The Digital Security Resource Hub was prepared by Amnesty International’s Security Lab for human rights defenders, activists, journalists and other members of civil society. This hub provides an overview of a variety of resources ranging from risk analysis support to helplines to tools that you can use to strengthen your digital and information security practices.
We recommend that you take time to review the hub’s offerings. The video below explains how to use the Resource Hub.
High-risk users
Specific users might be at heightened risk of digital surveillance due to their profile or activity. Protective tools and features for high-risk users can be found on iPhones, Android devices and online services.
Please note this list is not intended as a replacement for formal information and digital security risk assessment and training.
iPhone
Frequently check the App Privacy Report
The App Privacy Report feature shows apps that are collecting sensitive data. Disable or remove apps that you no longer use. Surveillance companies buy location data from advertising companies to enable targeted surveillance.
Settings > Privacy & Security > App Privacy Report
Enable Lockdown Mode
Lockdown Mode is an enhanced protection feature introduced by Apple following the 2021 Pegasus Project revelations (Amnesty International’s Security Lab was a technical partner in this investigation). It prevents many forms of advanced attacks and should be enabled on iPhones and Apple devices belonging to at-risk users.
Settings > Privacy & Security > Lockdown Mode (at bottom) > Enable
Turn off Location Services and delete Significant Locations
Location Services allows apps and websites to use information from various kinds of networks to determine your approximate or precise location. If you are a high-risk user, you can turn off Location Services on your devices and delete your significant locations.
Location Services: Settings > Privacy & Security > Location Services > Turn off location sharing
Significant Locations: Settings > Privacy & Security > Location Services > System Services > Significant Locations > Clear History
Activate Stolen Device Protection
Stolen Device Protection adds a layer of security when your iPhone is away from familiar locations, such as home or work. If your iPhone is ever stolen, it helps protect your accounts and personal information by preventing critical operations from being performed.
Settings > Face ID & Passcode > Stolen Device Protection*
*To use Stolen Device Protection, you must use 2FA for your Apple ID, set up a device passcode, Face ID or Touch ID, enable Significant Locations, and turn on Find My.
Android
Disable Install Apps from Unknown Sources
Most Android spyware is deployed by malicious apps installed outside the Play Store. Disabling this feature prevents external apps from being installed.
Android Settings > Security > Untick the option “Unknown sources”
Enable Enhanced Safe Browsing
Google Chrome offers an optional Enhanced Safe Browsing feature to scan links and browser history for phishing, malware and advanced targeted attacks. This sends additional information to Google about your internet browsing activity but can help protect your device from new threats.
Chrome > More Settings > Privacy & Security > Safe Browsing > “Enhanced protection”
Turn on Always use secure connections
Some advanced attacks can be triggered by browsing an unencrypted web page. The risk can be reduced by enabling the Always use secure connections option in Chrome.
Chrome > More Settings > Privacy & Security > Security > “Always use secure connections”
Run a Safety Check on your Android device
Google Chrome on Android offers a Safety Check feature to confirm if your browser and accounts are safe from common threats including known compromised passwords, your safe browsing status and if Chrome updates are available.
Chrome > More Settings > Safety Check > “Check now”
Online services
Enable two-factor authentication (2FA) on online accounts
Enable two-factor authentication (2FA) on all online accounts and services that allow it (see 2fa.directory). It is more secure to use a 2FA app (such as Microsoft Authenticator, Aegis, Authy) or a physical security key (e.g. YubiKey) rather than SMS.
Make sure to frequently review your recovery email addresses or phone numbers, as these could also be used maliciously.
Review privacy settings on social media accounts
Social media profiles and networks can be leveraged to conduct malicious activities, such as virtual and physical surveillance, doxing, information gathering, hacking and smearing. Minimise any personal data shared on social media, keep your accounts private if possible, and disable visibility of accounts via search engines.
Enable two-factor authentication (2FA) on messaging apps and use disappearing messages
Messaging apps such as WhatsApp and Signal are key to our communications. Both offer end-to-end encryption and a two-factor authentication (2FA) or Registration Lock feature to prevent an attacker with access to your messages from hijacking your accounts and impersonating you.
Some apps offer disappearing messages as an optional feature for more privacy. This feature ensures your message disappears after a specified period unless it is kept.
Use a Password Manager
Password reuse is the easiest way for an attacker to compromise an organisational or individual account. Billions of email and password combinations are included in public leaks and your favourite password is likely public already (see Have I Been Pwned?). Use a Password Manager, which creates a unique password for each account: KeePassXC, 1Password or Bitwarden are all relevant options.
The Security Lab assumes no responsibility for the resources and organisations shared. This list is continually being improved, so please feel free to suggest additional resources, or let us know when resources are no longer available by contacting us.
Please be mindful when using any online tools and avoid sharing your personal and digital information online, such as your passwords.