Digital Security for Direct Action Organizing | Digital Security Checklists for Activists

Last reviewed on January 10, 2025

Takes about 1 hour

When organizing an action, we have an opportunity to set norms around digital security and help educate comrades.

We also need a higher level of security ourselves because we know that the cops target movement organizers.

This checklist will help you get your digital security in order and prepare the action participants as well.

We originally created this site so action organizers could send the Prepare for a Protest checklist to participants and know it was both easy-to-follow and comprehensive.

Threats to consider:

Government surveillance of texts, calls, location, social network (example: COINTELPRO in the 1960s, Movement for Black Lives in recent years).
Trumped up legal charges, harassment, publicly discrediting you or your group, etc.
Government informants inside our groups
Big tech companies tracking your every move online. The government can get this data through a warrant or buy it from data mining companies.
Your phone getting spyware from a malicious link or your passcode being cracked

Baseline protections

everyone

This section is for anyone doing activism or advocacy work.

Complete our Security Essentials guide

Using up-to-date software, strong passwords, and choosing apps that protect your privacy are essential baseline steps to protecting the security of the people you’re organizing with.

How to

Do everything in the Security Essentials checklist (including the "enhanced security" section)

Complete our guide to secure your phone

As an organizer of an action, you’re much more likely to be the target of state surveillance, so it’s important to take more precautions.

How to

Do everything in the Prepare for a Protest checklist (including the "enhanced security" section)

Use Signal for secure texts/calls for action organizing

If you use unencrypted channels, your texts and calls can be spied on by corporations and law enforcement (with or without a warrant).

DO: Use signal for texts/calls

DO NOT: Use normal texts, calls, WhatsApp, Telegram

How to set up

Install Signal (iPhone, Android)
Make sure you’ve set a usernames (ex: @cloudy.52). Share this with people you want to connect with rather than your phone number.
Set default disappearing messages to 1 week for all new chats, especially for group chat that you’re an organizer for. Go to Signal > Settings > Privacy
- Change disappearing messages to be shorter the closer you get to the action start time. You might set it to 1 hour or 5 minutes on the day of the action.
Disable Signal notifications (so they aren’t visible when your phone is locked)

Even if you’re practicing great security hygiene, your conversational partner can put your messages at risk if they are not being careful. Encourage others to lock down Signal by following this checklist as well.

Configure Signal to be the most secure

How to

Complete all the steps in our Signal Checklist to make signal more secure and private.

Signal Security Checklist →

Use Proton Docs and Mail for activism instead of Google Docs and Gmail

Protect yourself and your community from government data demands that you don't know about.

DO: Use Proton Docs and Proton Mail

DO NOT: Use Google Docs and Gmail for activism communications

Tech companies (like Google) often receive government demands to turn over all the account data for an activist. This often includes a "gag order" which means the company can't tell the user until months or years later.

Encrypted cloud tools like Proton Mail, Drive, Docs, and Sheets ensure the company doesn't hold readable copies of your data to hand over. If the government wants it, they'd need to demand it from you—giving you notice and the opportunity to challenge it with legal support.

Limitations of encrypted email: Proton encrypts everything on their servers. But encryption only protects both ends if the recipient also uses encrypted email. If you email a Gmail user, Google has a copy they can hand over.

For sensitive communication, always use Signal with disappearing messages enabled.

How to set up and use Proton Docs and Proton Mail

Create a Proton account

Suggestion: Chose a random username and random display name. so you have the option of not revealing you share this email address.

Sign up for a free Proton account.
Verify: When asked to verify if you are a human, choose the “CAPTCHA” option rather than the “email” option, so you don't link your true identity.
When asked to set your phone number / email as a recovery method, choose Maybe later.

Use Proton Drive/Docs/Sheets

Create and edit documents collaborative much like Google Docs. Someone must have a Proton account to be shared directly.
Share securely: Only use "share by link" when necessary, set a document password, set the "public link" to have an expiration date.

Use Proton Mail

Use Proton Mail for: website accounts, newsletters, public-facing communications needing anonymity, and non-sensitive organizing work.
Don't use any email for: truly sensitive communications that might put someone at legal risk.
What gets encrypted vs not: Messages between Proton Mail users are automatically end-to-end encrypted. Messages to people using a different email provider will not be encrypted, but you can send a password-protected email.

CryptPad is another popular encrypted doc option, but it very difficult to use. If it has features you need, it accomplishes the same result.

Proton concerns: While there have been concerns about Proton's CEO, we still believe it is a worthwhile tool to use. Your risk tolerance may vary.

Use Tor Browser to browse the web anonymously for sensitive research

DO: Use Tor Browser for sensitive research and browsing

DO NOT: Use any other browser (Chrome, Safari, etc)

It is very easy for government agents and corporations to track your online activity when you’re using a normal browser.

Tor Browser encrypts your traffic, relays it through multiple computers, and goes to great lengths to prevent online tracking in order to help you remain relatively anonymous online.

How to set up Tor Browser

Install Tor Browser on your laptop.
See the full anonymous browsing guide here.

Use Signal for secure group video/audio calls

If you have a call through an app that isn’t end-to-end encrypted, it’s possible for it to be intercepted either by the app itself by or the government.

DO: Use Signal for secure group video/audio calls

DO NOT: Use Jitsi Meet. Avoid using Zoom when possible.

