Securing Your Digital Life Like a Normal Person

Martin Shelton
Dec 14, 2015

As part of my PhD research, I’ve been studying how at-risk groups manage their information security. I learn from, and work with, journalists and human rights organizations. In practice, they’re usually ordinary people with elevated security needs.

Whenever I talk about my research publicly, I often get a variant of the same question:

“What can I, Normal Person, do to improve my security?”

If you talk to most security specialists, they will take a step back and answer, “It depends, what are the threats to your data?” Specialists know how to break down and analyze potential risks and the capabilities of adversaries.

On more than one occasion, I’ve answered this question like a specialist, but I’m not convinced it was helpful for my audience of Normal People. Why? There aren’t always clear, looming threats. Instead, Normal People often have generalized concerns that call for generalized solutions. Let’s start with a vague outline of our Normal Person.

Our Normal Person is somewhat concerned with their online privacy and security. They know they should do something to improve their security posture, but they don’t want to invest a lot of time on it, and don’t have an exhaustive knowledge about how to do so. They use proprietary operating systems and hardware created by Microsoft, Apple, and Google. They may be using Mozilla’s Firefox, Google Chrome, Safari, Microsoft Internet Explorer, or Edge. They may run antivirus. They turn to friends and family for help with specific security issues.

Do you know anybody like this?

There are great resources for journalists and other users with specific security concerns. Instead, I want to outline a few steps that Normal People can take to improve their security posture. I want to highlight steps that require little investment — things you can do right now.

To get started: Be safer when browsing the Web

Use Google Chrome or Firefox to access browser extensions that can help improve your privacy when browsing the Web.

  • Disrupt online tracking. Advertisers automatically place files — called cookies — onto your browser to keep track of the pages you visit online. You can block tracking cookies with Privacy Badger for Google Chrome or Firefox.
  • When you connect to the Web, some sites you visit offer both unsecured (HTTP) and secured (HTTPS) versions of the page. Download HTTPS Everywhere on Google Chrome or Firefox to automatically connect to the secured versions of many websites.
  • Advertising is the business model of many parts of the Web, and yet ads can be used to deliver scams and malicious ads to users. Online advertising networks have had a hard time detecting which ads they serve are abusive. Block potentially malicious ads with uBlock Origin for Chrome or Firefox. You can also keep ads for sites you trust.
  • When you browse the web, your IP address broadcasts your rough location. When you are concerned about giving away your location, use a Virtual Private Network (VPN). A VPN encrypts and tunnels your Web traffic to a remote location. It can also be helpful for everyday use, especially if you want to access websites that are blocked in your country. Note that you are not invisible while using a VPN; your browser cookies may still identify your browsing sessions, even on a VPN. If you are concerned about being identified, consider closing your normal browser and only browsing from a secondary “clean” browser you don’t normally use when your VPN is enabled. Because your web traffic goes through the VPN provider, you really need to trust them, so choose wisely. Check out the Wirecutter guide to choosing a VPN for the newest recommendations.
  • Whether through our IP addresses, or through information broadcasted by our browsers, most of us are fairly identifiable online. (Learn how identifiable your browser is here.) Download Tor Browser to connect to the Web anonymously. If you use the Firefox browser, you may already feel comfortable using Tor, which is built on top of Firefox. Tor Browser encrypts your traffic and bounces your secured connection within the Tor network before connecting to the Web from a remote location. For example, if you connect to a website (e.g., duckduckgo.com) within Tor Browser, you may appear to connect from a different country. Connecting through Tor can be a little slower than a standard browser, but it’s helpful for sharing information anonymously, avoiding surveillance, or accessing censored webpages. It is important to note that network eavesdroppers can still tell that you’re using Tor — they just can’t tell what you’re doing within Tor. If you’re looking for real anonymity, avoid sharing personal information in websites you access through Tor Browser.
  • Occasionally scan for malware with Malwarebytes or similar tools.

Next: Encrypt it all

You can scramble your data so that no one, except for you and the people you wish to include, will be able to read it.

  • Encrypt your hard drive. If your device is ever lost or stolen, it’s easy for thieves to take data off your hard disk. Good news: If you have a new password-protected iPhone, your disk is already encrypted. Most modern Android phones (e.g., in the Pixel line) are encrypted by default, but you should double check in your phone’s Settings app. If you have an Android device, it’s pretty easy to encrypt your phone. For your laptop or desktop, you can encrypt your hard drive using your operating system’s native software: FileVault for Mac, or BitLocker on Windows.
  • If you’re concerned about the privacy of your phone conversations, download Signal for iOS or Android to exchange secure calls and messages with your friends. If you have friends who you text non-stop, have them try Signal as well. Research suggests that half of our texts go to our inner-circle — roughly 5 people. If you and one friend use Signal, it’s a huge improvement for your privacy and theirs. I wrote a guide introducing Signal for beginners, if you want help getting started.
  • If you already use WhatsApp, it now uses similar encryption to Signal, but needs a few changes to its settings to maximize the security benefits. Download WhatsApp for iOS or Android, and read about upgrading WhatsApp security.
  • If you use an Apple device, iMessage and FaceTime encrypt your conversations with other Apple users by default. If you’re using SMS to speak with users on other platforms, those messages are not protected.

More work, but important: Authenticating logins

Passwords are often the only thing standing between attackers and your information. It takes more work to manage your passwords than the previous steps, but it’s worthwhile.

  • Use a password manager. Everyone knows you reuse the same password for everything, because it’s easy to remember. We’re not usually great at remembering multiple passwords. A password manager like 1Password can help to randomize strong passwords and store them securely. Use this software to randomize and quickly fill out your unique passwords. I wrote a guide on getting started.
  • Passwords aren’t enough. To make it harder for someone to break into your accounts, many online services allow you to verify your identity when logging in by entering an extra piece of information beyond the password. This may be a text message with an authentication code, or a code generated using a mobile app. Use two-factor authentication everywhere, but especially for your primary email account. If someone gets your email, they can use it to log into everything else. Gmail users can enable two-factor authentication here. If you use Twitter, Facebook, Dropbox, or any number of other services, consider using two-factor for those services as well. I wrote a guide on getting started.

These tips only scratch the surface, but are some of the simplest and most effective approaches that we have for keeping your data, yours.

If you’re interested in learning more, check out the Electronic Frontier Foundation’s Surveillance Self-Defense guide.

Edit: I’ve made a couple of changes to the VPN section, per recommendations of security friends. Because Adblock Plus has opened a marketplace for selectively displaying ads, I have removed it from the recommendations here. I added a section about using Tor Browser, a link to a Signal, password manager, and 2FA resource. I’ve also added a few links on WhatsApp, and resources from the EFF.

Last updated August 8, 2021.

Martin Shelton

Writing about security for journalists, as well as beginners. Principal researcher at @freedomofpress. freedom.press/training