Secure Your Emails, Messages, Chats and File Transfer

Use email system set up by the organization

If you have no access and need to send email contains of sensitive information, some options you can consider doing are:

  • Please separate your email between personal and working email. Do not use your working email as your personal communication channels.
  • Use secure and reputable email providers that provide E2EE by default and other security- focused features. Some recommended ones are Protonmail or Tutanota. Note however that both the sender and the receiver must use the same provider for the email content to be encrypted. If the sender is using Protonmail or Tutanota but the receiver is using unencrypted Gmail, then the message will not be encrypted. Protonmail has the option to password-protect and encrypt emails for non-protonmail users.
  • You can add E2EE to your email by using GPG/PGP tools such as Flowcrypt or Mailvelope for web-based emails such as Gmail, Yahoo.

Use end-to-end encrypted chat apps to protect the content of your messages.

Turn on disappearing messages to reduce your data trails, and periodically check your chats – leave groups that are no longer relevant:

  • Use open-source E2EE apps such as Signal.
  • For WhatsApp and Signal, make sure you turn on the PIN for two-step verification (see the steps for WhatsApp, and for Signal). This locks your account to your device and prevents account takeovers.
  • For video/audio calls:
    • Use the one that is set up by the organization and use multiple layers of protection such as private meetings and do not share the meeting link with uninvited parties.
    • Alternatively, you can use Signal for small group discussion.
    • Also, you can consider Jitsi and various community-run servers.
    • If you need to use Zoom, you can password protect your meetings and circulate it only among trusted users. Avoid using your Zoom personal ID and create a new room each time.
    • For added precaution, you can ask participants to use pseudonyms, and ensure they connect through VPN and through incognito browsers or Tor.

Social Media Credentials 

(THIS PART IS ALSO WRITTEN IN THE COMMUNICATIONS POLICY)

  • Avoid giving or sharing true personal information, such as phone number, date of birth, location, your mother’s maiden name, etc. as this information may be misused. It is also very easy to gather this information that can allow attackers to gain access to your account.
  • Do not mention names or tag people on social media without their consent and consider the risks if you’re uploading these media of them attending protests, as they may be used as evidence against them. Consider blurring their faces and any identifiable traits (e.g., tattoos).
  • If you rely on social media or YouTube to share and disseminate your videos, consider creating a different persona (or more) or pseudonymized accounts that are difficult to trace back to you. For example, create a different Gmail account to share your videos on YouTube, or a different Instagram or Facebook account. Try to open them from a secure connection (e.g., through Tor, VPN).