Surviving Technological Fascism
Happy New Year everyone! It’s time to be serious for a minute. If you’re a left leaning person, I think it’s safe to say the next 4 years are going to be something that isn’t fun to deal with. The first Trump administration had significant authoritarian tendencies, and the second will likely be even worse given the types of people he has nominated to run the DOJ and how they are attempting to weaponize the civilian agencies to crack down on protests / speech. If you are a left leaning person, and by that I mean someone who could be deemed a “radical” / antifascist, you should start thinking about your digital hygiene immediately before it’s too late.
There’s a lot of tools you can use that are alternatives to existing systems / needs. You do not have to use these tools. Privacy / security is a right, but I also believe it is a choice with compromises along the way. You do not have to make the same choices I have, and you should judge each recommendation on its own merit based on how easy it is for you to implement and the tradeoffs. Every recommendation in this post is a solution to a problem you might not even have. Some are solutions to problems I don’t have and do not use personally, but I am recommending them regardless for people who are not me. Additionally, I am predominantly someone in the Apple ecosystem of products, and some of these solutions are only going to apply to Apple stuff. I’ll try to at least cover the equivalent Android / Windows thing if I can, but you should look to the FOSS geeks if you’re on that side of the spectrum anyway.
Communication
If you do not want a third party to see your messages you need to stop using SMS / MMS. Your carrier has full, unencrypted, plain text access to every text message you send or receive. This means they can read them, and so can any government willing to put in the effort.
You should install Signal on your phone immediately. If you know why and agree, just stop reading and do that. For those who don’t know, here’s why. Signal is a FOSS (free and open source) end to end encrypted messaging application. The private keys that decrypt messages sent to you (and that secure audio / video calls) live only on your phone. It is more secure than a regular text message because the message cannot be read in transit, not even by an employee at Signal, since Signal’s servers only ever relay ciphertext; its key agreement (PQXDH) also includes a post quantum component, which is its answer to “harvest now, decrypt later” attacks. It is also more secure than iMessage because there is no cloud copy of your messages. The downside is that your messages do not perfectly sync between devices all the time, but that is the tradeoff. iMessage works this way too if you turn off the Messages in iCloud toggle, but because that is a manual action every recipient of a message would need to take, with no way for you to verify it on the other side, you must assume all iMessages are capable of being seized upon request. Additionally, for anonymous / pseudonymous communication, Signal finally has a username system, meaning you do not need to share your phone number with a contact to communicate with them. Even if you don’t need to use Signal regularly, you should download it on your phone so you can communicate with those who do. Assume everything else can be compromised.
You also might want to avoid installing the Signal desktop app on your computer or laptop if you’re a highly at risk individual. This is because classic desktop operating systems (Windows / macOS / Linux) use a far more permissive app model than phones. On mobile, apps are sandboxed and restricted from accessing data outside themselves, which is why nation states resort to costly zero day exploits there. On a desktop operating system you can be compromised far more cheaply, by spear phishing or ordinary malware, and a linked desktop keeps its own copy of your message history. Additionally, ensure you are only using the official Signal client. Do not use Beeper or anything else that combines your messages into one view, as that adds additional untrusted parties that see your plaintext. You already have one “end” you need to secure, and I’ll get into that later.
Next to SMS (traditional green bubble text messages), email is a fundamentally unencrypted service that can be easily compromised. While messages are usually encrypted in transit between mail servers, they sit unencrypted at rest in the inbox / outbox, where the provider (and anyone with a warrant or a foothold on its servers) can read them. If you are a journalist, aid organization, or someone who communicates with sources / contacts via email, you should consider paying for ProtonMail. It is the most trusted encrypted email / storage service: your mailbox is encrypted on their servers with keys only you hold, so they cannot read it, and mail between two Proton accounts (or to a contact whose PGP key you have) is end to end encrypted. The caveat is that mail arriving from an ordinary sender like Gmail is only encrypted once it lands, so the sender’s provider and Proton’s inbound servers still see it in transit. If a compromise of your inbox would affect you in this way, I highly recommend at least opening a new ProtonMail address. The downsides of ProtonMail are flexibility / access. You’re restricted to their clients for virtually everything, except on a computer, where you can install Proton Bridge, which lets you use the account from Outlook, Apple Mail, and other clients. However, Bridge decrypts your mail on that computer, so if your desktop / laptop is infected, so is your email; keep that in mind. I personally do not use ProtonMail for my regular email, but every journalist / aid organization should be using it for everything.
Do not self host your email. It can be tempting to try this if you have the knowledge, but I highly recommend against it for a few reasons. First, if your server is down or unreachable for long enough, sending servers stop retrying and the mail bounces, and you are the one on call for that. Second, mail you send will probably not get delivered: a fresh server on an unknown IP with no sender reputation gets marked as spam by everyone, even with SPF, DKIM, and DMARC set up correctly. Just trust me here and don’t do it unless these are not things you care about.
Cloud Storage
I use iCloud for my file storage, photo storage, message backups, and device backups. This is a personal decision and I am okay with the tradeoffs. I am doing this in part because iCloud offers a way to end to end encrypt almost your entire account, called Advanced Data Protection. This feature launched a few years ago and encrypts everything in your account besides iCloud Mail, Calendar, and Contacts (which still have to interoperate with standard email / calendar systems). It’s not turned on by default, and I highly recommend that everyone turn it on if you can. Two things to know first: every device signed into the account needs a recent enough OS, and because Apple can no longer recover the data for you, you must set up a recovery contact or print a recovery key and keep it somewhere safe, otherwise a forgotten password means lost data. If you aren’t in Apple land, Proton (creators of ProtonMail) has its own cloud storage, Proton Drive, that is fully e2e encrypted and that I recommend. Their premium plan also pools the storage for your Mail / Drive, just like iCloud / Google Drive.
If you don’t want to trust “the cloud” altogether, you should invest in your own NAS solution that has encryption options and a decent enough interface / app support. I personally use a Synology DS920+, which can act as my photo storage / personal drives if need be, can be easily accessed remotely, and syncs my phone’s photos with zero fuss. If you know what some of these words mean and data security somewhat concerns you but you don’t want to become a Linux administrator, I’d say it’s worth the investment. The big tradeoff of course is that you become responsible for your data here. You set the encryption passphrase / manage the keys, and the data lives on drives you manage, meaning that in the event of a drive failure (or a lost passphrase) you could lose that data. My friend Corbin has a great writeup detailing the downsides of running your own NAS which I recommend reading if this is a path you want to go down.
Alright, that’s it for regular people. If you’re just some guy who isn’t gonna be noticed on the street, this is all the info I can really provide you. The rest is for influencers / public figures, so read on if that’s you or if you’re interested anyways.
Social Media / One to Many Communication
If you are an influencer / communicator who is at risk of losing their audience due to the actions of gatekeeper social platforms, you should be investing your time and effort to drive your audience to alternative social networks, those being Bluesky and Mastodon. Today, however, I will be specifically talking about Mastodon, as it is the significantly more decentralized / federated of the two at this time (and possibly always). There are benefits / drawbacks to all social media, and while I have found Mastodon to not suit my personal needs very well (I am mostly on Bluesky), it can suit the needs of many journalists given the right preparations. Most journalists and influencers however are not using the platform properly, as they do not understand the full risk assessment / the possibility of losing their audience.
Mastodon is a decentralized network that lets you move your followers from one server / instance (the @ / domain part of the username) to another, but only if you are still in the good graces of your current server administrator, since the move is initiated from the old account. Any account that is banned or deleted by the server administrator loses everything and must start over. Additionally, your posts stay on the server you posted them to; a migration moves followers, not posts. Because of this, I recommend treating the network as ephemeral. Use the setting that auto deletes your posts. If you can, self host, or pay a service like masto.host to run an instance for yourself and your company. If you do not do this, ensure your server admin does not block Meta’s Threads, so you get maximum reach when they enable following across instances. Additionally, use apps like Croissant or Buffer to cross post to multiple networks, and ensure the alternatives are easily findable from your bio. Being on Twitter / X is still fine, however at this point it should not be your only text platform, due to risks to both your audience and your personal safety that should now be quite obvious.
If you make your social home predominantly on Mastodon or Bluesky and forgo cross posting / managing you should immediately enable Bridgy Fed for your accounts. This is a tool that allows you to “bridge” your Mastodon account to Bluesky or your Bluesky to Mastodon, so people on one platform can follow you and interact with you on the other. Ensure you have instructions on how to enable this in your bio so users can talk to you from the other side, and your profiles should show both the native username on the platform of choice, and the bridged username on the other side. Here are some examples given my current usernames.
My Bluesky is @evan.exposed
My Bluesky can be followed on Mastodon via @evan.exposed@bsky.brid.gy
My Mastodon is @evanhirsh@hachyderm.io
My Mastodon can be followed on Bluesky via @evanhirsh.hachyderm.io.ap.brid.gy
It’s not the most elegant thing in the world, which is why I recommend doing this only if you are resistant to managing multiple networks at the same time and sticking with one. If you stop posting on one of these networks, ensure that you have the bridge turned on and that you tell your audience where to find you.
Outside of social media you should be using your own website or a newsletter list to publish long form information, regardless of the CMS used. As long as your audience reaches you through something you control (a domain name you own, or a list of their email addresses), the service behind it can be swapped out at any point without losing them. I personally use micro.blog to handle all this for me, but there are many other options I recommend at this time such as Ghost, depending on the size of your operation. Ultimately though, as an influencer you should be using the following line of thought: if every single for profit / free network you utilize were to vanish tomorrow (say, government pressure making Elon ban your Twitter account), you still have a primary line of communication with your audience, even if the reach is somewhat diminished. If you want to go a step further and self host your email newsletter, you should read what Molly White wrote about that.
If you’re a regular person reading on, congrats! You are interested enough in this to where I can guilt trip you into making accounts on these platforms and following the creators you like there just in case. If you’re interested in Mastodon and want to know what server to pick, just do mastodon.social and ignore literally anyone telling you not to. Freedom technology, baby.
Operating Systems / Devices
To put it frankly, you are either a target of a nation state or you aren’t. If you are, you know you are, and if you aren’t, what you’re using is probably okay with one important stipulation that I’ll get to later. For now, great job! Assuming you followed all the above recommendations to the letter, you have encrypted your email and your messages end to end. Because of this, governments are now going to target the “end” where they’re decrypted, which is to say your phone, by compromising the operating system of your devices using zero day exploits. These are vulnerabilities in operating systems that are kept secret from the companies developing them, because otherwise they’d be fixed. Governments pay insane sums of money for exploits from security contractors, or invest a lot so their agencies can find them first. Not to freak you out, but this is allegedly how the Saudi government surveilled Jamal Khashoggi’s contacts in the run up to his murder.
Onto the journalists / targets: there are a few recommendations depending on the level of paranoia. First, if you have an iPhone / iPad / Mac, you can turn on Lockdown Mode in Privacy & Security. This turns off many features that make your devices usable to most people (link previews, just in time JavaScript in the browser, most message attachment types, 2G cellular connections), but it raises the cost of zero click exploits like Pegasus considerably. Again I want to stress, if you are not a target of nation states (journalists, dissidents, people with ties to a hostile foreign government), you do NOT NEED THIS. I do not personally have this turned on. If your phone does not have this option you need a new phone.
If you are on Mac, you should have at least a way to scan for malware periodically, because despite what you may have been told, it does exist on macOS. I use CleanMyMac, but options such as Microsoft Defender work too. Avoid downloading apps from the web if you can and use the App Store or a package manager such as Homebrew. Never ever disable System Integrity Protection for any reason. Make sure FileVault is on, and ensure your login password is decently long and different from every other password you have, because with FileVault on it is what unlocks the encryption key for your entire disk. Avoid third party browsers with small market shares (Arc, Brave, etc).
If you are on Windows (disclaimer: it’s made by my employer, and my views do not represent theirs), you should ensure that Defender is enabled with every single option in the settings turned on. You should have Secure Boot enabled so the boot chain can’t be tampered with by someone with physical access. You should have a modern device with a TPM, and shut off almost all possible telemetry. You should be actively installing security updates. Additionally I recommend prioritizing web apps over desktop apps if you can for messaging platforms such as Discord, given their reduced permissions / better sandboxing from the OS. You should have BitLocker turned on for all your drives, with the recovery key stored somewhere safe that is not the drive itself.
If you are on Android, your phone should be getting updates. If it’s not, you are fucked and you need to buy a new phone. If you want to be ultra paranoid and protect against notification data leakage on any OS, I recommend getting a phone you can install LineageOS onto, with microG to replace Google Play Services. I don’t want to get too much into why, but according to my very knowledgeable security / Android friends it’s a path that removes the middleman that can intercept unencrypted push notification data, which can be a problem. Two caveats: microG still implements Google’s push service and talks to Google’s servers for it, so it is not a complete escape from that middleman on its own (apps that keep their own connection open, or that support an alternative push system, are what actually remove it), and you should only relock your bootloader if your device and build support booting a relocked custom OS, since relocking with an OS the bootloader doesn’t trust can leave the phone unbootable. If you want a burner phone, I’ll get more into that later.
If you are in a position where you do not want to trust any closed source software, you should be looking into using an encrypted Linux installation on your desktop or laptop computer. There are many distributions that can suit your needs and UX preferences, so I will list off a bunch of recommendations based on trustworthiness of the maintainer. If you are coming from Windows and prefer the old Windows UX, I recommend a KDE desktop such as Kubuntu or KDE Neon. If you want the Honda Civic of Linux, download Ubuntu. If you want a Linux that is free of any corporate entity, try Debian, which is run by a community project. If you still wish to play games with the least amount of effort and are hardening a gaming PC, try Bazzite. If you have heard of all these words and phrases, you don’t need to be reading this at all and can use whatever you want. If you are in a place where your physical device might be compromised, I recommend encrypting your Linux install with a passphrase that you must enter upon boot, so your data can’t be read if someone steals your hard drive. Also for physical security I recommend keeping Secure Boot enabled and using a distribution that supports it, such as Ubuntu, Debian, Fedora, RHEL, or Elementary OS, as this prevents third parties from tampering with the OS. Know the limits of both: disk encryption protects data while the machine is off or not yet unlocked, not while you’re logged in, and Secure Boot only covers the boot chain (bootloader and kernel), not what runs after login.
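The checks above (SIP and FileVault on a Mac, Secure Boot and BitLocker on Windows, Secure Boot and an encrypted root on Linux) are all answerable from a terminal. The script below is an added example, not something from the original post or from any of these projects: it shells out to the standard tools on whichever OS it is running on (csrutil and fdesetup on macOS, mokutil, findmnt and lsblk on Linux, powershell with Confirm-SecureBootUEFI and manage-bde on Windows) and parses their output. The parse_* functions are pure, so they can be exercised offline on constructed output; the check names and the "OK / CHECK / unknown" labels are my own.

```python
"""Added example: a small posture check for the boot / disk protections
recommended above. The parse_* functions take the tools' text output and are
pure; check() runs the tools for the current OS. Tools assumed present:
csrutil/fdesetup (macOS), mokutil/findmnt/lsblk (Linux),
powershell/manage-bde (Windows). A missing tool reports as unknown (None).
"""
import platform
import shutil
import subprocess
from typing import Optional


def _run(cmd: list[str]) -> Optional[str]:
    """Run a command and return its combined output, or None if unavailable."""
    if shutil.which(cmd[0]) is None:
        return None
    try:
        proc = subprocess.run(cmd, capture_output=True, text=True, timeout=20)
    except (OSError, subprocess.TimeoutExpired):
        return None
    return proc.stdout + proc.stderr


def parse_sip(text: str) -> Optional[bool]:
    """`csrutil status` -> 'System Integrity Protection status: enabled.'"""
    t = text.lower()
    if "status: enabled" in t:
        return True
    if "status: disabled" in t:
        return False
    return None


def parse_filevault(text: str) -> Optional[bool]:
    """`fdesetup status` -> 'FileVault is On.' / 'FileVault is Off.'"""
    t = text.lower()
    if "filevault is on" in t:
        return True
    if "filevault is off" in t:
        return False
    return None


def parse_mokutil(text: str) -> Optional[bool]:
    """`mokutil --sb-state` -> 'SecureBoot enabled' / 'SecureBoot disabled'."""
    t = text.lower()
    if "secureboot enabled" in t:
        return True
    if "secureboot disabled" in t:
        return False
    return None  # e.g. "This system doesn't support Secure Boot"


def parse_lsblk_types(text: str) -> bool:
    """`lsblk -nso TYPE <root-device>` prints the device and every ancestor,
    one TYPE per line; a 'crypt' entry means root sits on dm-crypt (LUKS)."""
    return any(line.strip() == "crypt" for line in text.splitlines())


def parse_secureboot_ps(text: str) -> Optional[bool]:
    """`Confirm-SecureBootUEFI` prints True/False (errors on legacy BIOS)."""
    t = text.strip().lower()
    if t == "true":
        return True
    if t == "false":
        return False
    return None


def parse_bitlocker(text: str) -> Optional[bool]:
    """`manage-bde -status C:` includes 'Protection Status: Protection On'."""
    t = text.lower()
    if "protection on" in t:
        return True
    if "protection off" in t:
        return False
    return None


def check() -> dict[str, Optional[bool]]:
    """Return {check name: True (ok) / False (fix this) / None (unknown)}."""
    results: dict[str, Optional[bool]] = {}
    system = platform.system()
    if system == "Darwin":
        out = _run(["csrutil", "status"])
        results["sip"] = parse_sip(out) if out else None
        out = _run(["fdesetup", "status"])
        results["filevault"] = parse_filevault(out) if out else None
    elif system == "Linux":
        out = _run(["mokutil", "--sb-state"])
        results["secure_boot"] = parse_mokutil(out) if out else None
        # findmnt prints e.g. /dev/mapper/root or /dev/sda2[/@] (btrfs subvol).
        root = (_run(["findmnt", "-no", "SOURCE", "/"]) or "").strip().split("[")[0]
        types = _run(["lsblk", "-nso", "TYPE", root]) if root else None
        results["root_encrypted"] = parse_lsblk_types(types) if types else None
    elif system == "Windows":
        out = _run(["powershell", "-NoProfile", "-Command", "Confirm-SecureBootUEFI"])
        results["secure_boot"] = parse_secureboot_ps(out) if out else None
        out = _run(["manage-bde", "-status", "C:"])
        results["bitlocker_c"] = parse_bitlocker(out) if out else None
    return results


if __name__ == "__main__":
    for name, state in check().items():
        label = "OK" if state else ("CHECK" if state is False else "unknown")
        print(f"{name:15} {label}")
```

Run it as a normal user; anything reported as CHECK is one of the settings from the paragraphs above that is off, and unknown means the tool was missing or the platform doesn't support that feature (legacy BIOS, for example).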
Additionally, try to use the built in app stores to download your apps. They’re generally more sandboxed, and less susceptible to supply chain attacks due to their respective review processes. Do not use them as discovery tools though; random spam apps in the store can compromise your security on any device. Download the official, trusted app for a service (the official ChatGPT app rather than a random “AI Chat” application), as the latter can leak data.
Preventing Tracking
There is a multi trillion dollar economy devoted to figuring out who you are, both literally and metaphorically, so that they can sell advertisements to you. They do this by implementing tracking / fingerprinting systems that can follow you across the pages you view on the web, across the apps on your phone, and even across devices and platforms. If you are curious as to how this works, I highly recommend going into the privacy settings of your phone and turning on the App Privacy Report on the iPhone, or the Privacy Dashboard on Android. What you will find there may be startling.
As an example, The Verge, a website I love, sends information on the pages I visit to Google, Facebook, Amazon, TikTok, and Twitter / X. Every site you visit also learns how you got there, via the Referer header your browser sends; historically that was the full URL of the previous page, search terms and all. Browsers now default to sending only the origin (just “https://www.google.com/”) on cross site navigations, and the big search engines stopped putting your query in it years ago, but any site that opts into a looser referrer policy still hands the full URL over, and the search engine itself of course still has your query. This is all information they collect. Even while logged out they are capable of fingerprinting you based on other signals such as the type of device you use, the size of the screen, the operating system version, and other bits of information your browser volunteers.
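To make the Referer point concrete, here is an added example (mine, not from the original post or any browser’s code) that computes what the header would contain under each Referrer-Policy value, following the policy semantics from the W3C Referrer Policy spec: credentials and the fragment are always dropped, default ports are omitted, and the "origin only" forms serialize as scheme://host/. The sample search and article URLs are constructed on reserved .example domains; nothing is fetched.

```python
"""Added example: what the Referer header leaks under each Referrer-Policy.
Implements the spec's per-policy rules; no network access. The default
policy (strict-origin-when-cross-origin) is what browsers apply to pages that
set no policy at all.
"""
from typing import Optional
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def _origin(url: str) -> str:
    """scheme://host[:port]/ with userinfo and default ports removed."""
    u = urlsplit(url)
    host = u.hostname or ""
    if u.port is not None and DEFAULT_PORTS.get(u.scheme) != u.port:
        host = f"{host}:{u.port}"
    return f"{u.scheme}://{host}/"


def _stripped(url: str) -> str:
    """Full referrer: origin + path + query, with fragment and userinfo gone."""
    u = urlsplit(url)
    query = f"?{u.query}" if u.query else ""
    return _origin(url).rstrip("/") + (u.path or "/") + query


def _same_origin(a: str, b: str) -> bool:
    return _origin(a) == _origin(b)


def _downgrade(referrer: str, target: str) -> bool:
    """A TLS-protected page navigating to a non-TLS URL."""
    return urlsplit(referrer).scheme == "https" and urlsplit(target).scheme != "https"


def referer_for(referrer: str, target: str,
                policy: str = "strict-origin-when-cross-origin") -> Optional[str]:
    """Referer value the browser sends from `referrer` to `target`, or None."""
    full, origin = _stripped(referrer), _origin(referrer)
    same, down = _same_origin(referrer, target), _downgrade(referrer, target)
    if policy == "no-referrer":
        return None
    if policy == "unsafe-url":
        return full
    if policy == "no-referrer-when-downgrade":
        return None if down else full
    if policy == "origin":
        return origin
    if policy == "same-origin":
        return full if same else None
    if policy == "strict-origin":
        return None if down else origin
    if policy == "origin-when-cross-origin":
        return full if same else origin
    if policy == "strict-origin-when-cross-origin":
        if same:
            return full
        return None if down else origin
    raise ValueError(f"unknown policy: {policy}")


def leaks_query(referrer: str, target: str,
                policy: str = "strict-origin-when-cross-origin") -> bool:
    """True if the query string (e.g. search terms) reaches the target site."""
    query = urlsplit(referrer).query
    sent = referer_for(referrer, target, policy)
    return bool(query) and sent is not None and query in sent


if __name__ == "__main__":
    # Constructed sample: leaving a search results page for a news article.
    search = "https://search.example/search?q=abortion+pill+seattle"
    article = "https://news.example/story"
    for policy in ("unsafe-url", "no-referrer-when-downgrade",
                   "strict-origin-when-cross-origin", "origin", "no-referrer"):
        print(f"{policy:32} -> {referer_for(search, article, policy)}")
```

Note what this shows: the leak of search terms depends on the policy of the page you are leaving, not the page you arrive at, which is why a search engine sending `origin` stops it regardless of what the destination site does.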
This is how the information economy fundamentally works. It is how Instagram and TikTok know what to show you when you open their apps even if you ignore every cat video you find. So why do they do this, and what’s sending it to them?
It’s the fucking ads
It may sound like a no brainer, but every single platform that The Verge sent data to runs ads / sells you things as its primary business model. The Verge, like many websites, uses ads to generate revenue, and every ad network’s job is to target you as a user harder than the others. They do this by building up profiles on who you are so they can sell to you independently of these websites. I go to Google and place an ad targeting 25-32 year old software engineers in Seattle interested in retro gaming, and regardless of the website I visit it has the chance of being visible to me. It is rare that an advertiser directly advertises on a website; they always go through these networks, and these networks are what track you. There are many conspiracy theories that Instagram listens to your microphone, but the truth is unfortunately Occam’s razor applies here. This is how it actually works, and it’s such an industry standard that they teach you how it’s done in any undergraduate program worth its salt. They taught me in mine.
So what do you do? Unfortunately, you block the ads, and all other forms of invisible trackers that lurk alongside them. This data can be requested by organizations as well just like everything else. This effectively gives someone access to your browsing history, just with a few extra steps. There’s a lot here, and I am tired of writing paragraphs at this point, so I am making a Jenny Nicholson style numbered list.
1. Telemetry
- Download an ad blocker in your browser, and in the browsers of the people you care about. This is very easy and you can do it now. At the time of writing, uBlock Origin is still a fine option on Firefox and Edge; Chrome (and over time other Chromium based browsers) is phasing out the extension model it relies on (Manifest V2), so there you may be pushed to uBlock Origin Lite, which is less capable. For Safari, I personally use 1Blocker. Unfortunately this only blocks ads in a browser and not trackers in apps or smart devices (such as your TV). So your next step if you want that is…
- Switch to a DNS blocker such as NextDNS (or Pi-hole if you have a Raspberry Pi and want to deal with that). This lets you set blocklists that refuse to resolve tracker domains for every device on your network when configured at the router, and it encrypts your DNS queries (DNS over HTTPS / TLS) when configured on the device. The cost is 30 dollars a year, but you can create multiple profiles to use with your family. For my parents, I use it to help block scam websites that they may fall victim to. I recommend NextDNS over Pi-hole because it has an excellent mobile app that keeps working outside your home network.
2. Location
- You should set the location permission to “While Using” or “Never” rather than “Always” for every app on your phone. Your government and even your local police precinct can determine your location without this data, but your movements / patterns can also be sold to foreign powers if apps are constantly sharing them with private companies. Additionally, the government would have to go through a warrant process to get your location data from cell carriers, which they sidestep by buying it from data brokers.
- After you do that, you should be using a VPN such as Mullvad (or Proton VPN) to mask your real location, since your general location (roughly the city) can be worked out from the IP address that apps’ background requests come from. Perhaps use an exit node in another country. Mullvad also has built in DNS blocking options, eliminating the need for multiple apps.
3. Identity
- If you are pseudonymous or do not want to compromise your personal life in the event of a zero day attack, you should try a burner phone or laptop (an iPhone SE or a Pixel A series are good choices). You can grab a cheap eSIM for the burner and tether your existing phone to it, or put a regular SIM in the burner. Make sure you can remotely wipe it, somehow. Make sure the burner is not old as dirt and the OS is reasonably modern, so it’s not as easily cracked by physical attacks. For maximum security on that burner, ensure it is not tied to any Apple / Google account you own.
- Ensure you have long unlock passcodes on your devices. On iPhone and Android the device passcode can be used to reset the password of the Apple / Google account signed into it, so it is effectively a key to your accounts: someone who shoulder surfs your PIN and then grabs the phone can take over the account that way even if your password and 2FA are strong (on iOS, also turn on Stolen Device Protection, which adds a delay to exactly those actions). Make the passcode long as hell, perhaps a sentence you’ve memorized. If you or ChatGPT can write a Python script that brute forces it in a minute or two, it’s too easy.
- Buy a YubiKey (two, ideally, and enroll both, so losing one isn’t a lockout) and use it for every account you can’t afford to lose. Remove all other forms of 2FA. Print out the recovery codes and store them in your house.
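The DNS blocker item above is worth seeing as logic rather than as a product. The block below is an added example, written by me and not taken from NextDNS, Pi-hole or the original post: it applies a domain blocklist the way a blocking resolver does (a name is blocked if it or any parent domain is listed, an allowlist overrides), and it walks the CNAME chain so a first-party subdomain that merely aliases a tracker (CNAME cloaking) is still caught. The blocklist, allowlist, CNAME table and query log are all constructed for the demo on reserved .example names. It also shows the limit of the technique: a tracking pixel served from the site’s own domain never produces a distinct DNS query, so only the browser ad blocker can stop it.

```python
"""Added example: the matching logic a DNS blocker applies to each query.
All names below are constructed (.example is reserved); nothing is resolved
over the network.
"""
from typing import Iterator, Optional

# Blocklist entries are domains; a query for the name or any subdomain is blocked.
BLOCKLIST = frozenset({
    "analytics-provider.example",
    "adnetwork.example",
    "pixel.social.example",  # only this subtree of social.example is blocked
})
# Allowlist wins over blocklist (e.g. to keep a login flow working).
ALLOWLIST = frozenset({"sso.adnetwork.example"})
# CNAME records the resolver would see, name -> canonical name.
CNAMES = {
    "stats.news.example": "news-example.cust.analytics-provider.example",
    "www.news.example": "news-example.cdn-host.example",
}


def normalize(name: str) -> str:
    """DNS names are case-insensitive; drop the trailing root dot too."""
    return name.strip().rstrip(".").lower()


def parents(name: str) -> Iterator[str]:
    """Yield the name and each parent suffix: a.b.c -> a.b.c, b.c, c."""
    labels = normalize(name).split(".")
    for i in range(len(labels)):
        yield ".".join(labels[i:])


def matches(name: str, domains: frozenset) -> Optional[str]:
    """Return the list entry that covers `name`, or None."""
    for candidate in parents(name):
        if candidate in domains:
            return candidate
    return None


def cname_chain(name: str, cnames: dict, limit: int = 8) -> list:
    """Follow CNAMEs from `name` like a resolver does, bounded against loops."""
    chain = [normalize(name)]
    while chain[-1] in cnames and len(chain) <= limit:
        chain.append(normalize(cnames[chain[-1]]))
    return chain


def decide(name: str, blocklist=BLOCKLIST, allowlist=ALLOWLIST, cnames=CNAMES):
    """Return ('block' | 'allow', reason). Every hop of the CNAME chain is
    checked, which is what defeats CNAME-cloaked trackers."""
    for hop in cname_chain(name, cnames):
        hit = matches(hop, allowlist)
        if hit:
            return "allow", f"{hop} allowlisted by {hit}"
        hit = matches(hop, blocklist)
        if hit:
            return "block", f"{hop} matched {hit}"
    return "allow", "no match"


if __name__ == "__main__":
    # Constructed query log from one page load of news.example.
    queries = ["www.news.example", "stats.news.example", "cdn.adnetwork.example",
               "sso.adnetwork.example", "pixel.social.example", "www.social.example"]
    for q in queries:
        verdict, reason = decide(q)
        print(f"{q:26} {verdict:5} ({reason})")
    # A pixel at https://www.news.example/t.gif reuses the allowed first-party
    # name, so a DNS blocker never sees it; that is the browser blocker's job.
```

The suffix walk is why one blocklist entry like `adnetwork.example` covers every subdomain the network spins up, and the chain check is why the first-party-looking `stats.news.example` is still blocked.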
So why do all this? In the same way I often state my pronouns as a cis man in solidarity with my friends who aren’t, I attempt to use privacy preserving technology in solidarity with those who don’t have the choice. By encrypting as much data as I can, I am helping prevent the leakage of data and making it harder for bad actors to compromise the data / messages of my friends. In many respects it’s less about my messages than it is about the messages of friends who, say, need to travel across state lines to get contraceptives. Even if you don’t have a reason to specifically need these tools or services, there’s a case to adopt as many as seem reasonable just in case. The more data that is encrypted and protected, the better. Do not be the weakest link in the chain that lets bad actors go after your friends.
Personally, while I care and am invested in who the president is, this is a problem regardless of a second Trump term. Most of the methodology for digital surveillance was built under the Obama administration, and it is at risk of being weaponized by any administration capable of bending the law for its own benefit to hurt its enemies. Given how frequently my views and the views of my friends have been deemed by the incoming president “a threat to national security”, though, I will take every precaution that I can to ensure they have nothing against me. If you feel the same way, I hope you do too.
If you have any correction to make or additional suggestions please feel free to post them below, and I may edit this post to add them.