Trying to protect all your data from everyone all the time is impractical and exhausting. But, have no fear! Security is a process, and through thoughtful planning, you can put together a plan that’s right for you. Security isn’t just about the tools you use or the software you download. It begins with understanding the unique threats you face and how you can counter those threats.

In computer security, a threat is a potential event that could undermine your efforts to defend your data. You can counter the threats you face by determining what you need to protect and from whom you need to protect it. This is the process of security planning, often referred to as “threat modeling.”

This guide will teach you how to make a security plan for your digital information and how to determine what solutions are best for you.

What does a security plan look like? Let’s say you want to keep your house and possessions safe. Here are a few questions you might ask:

What do I have inside my home that is worth protecting?

• Assets could include: jewelry, electronics, financial documents, passports, or photos

Who do I want to protect it from?

• Adversaries could include: burglars, roommates, or guests

How likely is it that I will need to protect it?

• Does my neighborhood have a history of burglaries? How trustworthy are my roommates/guests? What are the capabilities of my adversaries? What are the risks I should consider?

How bad are the consequences if I fail?

• Do I have anything in my house that I cannot replace? Do I have the time or money to replace these things? Do I have insurance that covers goods stolen from my home?

How much trouble am I willing to go through to prevent these consequences?

• Am I willing to buy a safe for sensitive documents? Can I afford to buy a high-quality lock? Do I have time to open a security box at my local bank and keep my valuables there?

Once you have asked yourself these questions, you are in a position to assess what measures to take. If your possessions are valuable, but the probability of a break-in is low, then you may not want to invest too much money in a lock. But, if the probability of a break-in is high, you’ll want to get the best lock on the market, and consider adding a security system.

Making a security plan will help you to understand the threats that are unique to you and to evaluate your assets, your adversaries, and your adversaries’ capabilities, along with the likelihood of risks you face.

How do I make my own security plan? Where do I start?

Security planning helps you to identify what could happen to the things you value and determine from whom you need to protect them. When building a security plan answer these five questions:

1. What do I want to protect?
2. Who do I want to protect it from?
3. How bad are the consequences if I fail?
4. How likely is it that I will need to protect it?
5. How much trouble am I willing to go through to try to prevent potential consequences?

Let’s take a closer look at each of these questions.

What do I want to protect?

An “asset” is something you value and want to protect. In the context of digital security, an asset is usually some kind of information. For example, your emails, contact lists, instant messages, location, and files are all possible assets. Your devices may also be assets.

Make a list of your assets: data that you keep, where it’s kept, who has access to it, and what stops others from accessing it.

Who do I want to protect it from?

To answer this question, it’s important to identify who might want to target you or your information. A person or entity that poses a threat to your assets is an “adversary.” Examples of potential adversaries are your boss, your former partner, your business competition, your government, or a hacker on a public network.

Make a list of your adversaries, or those who might want to get ahold of your assets. Your list may include individuals, a government agency, or corporations.

Depending on who your adversaries are, under some circumstances this list might be something you want to destroy after you’re done security planning.

How bad are the consequences if I fail?

There are many ways that an adversary could gain access to your data. For example, an adversary can read your private communications as they pass through the network, or they can delete or corrupt your data.

The motives of adversaries differ widely, as do their tactics. A government trying to prevent the spread of a video showing police violence may be content to simply delete or reduce the availability of that video. In contrast, a political opponent may wish to gain access to secret content and publish that content without you knowing.

Security planning involves understanding how bad the consequences could be if an adversary successfully gains access to one of your assets. To determine this, you should consider the capability of your adversary. For example, your mobile phone provider has access to all your phone records. A hacker on an open Wi-Fi network can access your unencrypted communications. Your government might have stronger capabilities.

Write down what your adversary might want to do with your private data.

How likely is it that I will need to protect it?

Risk is the likelihood that a particular threat against a particular asset will actually occur. It goes hand-in-hand with capability. While your mobile phone provider has the capability to access all of your data, the risk of them posting your private data online to harm your reputation is low.

It is important to distinguish between what might happen and the probability it may happen. For instance, there is a threat that your building might collapse, but the risk of this happening is far greater in San Francisco (where earthquakes are common) than in Stockholm (where they are not).

Assessing risks is both a personal and a subjective process. Many people find certain threats unacceptable no matter the likelihood they will occur because the mere presence of the threat at any likelihood is not worth the cost. In other cases, people disregard high risks because they don’t view the threat as a problem.

Write down which threats you are going to take seriously, and which may be too rare or too harmless (or too difficult to combat) to worry about.

How much trouble am I willing to go through to try to prevent potential consequences?

There is no perfect option for security. Not everyone has the same priorities, concerns, or access to resources. Your risk assessment will allow you to plan the right strategy for you, balancing convenience, cost, and privacy.

For example, an attorney representing a client in a national security case may be willing to go to greater lengths to protect communications about that case, such as using encrypted email, than a mother who regularly emails her daughter funny cat videos.

Write down what options you have available to you to help mitigate your unique threats. Note if you have any financial constraints, technical constraints, or social constraints.

Security planning as a regular practice

Keep in mind your security plan can change as your situation changes. Thus, revisiting your security plan frequently is good practice.

Create your own security plan based on your own unique situation. Then mark your calendar for a date in the future. This will prompt you to review your plan and check back in to determine whether it’s still relevant to your situation.

Telecommunication networks and the Internet have made communicating with people easier than ever, but have also made surveillance more prevalent. Without taking extra steps to protect your privacy, every phone call, text message, email, instant message, video and audio chat, and social media message could be vulnerable to eavesdroppers.

Often the most privacy-protective way to communicate with others is in person, without computers or phones being involved at all. Because this isn’t always possible, the next best thing is to use end-to-end encryption.

How Does End-to-End Encryption Work?

End-to-end encryption ensures that information is turned into a secret message by its original sender (the first “end”), and decoded only by its final recipient (the second “end”). This means that no one can “listen in” and eavesdrop on your activity, including wifi cafe snoops, your Internet service provider, and even the website or app you are using itself. Somewhat counter-intuitively, just because you access messages in an app on your phone or information from a website on your computer does not mean that the app company or website platform itself can see them. This is a core characteristic of good encryption: even the people who design and deploy it cannot themselves break it.

All the tools that have guides on the SSD site use end-to-end encryption. You can use end-to-end encryption for any kind of communication — including voice and video calls, messaging and chat, and email.

(Not to be confused with end-to-end encryption is transport-layer encryption. While end-to-end encryption protects messages, for example, all the way from you to your recipient, transport-layer encryption only protects them as they travel from your device to the app’s servers and from the app’s servers to your recipient’s device. In the middle, your messaging service provider—or the website you are browsing, or the app you are using—can see unencrypted copies of your messages.)

Under the hood, end-to-end encryption works like this: When two people want to communicate via end-to-end encryption (for example, Akiko and Boris) they must each generate pieces of data, called keys. These keys can be used to turn data that anyone can read into data that can be only read by someone who has a matching key. Before Akiko sends a message to Boris, she encrypts it to Boris's key so that only Boris can decrypt it. Then she sends this encrypted message across the Internet. If anyone is eavesdropping on Akiko and Boris—even if they have access to the service that Akiko is using to send this message (such as her email account)—they will only see the encrypted data and will be unable to read the message. When Boris receives it, he must use his key to decrypt it into a readable message.

Some services, like Google Hangouts, advertise “encryption,” but use keys that are created and controlled by Google, not the sender and final receiver of the message. This is not end-to-end encryption. To be truly secure, only the “ends” of the conversation should have the keys that let them encrypt and decrypt. If the service you use controls the keys, that is transport layer-encryption instead.

End-to-end encryption means that users must keep their keys secret. It can also mean doing work to make sure the keys used to encrypt and decrypt belong to the right people. Using end-to-end encryption can involve some effort—from simply choosing to download an app that offers it to proactively verifying keys—but it's the best way for users to verify the security of their communications without having to trust the platform that they're both using.

Learn more about encryption in What Should I know About Encryption?, Key Concepts in Encryption, and Different Types of Encryption. We also explain one particular kind of end-to-end encryption—called “public key encryption”—in more detail in A Deep Dive on End-to-End Encryption.

Phone Calls and Text Messages versus Encrypted Internet Messages

When you make a call from a landline or a mobile phone, your call is not end-to-end encrypted. When you send a text message (also known as SMS) on a phone, the text is not encrypted at all. Both allow governments or anyone else with power over the phone company to read your messages or record your calls. If your risk assessment includes government interception, you may prefer to use encrypted alternatives that operate over the Internet. As a bonus, many of these encrypted alternatives also offer video.

Some examples of services or software that offer end-to-end encrypted texting and voice and video calls include:

• Signal (for iOS and Android)
• WhatsApp (for iOS and Android)
• Wire

Some examples of services that do not offer end-to-end encryption by default include:

• Google Hangouts
• Kakao Talk
• Line
• Snapchat
• WeChat
• QQ
• Yahoo Messenger

And some services, like Facebook Messenger and Telegram, only offer end-to-end encryption if you deliberately turn it on. Others, like iMessage, only offer end-to-end encryption when both users are using a particular device (in the case of iMessage, both users need to be using an iPhone).

