obvious target. Keep it well hidden, don't discuss its location, and don't neglect to encrypt the computer's drive with a strong password, so that if it is stolen, the data will remain unreadable without the password safe.

    Another risk is the danger that destroying this one machine will destroy your only copy of the data.

    If your adversary would benefit from you losing all your data, don't keep it in just one place, no matter how secure. Encrypt a copy and keep it somewhere else.

    The highest level of protection from Internet attacks or online surveillance is, not surprisingly, not connecting to the Internet at all. You could make sure your secure computer never connects to a local network or Wifi, and only copy files onto the machine using physical media, like DVDs or USB drives. In network security, this is known as having an "air gap" between the computer and the rest of the world. Not many people go this far, but it can be an option if you want to keep data that is rarely accessed but you never want to lose. Examples might be an encryption key you only use for important messages (like "My other encryption keys are now insecure"), a list of passwords or instructions for other people to find if you are unavailable, or a backup copy of someone else's private data that has been entrusted to you. In most of these cases, you might want to consider just having a hidden storage device, rather than a full computer. An encrypted USB key kept safely hidden is probably as useful (or as useless) as a complete computer unplugged from the Internet.

    If you do use the secure device to connect to the Internet, you might choose not to log in or use your usual accounts. Create separate web or email accounts that you use for communications from this device, and use Tor to keep your IP address hidden from those services. If someone is choosing to specifically target your identity with malware, or is only intercepting your communications, separate accounts and Tor can help break the link between your identity, and this particular machine.

    A variation on the idea of a secure machine is to have an insecure machine: a device that you only use when you are going into dangerous places or need to try a risky operation. Many journalists and activists, for instance, take a minimal netbook with them when they travel. This computer does not have any of their documents, usual contact or email information on it, and so is less of a loss if it is confiscated or scanned. You can apply the same strategy to mobile phones. If you usually use a smartphone, consider buying a cheap throwaway or burner phone when travelling or for specific communications.

    Last reviewed: 
    2016-12-01
  • Creating Strong Passwords

    Creating Strong Passwords Using Password Managers Anchor link

    Reusing passwords is an exceptionally bad security practice. If a bad actor gets ahold of a password that you've reused across multiple services, they can gain access to many of your accounts. This is why having multiple, strong, unique passwords is so important.

    Fortunately, a password manager can help. A password manager is a tool that creates and stores passwords for you, so you can use many different passwords on different sites and services without having to memorize them. Password managers:

    • generate strong passwords that a human being would be unlikely to guess.
    • store several passwords (and responses to security questions) safely.

    • protect all of your passwords with a single master password (or passphrase).

    KeePassXC is an example of a password manager that is open-source and free. You can keep this tool on your desktop or integrate it into your web browser. KeePassXC does not automatically save changes you make when using it, so if it crashes after you've added some passwords, you can lose them forever. You can change this in the settings.

    Wondering whether a password manager is the right tool for you? If a powerful adversary like a government is targeting you, it might not be.

    Remember:

    • using a password manager creates a single point of failure.

    • password managers are an obvious target for adversaries.

    • research suggests that many password managers have vulnerabilities.

    If you’re worried about expensive digital attacks, consider something more low-tech. You can create strong passwords manually (see “Creating strong passwords using dice” below), write them down, and keep them somewhere safe on your person.

    Wait, aren’t we supposed to keep passwords in our heads and never write them down? Actually, writing them down, and keeping them somewhere like your wallet, is useful so you’ll at least know if your written passwords go missing or get stolen.

    Creating Strong Passwords Using Dice Anchor link

    There are a few passwords that you should memorize and that need to be particularly strong. These include:

    One of many difficulties when people choose passwords themselves is that people aren't very good at making random, unpredictable choices. An effective way of creating a strong and memorable password is to use dice and a word list to randomly choose words. Together, these words form your “passphrase.” A "passphrase" is a type of password that is longer for added security. For disk encryption and your password manager, we recommend selecting a minimum of six words.

    Why use a minimum of six words? Why use dice to pick words in a phrase randomly? The longer and more random the password, the harder it is for both computers and humans to guess. To find out why you need such a long, hard-to-guess password, here’s a video explainer.

    Try making a passphrase using one of EFF's word lists.

    If your computer or device gets compromised and spyware is installed, the spyware can watch you type your master password and could steal the contents of the password manager. So it's still very important to keep your computer and other devices clean of malware when using a password manager.

    A Word About “Security Questions” Anchor link

    Beware of the “security questions” that websites use to confirm your identity. Honest answers to these questions are often publicly discoverable facts that a determined adversary can easily find and use to bypass your password entirely.

    Instead, give fictional answers that no one knows but you. For example, if the security question asks:

    “What was the name of your first pet?”

    Your answer could be a random password generated from your password manager. You can store these fictional answers in your password manager.

    Think of sites where you’ve used security questions and consider changing your responses. Do not use the same passwords or security question answers for multiple accounts on different websites or services.

    Syncing Your Passwords Across Multiple Devices Anchor link

    Many password managers allow you to access your passwords across devices through a password-synchronizing feature. This means when you sync your password file on one device, it will update it on all of your devices.

    Password managers can store your passwords “in the cloud,” meaning encrypted on a remote server. When you need your passwords, these managers will retrieve and decrypt the passwords for you automatically. Password managers that use their own servers to store or help synchronize your passwords are more convenient, but are slightly more vulnerable to attack. If your passwords are stored both on your computer and in the cloud, an attacker does not need to take over your computer to find out your passwords. (They will need to break your password manager’s passphrase though.)

    If this is concerning, don't sync your passwords to the cloud and instead opt to store them on just your devices.

    Keep a backup of your password database just in case. Having a backup is useful if you lose your password database in a crash, or if your device is taken away from you. Password managers usually have a way to make a backup file, or you can use your regular backup program.

    Multi-Factor Authentication and One-Time Passwords Anchor link

    Strong, unique passwords make it much harder for bad actors to access your accounts. To further protect your accounts, enable two-factor authentication.

    Some services offer two-factor authentication (also called 2FA, multi-factor authentication, or two-step verification), which requires users to possess two components (a password and a second factor) to gain access to their account. The second factor could be a one-off secret code or a number generated by a program running on a mobile device.