How to use Signal for group calls

Signal calls (audio or video) use the same powerful encryption technology that we trust in Signal messenger.

If you want to invite participants without an existing Signal group: Open Signal > Calls > Create a Call Link > Copy Link (or Join)
If you’re already in a group with the people you want to call: You can click the video camera icon 🎥 in the top right of any Signal group to start a group call.

Be careful what you say near a computer, even when your call is encrypted: While using end-to-end encrypted calls makes it much harder for your conversation to be surveilled, it is still possible that someone’s phone/computer has spyware that gives an attacker full access to what’s happening on the device. We suggest not saying critical information (like the location of a surprise action) over any digital channel or near any microphones.

Signal Call	Zoom
✅ Most secure ✅ Up to 50 participants ❌ No host controls	🟡 Just secure enough, but Signal is best ✅ Up to 100 Participants ✅ Has host controls (muting participants)

Is it okay to use Zoom? (Avoid when possible!)

Zoom does offer end-to-end encryption, but we’re hesitant to recommend it since it wasn’t built with privacy as the main focus. It’s hard to fully trust software from a big corporation like theirs.
If you do use Zoom, make sure to enable end-to-end encryption and suggest everyone sign out of their normal Zoom account before joining the meeting (so they are less trackable). We suggest being more cautious about what you say on Zoom.

Is it okay to use Jitsi Meet? (We don’t recommend it!)

Jitsi Meet has been a common choice among activists because it doesn’t require an account. (It might have been a good choice before Signal added group audio and video calling.)
Why we recommend avoiding Jitsi Meet: It’s not end-to-end encrypted by default, so it is easier to forget to turn it on (which makes your conversation vulnerable to an attacker). Our understanding of their end-to-end encryption option is that it was implemented quickly and it’s not clear to us that it was rigorous or is still being actively developed. Given that, we suggest avoiding it.

Establish digital security agreements with participants/members

As an organizer, you can help the group set good digital security practices

How to establish digital security agreements

Phone security: Create agreements around who is bringing phones and what level of security is needed given the risk of this action.
We suggest sending your participants a link to our protest checklist: Phones at Protests.
And if you know certain folks are more likely to be arrested, you can suggest they leave their phone at home, bring a secondary phone, or at least follow the “enhanced security” section of that guide as well.
Photo privacy: Create agreements around how photos are shared (or not) and how cautious you want to be about faces present in the photos.
General security: For anyone organizing with you regularly, we suggest they also follow the essentials checklist to help keep everyone around them safe: Security Essentials Checklist

Remove all members from unused/unvetted Signal groups after an action

Inactive groups are ripe sources of information for cops to harvest information about our movements.

If you have any unvetted Signal groups, it is best to operate as though there may be informants in the group. While these groups can important for rallying our comrades to an action, it, they are also provide information about

Important: Deleting the thread is not enough. That will just delete it from your device, but the thread will remain.

How to remove members

Go to the group thread (you must be an admin)
Write a message to the group explaining why you’re closing the group. (This is a good opportunity to help educate them on good Signal security hygiene.)
Click on the group avatar to open the group settings.
Scroll to the members list
Click on each member > click Remove from group. (Unfortunately, this must be done manually for each member!)
When you're done, delete the thread

If you need to send photos/videos of the action, use Signal (not email)

DO: Use Signal to send photos/videos

DO NOT: Use email, Google Photos, Google Drive, iCloud, etc.

Signal is the best option because it removes metadata (like location, phone model, and date/time). It also offers an editing tool to blur faces.

If the files are too big for Signal, we recommend Proton Drive.

Advanced users can also try out Onion Share for more anonymity.

Enhanced protections

medium-threat

This section is for you if you are in a leadership role or you are doing activism that is more likely be targetted by the state or your opposition.

Reduce your online footprint to protect against doxing

Action organizers and movement leaders are at higher risk of being targeted by doxing attacks. The political right in the US has gotten more proficient at doxing in recent years.

Doxing refers to the malicious publication of someone's private information like their home address, workplace, or contact details—typically to enable harassment or intimidation.

How to protect yourself against doxing attacks

Scrubbing your private information from the internet is a very involved project that you probably want to do over time. You can do some of the most important and obvious steps quickly right now

Lock down your privacy settings of each social media account to be only visible by friends. Facebook, Twitter, and Instagram are good places to start. LinkedIn is especially important to lock down because it provides your current workplace and location.
Remove your data from data brokers that compile and sell your personal information. You can use a paid service like Delete Me. Or do it yourself, which will take much more time (see page 25 of this guide). You can find a big-ass data broker opt-out list here
Consider using a PO Box instead of your street address for package delivery, when registering for accounts, or when making payments. If you're moving soon, this is an especially important time to consider switching, so your new address never gets online.
This is just a very basic start! For a very detailed guide, we recommend Equality Lab's Anti-Doxing Guide (page 25 is a good place to start).

Use VeraCrypt to create a secure folders on your computer

Important if you have very sensitive files

DO: Use VeraCrypt to create secure folders on your computer

How to use VeraCrypt

Install VeraCrypt
Follow their beginner guide to create a secure archive and move your sensitive files to it

Avoid using the Signal desktop app

For added security, don't use the signal desktop app as it creates an additional way for an attacker to get access to all your messages if they hack into your laptop.

Have Questions?

Let us know if you have questions or feedback so we can make these guides as useful as possible.