How Much Can You Trust Your Messaging Service?

End-to-end encryption can defend you against surveillance by governments, hackers, and the messaging service itself. But all of those groups might be able to make secret changes in the software you use so that even if it claims to use end-to-end encryption, it is really sending your data unencrypted or with weakened encryption.

Many groups, including EFF, spend time watching well-known providers (like WhatsApp, which is owned by Facebook, or Signal) to make sure they really are providing the end-to-end encryption they promise. But if you are concerned about these risks, you can use tools that use publicly known and reviewed encryption techniques and are designed to be independent of the transport systems they use. OTR and PGP are two examples. These systems rely on user expertise to operate, are often less user-friendly, and are older protocols that don’t use all of the modern best encryption techniques.

Off-the-Record (OTR) is an end-to-end encryption protocol for real-time text conversations that can be used on top of a variety of instant messaging services. Some tools that incorporate OTR include:

• Pidgin (for Windows or Linux)
• Adium (for macOS)
• Jitsi (for Linux, Windows, macOS)

PGP (or Pretty Good Privacy) is the standard for end-to-end encryption of email. For detailed instructions on how to install and use PGP encryption for your email, see:

• How to: Use PGP for macOS
• How to: Use PGP for Windows
• How to: Use PGP for Linux

PGP for email is best-suited for technically experienced users communicating with other technically experienced users who are well aware of PGP’s complexities and limitations.

What End-To-End Encryption Does Not Do

End-to-end encryption only protects the content of your communication, not the fact that you are communicating in the first place. It does not protect your metadata, which includes, for example, the subject line of an email, who you are communicating with, and when. If you are making a call from a cell phone, information about your location is also metadata.

Metadata can provide extremely revealing information about you even when the content of your communication remains secret.

Metadata about your phone calls can give away some very intimate and sensitive information. For example:

• They know you rang a phone sex service at 2:24 am and spoke for 18 minutes, but they don't know what you talked about.
• They know you called the suicide prevention hotline from the Golden Gate Bridge, but the topic of the call remains a secret.
• They know you spoke with an HIV testing service, then your doctor, then your health insurance company in the same hour, but they don't know what was discussed.
• They know you received a call from the local NRA office while it was having a campaign against gun legislation, and then called your senators and congressional representatives immediately after, but the content of those calls remains safe from government intrusion.
• They know you called a gynecologist, spoke for a half hour, and then called the local Planned Parenthood's number later that day, but nobody knows what you spoke about.

Other Important Features

End-to-end encryption is only one of many features that may be important to you in secure communication. As described above, end-to-end encryption is great for preventing companies and governments from accessing your messages. But for many people, companies and governments are not the biggest threat, and therefore end-to-end encryption might not be the biggest priority.

For example, if someone is worried about a spouse, parent, or employer with physical access to their device, the ability to send ephemeral, “disappearing” messages might be their deciding factor in choosing a messenger. Someone else might be worried about giving their phone number out, and so the ability to use a non-phone-number “alias” might be important.

More generally, security and privacy features are not the only variables that matter in choosing a secure communications method. An app with great security features is worthless if none of your friends and contacts use it, and the most popular and widely used apps can vary significantly by country and community. Poor quality of service or having to pay for an app can also make a messenger unsuitable for some people.

The more clearly you understand what you want and need out of a secure communication method, the easier it will be to navigate the wealth of extensive, conflicting, and sometimes outdated information available.

Creating Strong Passwords Using Password Managers

Reusing passwords is an exceptionally bad security practice. If a bad actor gets ahold of a password that you've reused across multiple services, they can gain access to many of your accounts. This is why having multiple, strong, unique passwords is so important.

Fortunately, a password manager can help. A password manager is a tool that creates and stores passwords for you, so you can use many different passwords on different sites and services without having to memorize them. Password managers:

• generate strong passwords that a human being would be unlikely to guess.

• store several passwords (and responses to security questions) safely.

• protect all of your passwords with a single master password (or passphrase).

KeePassXC is an example of a password manager that is open-source and free. You can keep this tool on your desktop or integrate it into your web browser. KeePassXC does not automatically save changes you make when using it, so if it crashes after you've added some passwords, you can lose them forever. You can change this in the settings.

Wondering whether a password manager is the right tool for you? If a powerful adversary like a government is targeting you, it might not be.

Remember:

• using a password manager creates a single point of failure.

• password managers are an obvious target for adversaries.

• research suggests that many password managers have vulnerabilities.

If you’re worried about expensive digital attacks, consider something more low-tech. You can create strong passwords manually (see “Creating strong passwords using dice” below), write them down, and keep them somewhere safe on your person.

Wait, aren’t we supposed to keep passwords in our heads and never write them down? Actually, writing them down, and keeping them somewhere like your wallet, is useful so you’ll at least know if your written passwords go missing or get stolen.

Creating Strong Passwords Using Dice

There are a few passwords that you should memorize and that need to be particularly strong. These include:

• passwords for your device
• passwords for encryption (like full-disk encryption)
• the master password, or “passphrase,” for your password manager
• your email password

One of many difficulties when people choose passwords themselves is that people aren't very good at making random, unpredictable choices. An effective way of creating a strong and memorable password is to use dice and a word list to randomly choose words. Together, these words form your “passphrase.” A "passphrase" is a type of password that is longer for added security. For disk encryption and your password manager, we recommend selecting a minimum of six words.

Why use a minimum of six words? Why use dice to pick words in a phrase randomly? The longer and more random the password, the harder it is for both computers and humans to guess. To find out why you need such a long, hard-to-guess password, here’s a video explainer.

Try making a passphrase using one of EFF's word lists.

If your computer or device gets compromised and spyware is installed, the spyware can watch you type your master password and could steal the contents of the password manager. So it's still very important to keep your computer and other devices clean of malware when using a password manager.

A Word About “Security Questions”

Beware of the “security questions” that websites use to confirm your identity. Honest answers to these questions are often publicly discoverable facts that a determined adversary can easily find and use to bypass your password entirely.

Instead, give fictional answers that no one knows but you. For example, if the security question asks:

“What was the name of your first pet?”

Your answer could be a random password generated from your password manager. You can store these fictional answers in your password manager.

Think of sites where you’ve used security questions and consider changing your responses. Do not use the same passwords or security question answers for multiple accounts on different websites or services.

Syncing Your Passwords Across Multiple Devices

Many password managers allow you to access your passwords across devices through a password-synchronizing feature. This means when you sync your password file on one device, it will update it on all of your devices.

Password managers can store your passwords “in the cloud,” meaning encrypted on a remote server. When you need your passwords, these managers will retrieve and decrypt the passwords for you automatically. Password managers that use their own servers to store or help synchronize your passwords are more convenient, but are slightly more vulnerable to attacks. If your passwords are stored both on your computer and in the cloud, an attacker does not need to take over your computer to find out your passwords. (They will need to break your password manager’s passphrase though.)

If this is concerning, don't sync your passwords to the cloud and instead opt to store them on just your devices.

Keep a backup of your password database just in case. Having a backup is useful if you lose your password database in a crash, or if your device is taken away from you. Password managers usually have a way to make a backup file, or you can use your regular backup program.

Multi-Factor Authentication and One-Time Passwords

Strong, unique passwords make it much harder for bad actors to access your accounts. To further protect your accounts, enable two-factor authentication.

Some services offer two-factor authentication (also called 2FA, multi-factor authentication, or two-step verification), which requires users to possess two components (a password and a second factor) to gain access to their account. The second factor could be a one-off secret code or a number generated by a program running on a mobile device.

Two-factor authentication using a mobile phone can be done in one of two ways:

• your phone can run an authenticator application that generates security codes (such as Google Authenticator or Authy) or you can use a stand-alone hardware device (such as a YubiKey); or
• the service can send you an SMS text message with an extra security code that you need to type in whenever you log in.

If you have a choice, pick the authenticator application or stand-alone hardware device instead of receiving codes by text message. It’s easier for an attacker to redirect these codes to their own phone than it is to bypass the authenticator.

Some services, such as Google, also allow you to generate a list of one-time passwords, also called single-use passwords. These are meant to be printed or written down on paper and carried with you. Each of these passwords works only once, so if one is stolen by spyware when you enter it, the thief won't be able to use it for anything in the future.

If you or your organization run your own communications infrastructure, there's free software available that can be used to enable two-factor authentication for accessing your systems. Look for software offering implementations of the open standard “Time-Based One-Time Passwords” or RFC 6238.

Sometimes, You Will Need to Disclose Your Password

Laws about revealing passwords differ from place to place. In some jurisdictions you may be able to legally challenge a demand for your password while in others, local laws allow the government to demand disclosure — and even imprison you on the suspicion that you may know a password or key. Threats of physical harm can be used to force someone to give up their password. Or you may find yourself in a situation, such as travelling across a border, where the authorities can delay you or seize your devices if you refuse to give up a password or unlock your device.

We have a separate guide to crossing the U.S. border that gives advice on how to deal with requests for access to devices while travelling to or from the United States. In other situations, you should think about how someone might force you or others to give up your passwords, and what the consequences would be.