    Two-factor authentication using a mobile phone can be done in one of two ways:

    • your phone can run an authenticator application that generates security codes (such as Google Authenticator or Authy) or you can use a stand-alone hardware device (such as a YubiKey); or
    • the service can send you an SMS text message with an extra security code that you need to type in whenever you log in.

    If you have a choice, pick the authenticator application or stand-alone hardware device instead of receiving codes by text message. It’s easier for an attacker to redirect these codes to their own phone than it is to bypass the authenticator.

    Some services, such as Google, also allow you to generate a list of one-time passwords, also called single-use passwords. These are meant to be printed or written down on paper and carried with you. Each of these passwords works only once, so if one is stolen by spyware when you enter it, the thief won't be able to use it for anything in the future.

    If you or your organization run your own communications infrastructure, there's free software available that can be used to enable two-factor authentication for accessing your systems. Look for software offering implementations of the open standard “Time-Based One-Time Passwords” or RFC 6238.

    Sometimes, You Will Need to Disclose Your Password Anchor link

    Laws about revealing passwords differ from place to place. In some jurisdictions you may be able to legally challenge a demand for your password while in others, local laws allow the government to demand disclosure — and even imprison you on the suspicion that you may know a password or key. Threats of physical harm can be used to force someone to give up their password. Or you may find yourself in a situation, such as travelling across a border, where the authorities can delay you or seize your devices if you refuse to give up a password or unlock your device.

    We have a separate guide to crossing the U.S. border that gives advice on how to deal with requests for access to devices while travelling to or from the United States. In other situations, you should think about how someone might force you or others to give up your passwords, and what the consequences would be.

    Last reviewed: 
    2017-10-16
  • Attending Protests (International)

    With the proliferation of personal technologies, protesters of all political persuasions are increasingly documenting their protests—and encounters with the police—using electronic devices like cameras and mobile phones. In some cases, getting that one shot of the riot police coming right at you posted somewhere on the Internet is an exceptionally powerful act and can draw vital attention to your cause. The following are useful tips for you to remember if you find yourself at a protest and are concerned about protecting your electronic devices if or when you’re questioned, detained, or arrested by police. Remember that these tips are general guidelines, so if you have specific concerns, please talk to an attorney.

    For our guide to attending protests within the United States, click here.

    Preparing Your Personal Devices for a Protest Anchor link

    Think carefully about what’s on your phone before bringing it to a protest. Your phone contains a wealth of private data, which can include your list of contacts, the people you have recently called, your text messages and email, photos and video, GPS location data, your web browsing history and passwords, and the contents of your social media accounts. Through stored passwords or active logins, access to the device can allow someone to obtain yet even more information on remote servers. (You can log out of these services).

    In many countries, people are required to register their SIM cards when they purchase a mobile phone. If you take your mobile phone with you to a protest, it makes it easy for the government to figure out that you are there. If you need to keep your participation in a protest secret from governments or law enforcement, cover your face so that it is harder to identify you from photos. However, do note that masks may get you into trouble in some locations due to anti-mask laws. Also, do not take your mobile phone with you. If you absolutely must bring a mobile phone with you, try to bring one that is not registered in your name.

    To protect your rights, you may want to harden your existing phone against searches. You should also consider bringing a throwaway or alternate phone to the protest that does not contain sensitive data, which you’ve never used to log in to your communications or social media accounts, and which you would not mind losing or parting with for a while. If you have a lot of sensitive or personal information on your phone, the latter might be a better option.

    Password-protection and encryption options: Always password-protect your phone. But while password-protecting your phone is a small barrier to access, please be aware that merely password-protecting or locking your phone is not an effective barrier to expert forensic analysis. Android and iPhone both provide options for full-disk encryption on their operating systems, and you should use them, though the safest option remains leaving the phone elsewhere.

    One problem with mobile phone encryption is that on Android the same password is used for disk encryption and screen unlocking. This was a bad design, because it forces the user to either select a too-weak password for the encryption, or to type a too-long and inconvenient password for the screen. The best compromise may be 8-12 fairly random characters that are nonetheless easy to type quickly on your particular device. Or if you have root access to your Android phone and know how to use a shell, read here for instructions on how to set up a separate (longer) password for full-disk encryption. (See also "Communicating with Others” for details on how to encrypt text and voice calls.)

    Back up your data: It’s important that you frequently back up the data stored on your phone, especially if your device lands into the hands of a police officer. You may not get your phone back for a while (if at all) and it is possible that its contents may be deleted, whether intentionally or not.

    For similar reasons, consider writing one important, but non-incriminating phone number on your body with a permanent marker in case you lose your phone, but are permitted to make a call.

    Cell site location information: If you take your mobile phone with you to a protest, it makes it easy for the government to figure out that you are there by seeking the information from your provider. (We believe that governments should obtain an individualized warrant to obtain location information, but governments often disagree). If you need to keep the fact of your participation in a protest from the government, do not take your mobile phone with you. If you absolutely must bring a mobile phone with you, try to bring one that is not registered in your name.

    If you are concerned about being arrested at the protest, it’s best practice to pre-arrange a message to a trusted friend who is in a safe place. Write your text message to that person in advance and queue it up so that you can send it quickly in case of an emergency to let them know you have been arrested. Similarly, you may want to plan a pre-arranged call after the protest with a friend—if they don’t hear from you, they can assume you’ve been arrested.

    In addition to being made aware that your phone has been seized and you have been arrested, that trusted friend might be able to change the passwords to your email and social media accounts in case you are coerced into giving up your passwords to the authorities.

    Please note that deliberately concealing or destroying evidence may be considered an illegal act in itself in some jurisdictions (including many social democracies).

    Be sure you and your friend understand the law and the risks before engaging in this plan. For instance, if you are protesting in a country with a strong tradition of the rule of law and where protesting in itself is not a crime, it may be that conspiring to lock out law enforcement from your accounts may lead to you breaking the law when previously you would be able to leave without charge. On the other hand, if you are concerned for the physical safety of you and your colleagues at the hands of a unchecked militia, protecting your friends’ identities and your own data from them may be a greater priority than complying with an investigation.

