a digital security checklist


Threat modelling

Here are two great introductions to threat modelling: one by Ars Technica and one by the EFF.


It can be good practice to have several messengers or message groups installed for different use cases. For example, you could have an instance of Signal, with disappearing messages enabled and no backups being made, for secure communication, and an instance of WhatsApp where you share and keep happy memories and holiday photos, and are willing to do backups or cloud sync.

Passwords and authentication

When it comes to two factor authentication:

Physical/Bluetooth keys > Authenticator apps > Text message authentication > Nothing

Apps and updates

It is unfortunately not possible to always install the latest versions of mobile or desktop operating systems on older hardware. If software updates are no longer available for your device, it's time to upgrade.

Secure browsing

When it comes to web browsing, it is easy to hide in a crowd but almost impossible to be fully anonymous. If you are going to try the latter and use Tor, make sure you've spent time reading up about things like scripts, browser fingerprints, and the like. It's best to seek outside advice from a trusted security contact if you're working on something extremely sensitive.

Basic operational security

One of the most difficult aspects of operational security is that it can feel like we aren't trusting friends and colleagues within our organisation, for example by not giving them admin access to its Facebook page or not sharing all information with them. But don't forget that security breaches and phishing can happen to the very best of us. When you share information only with a limited group, you are not so much distrusting people as minimising the attack surface. Make sure that everyone in your organisation knows and understands this.