Note: Modern versions of macOS will prompt you to use FileVault 2 to encrypt your entire drive. We highly recommend you take this step to protect your data.  If you encrypt your entire drive, you don’t have to worry much about doing secure deletion since the master encryption key is protected with a password that you control, and that you can change or erase to make data on the drive irretrievable. More information is available on encrypting with FileVault 2.

The instructions below should only be used for securely deleting data from spinning drives. These instructions apply only to traditional disk drives, and not to Solid State Drives (SSDs), which are standard in modern computers, USB keys/USB thumb drives, or SD cards/flash memory cards. Secure deletion on SSDs, USB flash drives, and SD cards is very hard! This is because these types of drives use a technique called wear leveling and do not provide low-level access to the bits as stored on the drive. (You can read more about why this causes problems for secure deletion here.) If you’re using an SSD or a USB flash drive, you can jump to the section below.

Did you know that when you move a file on your computer into your computer's trash folder and empty the trash, the file is not completely erased? Computers normally don't “delete” files; when you move a file to the trash, your computer just makes the file invisible and allows the space it took up to be overwritten by something else sometime in the future. Therefore, it may be weeks, months, or even years before that file is overwritten. Until this happens, that “deleted” file is still on your disk; it’s just invisible to normal operations. And with a little work and the right tools (such as “undelete” software or forensic methods), that “deleted” file can be retrieved.

So, what’s the best way to delete a file forever? Ensure it gets overwritten immediately. This makes it difficult to retrieve what used to be written there. Your operating system probably already has software that can do this for you—software that can overwrite all of the “empty” space on your disk with gibberish and thereby protect the confidentiality of deleted data.

Secure Deletion on macOS

On OS X 10.4 to 10.10, you can securely delete files by moving them to the Trash and then selecting Finder > Secure Empty Trash.

The Secure Empty Trash feature was removed in OS X 10.11 because Apple felt that it could not guarantee secure deletion on the fast flash (SSD) drives that most of its modern models now use.

If you use a traditional hard drive with OS X 10.11, and are comfortable with the command line, you can use the Mac's srm command to overwrite the file. Fuller instructions (in English) are available here.

srm was removed in OS X 10.12, but it is still possible to install.

In the latest versions of macOS, you can use rm -P to overwrite the file. This command overwrites the file contents several times.

A Warning About the Limitations of Secure Deletion Tools

Remember that the advice above only deletes files on the disk of the computer you’re using. None of the tools above will delete backups that were made to somewhere else on your computer, another disk or USB drive, a “Time Machine,” on an email server, in the cloud, or sent to your contacts. In order to securely delete a file, you must delete every copy of that file, everywhere it was stored or sent. Additionally, once a file is stored in the cloud (e.g. via Dropbox or some other file-sharing service) there’s usually no way to guarantee that it will be deleted forever.

Unfortunately, there’s also another limitation to secure deletion tools. Even if you follow the advice above and you’ve deleted all copies of a file, there is a chance that certain traces of deleted files may persist on your computer, not because the files themselves haven't been properly deleted, but because some part of the operating system or some other program keeps a deliberate record of them.

There are many ways in which this could occur, but two examples should suffice to convey the possibility. On Windows or macOS, Microsoft Office may retain a reference to the name of a file in the “Recent Documents” menu, even if the file has been deleted (Office might sometimes even keep temporary files containing the contents of the file). LibreOffice may keep as many records as Microsoft Office, and a user's shell history file may contain commands that include the file's name, even though the file has been securely deleted. In practice, there may be dozens of programs that behave like this.

It's hard to know how to respond to this problem. It is safe to assume that even if a file has been securely deleted, its name will probably continue to exist for some time on your computer. Overwriting the entire disk is the only way to be 100% sure the name is gone. Some of you may be wondering, “Could I search the raw data on the disk to see if there are any copies of the data anywhere?” The answer is yes and no. Searching the disk will tell you if the data is present in plaintext, but it won't tell you if some program has compressed or otherwise coded references to it. Also, be careful that the search itself does not leave a record! The probability that the file's contents may persist is lower, but not impossible. Overwriting the entire disk and installing a fresh operating system is the only way to be 100% certain that records of a file have been erased.

Secure Deletion When Discarding Old Hardware

If you want to throw a piece of hardware away or sell it on eBay, you'll want to make sure no one can retrieve your data from it. Studies have repeatedly found that computer owners usually fail to do this―hard drives are often resold chock-full of highly sensitive information. So, before selling or recycling a computer, be sure to overwrite its storage media with gibberish first. And even if you're not getting rid of it right away, if you have a computer that has reached the end of its life and is no longer in use, it's also safer to wipe the hard drive before stashing the machine in a corner or a closet. Darik's Boot and Nuke is a tool designed for this purpose, and there are a variety of tutorials on how to use it across the web (including here).

Some full-disk encryption software has the ability to destroy the master key, rendering a hard drive's encrypted contents permanently incomprehensible. Since the key is a tiny amount of data and can be destroyed almost instantaneously, this represents a much faster alternative to overwriting with software like Darik's Boot and Nuke, which can be quite time-consuming for larger drives. However, this option is only feasible if the hard drive was always encrypted. If you weren't using full-disk encryption ahead of time, you'll need to overwrite the whole drive before getting rid of it.

Discarding CD- or DVD-ROMs

When it comes to CD- or DVD-ROMs, you should do the same thing you do with paper―shred them. There are inexpensive shredders that will chew them up. Never just toss a CD- or DVD-ROM in the garbage unless you're absolutely sure there's nothing sensitive on it.

Secure Deletion on Solid-state Disks (SSDs), USB Flash Drives, and SD Cards

Unfortunately, due to the way SSDs, USB flash drives, and SD cards work, it is difficult, if not impossible, to securely delete both individual files and free space. As a result, your best bet in terms of protection is to use encryption. That way, even if the file is still on the disk, it will at least look like gibberish to anyone who gets ahold of it and can’t force you to decrypt it. At this point in time, we cannot provide a good general procedure that will definitely remove your data from an SSD. If you want to know why it’s so hard to delete data, read on.

As we mentioned above, SSDs and USB flash drives use a technique called wear leveling. At a high level, wear leveling works as follows. The space on every disk is divided into blocks, kind of like the pages in a book. When a file is written to disk, it’s assigned to a certain block or set of blocks (pages). If you wanted to overwrite the file, then all you would have to do is tell the disk to overwrite those blocks. But in SSDs and USB drives, erasing and re-writing the same block can wear it out. Each block can only be erased and rewritten a limited number of times before that block just won’t work anymore (the same way if you keep writing and erasing with a pencil and paper, eventually the paper might rip and be useless). To counteract this, SSDs and USB drives will try to make sure that the amount of times each block has been erased and rewritten is about the same, so that the drive will last as long as possible (thus the term wear leveling). As a side effect, sometimes instead of erasing and writing the block a file was originally stored on, the drive will instead leave that block alone, mark it as invalid, and just write the modified file to a different block. This is kind of like leaving the page in the book unchanged, writing the modified file on a different page, and then just updating the book’s table of contents to point to the new page. All of this occurs at a very low level in the electronics of the disk, so the operating system doesn’t even realize it’s happened. This means, however, that even if you try to overwrite a file, there’s no guarantee the drive will actually overwrite it, and that’s why secure deletion with SSDs is so much harder.

The instructions below should only be used for securely deleting data from spinning drives. These instructions apply only to traditional disk drives, and not to Solid State Drives (SSDs), which are standard in modern computers, USB keys/USB thumb drives, or SD cards/flash memory cards. Secure deletion on SSDs, USB flash drives, and SD cards is very hard! This is because these types of drives use a technique called wear leveling and do not provide low-level access to the bits as stored on the drive. (You can read more about why this causes problems for secure deletion here.) If you’re using an SSD or a USB flash drive, jump to this section below.

Did you know that when you move a file on your computer into your computer's trash folder and empty the trash, the file is not completely erased? Computers normally don't “delete” files; when you move a file to the trash, your computer just makes the file invisible and allows the space it took up to be overwritten by something else sometime in the future. Therefore, it may be weeks, months, or even years before that file is overwritten. Until this happens, that “deleted” file is still on your disk; it’s just invisible to normal operations. And with a little work and the right tools (such as “undelete” software or forensic methods), that “deleted” file can be retrieved.

So, what’s the best way to delete a file forever? Ensure it gets overwritten immediately. This makes it difficult to retrieve what used to be written there. Your operating system probably already has software that can do this for you—software that can overwrite all of the “empty” space on your disk with gibberish and thereby protect the confidentiality of deleted data.

On Windows, we currently suggest using BleachBit, an open-source secure deletion tool for Linux and Windows. BleachBit can be used to quickly and easily target individual files for secure deletion, or to implement periodic secure deletion policies. It is also possible to write custom file deletion instructions. You can find further information in the documentation.

Installing BleachBit

You can get BleachBit on Windows by downloading the installer from the BleachBit download page

Click on the BleachBit installer .exe link. You'll be taken to the download page.

Many browsers will ask you to confirm whether you want to download this file. Microsoft Edge 40 shows a bar at the bottom of the browser window with a blue border.

For any browser it is best to first save the file before proceeding, so click the “Save” button. By default, most browsers save downloaded files in the Downloads folder.