    You’re at the Protest—Now What? Anchor link

    Once you are at the protest, keep in mind that law enforcement may be monitoring communications in the area. You may wish to encrypt your chats using ChatSecure, or your text and phone conversations using Signal.

    Please remember that even if your communications are encrypted, your metadata is not; your mobile phone will still give away your location and the metadata about your communications, such as whom you are talking to and for how long.

    If you want to keep your identity and location secret, make sure to strip all metadata off of your photos before you post them.

    In other circumstances, metadata can be useful for demonstrating the credibility of evidence collected at a protest. The Guardian Project makes a tool called InformaCam that allows you to store metadata along with including information about the user’s current GPS coordinates, altitude, compass bearing, light meter readings, the signatures of neighboring devices, cell towers, and WiFi networks; and serves to shed light on the exact circumstances and contexts under which the digital image was taken.

    Last reviewed: 
    2015-11-19
  • How to: Circumvent Online Censorship

    This is a short overview to circumventing online censorship, but is by no means comprehensive.

    Governments, companies, schools, and Internet providers sometimes use software to prevent their users from accessing certain websites and services. This is called Internet filtering or blocking, and it is a form of censorship. Filtering comes in different forms. Censors can block individual web pages, or even entire websites. Sometimes, content is blocked based on the keywords it contains.

    There are different ways of beating Internet censorship. Some protect you from surveillance, but many do not. When someone who controls your net connection filters or blocks a site, you can almost always use a circumvention tool to get to the information you need. Note: Circumvention tools that promise privacy or security are not always private or secure. And tools that use terms like “anonymizer” do not always keeps your identity completely secret.

    The circumvention tool that is best for you depends on your threat model. If you’re not sure what your threat model is, start here.

    In this article, we'll talk about four ways to circumvent censorship:

    • Visiting a web proxy to access a blocked website.
    • Visiting an encrypted web proxy to access a blocked website.
    • Using a Virtual Private Network (VPN) to access blocked websites or services.
    • Using the Tor Browser to access a blocked website or protect your identity.

    Basic techniques Anchor link

    Circumvention tools usually work by diverting your web traffic so it avoids the machines that do the blocking or filtering. A service that redirects your Internet connection past these blocks is sometimes called a proxy.

    HTTPS is the secure version of the HTTP protocol you use to access websites. Sometimes a censor will only block the insecure (HTTP) version of a site. That means you can access the blocked site simply by entering the version of the web address that starts with HTTPS.

    This is useful if the censorship you are fighting blocks individual web pages based on their contents. HTTPS stops censors from reading your web traffic, so they cannot tell what keywords are being sent, or which individual web page you are visiting.

    Censors can still see the domain names of all websites you visit. So, for example, if you visit “eff.org/https-everywhere” censors can see that you are on “eff.org” but not that you are on the “https-everywhere” page.

    If you suspect this type of simple blocking, try entering https:// before the domain in place of http:

    Try installing EFF’s HTTPS Everywhere extension to automatically turn on HTTPS where possible.

    Another way that you may be able to circumvent basic censorship techniques is by trying an alternate domain name or URL. For example, instead of visiting http://twitter.com, you might try the mobile version of the site at http://m.twitter.com. Censors that block websites or web pages work from a blacklist of banned websites, so anything that is not on that blacklist will get through. They might not know of all different versions of a particular website's name—especially if the administrators of the site know it is blocked and register more than one domain.

    Web-based proxies Anchor link

    A web-based proxy (such as http://proxy.org/) is a website that lets its users access other blocked or censored websites. It is therefore a good way to circumvent censorship. In order to use a web-based proxy, visit the proxy and enter the web address that you want to see; the proxy will then display the web page you asked for.

    However, web-based proxies don’t provide any security and will be a poor choice if your threat model includes someone monitoring your internet connection. They will not help you to use blocked services such as your instant messaging apps. The web-based proxy will have a complete record of everything you do online, which can be a privacy risk for some users depending on their threat model.

    Encrypted proxies Anchor link

    Numerous proxy tools utilize encryption to provide an additional layer of security on top of the ability to bypass filtering. The connection is encrypted so others cannot see what you are visiting. While encrypted proxies are generally more secure than plain web-based proxies, the tool provider may have information about you. They might have your name and email address in their records, for instance. That means that these tools do not provide full anonymity.

    The simplest form of an encrypted web proxy is one that starts with “https”— this will use the encryption usually provided by secure websites. However, be cautious—the owners of these proxies can see the data you send to and from other secure websites. Ultrasurf and Psiphon are examples of these tools.

    Virtual Private Networks Anchor link

    A Virtual Private Network (VPN) encrypts and sends all Internet data from your computer through another computer. This computer could belong to a commercial or nonprofit VPN service, your company, or a trusted contact. Once a VPN service is correctly configured, you can use it to access webpages, e-mail, instant messaging, VoIP, and any other Internet service. A VPN protects your traffic from being spied on locally, but your VPN provider can still keep logs of the websites you access, or even let a third party snoop directly on your web browsing. Depending on your threat model, the possibility of a government listening in on your VPN connection or getting hold of VPN logs may be a significant risk. For some users, this could outweigh the short-term benefits of using a VPN.

    For information about specific VPN services, click here.

    We at EFF cannot vouch for this rating of VPNs. Some VPNs with exemplary privacy policies could be run by devious people. Do not use a VPN that you do not trust.

    Tor Anchor link

    Tor is open-source software designed to give you anonymity on the web. Tor Browser is a web browser built on top of the Tor anonymity network. Because of how Tor routes your web browsing traffic, it also allows you to circumvent censorship. (See our How to: Use Tor guides for Linux, macOS and Windows).

    When you first start the Tor Browser, you can choose an option specifying that you are on a network that is censored:

    Tor will not only bypass almost all national censorship, but, if properly configured, can also protect your identity from an adversary listening in on your country’s networks. It can, however, be slow and difficult to use.

    To learn how to use Tor on a desktop machine, click here for Linux, here for macOS, or here for Windows, but please be sure to tap “Configure” instead of “Connect” in the window displayed above.

     

    Last reviewed: 
    2017-08-10
  • Choosing the VPN That's Right for You

    What’s a VPN? VPN stands for “Virtual Private Network.” It enables a computer to send and receive data across shared or public networks as if it is directly connected to the private network—benefiting from the functionality, security, and management policies of the private network.

