The Digital Security Resource Hub was prepared by Amnesty International’s Security Lab for human rights defenders, activists, journalists and other members of civil society. The hub will make it easier to identify accessible, high quality, updated and free advice and resources to support civil society with building and protecting their digital resilience.
Governments and non-state actors regularly use digital attacks to surveil, harass and intimidate human rights defenders (HRDs), activists, journalists, and other civil society members.
Forms of digital attacks can include:
- malware attacks, including mobile and computer spyware
- ransomware
- social engineering threats, including phishing attacks and impersonation
- threats against availability, including availability of the internet and denial-of-service attacks
- disinformation and misinformation
- online harassment, including tech-facilitated gender-based violence
- doxing and blackmail
- account takeover
- digital surveillance
It is not possible to stop all attacks, but it is possible to increase individuals’ and organisations’ digital resilience to protect data, accounts, devices, and infrastructure.
This resource hub provides recommendations to protect your devices and data against digital surveillance, along with additional resources to help you build your digital resilience.
Digital surveillance
Protecting devices and data
All users
If you are at risk of digital surveillance, you can enable and use specific tools and features on your phones and accounts to enhance the protection of your devices and data.
Open Briefing has created the Holistic Security Protocol for Human Rights Defenders (the Defender’s Protocol) to help us enhance our individual and collective security, including our digital security.
Defender’s Protocol – Digital Security
- Consider the different types of information that you hold and seek to better understand both their value to your work and the harms to you and others that could result from an attacker accessing them. Put in place additional measures to protect those assets representing the greatest value or potential harms.
- If it has to be shared, communicate sensitive information with co-workers face-to-face or using communication tools that allow end-to-end encryption and disappearing messages.
- Ensure that any computer or mobile device that you use:
  - Cannot be physically accessed by unauthorised persons.
  - Requires a password or passcode to unlock.
  - Is running the latest available versions of the operating system and all installed apps/software.
  - Has full disk encryption enabled, if legal in your country.
  - Has antivirus software and a firewall installed, updated and configured correctly.
  - Is not rooted or jailbroken and does not have any pirated software installed on it.
  - Is shut down and powered off as frequently as possible, rather than just put into sleep or hibernate state.
- Ensure that any online service that you use:
  - Requires a complex, unique password to access.
  - Has two-factor authentication (2FA/2SV) enabled, if available.
- Use a privacy-focused VPN if accessing the internet through a public or untrusted network.
- Securely delete sensitive information in all its forms and variations as soon as it is no longer needed, and ensure that it is not recoverable.
High-risk users
Specific users might be at heightened risk of digital surveillance due to their profile or activity. Protective tools and features for high-risk users can be found on iPhones, Android devices and online services.
Please note this list is not intended as a replacement for formal information and digital security risk assessment and training.
iPhone
Frequently check the App Privacy Report
The App Privacy Report shows which apps have recently accessed sensitive data and sensors (location, camera, microphone, contacts, photos) and which domains they have contacted. Review it regularly, and disable or remove apps that you no longer use or that access more than their function requires. Surveillance companies buy location data from advertising companies to enable targeted surveillance, so every app with unneeded location access is a potential source.
Settings > Privacy & Security > App Privacy Report
Enable Lockdown Mode
Lockdown Mode is an enhanced protection feature available on iOS 16 and later, introduced by Apple following the 2021 Pegasus Project revelations (Amnesty International’s Security Lab was a technical partner in this investigation). It reduces the attack surface that exploit chains rely on: most message attachment types and link previews are blocked, some web technologies are restricted, incoming FaceTime calls from unknown contacts are blocked, and wired connections are refused while the device is locked. It should be enabled on iPhones and other Apple devices belonging to at-risk users; the loss of some convenience is the intended trade-off.
Settings > Privacy & Security > Lockdown Mode (at bottom) > Enable
Turn off Location Services and delete Significant Locations
Location Services allows apps and websites to use information from GPS, Wi-Fi, cellular and Bluetooth networks to determine your approximate or precise location. If you are a high-risk user, you can turn off Location Services entirely on your devices and delete your Significant Locations history (the places the device has recorded you visiting most often).
Location Services: Settings > Privacy & Security > Location Services > toggle Location Services off
Significant Locations: Settings > Privacy & Security > Location Services > System Services > Significant Locations > Clear History
Activate Stolen Device Protection
Stolen Device Protection adds a layer of security when your iPhone is away from familiar locations such as home or work. It helps protect your accounts and personal information if your iPhone is stolen together with its passcode: critical operations (viewing saved passwords, turning off Find My, changing the Apple ID password or the device passcode) then require Face ID or Touch ID, and some of them additionally impose a one-hour delay before they can be completed.
Settings > Face ID & Passcode > Stolen Device Protection*
*To use Stolen Device Protection, you must use 2FA for your Apple ID, set up a device passcode and Face ID or Touch ID, enable Significant Locations, and turn on Find My.
Android
Disable installing apps from unknown sources
Most Android spyware is deployed by malicious apps installed from outside the Play Store (sideloaded from a link, an attachment or a third-party store). Blocking this prevents such apps from being installed at all. On older Android versions this is a single system-wide switch; on Android 8 and later it is a per-app permission, so make sure no browser, messaging or file-manager app is allowed to install unknown apps.
Older versions: Android Settings > Security > Untick the option “Unknown sources”
Android 8 and later: Android Settings > Apps > Special app access > Install unknown apps > set every app to “Not allowed”
Enable Enhanced Safe Browsing
Google Chrome offers an optional Enhanced Safe Browsing feature that checks the sites you visit and the files you download against Google’s threat data in real time, to detect phishing, malware and advanced targeted attacks. This sends additional information about your browsing activity to Google, but it can help protect your device from new threats that the standard protection’s locally cached list does not yet cover.
Chrome > More (⋮) > Settings > Privacy and security > Safe Browsing > “Enhanced protection”
Turn on Always use secure connections
Some advanced attacks are delivered by an attacker on the network path (for example at the mobile operator or on a hostile Wi-Fi network) who silently redirects or tampers with an unencrypted (HTTP) web page that you open. The risk can be reduced by enabling the Always use secure connections option in Chrome, which upgrades sites to HTTPS and warns you before loading a page that is only available over HTTP.
Chrome > More (⋮) > Settings > Privacy and security > Security > “Always use secure connections”
Run a Safety Check on your Android device
Google Chrome on Android offers a Safety Check feature that confirms whether your browser and accounts are safe from common threats: it flags saved passwords that appear in known data breaches, reports your Safe Browsing status and tells you if a Chrome update is available.
Chrome > More (⋮) > Settings > Safety check > “Check now”
Online services
Enable two-factor authentication (2FA) on online accounts
Enable two-factor authentication (2FA) on all online accounts and services that allow it (see 2fa.directory). It is more secure to use a 2FA app (such as Microsoft Authenticator, Aegis or Authy) or a physical security key (e.g. a YubiKey) rather than SMS, which can be intercepted or redirected through a SIM swap. A physical security key (FIDO2/WebAuthn) is the only option that also resists phishing: a code from an app or an SMS can still be typed into a convincing fake login page, while a security key will only answer the genuine site.
Make sure to frequently review the recovery email addresses and phone numbers on your accounts, as an attacker who controls one of them can use it to reset your password and bypass your other protections.
Review privacy settings on social media accounts
Social media profiles and networks can be leveraged to conduct malicious activities, such as virtual and physical surveillance, doxing, information gathering, hacking and smearing. Minimise any personal data shared on social media, keep your accounts private if possible, and disable visibility of accounts via search engines.
Enable two-factor authentication (2FA) on messaging apps and use disappearing messages
Messaging apps such as WhatsApp and Signal are key to our communications. Both offer end-to-end encryption, and both offer a feature (Two-step verification in WhatsApp, Registration Lock in Signal) that requires a PIN to register your phone number on a new device. This prevents an attacker who obtains your SIM card, or who intercepts the SMS verification code sent to your number, from re-registering your account, hijacking it and impersonating you.
Some apps offer disappearing messages as an optional feature for more privacy. This feature ensures your message is deleted from both sides of the conversation after a specified period unless it is explicitly kept; it does not stop the other party from taking a screenshot, so it limits what can be recovered from a seized device rather than what a contact can retain.
Use a Password Manager
Password reuse is the easiest way for an attacker to compromise an organisational or individual account. Billions of email and password combinations are included in public leaks, and your favourite password is likely public already (see Have I Been Pwned?). Use a password manager, which creates and stores a unique, random password for each account: KeePassXC, 1Password or Bitwarden are all relevant options.
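As an added illustration of the Have I Been Pwned check mentioned above (this is example code written for this page, not code from the Security Lab or from Have I Been Pwned), the following Python script shows how the Pwned Passwords lookup can be done without ever sending the password, or even its full hash, to the service: only the first five characters of the SHA-1 hash are sent, the service returns every suffix it knows for that prefix, and the match is made locally. The sample range response embedded in the script is constructed so that the script runs offline; only the suffix for the word "password" is real, the other suffixes, the counts and the padding line are made up for the example. The `fetch_range_online` function shows the real request shape but is not called. The script also shows what a password manager does when it generates a password: it draws from the operating system’s cryptographic random number generator rather than from anything a human would choose.

```python
import hashlib
import secrets
import string
import urllib.request
from typing import Callable, Dict, Tuple

# Real endpoint of the Pwned Passwords range API (queried only by fetch_range_online).
RANGE_URL = "https://api.pwnedpasswords.com/range/"


def split_hash(password: str) -> Tuple[str, str]:
    """Return (prefix, suffix) of the upper-case hex SHA-1 of the password.

    Only the 5-character prefix ever leaves the machine (k-anonymity); the
    service answers with every suffix it knows for that prefix and the
    comparison happens locally, so the password itself is never disclosed.
    """
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range(body: str) -> Dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines into {suffix: count}.

    Entries with a count of 0 are padding that the service adds when the
    Add-Padding header is sent, so they are dropped.
    """
    seen: Dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line or ":" not in line:
            continue
        suffix, count = line.split(":", 1)
        n = int(count)
        if n > 0:
            seen[suffix.upper()] = n
    return seen


def pwned_count(password: str, fetch_range: Callable[[str], str]) -> int:
    """Number of times the password appears in known breaches (0 = not found)."""
    prefix, suffix = split_hash(password)
    return parse_range(fetch_range(prefix)).get(suffix, 0)


def fetch_range_online(prefix: str) -> str:
    """Real lookup; not called in this offline example.

    Add-Padding makes every response roughly the same size so that an
    observer of the encrypted traffic cannot infer the prefix from its length.
    """
    req = urllib.request.Request(
        RANGE_URL + prefix,
        headers={"Add-Padding": "true", "User-Agent": "hibp-range-example"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


# Constructed stand-in for the service so the example runs offline. Only the
# suffix for "password" is genuine (it is computed here); the count, the other
# suffixes and the padding entry are made up for this example.
_PASSWORD_PREFIX, _PASSWORD_SUFFIX = split_hash("password")
_SAMPLE_RANGE = "\r\n".join([
    "0018A45C4D1DEF81644B54AB7F969B88D65:1",
    _PASSWORD_SUFFIX + ":3861493",
    "00D4F6E8FA6EECAD2A3AA415EEC418D38EC:2",
    "00E7B2F1A9C2D3E4F5A6B7C8D9E0F1A2B3C:0",  # padding entry, ignored by parse_range
])


def fetch_range_offline(prefix: str) -> str:
    """Offline replacement for fetch_range_online, knowing only one prefix."""
    return _SAMPLE_RANGE if prefix == _PASSWORD_PREFIX else ""


def generate_password(length: int = 20) -> str:
    """What a password manager does: a unique random password from the OS CSPRNG."""
    alphabet = string.ascii_letters + string.digits + "!#$%&*+-=?@_"
    return "".join(secrets.choice(alphabet) for _ in range(length))


if __name__ == "__main__":
    for pw in ("password", generate_password()):
        n = pwned_count(pw, fetch_range_offline)
        verdict = f"seen {n} times in sample breach data" if n else "not in sample breach data"
        print(f"{pw!r}: {verdict}")
```

To run the check for real, pass `fetch_range_online` instead of `fetch_range_offline`; the request still contains only the five-character hash prefix. A count above zero means the password should be replaced everywhere it is used, not only on the account where it was noticed.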
Digital resilience and security
For other forms of digital attacks, the Security Lab has brought together relevant, free and accessible digital and information security resources. Resources include helplines and helpdesks, digital and information security guides and tools, as well as organisations providing digital risk assessments.
We have further lists of local resources for specific countries, please let us know if you would like to access them.
The Security Lab assumes no responsibility for the resources and organisations shared. This list is in ongoing improvement so please feel free to suggest additional resources, or let us know when resources are no longer available by contacting us.
Please be mindful when using any online tools and avoid sharing your personal and digital information online, such as your passwords.