Keep the Windows Explorer window open and double-click on BleachBit-2.0-setup. You'll be asked if you want to allow the installation of this program. Click the “Yes” button.

A window will open asking you to select an installation language. Select the language you want and click the OK button.

The next window will show you the GNU General Public License. Click “I Agree.”

In the next window BleachBit shows some customization options. You may leave the options as they are. We recommend removing the check mark from the Desktop option. Click the Next button.

Now BleachBit will ask you to confirm where you want to install. Click the Install button.

Finally, the BleachBit installer shows a window telling you the installation is complete. Click the Next button.

The last window in the installer asks whether you want to run BleachBit. Remove the checkmark from the Run BleachBit option. Click the Finish button.

Using BleachBit

Go to the Start menu, click the Windows icon, and select BleachBit from the menu.

A small window will open and confirm you want to open BleachBit. Click the "Yes" button.

The main BleachBit window will open. BleachBit will detect several commonly installed programs and show special options for each program.

Using Presets

BleachBit can wipe the traces Internet Explorer leaves behind using the Internet Explorer preset. Check the box next to Internet Explorer. Notice how all the boxes belonging to Cookies, Form history, History, and Temporary files are also checked. You can uncheck them as needed. Click the Clean button.

BleachBit will now clean up certain files and show you the progress.

How to Securely Delete a Folder

Click the File menu and select Shred Folders.

A small window will open. Select the folder you want to shred.

BleachBit will ask you to confirm whether you want to permanently delete the files you selected. Click the Delete button.

BleachBit will now show you the files you deleted. Notice that BleachBit securely deletes each file in the folder, then securely deletes the folder.

How to Securely Delete a File

Click the File menu and select Shred Files.

A file selection window will open. Select the files you want to shred.

BleachBit will ask you to confirm whether you want to permanently delete the files you selected. Click the Delete button.

BleachBit has a number of other features. The most useful one may be wiping free space. This will attempt to remove any traces of files you have already deleted. Often Linux will leave all or part of the data from deleted files in the remaining free space left on the hard drive. Wiping free space will overwrite these supposedly empty parts of the hard drive with random data. Wiping free space can take a lot of time, depending on how much spare capacity your drive has.

A Warning About the Limitations of Secure Deletion Tools

Remember that the advice above only deletes files on the disk of the computer you’re using. None of the tools above will delete backups that were made to somewhere else on your computer, another disk or USB drive, a “Time Machine,” on an email server, in the cloud, or sent to your contacts. In order to securely delete a file, you must delete every copy of that file, everywhere it was stored or sent. Additionally, once a file is stored in the cloud (e.g. via Dropbox or some other file-sharing service) there’s usually no way to guarantee that it will be deleted forever.

Unfortunately, there’s also another limitation to secure deletion tools. Even if you follow the advice above and you’ve deleted all copies of a file, there is a chance that certain traces of deleted files may persist on your computer, not because the files themselves haven't been properly deleted, but because some part of the operating system or some other program keeps a deliberate record of them.

There are many ways in which this could occur, but two examples should suffice to convey the possibility. On Windows or macOS, Microsoft Office may retain a reference to the name of a file in the “Recent Documents” menu, even if the file has been deleted (Office might sometimes even keep temporary files containing the contents of the file). LibreOffice may keep as many records as Microsoft Office, and a user's shell history file may contain commands that include the file's name, even though the file has been securely deleted. In practice, there may be dozens of programs that behave like this.

It's hard to know how to respond to this problem. It is safe to assume that even if a file has been securely deleted, its name will probably continue to exist for some time on your computer. Overwriting the entire disk is the only way to be 100% sure the name is gone. Some of you may be wondering, “Could I search the raw data on the disk to see if there are any copies of the data anywhere?” The answer is yes and no. Searching the disk will tell you if the data is present in plaintext, but it won't tell you if some program has compressed or otherwise coded references to it. Also, be careful that the search itself does not leave a record! The probability that the file's contents may persist is lower, but not impossible. Overwriting the entire disk and installing a fresh operating system is the only way to be 100% certain that records of a file have been erased.

Secure Deletion When Discarding Old Hardware

If you want to throw a piece of hardware away or sell it on eBay, you'll want to make sure no one can retrieve your data from it. Studies have repeatedly found that computer owners usually fail to do this―hard drives are often resold chock-full of highly sensitive information. So, before selling or recycling a computer, be sure to overwrite its storage media with gibberish first. And even if you're not getting rid of it right away, if you have a computer that has reached the end of its life and is no longer in use, it's also safer to wipe the hard drive before stashing the machine in a corner or a closet. Darik's Boot and Nuke is a tool designed for this purpose, and there are a variety of tutorials on how to use it across the web (including here).

Some full-disk encryption software has the ability to destroy the master key, rendering a hard drive's encrypted contents permanently incomprehensible. Since the key is a tiny amount of data and can be destroyed almost instantaneously, this represents a much faster alternative to overwriting with software like Darik's Boot and Nuke, which can be quite time-consuming for larger drives. However, this option is only feasible if the hard drive was always encrypted. If you weren't using full-disk encryption ahead of time, you'll need to overwrite the whole drive before getting rid of it.

Discarding CD- or DVD-ROMs

When it comes to CD- or DVD-ROMs, you should do the same thing you do with paper―shred them. There are inexpensive shredders that will chew them up. Never just toss a CD- or DVD-ROM in the garbage unless you're absolutely sure there's nothing sensitive on it.

Secure Deletion on Solid-state Disks (SSDs), USB Flash Drives, and SD Cards

Unfortunately, due to the way SSDs, USB flash drives, and SD cards work, it is difficult, if not impossible, to securely delete both individual files and free space. As a result, your best bet in terms of protection is to use encryption. That way, even if the file is still on the disk, it will at least look like gibberish to anyone who gets ahold of it and can’t force you to decrypt it. At this point in time, we cannot provide a good general procedure that will definitely remove your data from an SSD. If you want to know why it’s so hard to delete data, read on.

As we mentioned above, SSDs and USB flash drives use a technique called wear leveling. At a high level, wear leveling works as follows. The space on every disk is divided into blocks, kind of like the pages in a book. When a file is written to disk, it’s assigned to a certain block or set of blocks (pages). If you wanted to overwrite the file, then all you would have to do is tell the disk to overwrite those blocks. But in SSDs and USB drives, erasing and re-writing the same block can wear it out. Each block can only be erased and rewritten a limited number of times before that block just won’t work anymore (the same way if you keep writing and erasing with a pencil and paper, eventually the paper might rip and be useless). To counteract this, SSDs and USB drives will try to make sure that the amount of times each block has been erased and rewritten is about the same, so that the drive will last as long as possible (thus the term wear leveling). As a side effect, sometimes instead of erasing and writing the block a file was originally stored on, the drive will instead leave that block alone, mark it as invalid, and just write the modified file to a different block. This is kind of like leaving the page in the book unchanged, writing the modified file on a different page, and then just updating the book’s table of contents to point to the new page. All of this occurs at a very low level in the electronics of the disk, so the operating system doesn’t even realize it’s happened. This means, however, that even if you try to overwrite a file, there’s no guarantee the drive will actually overwrite it, and that’s why secure deletion with SSDs is so much harder.

The instructions below should only be used for securely deleting data from spinning drives. These instructions apply only to traditional disk drives, and not to Solid State Drives (SSDs), which are standard in modern computers, USB keys/USB thumb drives, or SD cards/flash memory cards. Secure deletion on SSDs, USB flash drives, and SD cards is very hard! This is because these types of drives use a technique called wear leveling and do not provide low-level access to the bits as stored on the drive. (You can read more about why this causes problems for secure deletion here.) If you’re using an SSD or a USB flash drive, jump to this section below.

Did you know that when you move a file on your computer into your computer's trash folder and empty the trash, the file is not completely erased? Computers normally don't “delete” files; when you move a file to the trash, your computer just makes the file invisible and allows the space it took up to be overwritten by something else sometime in the future. Therefore, it may be weeks, months, or even years before that file is overwritten. Until this happens, that “deleted” file is still on your disk; it’s just invisible to normal operations. And with a little work and the right tools (such as “undelete” software or forensic methods), that “deleted” file can be retrieved.

So, what’s the best way to delete a file forever? Ensure it gets overwritten immediately. This makes it difficult to retrieve what used to be written there. Your operating system probably already has software that can do this for you—software that can overwrite all of the “empty” space on your disk with gibberish and thereby protect the confidentiality of deleted data.

On Linux, we currently suggest using BleachBit, an open-source secure deletion tool for Linux and Windows. It’s much more sophisticated than the built-in “shred.” BleachBit can be used to quickly and easily target individual files for secure deletion, or to implement periodic secure deletion policies. It is also possible to write custom file deletion instructions. You can find further information in the documentation.

Installing BleachBit

Installing with Ubuntu Software

You can get BleachBit on Ubuntu by using the Ubuntu Software application. If it’s in your favorite applications, you can click on it on the left-hand side of the screen.

Otherwise, click on the application button in the lower left-hand side of the screen and use the search field.

Type “software” in the search field and click the Ubuntu Software icon.

By default, BleachBit will not be listed. To ensure that it is listed, enable community-maintained packages by clicking “Ubuntu Software” in the top menu and then clicking “Software & Updates.”