    What is a VPN Good For? Anchor link

    You can use a VPN to connect to the corporate intranet at your office while you’re traveling abroad, while you are at home, or any other time you are out of the office.

    You can also use a commercial VPN to encrypt your data as it travels over a public network, such as the Wi-Fi in an Internet café or a hotel.

    You can use a commercial VPN to circumvent Internet censorship on a network that blocks certain sites or services. For example, some Chinese users use commercial VPNs to access websites blocked by the Great Firewall.

    You can also connect to your home network by running your own VPN service, using open-source software such as OpenVPN.

    What Doesn’t a VPN Do? Anchor link

    A VPN protects your Internet traffic from surveillance on the public network, but it does not protect your data from people on the private network you’re using. If you are using a corporate VPN, then whoever runs the corporate network will see your traffic. If you are using a commercial VPN, whoever runs the service will be able to see your traffic.

    A disreputable VPN service might do this deliberately, to collect personal information or other valuable data.

    The manager of your corporate or commercial VPN may also be subject to pressure from governments or law enforcement to turn over information about the data you have sent over the network. You should review your VPN provider’s privacy policy for information about the circumstances under which your VPN provider may turn your data over to governments or law enforcement.

    You should also take note of the countries in which the VPN provider does business. The provider will be subject to the laws in those countries, which may include both legal requests for your information from that government, and other countries with whom it has a legal assistance treaty. In some cases, the laws will allow for requests without notice to you or an opportunity to contest the request.

    Most commercial VPNs will require you to pay using a credit card, which includes information about you that you may not want to disclose to your VPN provider. If you would like to keep your credit card number from your commercial VPN provider, you may wish to use a VPN provider that accepts Bitcoin, or use temporary or disposable credit card numbers. Also, please note that the VPN provider may still collect your IP address when you use their service, which can be used to identify you, even if you use an alternative payment method. If you would like to hide your IP address from your VPN provider, you may wish to use Tor when connecting to your VPN.

    For information about specific VPN services, click here.

    We at EFF cannot vouch for this rating of VPNs. Some VPNs with exemplary privacy policies could be run by devious people. Do not use a VPN that you do not trust.

    Last reviewed: 
    2016-06-09
  • Things to Consider When Crossing the US Border

    Planning on crossing the border into the United States anytime soon? Did you know that the government has the right to, without a warrant, search travelers at the border—including when they land at international airports—as part of its traditional power to control the flow of items into the country? (Note that although some of the same legal justifications exist for searches of those leaving the US and that such searches are possible, travelers are not routinely searched on their way out of the country.)

    For a more in depth treatment of this issue, check out EFF's guide, Defending Privacy at the US Border

    In the Meantime, Here are Some Things to Keep in Mind When Crossing the US Border: Anchor link

    • Have you backed up your devices? This may help in case one or more of your devices is seized. You can use an online backup service or an external hard drive, though we don't recommend carrying both your laptop and your backup hard drive at the same time.

    • Do you need to be carrying so much data? We suggest minimizing the amount of data you are carrying over the border. Consider traveling with a "clean" laptop, and note that simply dragging files to your trash doesn't delete them completely. Make sure you securely delete your files.

    • Are your devices encrypted? We recommend full-disk encryption on your devices (laptops, mobile phones, etc.) and choosing secure passphrases. If a border agent asks for your passphrase, you do not have to comply. Only a judge can force you to reveal such information. However, refusal to comply could bear consequences: for noncitizens, you may be refused entry into the country; for citizens, you may be detained until the border patrol decides what to do, which may include seizing your computer, phone, camera, USB sticks, etc.

    • When you enter a new country, consider purchasing a temporary phone and transferring your SIM card over or getting a new number. This phone will carry far less data than your normal phone.

    • When dealing with border guards, remember these three things: Be courteous, do not lie, and do not physically interfere with the agent’s search.

    Last reviewed: 
    2014-10-18
  • How to: Delete Your Data Securely on Mac OS X

    Most of us think that a file on our computer is deleted once we put the file in our computer's trash folder and empty the trash; in reality, deleting the file does not completely erase it. When one does this, the computer just makes the file invisible to the user and marks the part of the disk that the file was stored on as "available”—meaning that your operating system can now write over the file with new data. Therefore, it may be weeks, months, or even years before that file is overwritten with a new one. Until this happens, that “deleted” file is still on your disk; it’s just invisible to normal operations. And with a little work and the right tools (such as “undelete” software or forensic methods), you can even still retrieve the “deleted” file. The bottom line is that computers normally don't "delete" files; they just allow the space those files take up to be overwritten by something else some time in the future.

    The best way to delete a file forever, then, is to make sure it gets overwritten immediately, in a way that makes it difficult to retrieve what used to be written there. Your operating system probably already has software that can do this for you—software that can overwrite all of the "empty" space on your disk with gibberish and thereby protect the confidentiality of deleted data.

    Note that securely deleting data from solid state drives (SSDs), USB flash drives, and SD cards is very hard! The instructions below apply only to traditional disk drives, and not to SSDs, which are becoming standard in modern laptops, USB keys/USB thumb drives, or SD cards/flash memory cards.

    This is because these types or drives use a technique called wear leveling. (You can read more about why this causes problems for secure deletion here.)

    If you’re using an SSD or a USB flash drive, you can jump to the section below.

    Secure Deletion on Mac OS X Anchor link

    On OS X 10.4 to 10.10, you can securely delete files by moving them to the Trash and then selecting Finder > Secure Empty Trash.

    The Secure Empty Trash feature was removed in OS X 10.11, because Apple felt that it could not guarantee secure deletion on the fast flash (SSD) drives that most of its modern models now use.

    If you use a traditional hard drive, and are comfortable with the command line, you can still use the Mac's srm command to overwrite the file. Fuller instructions (in English) are available here.

