Secure messaging for activists and organizers – A practical guide

The right tools and practices help keep your messages, plans, and personal information safe from interception or intrusion. This guide will provide a practical overview of secure messaging for activists, including the risks faced, the tools available, and best practices to stay safe and protect your privacy.

Understanding the risks 

  • Surveillance – Your online activities, such as the websites you visit, the people you communicate with, and the content of your messages, may be monitored and collected by governments, companies, or other entities. This information can then be used to profile your activities, associations, and plans.
  • Intrusion – Adversaries may attempt to gain unauthorized access to your devices, accounts, or networks to steal sensitive information, disrupt your activities, or even compromise your entire organization.
  • Identification and tracking – Your digital footprint, including your device identifiers, IP address, or location data, can be used to identify and track your online and offline movements and activities.
  • Targeted attacks – In some cases, activists and organizers may face targeted cyberattacks, such as phishing attempts, malware infections, or social engineering tactics to compromise their devices, accounts, or sensitive information.
  • Data correlation – Adversaries may combine and analyze data from multiple sources, such as public records, social media, and surveillance data, to create detailed profiles and identify connections and patterns in your activities.

Choosing secure messaging tools 

  1. Open-source and auditable – Opt for open-source pastebin messaging apps, as this allows the security community to review and audit the code for any potential vulnerabilities or backdoors. Transparency builds trust and ensures the app is secure and private.
  2. Metadata protection – Metadata reveals who communicates with whom, when, and sometimes where. Choose a messaging app that minimizes metadata collection and storage. Some apps even allow you to use the app without providing personal information or phone numbers, enhancing your anonymity.
  3. Secure authentication – Strong authentication mechanisms, such as two-factor authentication (2FA), help ensure that only authorized users can access the messaging system, even if passwords are compromised.
  4. Ease of use and adoption – While security is the priority, the app should also be user-friendly and easy to adopt. If the app is simple enough, users may refrain from using it or making mistakes that compromise security.

Some recommended secure messaging apps that tick many boxes include Signal, Wire, and Session. These apps offer strong encryption, protect metadata, and balance security and usability well.

Implementing secure messaging practices 

Verify that the secure messaging app works as expected before sending sensitive information. Check that the encryption keys match and are verified between devices. Most secure messaging apps will display a security code or indicator you compare with your contacts to ensure a secure connection. A safe device is essential to protect your data, even if it falls into the wrong hands. Adversaries may trick you into revealing sensitive information or compromising your device. Be cautious of suspicious emails, links, or messages, and never disclose your passwords or security codes to anyone. Avoid providing any unnecessary personal information when setting up your secure messaging accounts. Use pseudonyms or aliases, and consider creating a separate email address that does not reveal your real name or organization.