In the new window, make sure the box next to “Community-maintained free and open-source software (universe)” is checked, then click “Close” and “Reload.”  If it is already checked, you may just click “Close.”

You can now browse through Ubuntu Software to look for BleachBit, but searching for it is faster. Use the search field by clicking the magnifying glass in the top-right corner of the window.

Then enter “BleachBit” in the search field.

Click on BleachBit and click the Install button.

Ubuntu Software will ask for your password for permission. Enter your password and click the Authenticate button.

The Ubuntu Software Center will install BleachBit and show you a small progress bar. When the installation is done you will see a “Launch” and “Remove” button.

Installing From the Terminal

You can also get BleachBit on Ubuntu by using the Terminal. Click on the application button in the lower left-hand side of the screen and use the search field.

Type “terminal” in the search field and click the Terminal icon.

Type “sudo apt-get install bleachbit” and press Enter.

You’ll be asked to enter your password to verify that you want to install BleachBit. Enter your password and press Enter.

Now you'll see the progress of the installation of BleachBit and when it is done you should be back at the command line where you started.

Adding BleachBit to Sidebar

Click on the application button in the lower left-hand side of the screen and use the search field.

Type “bleach” in the search field and two options will appear: BleachBit and BleachBit (as root).

Only use the BleachBit (as root) option if you know what you are doing because it can cause irreparable harm if you use it to delete files needed by the operating system.

Right-click on BleachBit and select “Add to Favorites.”

Using BleachBit

Click on the BleachBit icon from your Favorites on the left side of the screen.

The main BleachBit window will open and BleachBit will give you an overview of the preferences. We recommend checking the “Overwrite contents of files to prevent recovery” option.

Click the “Close” button.

BleachBit will detect several commonly installed programs and will show special options for each program.

Using Presets

Some software leaves behind records of when and how it was used. Two important examples that merely begin to illustrate this widespread issue are Recent Documents and web browser history. Software that tracks the recently-edited documents leaves a record of the names of files you've been working with, even if those files themselves have been deleted. And web browsers usually keep detailed records of what sites you've visited recently, and even keep cached copies of pages and images from those sites to make them load faster next time you visit.

BleachBit provides “presets” that can remove some of these records for you, based on the BleachBit authors' research about locations of records on your computer that tend to reveal your previous activity. We'll describe using just two of these presets so you can get an idea of how they work.

Check the box next to System. Notice that this marks all the checkboxes under the System category. Uncheck the System box and check the following boxes: Recent document list and Trash. Click the “Clean” button.

BleachBit will now ask you for confirmation. Click the Delete button.

BleachBit will now clean up certain files and show you the progress.

How to Securely Delete a Folder

Click the “File” menu and select “Shred Folders.”

A small window will open. Select the folder you want to shred.

BleachBit will ask you to confirm whether you want to permanently delete the files you selected. Click the “Delete” button.

BleachBit will show you the files you deleted. Notice that BleachBit securely deletes each file in the folder, then securely deletes the folder.

How to Securely Delete a File

Click the File menu and select Shred Files.

A file selection window will open. Select the files you want to shred.

BleachBit will ask you to confirm whether you want to permanently delete the files you selected. Click the “Delete” button.

BleachBit has a number of other features. The most useful one may be wiping free space. This will attempt to remove any traces of files you have already deleted. Often Linux will leave all or part of the data from deleted files in the remaining free space left on the hard drive. Wiping free space will overwrite these supposedly empty parts of the hard drive with random data. Wiping free space can take a lot of time, depending on how much spare capacity your drive has.

A Warning About the Limitations of Secure Deletion Tools

Remember that the advice above only deletes files on the disk of the computer you’re using. None of the tools above will delete backups that were made to somewhere else on your computer, another disk or USB drive, a “Time Machine,” on an email server, in the cloud, or sent to your contacts. In order to securely delete a file, you must delete every copy of that file, everywhere it was stored or sent. Additionally, once a file is stored in the cloud (e.g. via Dropbox or some other file-sharing service) there’s usually no way to guarantee that it will be deleted forever.

Unfortunately, there’s also another limitation to secure deletion tools. Even if you follow the advice above and you’ve deleted all copies of a file, there is a chance that certain traces of deleted files may persist on your computer, not because the files themselves haven't been properly deleted, but because some part of the operating system or some other program keeps a deliberate record of them.

There are many ways in which this could occur, but two examples should suffice to convey the possibility. On Windows or macOS, Microsoft Office may retain a reference to the name of a file in the “Recent Documents” menu, even if the file has been deleted (Office might sometimes even keep temporary files containing the contents of the file). LibreOffice may keep as many records as Microsoft Office, and a user's shell history file may contain commands that include the file's name, even though the file has been securely deleted. In practice, there may be dozens of programs that behave like this.

It's hard to know how to respond to this problem. It is safe to assume that even if a file has been securely deleted, its name will probably continue to exist for some time on your computer. Overwriting the entire disk is the only way to be 100% sure the name is gone. Some of you may be wondering, “Could I search the raw data on the disk to see if there are any copies of the data anywhere?” The answer is yes and no. Searching the disk (e.g. by using a command like grep -ab /dev/ on Linux) will tell you if the data is present in plaintext, but it won't tell you if some program has compressed or otherwise coded references to it. Also, be careful that the search itself does not leave a record! The probability that the file's contents may persist is lower, but not impossible. Overwriting the entire disk and installing a fresh operating system is the only way to be 100% certain that records of a file have been erased.

Secure Deletion When Discarding Old Hardware

If you want to throw a piece of hardware away or sell it on eBay, you'll want to make sure no one can retrieve your data from it. Studies have repeatedly found that computer owners usually fail to do this―hard drives are often resold chock-full of highly sensitive information. So, before selling or recycling a computer, be sure to overwrite its storage media with gibberish first. And even if you're not getting rid of it right away, if you have a computer that has reached the end of its life and is no longer in use, it's also safer to wipe the hard drive before stashing the machine in a corner or a closet. Darik's Boot and Nuke is a tool designed for this purpose, and there are a variety of tutorials on how to use it across the web (including here).

Some full-disk encryption software has the ability to destroy the master key, rendering a hard drive's encrypted contents permanently incomprehensible. Since the key is a tiny amount of data and can be destroyed almost instantaneously, this represents a much faster alternative to overwriting with software like Darik's Boot and Nuke, which can be quite time-consuming for larger drives. However, this option is only feasible if the hard drive was always encrypted. If you weren't using full-disk encryption ahead of time, you'll need to overwrite the whole drive before getting rid of it.

Discarding CD- or DVD-ROMs

When it comes to CD- or DVD-ROMs, you should do the same thing you do with paper―shred them. There are inexpensive shredders that will chew them up. Never just toss a CD or DVD-ROM in the garbage unless you're absolutely sure there's nothing sensitive on it.

Secure Deletion on Solid-state Disks (SSDs), USB Flash Drives, and SD Cards

Unfortunately, due to the way SSDs, USB flash drives, and SD cards work, it is difficult, if not impossible, to securely delete both individual files and free space. As a result, your best bet in terms of protection is to use encryption. That way, even if the file is still on the disk, it will at least look like gibberish to anyone who gets ahold of it and can’t force you to decrypt it. At this point in time, we cannot provide a good general procedure that will definitely remove your data from an SSD. If you want to know why it’s so hard to delete data, read on.

As we mentioned above, SSDs and USB flash drives use a technique called wear leveling. At a high level, wear leveling works as follows. The space on every disk is divided into blocks, kind of like the pages in a book. When a file is written to disk, it’s assigned to a certain block or set of blocks (pages). If you wanted to overwrite the file, then all you would have to do is tell the disk to overwrite those blocks. But in SSDs and USB drives, erasing and re-writing the same block can wear it out. Each block can only be erased and rewritten a limited number of times before that block just won’t work anymore (the same way if you keep writing and erasing with a pencil and paper, eventually the paper might rip and be useless). To counteract this, SSDs and USB drives will try to make sure that the amount of times each block has been erased and rewritten is about the same, so that the drive will last as long as possible (thus the term wear leveling). As a side effect, sometimes instead of erasing and writing the block a file was originally stored on, the drive will instead leave that block alone, mark it as invalid, and just write the modified file to a different block. This is kind of like leaving the page in the book unchanged, writing the modified file on a different page, and then just updating the book’s table of contents to point to the new page. All of this occurs at a very low level in the electronics of the disk, so the operating system doesn’t even realize it’s happened. This means, however, that even if you try to overwrite a file, there’s no guarantee the drive will actually overwrite it, and that’s why secure deletion with SSDs is so much harder.

If you have a smartphone, laptop, or tablet, you’re carrying a massive amount of data with you at all times. Your social contacts, private communications, personal documents and personal photos (many of which have confidential information of dozens, even thousands of people) are just some examples of things you may store on your digital devices. Because we store and carry so much data, it can be hard to keep it safe—especially because it can be taken from you relatively easily.

Your data can be seized at the border, taken from you in the street, or burgled from your house and copied in seconds. Unfortunately, locking your device with passwords, PINs, or gestures may not protect your data if the device itself is seized. It’s relatively easy to bypass such locks because your data is stored in an easily-readable form within the device. An adversary would just need to access the storage directly in order to copy or examine your data without your password.