    A Warning About the Limitations of Secure Deletion Tools Anchor link

    First, remember that the advice above only deletes files on the disk of the computer you’re using. None of the tools above will delete backups that were made to somewhere else on your computer, another disk or USB drive, a “Time Machine,” on an email server, or in the cloud. In order to securely delete a file, you must delete every copy of that file, everywhere it was stored or sent. Additionally, once a file is stored in the cloud (e.g. via Dropbox or some other file-sharing service) then there’s usually no way to guarantee that it will be deleted forever.

    Unfortunately, there’s also another limitation to secure deletion tools. Even if you follow the advice above and you’ve deleted all copies of a file, there is a chance that certain traces of deleted files may persist on your computer, not because the files themselves haven't been properly deleted, but because some part of the operating system or some other program keeps a deliberate record of them.

    There are many ways in which this could occur, but two examples should suffice to convey the possibility. On Windows or Mac OS, a copy of Microsoft Office may retain a reference to the name of a file in the "Recent Documents" menu, even if the file has been deleted (Office might sometimes even keep temporary files containing the contents of the file). On a Linux or other *nix system, OpenOffice may keep as many records as Microsoft Office, and a user's shell history file may contain commands that include the file's name, even though the file has been securely deleted. In practice, there may be dozens of programs that behave like this.

    It's hard to know how to respond to this problem. It is safe to assume that even if a file has been securely deleted, its name will probably continue to exist for some time on your computer. Overwriting the entire disk is the only way to be 100% sure the name is gone. Some of you may be wondering, "Could I search the raw data on the disk to see if there are any copies of the data anywhere?" The answer is yes and no. Searching the disk (e.g. by using a command like grep -ab /dev/ on Linux) will tell you if the data is present in plaintext, but it won't tell you if some program has compressed or otherwise coded references to it. Also be careful that the search itself does not leave a record! The probability that the file's contents may persist is lower, but not impossible. Overwriting the entire disk and installing a fresh operating system is the only way to be 100% certain that records of a file have been erased.

    Secure Deletion When Discarding Old Hardware Anchor link

    If you want to finally throw a piece of hardware away or sell it on eBay, you'll want to make sure no one can retrieve your data from it. Studies have repeatedly found that computer owners usually fail to do this―hard drives are often resold chock-full of highly sensitive information. So, before selling or recycling a computer, be sure to overwrite its storage media with gibberish first. And even if you're not getting rid of it right away, if you have a computer that has reached the end of its life and is no longer in use, it's also safer to wipe the hard drive before stashing the machine in a corner or a closet. Darik's Boot and Nuke is a tool designed for this purpose, and there are a variety of tutorials on how to use it across the web (including here).

    Some full-disk encryption software has the ability to destroy the master key, rendering a hard drive's encrypted contents permanently incomprehensible. Since the key is a tiny amount of data and can be destroyed almost instantaneously, this represents a much faster alternative to overwriting with software like Darik's Boot and Nuke, which can be quite time-consuming for larger drives. However, this option is only feasible if the hard drive was always encrypted. If you weren't using full-disk encryption ahead of time, you'll need to overwrite the whole drive before getting rid of it.

    Discarding CD-ROMS Anchor link

    When it comes to CD-ROMs, you should do the same thing you do with paper―shred them. There are inexpensive shredders that will chew up CD-ROMs. Never just toss a CD-ROM out in the garbage unless you're absolutely sure there's nothing sensitive on it.

    Secure Deletion on Solid-state Disks (SSDs), USB Flash Drives, and SD Cards Anchor link

    Unfortunately due to the way SSDs, USB flash drives, and SD cards work, it is difficult, if not impossible, to securely delete both individual files and free space. As a result your best bet in terms of protection is to use encryption—that way, even if the file is still on the disk, it will at least look like gibberish to anyone who gets ahold of it and can’t force you to decrypt it. At this point in time, we cannot provide a good general procedure that will definitely remove your data from an SSD. If you want to know why it’s so hard to delete data, read on.

    As we mentioned above, SSDs and USB flash drives use a technique called wear leveling. At a high level, wear leveling works as follows. The space on every disk is divided into blocks, kind of like the pages in a book. When a file is written to disk, it’s assigned to a certain block or set of blocks (pages). If you wanted to overwrite the file then all you would have to do is tell the disk to overwrite those blocks. But in SSDs and USB drives, erasing and re-writing the same block can wear it out. Each block can only be erased and rewritten a limited number of times before that block just won’t work anymore (the same way if you keep writing and erasing with a pencil and paper, eventually the paper might rip and be useless). To counteract this, SSDs and USB drives will try to make sure that the amount of times each block has been erased and rewritten is about the same, so that the drive will last as long as possible (thus the term wear leveling). As a side effect, sometimes instead of erasing and writing the block a file was originally stored on, the drive will instead leave that block alone, mark it as invalid, and just write the modified file to a different block. This is kind of like leaving the page in the book unchanged, writing the modified file on a different page, and then just updating the book’s table of contents to point to the new page. All of this occurs at a very low level in the electronics of the disk, so the operating system doesn’t even realize it’s happened. This means, however, that even if you try to overwrite a file, there’s no guarantee the drive will actually overwrite it—and that’s why secure deletion with SSDs is so much harder.

    Last reviewed: 
    2016-09-08
  • How to: Delete Your Data Securely on Windows

    Most of us think that a file on our computer is deleted once we put the file in our computer's trash folder and empty the trash; in reality, deleting the file does not completely erase it. When one does this, the computer just makes the file invisible to the user and marks the part of the disk that the file was stored on as "available”—meaning that your operating system can now write over the file with new data. Therefore, it may be weeks, months, or even years before that file is overwritten with a new one. Until this happens, that “deleted” file is still on your disk; it’s just invisible to normal operations. And with a little work and the right tools (such as “undelete” software or forensic methods), you can even still retrieve the “deleted” file. The bottom line is that computers normally don't "delete" files; they just allow the space those files take up to be overwritten by something else some time in the future.

    The best way to delete a file forever, then, is to make sure it gets overwritten immediately, in a way that makes it difficult to retrieve what used to be written there. Your operating system probably already has software that can do this for you—software that can overwrite all of the "empty" space on your disk with gibberish and thereby protect the confidentiality of deleted data.

    Note that securely deleting data from solid state drives (SSDs), USB flash drives, and SD cards is very hard! The instructions below apply only to traditional disk drives, and not to SSDs, which are becoming standard in modern laptops, USB keys/USB thumb drives, or SD cards/flash memory cards.

    This is because these types or drives use a technique called wear leveling. (You can read more about why this causes problems for secure deletion here.)

    If you’re using an SSD or a USB flash drive, you can jump to the section below.

    On Windows, we currently suggest using BleachBit. BleachBit is a free/open source secure deletion tool for Windows and Linux, and is much more sophisticated than the built-in Cipher.exe.

    BleachBit can be used to quickly and easily target individual files for secure deletion, or to implement periodic secure deletion policies. It is also possible to write custom file deletion instructions. Please check the documentation for further information.

    Getting BleachBit Anchor link

    You can get BleachBig on Windows by downloading the installer from the BleachBit download page

    Click on the BleachBit installer .exe link. You'll be taken to the download page.

    Many browsers will ask you to confirm whether you want to download this file. Internet Explorer 11 shows a bar at the bottom of the browser window with an orange border.

    For any browser it is best to first save the file before proceeding, so click the “Save” button. By default, most browsers save downloaded files in the Downloads folder.

    Installing BleachBit Anchor link

    Keep the Windows Explorer window open and double-click on BleachBit-1.6-setup. You'll be asked if you want to allow the installation of this program. Click the “Yes” button.

    A window will open asking you to select an installation language. Select the language you want and click the OK button.

    The next window will show you the GNU General Public License. Check the box acceptance box and click the Next button.

    In the next window BleachBit shows some customization options. You may leave the options as they are. We recommend removing the check mark from the Desktop option. Click the Next button.

    Now BleachBit will ask you to confirm whether you want to install again. Click the Install button.

    Finally, the BleachBit installer shows a window telling you the installation is complete. Click the Next button.

    The last window in the installer asks whether you want to run BleachBit. Remove the checkmark from the Run BleachBit option. Click the Finish button.

    Using BleachBit Anchor link

    BleachBit interface

    Go to the Start menu, click the Windows icon, and select BleachBit from the menu.

    A small window will open and confirm you want to open BleachBit.

    The main BleachBit window will open. BleachBit will detect several commonly installed programs and show special options for each program. BleachBit comes with four default settings.

    Using Presets

    BleachBit can wipe the traces Internet Explorer leaves behind using the Internet Explorer preset (however BleachBit cannot wipe traces from any other browser). Check the box next to Internet Explorer. Notice how all the boxes belonging the Cookies, Form history, History, and Temporary files option are also checked. You can uncheck them as needed. Click the Clean button.

    BleachBit will now clean up certain files and show you the progress.

    Securely Delete a Folder

    Click the File menu and select Shred Folders.

    A small window will open up. Select the folder you want to shred.

    BleachBit will ask you to confirm whether you want to permanently delete the files you selected. Click the Delete button.

    BleachBit will now show you the files you deleted. Notice that BleachBit securely deletes each file in the folder, then securely deletes the folder.

    Securely Delete a File

    Click the File menu and select Shred Files.

    A file selection window will open up. Select the files you want to shred.

    BleachBit will ask you to confirm whether you want to permanently delete the files you selected. Click the Delete button.

    BleachBit has a number of other features. The most useful may be to “wipe free space.” This will attempt to remove any traces of files you have already deleted. Often Windows will leave all or part of the data from deleted files in the remaining free space left on the hard drive.  “Wipe free space” will overwrite these supposedly empty parts of the hard drive with random data. Wiping free space can take a lot of time, depending on how much spare capacity your drive has.

    A Warning About the Limitations of Secure Deletion Tools Anchor link

    First, remember that the advice above only deletes files on the disk of the computer you’re using. None of the tools above will delete backups that were made to somewhere else on your computer, another disk or USB drive, a “Time Machine,” on an email server, or in the cloud. In order to securely delete a file, you must delete every copy of that file, everywhere it was stored or sent. Additionally, once a file is stored in the cloud (e.g. via Dropbox or some other file-sharing service) then there’s usually no way to guarantee that it will be deleted forever.

    Unfortunately, there’s also another limitation to secure deletion tools. Even if you follow the advice above and you’ve deleted all copies of a file, there is a chance that certain traces of deleted files may persist on your computer, not because the files themselves haven't been properly deleted, but because some part of the operating system or some other program keeps a deliberate record of them.

    There are many ways in which this could occur, but two examples should suffice to convey the possibility. On Windows or Mac OS, a copy of Microsoft Office may retain a reference to the name of a file in the "Recent Documents" menu, even if the file has been deleted (Office might sometimes even keep temporary files containing the contents of the file). On a Linux or other *nix system, OpenOffice may keep as many records as Microsoft Office, and a user's shell history file may contain commands that include the file's name, even though the file has been securely deleted. In practice, there may be dozens of programs that behave like this.

    It's hard to know how to respond to this problem. It is safe to assume that even if a file has been securely deleted, its name will probably continue to exist for some time on your computer. Overwriting the entire disk is the only way to be 100% sure the name is gone.

    Secure Deletion When Discarding Old Hardware Anchor link

    If you want to finally throw a piece of hardware away or sell it on eBay, you'll want to make sure no one can retrieve your data from it. Studies have repeatedly found that computer owners usually fail to do this―hard drives are often resold chock-full of highly sensitive information. So, before selling or recycling a computer, be sure to overwrite its storage media with gibberish first. And even if you're not getting rid of it right away, if you have a computer that has reached the end of its life and is no longer in use, it's also safer to wipe the hard drive before stashing the machine in a corner or a closet. Darik's Boot and Nuke is a tool designed for this purpose, and there are a variety of tutorials on how to use it across the web (including here).

    Some full-disk encryption software has the ability to destroy the master key, rendering a hard drive's encrypted contents permanently incomprehensible. Since the key is a tiny amount of data and can be destroyed almost instantaneously, this represents a much faster alternative to overwriting with software like Darik's Boot and Nuke, which can be quite time-consuming for larger drives. However, this option is only feasible if the hard drive was always encrypted. If you weren't using full-disk encryption ahead of time, you'll need to overwrite the whole drive before getting rid of it.