With that said, you can make it harder for those who physically steal your data to unlock its secrets. Here are a few ways you can help keep your data safe.

Encrypt Your Data

If you use encryption, your adversary needs both your device and your password to unscramble the encrypted data. Therefore, it's safest to encrypt all of your data, not just a few folders. Most smartphones and computers offer complete, full-disk encryption as an option.

For smartphones and tablets:

• Android offers full-disk encryption when you first set up your device on newer devices, or anytime afterwards under its “Security” settings for all devices.
• Apple devices such as the iPhone and iPad describe it as “Data Protection” and turn it on if you set a passcode.

For computers:

• Apple provides a built-in, full-disk encryption feature on macOS called FileVault.  
• Linux distributions usually offer full-disk encryption when you first set up your system.
• Windows Vista or later includes a full-disk encryption feature called BitLocker.

BitLocker's code is closed and proprietary, which means it is hard for external reviewers to know exactly how secure it is. Using BitLocker requires you trust Microsoft provides a secure storage system without hidden vulnerabilities. On the other hand, if you're already using Windows, you are already trusting Microsoft to the same extent. If you are worried about surveillance from the kind of adversaries who might know of or benefit from a backdoor in either Windows or BitLocker, consider an alternative open-source operating system such as GNU/Linux or BSD, especially a version that has been hardened against security attacks, such as Tails or Qubes OS. Alternatively, consider installing an alternative disk encryption software, Veracrypt, to encrypt your hard drive.

Remember: Whatever your device calls it, encryption is only as good as your password. If an adversary has your device, they have all the time in the world to figure out your passwords. An effective way of creating a strong and memorable password is to use dice and a word list to randomly choose words. Together, these words form your “passphrase.” A “passphrase” is a type of password that is longer for added security. For disk encryption we recommend selecting a minimum of six words. Check out our guide to Creating Strong Passwords for more information.

It may be unrealistic for you to learn and enter a long passphrase on your smartphone or mobile device. So, while encryption can be useful to prevent casual access, you should preserve truly confidential data by keeping it hidden from physical access by adversaries, or cordoned away on a much more secure device.

Create a Secure Device

Maintaining a secure environment can be hard. At best, you have to change passwords, habits, and perhaps the software you use on your main computer or device. At worst, you have to constantly think about whether you're leaking confidential information or using unsafe practices. Even when you know the problems, you may not be able to employ solutions because sometimes people with whom you need to communicate use unsafe digital security practices. For instance, work colleagues might want you to open email attachments from them, even though you know your adversaries could impersonate them and send you malware.

So what’s the solution? Consider cordoning off valuable data and communications onto a more secure device. You can use the secure device to keep the primary copy of your confidential data. Only use this device occasionally and, when you do, consciously take much more care over your actions. If you need to open attachments, or use insecure software, do it on another machine.

An extra, secure computer may not be as expensive an option as you think. A computer that is seldom used, and only runs a few programs, does not need to be particularly fast or new. You can buy an older netbook for a fraction of the price of a modern laptop or phone. Older machines also have the advantage that secure software like Tails may be more likely to work with them than newer models. Some general advice is almost always true: When you buy a device or an operating system, keep it up-to-date with software updates. Updates will often fix security problems in older code that attacks can exploit. Note that some older operating systems may no longer be supported, even for security updates.

When Setting up a Secure Computer, What Steps Can You Take to Make it Secure?

1. Keep your device well-hidden and don’t discuss its location—somewhere where you are able to tell if it has been tampered with, such as a locked cabinet.
2. Encrypt your computer’s hard drive with a strong passphrase so that if it is stolen, the data will remain unreadable without the passphrase.
3. Install a privacy- and security-focused operating system like Tails. You might not be able (or want) to use an open-source operating system in your everyday work, but if you just need to store, edit, and write confidential emails or instant messages from this secure device, Tails will work well and defaults to high security settings.
4. Keep your device offline. Unsurprisingly, the best way to protect yourself from Internet attacks or online surveillance is to never connect to the Internet. You could make sure your secure device never connects to a local network or Wifi and only copy files onto the machine using physical media, like DVDs or USB drives. In network security, this is known as having an “air gap” between the computer and the rest of the world. While extreme, this can be an option if you want to protect data that you rarely access, but never want to lose (such as an encryption key, a list of passwords, or a backup copy of someone else's private data that has been entrusted to you). In most of these cases, you might want to consider just having a hidden storage device, rather than a full computer. An encrypted USB key kept safely hidden, for example, is probably as useful (or as useless) as a complete computer unplugged from the Internet.
5. Don’t log in to your usual accounts. If you do use your secure device to connect to the Internet, create separate web or email accounts that you use for communications from this device, and use Tor (see guides for Linux, macOS, Windows) to keep your IP address hidden from those services. If someone is choosing to specifically target your identity with malware, or is only intercepting your communications, separate accounts and Tor can help break the link between your identity, and this particular machine.

While having one secure device that contains important, confidential information may help protect it from adversaries, it also creates an obvious target. There’s also a risk of losing the only copy of your data if the machine is destroyed. If your adversary would benefit from you losing all your data, don't keep it in just one place, no matter how secure. Encrypt a copy and keep it somewhere else.

A variation on the idea of a secure machine is to have an insecure machine: a device that you only use when going into a dangerous place or attempting a risky operation. Many journalists and activists, for instance, take a basic netbook with them when they travel. This computer does not have any of their documents or usual contact or email information on it so there’s minimal loss if it is confiscated or scanned. You can apply the same strategy to mobile phones. If you usually use a smartphone, consider buying a cheap throwaway or burner phone when travelling for specific communications.

Social networks are among the most popular websites on the Internet. Facebook has over a billion users, and Instagram and Twitter have hundreds of millions of users each. Social networks were generally built on the idea of sharing posts, photographs, and personal information. Now they have also become forums for organizing and speech. Any of these activities can rely on privacy and pseudonymity.

Thus, the following questions are important to consider when using social networks: How can I interact with these sites while protecting myself? My basic privacy? My identity? My contacts and associations? What information do I want keep private and who do I want to keep it private from?

Depending on your circumstances, you may need to protect yourself against the social network itself, against other users of the site, or both.

Tips to Keep in Mind When Creating an Account

• Do you want to use your real name? Some social media sites have so-called “real name policies,” but these have become more lax over time. If you do not want to use your real name when registering for a social media site, do not.
• When you register, don't provide more information than is necessary. If you are concerned with hiding your identity, use a separate email address and avoid giving your phone number. Both of these pieces of information can identify you individually and can link different accounts together.
• Be careful when choosing a profile photo or image. In addition to metadata that might include the time and place the photo was taken, the image itself can provide some information. Before you choose a picture, ask: Was it taken outside your home or workplace? Are any addresses or street signs visible?
• Be aware that your IP address may be logged at registration.
• Choose a strong password and, if possible, enable two-factor authentication.
• Beware of password recovery questions such as “What city were you born in?” or “What is the name of your pet?”  because their answers can be mined from your social media details. You may want to choose password recovery answers that are false. One good way to remember the answers to password recovery questions, should you choose to use false answers for added security, is to note your chosen answers in a password manager.

Check the Social Media Site's Privacy Policy

Information stored by third parties is subject to their own policies and may be used for commercial purposes or shared with other companies, like marketing firms. While reading privacy policies is a near-impossible task, you may want to read the sections that describe how your data is used, when it is shared with other parties, and how the service responds to law enforcement requests.

Social networking sites are usually for-profit businesses and often collect sensitive information beyond what you explicitly provide—where you are, what interests and advertisements you react to, what other sites you've visited (e.g. through “Like” buttons). Consider blocking third-party cookies and using tracker-blocking browser extensions to make sure extraneous information isn't being passively transmitted to third parties.

Change Your Privacy Settings

Specifically, change the default settings. For example, do you want to share your posts with the public, or only with a specific group of people? Should people be able to find you using your email address or phone number? Do you want your location shared automatically?

Even though every social media platform has its own unique settings, you can find some patterns.

• Privacy settings tend to answer the question: “Who can see what?” Here you’ll probably find settings concerning audience defaults (“public,” “friends of friends,” “friends only,” etc.), location, photos, contact information, tagging, and if/how people can find your profile in searches.
• Security (sometimes called “safety”) settings will probably have more to do with blocking/muting other accounts, and if/how you want to be notified if there is an unauthorized attempt to authorize your account. Sometimes, you’ll find login settings—like two-factor authentication and a backup email/phone number—in this section. Other times, these login settings will be in an account settings or login settings section, along with options to change your password.

Take advantage of security and privacy “check-ups.” Facebook, Google, and other major websites offer “security check-up” features. These tutorial-style guides walk you through common privacy and security settings in plain language and are an excellent feature for users.

Finally, remember that privacy settings are subject to change. Sometimes, these privacy settings get stronger and more granular; sometimes not. Pay attention to these changes closely to see if any information that was once private will be shared, or if any additional settings will allow you to take more control of your privacy.

Keep Separate Profiles Separate

For a lot of us, it’s critical to keep different account’s identities separate. This can apply to dating websites, professional profiles, anonymous accounts, and accounts in various communities.