    Discarding CD-ROMS Anchor link

    When it comes to CD-ROMs, you should do the same thing you do with paper―shred them. There are inexpensive shredders that will chew up CD-ROMs. Never just toss a CD-ROM out in the garbage unless you're absolutely sure there's nothing sensitive on it.

    Secure Deletion on Solid-State Disks (SSDs), USB Flash Drives, and SD Cards Anchor link

    Unfortunately due to the way SSDs, USB flash drives, and SD cards work, it is difficult, if not impossible, to securely delete both individual files and free space. As a result your best bet in terms of protection is to use encryption—that way, even if the file is still on the disk, it will at least look like gibberish to anyone who gets ahold of it and can’t force you to decrypt it. At this point in time, we cannot provide a good general procedure that will definitely remove your data from an SSD. If you want to know why it’s so hard to delete data, read on.

    As we mentioned above, SSDs and USB flash drives use a technique called wear leveling. At a high level, wear leveling works as follows. The space on every disk is divided into blocks, kind of like the pages in a book. When a file is written to disk, it’s assigned to a certain block or set of blocks (pages). If you wanted to overwrite the file then all you would have to do is tell the disk to overwrite those blocks. But in SSDs and USB drives, erasing and re-writing the same block can wear it out. Each block can only be erased and rewritten a limited number of times before that block just won’t work anymore (the same way if you keep writing and erasing with a pencil and paper, eventually the paper might rip and be useless). To counteract this, SSDs and USB drives will try to make sure that the amount of times each block has been erased and rewritten is about the same, so that the drive will last as long as possible (thus the term wear leveling). As a side effect, sometimes instead of erasing and writing the block a file was originally stored on, the drive will instead leave that block alone, mark it as invalid, and just write the modified file to a different block. This is kind of like leaving the page in the book unchanged, writing the modified file on a different page, and then just updating the book’s table of contents to point to the new page. All of this occurs at a very low level in the electronics of the disk, so the operating system doesn’t even realize it’s happened. This means, however, that even if you try to overwrite a file, there’s no guarantee the drive will actually overwrite it—and that’s why secure deletion with SSDs is so much harder.

     

    Last reviewed: 
    2015-03-04
  • How to: Delete your Data Securely on Linux

    Most of us think that a file on our computer is deleted once we put the file in our computer's trash folder and empty the trash; in reality, deleting the file does not completely erase it. When one does this, the computer just makes the file invisible to the user and marks the part of the disk that the file was stored on as "available”—meaning that your operating system can now write over the file with new data. Therefore, it may be weeks, months, or even years before that file is overwritten with a new one. Until this happens, that “deleted” file is still on your disk; it’s just invisible to normal operations. And with a little work and the right tools (such as “undelete” software or forensic methods), you can even still retrieve the “deleted” file. The bottom line is that computers normally don't "delete" files; they just allow the space those files take up to be overwritten by something else some time in the future.

    The best way to delete a file forever, then, is to make sure it gets overwritten immediately, in a way that makes it difficult to retrieve what used to be written there. Your operating system probably already has software that can do this for you—software that can overwrite all of the "empty" space on your disk with gibberish and thereby protect the confidentiality of deleted data.

    Note that securely deleting data from solid state drives (SSDs), USB flash drives, and SD cards is very hard! The instructions below apply only to traditional disk drives, and not to SSDs, which are becoming standard in modern laptops, USB keys/USB thumb drives, or SD cards/flash memory cards.

    This is because these types or drives use a technique called wear leveling. (You can read more about why this causes problems for secure deletion here.)

    If you’re using an SSD or a USB flash drive, you can jump to the section below.

    On Linux, we currently suggest using BleachBit. BleachBit is an open-source secure deletion tool for Windows and Linux, and is much more sophisticated than the built-in “shred.”

    BleachBit can be used to quickly and easily target individual files for secure deletion, or to implement periodic secure deletion policies. It is also possible to write custom file deletion instructions. Please check the documentation for further information.

    Installing BleachBit Anchor link

    Installing with the Ubuntu Software Center

    You can get BleachBit on Ubuntu Linux by using the Ubuntu Software Center. Click on the Application button in the upper left menu and use the search field.

    Type “software” in the search field and click the Ubuntu Software icon.

    You can browse through the Ubuntu Software Center to look for BleachBit but searching is faster. Use the search field.

    Enter “bleachbit” in the search field and press enter and BleachBit will display as a result.

    Click on BleachBit and click the Install button.

    The Ubuntu Software Center will ask for your password for permission. Enter your password and click the Authenticate button.

    The Ubuntu Software Center will install BleachBit and show you a small progress bar. When the installation is done you will see a Remove button.

    Installing From the Terminal Anchor link

    You can get BleachBit on Ubuntu Linux by using the Terminal. Click on the Application button in the upper left menu and use the search field. 

    Type “sudo apt-get install bleachbit” and press the Enter.

    You are asked to enter your password to verify that you want to install BleachBit. Enter your password and press Enter.

    Now you'll see the progress of the installation of BleachBit and when it is done you should be back at the command line where you started.

    Adding BleachBit to sidebar Anchor link

    Click on the Application button in the upper left menu and use the search field.

    Type “bleach” in the search field and two options will appear: BleachBit and BleachBit (as root). The BleachBit (as root) option should only be used if you know what you are doing and can cause irreparable harm if you use it to delete files needed by the operating system.

    Right-click on BleachBit and select “Add to Favorites.”

    Using BleachBit Anchor link

    Click on the Application button in the upper left menu and click on BleachBit from the favorites.

    The main BleachBit window will open.

    First BleachBit gives us an overview of the preferences. We recommend checking the “Overwrite files to hide contents” option.

    Click the Close button.

    BleachBit will detect several commonly installed programs and will show special option for each program. BleachBit comes with four default settings.

    Using Presets

    Some software leaves behind records of when and how it was used. Two important examples that merely begin to illustrate this widespread issue are Recent Documents and web browser history. Software that tracks the recently-edited documents leaves a record of the names of files you've been working with, even if those files themselves have been deleted. And web browsers usually keep detailed records of what sites you've visited recently, and even keep cached copies of pages and images from those sites to make them load faster next time you visit.

    Bleachbit provides "presets" that can remove some of these records for you, based on the Bleachbit authors' research about locations of records on your computer that tend to reveal your previous activity. We'll describe using just two of these presets so you can get an idea of how they work.

    Check the box next to System. Notice that this marks all the checkboxes under the System category. Uncheck the System box and check the following boxes: Recent document list and Trash. Click the Clean button.

    BleachBit will now ask you for confirmation. Click the Delete button.

    BleachBit will now clean up certain files and show you the progress.

    Securely Delete a Folder

    Click the File menu and select Shred Folders.

    A small window will open up. Select the folder you want to shred.

    BleachBit will ask you to confirm whether you want to permanently delete the files you selected. Click the Delete button.

    BleachBit will now show you the files you deleted. Notice that BleachBit securely deletes each file in the folder, then securely deletes the folder.

    Securely Delete a File

    Click the File menu and select Shred Files.

    A file selection window will open up. Select the files you want to shred.

    BleachBit will ask you to confirm whether you want to permanently delete the files you selected. Click the Delete button.

    A Warning About the Limitations of Secure Deletion Tools Anchor link

    First, remember that the advice above only deletes files on the disk of the computer you’re using. None of the tools above will delete backups that were made to somewhere else on your computer, another disk or USB drive, a “Time Machine,” on an email server, or in the cloud. In order to securely delete a file, you must delete every copy of that file, everywhere it was stored or sent. Additionally, once a file is stored in the cloud (e.g. via Dropbox or some other file-sharing service) then there’s usually no way to guarantee that it will be deleted forever.

    Unfortunately, there’s also another limitation to secure deletion tools. Even if you follow the advice above and you’ve deleted all copies of a file, there is a chance that certain traces of deleted files may persist on your computer, not because the files themselves haven't been properly deleted, but because some part of the operating system or some other program keeps a deliberate record of them.

    There are many ways in which this could occur, but two examples should suffice to convey the possibility. On Windows or Mac OS, a copy of Microsoft Office may retain a reference to the name of a file in the "Recent Documents" menu, even if the file has been deleted (Office might sometimes even keep temporary files containing the contents of the file). On a Linux or other *nix system, OpenOffice may keep as many records as Microsoft Office, and a user's shell history file may contain commands that include the file's name, even though the file has been securely deleted. In practice, there may be dozens of programs that behave like this.

    It's hard to know how to respond to this problem. It is safe to assume that even if a file has been securely deleted, its name will probably continue to exist for some time on your computer. Overwriting the entire disk is the only way to be 100% sure the name is gone. Some of you may be wondering, "Could I search the raw data on the disk to see if there are any copies of the data anywhere?" The answer is yes and no. Searching the disk (e.g. by using a command like grep -ab /dev/ on Linux) will tell you if the data is present in plaintext, but it won't tell you if some program has compressed or otherwise coded references to it. Also be careful that the search itself does not leave a record! The probability that the file's contents may persist is lower, but not impossible. Overwriting the entire disk and installing a fresh operating system is the only way to be 100% certain that records of a file have been erased.

    Secure Deletion When Discarding Old Hardware Anchor link

    If you want to finally throw a piece of hardware away or sell it on eBay, you'll want to make sure no one can retrieve your data from it. Studies have repeatedly found that computer owners usually fail to do this―hard drives are often resold chock-full of highly sensitive information. So, before selling or recycling a computer, be sure to overwrite its storage media with gibberish first. And even if you're not getting rid of it right away, if you have a computer that has reached the end of its life and is no longer in use, it's also safer to wipe the hard drive before stashing the machine in a corner or a closet. Darik's Boot and Nuke is a tool designed for this purpose, and there are a variety of tutorials on how to use it across the web (including here).

    Some full-disk encryption software has the ability to destroy the master key, rendering a hard drive's encrypted contents permanently incomprehensible. Since the key is a tiny amount of data and can be destroyed almost instantaneously, this represents a much faster alternative to overwriting with software like Darik's Boot and Nuke, which can be quite time-consuming for larger drives. However, this option is only feasible if the hard drive was always encrypted. If you weren't using full-disk encryption ahead of time, you'll need to overwrite the whole drive before getting rid of it.

    Discarding CD-ROMS Anchor link

    When it comes to CD-ROMs, you should do the same thing you do with paper―shred them. There are inexpensive shredders that will chew up CD-ROMs. Never just toss a CD-ROM out in the garbage unless you're absolutely sure there's nothing sensitive on it.

    Secure Deletion on Solid-state Disks (SSDs), USB Flash Drives, and SD Cards Anchor link

    Unfortunately due to the way SSDs, USB flash drives, and SD cards work, it is difficult, if not impossible, to securely delete both individual files and free space. As a result your best bet in terms of protection is to use encryption—that way, even if the file is still on the disk, it will at least look like gibberish to anyone who gets ahold of it and can’t force you to decrypt it. At this point in time, we cannot provide a good general procedure that will definitely remove your data from an SSD. If you want to know why it’s so hard to delete data, read on.

    As we mentioned above, SSDs and USB flash drives use a technique called wear leveling. At a high level, wear leveling works as follows. The space on every disk is divided into blocks, kind of like the pages in a book. When a file is written to disk, it’s assigned to a certain block or set of blocks (pages). If you wanted to overwrite the file then all you would have to do is tell the disk to overwrite those blocks. But in SSDs and USB drives, erasing and re-writing the same block can wear it out. Each block can only be erased and rewritten a limited number of times before that block just won’t work anymore (the same way if you keep writing and erasing with a pencil and paper, eventually the paper might rip and be useless). To counteract this, SSDs and USB drives will try to make sure that the amount of times each block has been erased and rewritten is about the same, so that the drive will last as long as possible (thus the term wear leveling). As a side effect, sometimes instead of erasing and writing the block a file was originally stored on, the drive will instead leave that block alone, mark it as invalid, and just write the modified file to a different block. This is kind of like leaving the page in the book unchanged, writing the modified file on a different page, and then just updating the book’s table of contents to point to the new page. All of this occurs at a very low level in the electronics of the disk, so the operating system doesn’t even realize it’s happened. This means, however, that even if you try to overwrite a file, there’s no guarantee the drive will actually overwrite it—and that’s why secure deletion with SSDs is so much harder.

    Last reviewed: 
    2015-03-06