Phone numbers and photos are two types of information to keep an eye on. Photos, in particular, can sneakily link accounts you intend to keep separate. This is a surprisingly common issue with dating sites and professional profiles. If you want to maintain your anonymity or keep a certain account’s identity separate from others, use a photo or image that you don’t use anywhere else online. To check, you can use Google’s reverse image search function. Other potentially linking variables to watch out for include your name (even nicknames) and your email. If you discover that one of these pieces of information is in a place you didn’t expect, don’t get scared or panic. Instead, think in baby steps: instead of trying to wipe all information about you off the entire Internet, just focus on specific pieces of information, where they are, and what you can do about them.

Familiarize Yourself With Facebook Groups Settings

Facebook groups are increasingly places for social action, advocacy, and other potentially sensitive activities, but group settings can be confusing. Learn more about group privacy settings and work with group members to keep your Facebook groups private and secure.

Privacy Is A Team Sport

Don’t just change your own social media settings and behavior. Take the additional step of talking with your friends about the potentially sensitive data you reveal about each other online. Even if you don’t have a social media account, or even if you untag yourself from posts, friends can still unintentionally identify you, report your location, and make their connections to you public. Protecting privacy means not only taking care of ourselves, but also taking care of each other.

This is a short overview to circumventing online censorship, but is by no means comprehensive.

Governments, companies, schools, and Internet providers sometimes use software to prevent their users from accessing certain websites and services. This is called Internet filtering or blocking, and it is a form of censorship. Filtering comes in different forms. Censors can block individual web pages, or even entire websites. Sometimes, content is blocked based on the keywords it contains.

There are different ways of beating Internet censorship. Some protect you from surveillance, but many do not. When someone who controls your net connection filters or blocks a site, you can almost always use a circumvention tool to get to the information you need. Note: Circumvention tools that promise privacy or security are not always private or secure. And tools that use terms like “anonymizer” do not always keeps your identity completely secret.

The circumvention tool that is best for you depends on your threat model. If you’re not sure what your threat model is, start here.

In this article, we'll talk about four ways to circumvent censorship:

• Visiting a web proxy to access a blocked website.
• Visiting an encrypted web proxy to access a blocked website.
• Using a Virtual Private Network (VPN) to access blocked websites or services.
• Using the Tor Browser to access a blocked website or protect your identity.

Basic techniques

Circumvention tools usually work by diverting your web traffic so it avoids the machines that do the blocking or filtering. A service that redirects your Internet connection past these blocks is sometimes called a proxy.

HTTPS is the secure version of the HTTP protocol you use to access websites. Sometimes a censor will only block the insecure (HTTP) version of a site. That means you can access the blocked site simply by entering the version of the web address that starts with HTTPS.

This is useful if the censorship you are fighting blocks individual web pages based on their contents. HTTPS stops censors from reading your web traffic, so they cannot tell what keywords are being sent, or which individual web page you are visiting.

Censors can still see the domain names of all websites you visit. So, for example, if you visit “eff.org/https-everywhere” censors can see that you are on “eff.org” but not that you are on the “https-everywhere” page.

If you suspect this type of simple blocking, try entering https:// before the domain in place of http:

Try installing EFF’s HTTPS Everywhere extension to automatically turn on HTTPS where possible.

Another way that you may be able to circumvent basic censorship techniques is by trying an alternate domain name or URL. For example, instead of visiting http://twitter.com, you might try the mobile version of the site at http://m.twitter.com. Censors that block websites or web pages work from a blacklist of banned websites, so anything that is not on that blacklist will get through. They might not know of all different versions of a particular website's name—especially if the administrators of the site know it is blocked and register more than one domain.

Web-based proxies

A web-based proxy (such as http://proxy.org/) is a website that lets its users access other blocked or censored websites. It is therefore a good way to circumvent censorship. In order to use a web-based proxy, visit the proxy and enter the web address that you want to see; the proxy will then display the web page you asked for.

However, web-based proxies don’t provide any security and will be a poor choice if your threat model includes someone monitoring your internet connection. They will not help you to use blocked services such as your instant messaging apps. The web-based proxy will have a complete record of everything you do online, which can be a privacy risk for some users depending on their threat model.

Encrypted proxies

Numerous proxy tools utilize encryption to provide an additional layer of security on top of the ability to bypass filtering. The connection is encrypted so others cannot see what you are visiting. While encrypted proxies are generally more secure than plain web-based proxies, the tool provider may have information about you. They might have your name and email address in their records, for instance. That means that these tools do not provide full anonymity.

The simplest form of an encrypted web proxy is one that starts with “https”— this will use the encryption usually provided by secure websites. However, be cautious—the owners of these proxies can see the data you send to and from other secure websites. Ultrasurf and Psiphon are examples of these tools.

Virtual Private Networks

A Virtual Private Network (VPN) encrypts and sends all Internet data from your computer through another computer. This computer could belong to a commercial or nonprofit VPN service, your company, or a trusted contact. Once a VPN service is correctly configured, you can use it to access webpages, e-mail, instant messaging, VoIP, and any other Internet service. A VPN protects your traffic from being spied on locally, but your VPN provider can still keep logs of the websites you access, or even let a third party snoop directly on your web browsing. Depending on your threat model, the possibility of a government listening in on your VPN connection or getting hold of VPN logs may be a significant risk. For some users, this could outweigh the short-term benefits of using a VPN.

For information about specific VPN services, click here.

We at EFF cannot vouch for this rating of VPNs. Some VPNs with exemplary privacy policies could be run by devious people. Do not use a VPN that you do not trust.

Tor

Tor is open-source software designed to give you anonymity on the web. Tor Browser is a web browser built on top of the Tor anonymity network. Because of how Tor routes your web browsing traffic, it also allows you to circumvent censorship. (See our How to: Use Tor guides for Linux, macOS and Windows).

When you first start the Tor Browser, you can choose an option specifying that you are on a network that is censored:

Tor will not only bypass almost all national censorship, but, if properly configured, can also protect your identity from an adversary listening in on your country’s networks. It can, however, be slow and difficult to use.

To learn how to use Tor on a desktop machine, click here for Linux, here for macOS, or here for Windows, but please be sure to tap “Configure” instead of “Connect” in the window displayed above.

You have probably heard the term “encryption” used in several contexts and associated with different words. Generally, encryption refers to the mathematical process of making a message unreadable except to a person who has the key to “decrypt” it into readable form.

Throughout history, people have used encryption to send messages to each other that (hopefully) couldn’t be read by anyone besides the intended recipient. Today, we have computers that are capable of performing encryption for us. Digital encryption technology has expanded beyond simple secret messages; today, you can use encryption for more elaborate purposes, for example, to verify the author of messages.

Encryption is the best technology we have to protect information from bad actors, governments, and service providers, and it has developed to the point that it is virtually impossible to break—when used correctly.

In this guide, we’ll look at two major ways encryption is applied: to scramble data at rest and data in transit.

Encrypting Data At Rest

Data “at rest” is data that is stored somewhere: on a mobile device, laptop, server, or external hard drive, for example. When data is at rest, it is not moving from one place to another.

One example of a form of encryption that protects data at rest is “full-disk” encryption (also sometimes called “device encryption”). Enabling full-disk encryption encrypts all the information stored on a device and protects the information with a passphrase or another authentication method. On a mobile device or laptop, this usually looks just like a typical device lock screen, requiring a passcode, passphrase, or thumbprint. However, locking your device (i.e., requiring a password to “unlock” your device) does not always mean that full-disk encryption is enabled.

A smart phone and laptop that each have a password-protected “lock” screen.

Be sure to check how your operating system enables and manages full-disk encryption. While some operating systems have full-disk encryption enabled by default, some operating systems do not. That means someone could access the data on your mobile device by merely breaking the device lock, but not having to break the encryption key since the device itself is not encrypted. Some systems still store unencrypted plaintext on RAM, even when you are using full-disk encryption. RAM is temporary storage, which means that shortly after your device is powered down the memory typically can't be read, but a sophisticated adversary could attempt a cold boot attack and conceivably retrieve the RAM contents.

Full-disk encryption can protect your devices from people who have physical access to them. This is useful if you want to protect your data from roommates, coworkers or employers, school officials, family members, partners, police officers, or other law enforcement officials. It also protects the data on your devices if they are stolen or lost, like if you accidentally leave your phone on a bus or at a restaurant.

There are additional ways to encrypt data at rest. One option, known as “file encryption,” encrypts only specific, individual files on a computer or other storage device. Another option is “drive encryption” (also known as “disk encryption”): this encrypts all of the data on a specific storage area on a device.

You can use these different types of encryption at rest in combination. For example, let’s say you wanted to protect sensitive information on your medical documents. You can use file encryption to separately encrypt an individual medical file stored on your device. You can then use drive encryption to encrypt the part of your device that this medical information is stored on. Finally, if you have enabled full-disk encryption on your device, everything—all medical information as well as every other file on the drive, including the files for the computer’s operating system—is encrypted.

On Surveillance Self-Defense, we’ve written a couple guides for enabling encryption on your devices. Although you can find in-depth descriptions of encryption at rest options online (and here on SSD!), be aware that these options change frequently and instructions can become outdated quickly.

Encrypting Data In Transit

The diagram shows unencrypted data in transit—which is often the default setting for Internet service providers. On the left, a smartphone sends a green, unencrypted message to another smartphone on the far right. Along the way, a cellphone tower passes the message along to company servers and then to another cellphone tower, which can each see the unencrypted “Hello” message. All computers and networks passing the unencrypted message are able to see the message. At the end, the other smartphone receives the unencrypted “Hello” message.

Data “in transit” is information that is moving over a network from one place to another. When you send a message on a messaging app, for example, that message moves from your device, to the app company’s servers, to your recipient’s device. Another example is web browsing: when you go to a website, the data from that webpage travels from the website’s servers to your browser.

Some popular apps offer features that seem to protect messages, such as disappearing messages. However, just because a communication (like a chat or message) can feel secure, doesn’t mean that it actually is secure. Computers passing along your message may be able to look at the contents of your message.

It’s important to verify that conversations between you and your recipient are encrypted—and to know whether they are encrypted via transport-layer encryption or end-to-end encryption.

There are two ways to encrypt data in transit: transport-layer encryption and end-to-end encryption. The type of encryption a service provider supports can be an important factor in deciding what services are right for you. The examples below illustrate the differences between transport-layer encryption and end-to-end encryption.

Transport-layer encryption

The diagram shows transport-layer encryption. On the left, a smart phone sends a green, unencrypted message: “Hello.” That message is encrypted, and then passed along to a cellphone tower. In the middle, the company servers are able to decrypt the message, re-encrypt it, and send it along to the next cellphone tower. At the end, the other smartphone receives the encrypted message, and decrypts it to read “Hello.”

Transport-layer encryption, also known as transport layer security (TLS), protects messages as they travel from your device to the app’s servers and from the app’s servers to your recipient’s device. In the middle, your messaging service provider—or the website you are browsing, or the app you are using—can see unencrypted copies of your messages. Because your messages can be seen by (and are often stored on) company servers, they may be vulnerable to law enforcement requests or leaking if the company’s servers are compromised.

Transport-layer encryption example: HTTPS

Do you notice the green lock and “https://” beside the web address for ssd.eff.org in the web address part of your browser window? HTTPS is an example of transport-layer encryption that we encounter frequently on the web. It provides more security than unencrypted HTTP. Why? Because the servers of the HTTPS website you are browsing can see the data you enter while on their site (for example, messages, searches, credit card numbers, and logins) however this information is unreadable to eavesdroppers on the network.

If someone is spying on the network and trying to see what websites users are visiting, an HTTP connection offers no protection. An HTTPS connection, on the other hand, hides which specific page on a website you navigate to—that is, everything “after the slash.” For example, if you are using HTTPS to connect to “https://ssd.eff.org/en/module/what-encryption” an eavesdropper can only see “https://ssd.eff.org”.

The web is in the middle of a large shift to using HTTPS for all webpages. This is because HTTP lacks any meaningful security, and HTTPS is secure by default. Webpages that come to you over HTTP are vulnerable to eavesdropping, content injection, cookie stealing, login and password stealing, targeted censorship, and other problems.

We recommend using EFF’s browser extension HTTPS Everywhere to receive the greatest amount of protection with HTTPS. HTTPS Everywhere ensures that if a website we know about offers HTTPS as well as HTTP, you’ll always be using the secure HTTPS version of the site.

Just because a service uses HTTPS does not mean that the service necessarily protects the privacy of its users visiting its website. For example, an HTTPS-protected site may still use tracking cookies or host malware.

Transport-layer encryption example: VPN

A Virtual Private Network (VPN) is another example of transport-layer encryption. Without a VPN, your traffic travels over your Internet service provider’s (ISP’s) connection. With a VPN, your traffic still travels over your ISP’s connection, but it will be encrypted between you and your VPN provider. If someone is spying on your local network and trying to see what websites you’re visiting, they will be able to see that you’re connected to a VPN, but not able to see what websites you are ultimately visiting. Your ISP can detect who your VPN provider is.

While using a VPN hides your traffic from your ISP, it also exposes all your traffic to the VPN provider itself. The VPN provider will be able to see, store, and modify your traffic. Using a VPN essentially shifts your trust from your ISP to the VPN, so it’s important to make sure you trust your VPN provider to protect your data.

For further advice on choosing a VPN that’s right for you, read SSD’s guide on VPNs.

End-to-End Encryption

The diagram shows end-to-end encryption. On the left, a smart phone sends a green, unencrypted message: “Hello.” That message is encrypted, and then passed along to a cellphone tower and company servers. At the end, the other smartphone receives the encrypted message, and decrypts it to read “Hello.” Unlike with transport-layer encryption, your ISP servers are not able to decrypt the message; Only the endpoints (the original devices sending and receiving encrypted messages) have the keys to decrypt the message.

End-to-end encryption protects messages in transit all the way from sender to receiver. It ensures that information is turned into a secret message by its original sender (the first “end”) and decoded only by its final recipient (the second “end”). No one, including the app you are using, can “listen in” and eavesdrop on your activity.

Accessing end-to-end encrypted messages in an app on your device actually means that the app company itself can’t read them. This is a core characteristic of good encryption: even the people who design and deploy it cannot themselves break it.

On Surveillance Self-Defense, we offer guides for using end-to-end encryption tools in our Communicating With Others guide.

Transport-Layer Encryption or End-to-End Encryption?

Important questions to ask to decide whether you need transport-layer encryption or end-to-end encryption are: Do you trust the app or service you are using? Do you trust its technical infrastructure? How about its policies to protect against law enforcement requests?

If you answer “no,” to any of these questions, then you need end-to-end encryption. If you answer “yes” to them, then a service that supports only transport-layer encryption may suffice for you—but it is generally better to go with services that support end-to-end encryption when possible.

We created the animation below to demonstrate how end-to-end and transport-layer encryption work for data in transit. On the left is an end-to-end encryption chat tool (a chat box using the Off-the-Record (“OTR”) instant messaging encrypted protocol). On the right, is a transport-layer encryption chat box (encrypted through the Google Hangouts’ website use of HTTPS).

In the GIF, the primary user types a message in the Google Hangouts chat box:

“Hi! This is not end-to-end encrypted. Google can see our conversation.”

This user also has an Off-the-Record (OTR) chat box open and enables the “private conversation” setting. On the OTR chat box, the descriptive text says:

“Attempting to start a private conversation with [gmail account]. Private conversation with [gmail account] has started. However, their identity has not been verified.”

Simultaneously, in the Google Hangouts chat box, gibberish ciphertext is being exchanged, showing that the users are now on the Off-the-Record (OTR) end-to-end encryption protocol. Every message passed through OTR chat box also appears in the Google Hangouts chat box, however, instead of being readable, it appears as gibberish. The other user types a message in the OTR client:

“It looks like gibberish to anyone else.”

The primary user writes:

“Yup, it looks like nonsense.”

The other user sends a smiley emoji.

What Encryption In Transit Does Not Do

Encryption is not a cure-all. Even if you are sending encrypted messages, the message will be decrypted by the person with whom you are communicating. If your endpoints (the devices that you are using for communication) are compromised, your encrypted communications can be compromised. Additionally, the person with whom you are communicating can take screenshots or keep records (logs) of your communication.

If you automatically store backups of encrypted conversations to “the cloud” (other computers), be mindful to check that your backups are also encrypted. This ensures that your conversations are not only encrypted in transit, but also at rest.

If you encrypt data in transit, it will protect the content of your communications, but will not encrypt metadata. For example, you can use encryption to scramble the messages between you and your friend into gibberish, but it does not hide:

• that you and your friend are communicating.
• that you are using encryption to communicate.
• other types of information about your communication, such as the location, times and length of communication.

People with heightened surveillance concerns (such as those worried about active monitoring of their networks) can put themselves at risk by only using encryption during sensitive times or for specific activities. Why? If you only use encryption sometimes, it could tie your metadata to important dates and times. Therefore, use encryption as much as possible, even for mundane activities.

Also, if you’re the only person using encryption on a network, this metadata may be seen as suspicious. This is why many encryption enthusiasts encourage everyone to use encrypted tools whenever they are able: to normalize the use of encryption for people who really need it.

Putting It All Together

Together, encrypting both data in transit and at rest will offer you more comprehensive security than using just one or the other. This is what information security experts call “defense in depth.” By utilizing multiple methods to defend your data, you can achieve a deeper level of protection.

For example, if you send unencrypted messages (not encrypting your data in transit) from an encrypted mobile device (encrypting your data at rest), those messages will still be vulnerable to network eavesdropping and interception from governments, service providers, or technically-skilled adversaries. The record of the messages on your mobile device, however, will be protected from someone with physical access to your mobile device if they don’t have the passcode.

Conversely, if you send end-to-end encrypted messages (encrypting your data in transit) on an unencrypted device (not encrypting your data at rest), those messages will be impermeable to snooping and eavesdropping on the network. If someone gets physical access to your mobile device, however, they will be able to access and read the messages.

With these examples in mind, encrypting your data both while it’s in transit on the network and while it’s at rest on your device is ideal for protecting yourself from a wider range of potential risks.

For a deeper dive on how to use encryption, please continue onto our guide Key Concepts in Encryption.