By Glenn Todd
The Digital Security Guide for Everyone by Glenn Todd from Action Skills is designed for beginners and non-technical people with the aim of increasing security across our whole community. The content is based on research, working with security experts and on the ground experience working with community activists and people who believe government and corporations do not have the right to spy on people by default.
Please Note: Security is always changing so do some extra research yourself about recommended tools. The safety of tools can change suddenly if we learn of new exploits or risks with tools. Sometimes great tools get sold to dodgy corporations. Please use these recommendations in context with some healthy cynicism and common sense.
Ten quick and easy things to radically improve your digital privacy and security
If this guide feels like too much, start with these 10 things.
Webinar discussing this content and tools
2 hour discussion on the content of this guide.
Why Secure myself? – I am not doing anything worth spying on
Many people believe that they are not worth spying on. There are many reasons to protect yourself and your community including:
- you don’t want to be spied on or tracked
- you support the concept of freedom and the right to protest
- you are a radical activist who may be targeted
- you deal with information that can affect your or other people’s safety
- to respect your privacy, privacy of others or comply with privacy law
- protect yourself from identity theft (to steal from you, commit fraud in your name or to run a public smear campaign)
- to protect the people you work with
- to protect yourself from future laws (that could be applied with today’s data)
- to reduce the effect your work has on future jobs, opportunities or health insurance.
- if you disagree with the Orwellian state surveillance system
- to build Herd Immunity – Your part in protecting everyone
Advances in technology and dodgy laws mean the government can spy, and is spying, on everyone: from automated data retention of all your internet and phone data to building large scale police hacking teams. Big brother is watching you.
Orwell predicted the state would install a camera in every house. Today we carry our (phone/laptop/tv) cameras everywhere we go including into our homes. We spy on ourselves and each other, recording, locating, uploading, mapping relationships and even tagging people for facial recognition on Facebook.
The Big Data Robbery Documentary
In 2018, Professor Shoshana Zuboff published The Age of Surveillance Capitalism, a monumental book about the new global economy, where the biggest technology corporations extract, manipulate, and trade our personal information, data about our lives, and data about our personalities, on a scale never before possible. How did this happen? In The Big Data Robbery, Zuboff starts with the volatile dot-com boom and bust of the late 1990s and 2000s. How did Google, a company created during that time, survive the bursting of the Internet bubble? Founders Larry Page and Sergey Brin discover that the “residual data” that people leave behind in their searches on the Internet is very precious and tradable, and begin as one corporation of many, the Big Data Robbery, extracting and building huge datasets about people. Zuboff takes the lid off Google and Facebook to reveal a merciless form of capitalism in which the citizen itself now serves as a raw material.
Why Bother, they can access all my data anyway?
Sort of yes and mostly no.
The 5 eyes system dragnets all communications on the internet, in addition to relationships with tech companies to access data via the PRISM program.
This is done by the top level of state spy agencies. These agencies are not linked to what we know as law enforcement. For example, they are not using this infrastructure for what we expect law enforcement to be doing, such as child sex protection. When have you ever heard of a child exploitation case being assisted by the 5-eyes system?
So private spies and federal and local police do not have all your data.
- The 5 eyes program is illegal and the state turns a blind eye. So the people in control of 5-eyes do not want to share their resources and power, for fear of losing it.
- Additionally there are turf wars, politics and mistrust within the system. Christopher John Boyce testified in court that his motivation for espionage was how the US was treating Australia by not sharing data.
- Encryption works against the 5-eyes. We know this, as well as other info, thanks to Edward Snowden and the FBI vs Apple case.
- For more info on 5-eyes, check out felicityruby.com
Set up by the CIA, In-Q-Tel is a venture capital firm based in Arlington, Virginia. It invests in high-tech companies for the sole purpose of keeping the Central Intelligence Agency, and other intelligence agencies, equipped with the latest in information technology in support of United States intelligence capability. Source.
They have an Australian office.
Aus Data retention Laws
Under the scheme, telecommunications companies such as Telstra, Optus, or NBN Co are required to retain information such as time of call, location data, and other so-called metadata for two years for law enforcement to access without a warrant for investigating a range of criminal activity or for missing person cases. source
This is easily overcome with a VPN and not using traditional telecommunications such as SMS and phone.
New anti-encryption laws
Under Australia’s legislation, police can force companies to create a technical function that would give them access to encrypted messages without the user’s knowledge. Law offers a safeguard which says decryptions won’t go ahead if they create a “systemic weakness”. source
- This is mathematically impossible. Encryption is either secure or not. These laws were created by a PM who said “Laws of mathematics don’t apply here” source
- These laws are a game of power – The tech industry vs the state. The tech industry is powerful so this will not be easy to enforce politically or economically.
- My opinion is that they will target device operating systems through targeted OS updates. This was done at the Standing Rock protests, as well as other dodgy stuff. This approach will not work in a mass surveillance context.
- We are waiting for leaks to see how the government is attempting to implement these laws.
Who are we protecting from?
Security has many levels and protects you from different levels of spies. It is important to understand that the people more likely to target you are probably the least sophisticated. This means any improvement to your security will go a long way.
ASIO, NSA and elite spies
The only way to protect yourself completely is to learn the skills and also become an elite spy yourself.
The Snowden leaks show that the top level hackers cannot break some forms of encryption, so you can still protect yourself from elite spies by learning and implementing encrypted communications and tools.
ASIO was originally created by the CIA and has a history of spying on students and activists. ASIO budgets have increased substantially in recent years while the cost of surveillance has gone down.
They don’t have the same access to super computers and the most elite hackers but they have become good at catching online paedophiles. While this is great, it also means the Federal Police have good skills in targeting whoever they are ordered to hack.
Many environmental and social campaigns involve national infrastructure or other things that come under the federal jurisdiction. Federal police sometimes support state police operations.
Australia puts $230m towards fighting cybercrime, including 50 extra police
The various state police departments have various degrees of digital capacity. The funding and resources aimed at digital crime is increasing.
NSW police for example spent more than $2m on powerful spy programs in 2015. (revealed by Wikileaks)
The software – known as FinSpy – allows widespread access to computer records, including extracting files from hard drives, grabbing images of computer screens, full Skype monitoring, logging keystrokes and monitoring email and chat communications.
Police have the technology to pretend to be a specific phone tower. This allows them to place this in the vicinity of a blockade or protest and route all the phone calls and data via their system. This then allows them realtime targeted spying on that data. See more info on EFF
There are a number of companies that sell spying services and tools to companies, such as mining companies. The Leard blockade campaign uncovered two undercover spies in their camp and suspected more. Digital spying is cheaper and safer than sending in actual people to spy. It is possible that information gathered is handed to the police.
The vast majority of hacking is done by bots that are not specifically targeting you and do not care about your campaign. Their intent is to install malware and/or use your systems to spam or hack others, or to run search engine scams and other non-targeted scams.
Your data is being collected and sold. There are many trackers as well as platforms like Facebook that make money off abusing your privacy. They generally sell this information to advertisers but will sell to anyone for the right price. These companies also sell data to police and spy agencies.
In many cases the intelligence community owns investments in these companies, such as Facebook. One of the ways they invest is via investment companies they own, such as In-Q-Tel.
Herd Immunity – My part in protecting everyone
If only a few people are protecting themselves they become targets, as it is assumed they have something worth spying on. When you and others start protecting yourselves, it gets very difficult and expensive to spy on everyone.
Don’t let Paranoia stop you organising
Although they come with risks, digital tools allow us to leverage our actions and communications in unprecedented ways. If we stop using these tools due to security, we have lost before we have even started. Use the tools wisely. Some risks are involved but missing the big opportunities is a far bigger risk.
Convenience VS Security
Some security technologies can be less than convenient, such as typing long passcodes into your phone and surfing with slower internet speeds via Tor. It is up to you how much you balance security and convenience. Many security approaches and technologies do not impact on convenience, so apply as many security lessons as you practically can.
Be geek street-smart – Security is not perfect
High end security is very complex and can make using your technology less convenient. The aim of this guide is to implement good security and not perfect security. Security improvement is an ongoing process. Unless you understand the technologies at a technical level, always assume your system is compromised and use your technology wisely. You may have perfect encrypted messaging but your system may have malware that is recording your keystrokes.
Do not communicate naughty stuff, research naughty stuff or do very naughty stuff using the internet or digital devices unless you are prepared to do the work of learning the technology in detail. This means understanding the security technology, applying it diligently and staying updated to ensure the systems haven’t been recently cracked. Condoms have a small failure rate and can get complex if you are drunk. On the other hand, they substantially increase the protection of your sexual health. So although not perfect, if you are participating in risky sexual activity, it is really smart to use them. In the same way with digital security, we want to be smart and increase our safety. The level of protection will be up to you and your commitment.
Digital literacy – learn your technology
Computers have given us powerful tools that also need maintenance and management. Learning the basics of how your computers and phones work will make you far more savvy in understanding digital security.
Encryption works – What is encryption?
Encryption involves using advanced mathematics to scramble your data, making it impossible to access without your key (password). The Snowden leaks have proven that encryption works and we can protect ourselves from spying. I will not explore the technical aspects of cryptology here.
The basics you need to know are:
- Encryption is a digital, mathematical lock
- You can encrypt computers, phones, hard drives, folders and your communications. More information
- Smart geeky people create systems that make the complex mathematics easy for us to use
- Smart geeky people audit these tools and systems and can advise us the most secure ones to use
- The Snowden leaks show that strong encryption cannot be cracked (currently)
- If your encryption is flawed, it will still increase the time and resources needed to spy on you (the current situation is that spying on you is very easy and low cost)
- Even if you have the best encryption systems, you may have a virus that records your keyboard strokes, so still be Geeky Street Smart
Encrypt all devices, drives and sensitive folders
Encrypting is usually a simple matter of turning encryption on via your device’s settings. By enabling encryption you make hacking your device either impossible or very difficult and resource intensive. “Standard” password protection is usually simple for a hacker to bypass. Encrypt all devices that you use (own), including phones, tablets, laptops and external hard drives, in case they get lost, stolen or targeted.
WARNING: make sure you have backed up your device before encrypting it.
In addition to encrypting devices, also store your sensitive documents in an encrypted folder. This gives an additional level of security and allows you to store the encrypted folder on a thumb-drive and on cloud storage such as Google Drive and Dropbox.
Your data can be lost in many ways: Fire, theft, failure, arrest, loss etc. You can also lose data if you apply some security measures incorrectly. Make sure you have adequate backups before you start securing and encrypting.
- OnionShare operates over the Tor network, which conceals the metadata related to the file share
External Drive Backups
Large external hard drives are getting cheap so you can pick up 2 x 1 terabyte drives for less than $150. I recommend using at least 2 drives, although 3 is better. Ensure one drive is stored at a different physical location from your computer and the other drive. If you keep them all together they are at the same risk. So if someone steals your computer and all your drives, you will lose all your backups at once and all your data. Keep one backup “offsite” at a trusted location that you visit regularly. Swap the drives when you visit so they are both regularly backed up. This can be a great reason to visit your mum for a cuppa.
Make sure all your drives are encrypted. You may need to delete the data from a drive before you encrypt it, so encrypt the hard drive as the first step when using your external drives.
Cloud is a fancy word for internet storage. Dropbox and Google Drive are examples, however these can be accessed by law enforcement. These services can be useful, especially if you are working on small files. You can use encrypted services (above) or encrypt your files on your computer before uploading them to cloud storage.
- easy, realtime backups
- access backups from different computers
- share backups and documents
- requires internet so can be painful for large files
- very insecure if you are not encrypting
Learn the easy way
My mate had 4 hard drives in his PC that gave him 4 backups onsite. His roof leaked and all drives failed. The only family photos he has of his children growing up were a few his mates could email to him. I nagged another friend with this story and she backed up her photos. When her systems failed she lost everything except her photos. Although originally thinking I was an annoying nagger, she bought me a beer with a big smile.
Update your software regularly – apply updates
There is a constant loop happening: Hackers find exploits in software and the software people patch them up. Make sure you apply the latest versions to all your software including operating systems, apps and websites to ensure you have the latest secure versions. Unpatched software is a very common way to be hacked.
Lock your computer and phones. Review security settings
Turn on auto-screen lock features using passwords and 2FA. Facial recognition lock can be unlocked by cops using your face (same with fingerprint). Review and configure security settings. Review and configure app settings (eg turn off location unless the app explicitly needs location). Most apps have too many permissions on by default.
Phones have become very complex and usually ship with dodgy settings out of the box, so the first and most important rule about modern smart phones is DON’T TRUST THEM. Make sure you are geek street smart.
Here are some ways to improve your phone security:
- Learn your technology
- Turn on encryption (of phone and any datacards)
- Use a strong passcode
- Install an encrypted messenger such as Signal
- Manage your location settings
- Remove all the apps you do not actively use.
- Choose a phone that has regular software updates and update it
- Do not install FaceBook messenger and other apps that have been proven to upload personal data to their company’s servers. (You can read FB messages via the browser using mbasic.facebook.com)
- Do not use voice control as the voice is uploaded to the company’s private servers to process
- Turn off permissions for your Apps that are not needed. If your mobile device does not allow you to disable specific permissions, install another app that will allow you to control permissions.
- Do not use one company such as google or apple for all your services. They are tracking and building a profile on you.
- Clean up and delete (using a shredder) old data that does not need to be on there
- Install a VPN
Old analogue phone security
The old Nokias are a favourite with activists. Yes, they cannot have malware installed or be hacked, but don’t fool yourself into thinking they are more secure. The authorities have been tapping phones since the lines were invented and your old phone is easily tapped. Your location can also be triangulated via the phone towers. And you cannot install encrypted messaging. So it is great you are saving resources by not upgrading, but don’t think it is any safer or more secure.
Heading to a protest?
Check out the Electronic Frontier Foundation’s attending protest phone guide.
Secure phone communications
Anything encrypted is better. SMS and voice were built to be intercepted and recorded (since the paper telegram days). Apple messenger and Facetime are respected, however they require an iPhone. Older phones have lots of vulnerabilities – not recommended.
Smart password management
Weak passwords are a primary way to hack you. Simple passwords can be broken by a “brute force attack” where average computers have enough resources to crack them reasonably quickly. YOU NEED A PASSWORD MANAGER.
A “Password manager” allows you to store all your passwords in one place and you only need to use one really strong password to access them all. Some password managers include software that enables easy login to your accounts via your browser.
All Eggs in one basket
Yes, you are reducing your security a bit by putting all your stuff in one place, however this is far more secure than having multiple weak passwords or using the same password for multiple services. The Password Manager allows you to easily store and use unique secure passwords for everything. Make sure the master password used to open your Password Manager is very secure and that you don’t forget it. Some people write the password on paper and stash it in a very secret location or leave it with a trusted friend in case they forget their password.
What is a secure password
- The longer your password, the more secure. Make it long
- Avoid names, places and dictionary words.
- Avoid any personal information such as your child’s birth date
- Use a combination of numbers, symbols, upper-case letters, lower-case letters, and spaces.
How to create a secure password
One way is to write a long sentence that you will be able to remember. Try to add words, names or place names that won’t be in a dictionary. Then add (or substitute in) some special characters, capitals and numbers.
Antivirus and scanners
Protect yourself from viruses and malware, which are a common way to hack you.
Location and tracking
Your location is being tracked and recorded via your mobile device. Many private companies are recording and selling this info. Many drone assassinations in the Middle East are targeted via the location of a person’s mobile device.
Turn off location (GPS)
Unless you are actively using an app that requires location, such as your navigation software, switch off location. Make a shortcut in your device’s settings to make it easy to switch this off.
Turn off location permissions for your Apps
There are many Apps that are sending your location back to their servers with most reserving the right to sell that data. Review all Apps that have permission to view your location and unless it directly needs to use location, disable it.
If your mobile device does not allow you to disable specific permissions, install another App that will allow you to control permissions.
Your location can be triangulated via mobile towers
Turning GPS location off removes the location data for most services and private trackers. The authorities can still locate you as your mobile device communicates to numerous mobile towers to connect to the phone system. By working out the location and your distance from the towers, they can triangulate your location.
Switch to aeroplane mode or switch off your phone.
If the privacy of your location is very important, do not trust your mobile device and do not bring it with you. You may consider asking a friend to baby-sit your mobile device to send out dummy location data.
Photography and meta-data
Meta-data in files such as photographs can contain location data. So if you took photos of your children and posted them to social media, it may be possible for a random person to download the photos, extract the location meta-data and know where your children live.
To illustrate this concept, the website I know where your cat lives searches online for cat photos and locates them on a map.
Check all your Apps that take photo and video and switch off location data.
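To check a photo before posting it, the following added example (not part of the original guide) walks a JPEG file's header segments, reports whether the EXIF block contains a GPS directory, and writes a copy with the metadata segment removed. The function names and the tiny sample file are constructed for the illustration; the sample has the right structure but is not a viewable image.

```python
import struct

SOI = b"\xff\xd8"              # JPEG start-of-image marker
EXIF_HEADER = b"Exif\x00\x00"  # identifies an EXIF payload inside an APP1 segment
APP1 = 0xE1                    # segment type that carries EXIF (and XMP) metadata
GPS_IFD_TAG = 0x8825           # EXIF tag that points at the GPS directory


def iter_segments(jpeg):
    """Yield (marker, start, end) for every header segment before the image data."""
    if jpeg[:2] != SOI:
        raise ValueError("not a JPEG file")
    pos = 2
    while pos + 4 <= len(jpeg):
        if jpeg[pos] != 0xFF:
            raise ValueError("corrupt segment marker")
        marker = jpeg[pos + 1]
        if marker in (0xDA, 0xD9):  # start of scan / end of image: headers are over
            return
        (length,) = struct.unpack(">H", jpeg[pos + 2:pos + 4])
        end = pos + 2 + length
        if length < 2 or end > len(jpeg):
            raise ValueError("corrupt segment length")
        yield marker, pos, end
        pos = end


def exif_has_gps(payload):
    """Return True if the EXIF payload's first directory links to GPS data."""
    tiff = payload[len(EXIF_HEADER):]
    if len(tiff) < 8 or tiff[:2] not in (b"II", b"MM"):
        return False
    order = "<" if tiff[:2] == b"II" else ">"   # byte order chosen by the camera
    magic, ifd0 = struct.unpack(order + "HI", tiff[2:8])
    if magic != 42 or ifd0 + 2 > len(tiff):
        return False
    (count,) = struct.unpack(order + "H", tiff[ifd0:ifd0 + 2])
    for i in range(count):
        entry = ifd0 + 2 + 12 * i               # each directory entry is 12 bytes
        if entry + 12 > len(tiff):
            break
        (tag,) = struct.unpack(order + "H", tiff[entry:entry + 2])
        if tag == GPS_IFD_TAG:
            return True
    return False


def photo_has_gps(jpeg):
    """Return True if any EXIF segment in the file carries a GPS directory."""
    for marker, start, end in iter_segments(jpeg):
        payload = jpeg[start + 4:end]
        if marker == APP1 and payload.startswith(EXIF_HEADER) and exif_has_gps(payload):
            return True
    return False


def strip_metadata(jpeg):
    """Return the same file with every APP1 (EXIF/XMP) segment removed."""
    out = bytearray(SOI)
    pos = 2
    for marker, start, end in iter_segments(jpeg):
        if marker != APP1:
            out += jpeg[start:end]
        pos = end
    out += jpeg[pos:]  # image data is copied through untouched
    return bytes(out)


def build_sample():
    """Constructed sample: JFIF header + EXIF block with a GPS directory + stub scan."""
    app0 = b"\xff\xe0" + struct.pack(">H", 16) + b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    tiff = b"II" + struct.pack("<HI", 42, 8)
    tiff += struct.pack("<H", 1) + struct.pack("<HHII", GPS_IFD_TAG, 4, 1, 26) + struct.pack("<I", 0)
    tiff += struct.pack("<H", 1) + struct.pack("<HHI4s", 1, 2, 2, b"S\x00\x00\x00") + struct.pack("<I", 0)
    exif = EXIF_HEADER + tiff
    app1 = b"\xff\xe1" + struct.pack(">H", len(exif) + 2) + exif
    return SOI + app0 + app1 + b"\xff\xda\x00\x02\x00" + b"\xff\xd9"


if __name__ == "__main__":
    photo = build_sample()
    print("GPS metadata before:", photo_has_gps(photo))
    print("GPS metadata after: ", photo_has_gps(strip_metadata(photo)))
```

For a real photo, read the file with `open(path, "rb").read()`, pass the bytes through `strip_metadata`, and write the result to a new file before sharing it.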
2FA – Two factor authentication
Sometimes called two-step verification. A process in which users provide two different methods to verify themselves. SMS or email codes in addition to your usual login user and password are common approaches. 2FA apps are a recommended approach. You will need to configure each service separately. Eg your email is separate to your bank account.
Private Internet – Stop using Google and FaceBook (so much)
- Startpage Anonymous search. Alternative to Google search without the tracking
- DuckDuckGo Anonymous search. Alternative to Google search without the tracking
- mbasic.facebook.com You can access FaceBook via your phone browser and view messages
- Don’t log into Google or logout when not using google tools.
- Use an alternative email platform to gmail
- Edit your google settings to reduce tracking. Google Privacy checkup
Google, democracy and the truth about internet search
FaceBook is another large scale profile builder and tracker.
- Logout of FaceBook when not using it (don’t surf while logged into Facebook)
- Delete Facebook cookies
- Don’t install FaceBook App or FaceBook messenger on your phone as it will send a lot of your data back to their servers.
It turns out Tik Tok is very bad too.
Private Internet – Block ads and trackers
Minimise browser plugins as some have built in trackers. Cookies are stored in your browser to personalise your experience on websites and are also used to track you. Delete these regularly (every time you quit) to reduce their ability to build a profile on you. In Brave/Chrome > clear browsing data > on exit.
- Brave Browser Chrome browser with adblockers and tracking protection built in
- Lightbeam Visualise the trackers that are tracking you
Private Internet – VPN – Virtual private network
A VPN works by connecting your computer (using encryption) to another computer located somewhere else in the world. Your access to the internet then comes from that computer located somewhere else in the world. So if the computer is located in France, then you are surfing from France. This simple technology thwarts the mandatory data retention scheme implemented by the Australian government. This also makes it harder for you to be tracked generally. Be warned that this alone will not offer substantial protection if you are subject to a targeted digital investigation. As an added bonus a VPN allows you to access content that has been geographically restricted such as the BBC.
There are many companies providing VPN services. Some may be owned by the intelligence community or dodgy in some way. Do a bit of research before choosing your VPN provider.
A decent VPN will cost some money and we recommend this spend.
Private Internet – Tor – Anonymous Browsing
Tor bounces internet users’ and websites’ traffic through “relays” run by thousands of volunteers around the world, making it extremely hard for anyone to identify the source of the information or the location of the user. Use Tor with your VPN and ideally with a secure OS and burner laptop. Unfortunately Tor can slow your internet.
Private Internet – Anonymous Connection
You could use a public wifi but be careful and use a VPN as they are insecure and can be used to hack you. You can also order an overseas SIM online with Australian data roaming – that doesn’t require ID.
Private internet – commerce
There are two major ways to buy things anonymously online. The first one is using Visa or Mastercard gift cards. These can be bought with cash at many supermarkets and at Australia Post. The other way is using the crypto-currency: Bitcoin. Please search for more information on the Bitcoin technology and how to use it.
Advanced anonymous internet
So you want to be a ninja online? Like martial arts, to be truly invisible online you need to spend a lot of time becoming an expert in the technology. There are no shortcuts to becoming a martial arts ninja but there are some ways to skill up without being a top level security geek.
Use a secure operating system
Tails is an operating system created for security. It can be installed on a thumb drive and booted up on a computer. Download tails here
Qubes OS is also a security-oriented operating system
Assume your system is compromised
Although my eco-heart pains to say this, a new machine paid for with cash from a realworld computer store is the safest approach to using your existing machine. Some geeks buy a second machine and set it up specifically for security which restricts a lot of uses.
Implement as much security and privacy as possible including Tor. Then search “How to buy Drugs online”.
Here is an interesting fact. People who trade in illegal drugs online are good at digital security and are much better at writing tutorials and instructions than geeky cryptologists.
Security Culture – Working in groups
Security culture is an agreement made by a group which outlines the minimum security, tools and security processes the group will use. This allows individuals to understand their personal risk as well as the risk to the group and the group’s actions.
Security culture also builds the skills of members who are lacking in technical skills. They will be the “weakest link” in the security, so the group needs to collectively bring them up to the minimum level.
An example is from the DAM group:
- We should remain consistent in our practices so that it becomes habit.
- “Need to know” ?? This is a large issue and still needs to be specifically discussed and figured out with the group.
- Phones off, laptops off (unless temporarily required) and placed outside the room, if it is safe to do so.
- Do not include dates, times, related to any specific actions within the same email.
- Do not include any specific locations and names (this includes full names of people involved, as well as places, corporations, etc) out of any emails and electronic documents.
- Communicate sensitive information face to face.
- If needed, use Code words for targets, locations etc.
- No recorded details of full names on who is responsible for what, or details on campaign tactics.
- Password protected laptops.
- If possible, try to avoid venues that we know/suspect are bugged.
- Clue in all DA volunteers/participants on this security protocol, by bringing it up at pre-action trainings and having a hand-out with easy to follow dot-points
- DAM organiser meetings to be attended by those already inducted as DAM organiser members. New attendees must be vouched for by two current members.
- Avoid storing any information online that contain any action specific details.
- Keep the data securely. Only keep data for as long as you need it. Eg. Don’t store information in emails. Delete old emails, from sent inbox too! Destroy data securely (completely) You may need a specific “data shred” program to do this effectively.
Remote Group collaboration – working online
Slack, Google and similar tools are not encrypted: authorities can request the hosting companies to hand over the documents, user list and the chat logs. Even if you delete a message on Slack, we cannot be sure Slack actually deletes them from their servers or their backups.
Nextcloud is a secure replacement for the Google collaboration ecosystem – share and collaborate on documents, send and receive email, manage your calendar and have video chats without data leaks. As a fully on-premises solution, Nextcloud Hub provides the benefits of online collaboration without the compliance and security risks. Nextcloud is self hosted, allowing you to control where data is stored. This is more complex, or you can rent a hosted service. Nextcloud is the system used by Extinction Rebellion for their digital collaboration.
CryptPad provides realtime collaborative docs similar to Google Docs. Due to its secure nature it lacks an easy way to group documents, so you need to create and manage an inventory of the secure URLs. You can also use a desktop text or document editor and share by encrypted channel (not realtime).
Google and similar tools are not encrypted: authorities can request the hosting companies to hand over your data. Secure email can be simplified by your group using only one email service such as riseup, tutanota, or protonmail. This means the “end to end” (from your email to your friend’s email) encryption is managed by the browsers and the email provider. The encryption only works if you use the same provider, meaning some or most people will need to create new email addresses.
Don’t use gmail and outlook
As well as your email, Google gathers and stores a vast amount of personal information about you including your web searches. The less information you have stored with one company, the harder it is to build a profile on you. The same concept applies with Microsoft services such as outlook.com and hotmail.com.
Full email encryption
Encrypting email across multiple email addresses and services requires a tool called PGP and involves extra complexity that is not covered here.
- Keybase: group chat/collaboration + file sharing (similar to Slack) (easy to use) (unfortunately bought out by Zoom)
- Semaphor: I have not used this since the new version, which is now free. Recommended by security geeks
- Matrix Riot: security notices can be a barrier for non-tech people
- Signal: small groups – (large groups make it annoying to use as main SMS replacement)
We are looking for a better option for video conferencing. It is important to know that regular phone conversations or popular VoIP tools like Skype or Google Hangouts have wiretapping capabilities built-in. Authorities can request Microsoft to record and hand over conversations with a warrant.
- Jitsi: the best ethical choice – turn on the encryption. Can be unstable
- Zoom: only uses encryption for paid users and it needs to be switched on. Zoom works with law enforcement and Chinese authorities so cannot be trusted
- FaceTime: Apple has a good reputation for security, but FaceTime requires an iPhone or Mac.
- Signal: good for one-on-one video
Phones and laptops in meetings
Microphones and cameras can be switched on remotely without you knowing. Good practice is to gather all devices and remove them from meetings. Doing this even if they have dead batteries encourages good security culture. Some people place tape over their laptop camera because someone watching you remotely is creepy.
Databases and CRMs
In our context, a database is a collection of information on people. A CRM (Client Relationship Manager) is a specialised database for managing people’s information, interactions and relationships. As database tools become more advanced, we are increasingly building up a lot of information, so we need to pay special attention to privacy.
We cover a lot of database stuff in our webinar: Organising people with databases
This area is a MASSIVE GAP in secure organising. Many organisations are moving to hosted solutions such as NationBuilder and Mailchimp (just to name two). Having your data hosted on a private company’s servers allows law enforcement access, and requires you to trust this company’s ethics and ability to secure their system.
Never assume databases are secure
Popular database tools such as NationBuilder, Mailchimp and Google spreadsheets are run by American companies. Under US law, an Australian is classed as a foreign national. American companies must provide the American intelligence community with access to all data of foreign nationals held on US servers, without a warrant or your knowledge. That means they have access to your databases and your CRM. Local spy agencies have relationships with American spy agencies that involve data sharing and may involve access to your databases and CRM. Understand this when building databases of information about people.
Consider how dangerous your database could be
Picture the authorities accessing a database compiled as “Radical Activists”. This will draw attention to people who wish to remain anonymous. Think carefully about:
- what databases you are building
- what information they will hold (what is absolutely necessary)
- what tools you use to manage them
- whether you are able to protect people’s privacy
- whether your people want to be data-based in this way
The ability to tag people into interest groups is a very powerful feature of many database tools. Think carefully about how you categorise or tag people. If you need to tag people in a way that is not desirable (such as “participated in NVDA”), use alternative code terms.
IBM’s Hollerith machine was used by the Nazis to build and manage the databases (via punch cards) used to manage the Nazi concentration and death camps.
Ensure you have a policy on how people in your organisation will access and use data. Ensure that every person who is given access to any information agrees to a code of practice that outlines how data can be used.
Email list management
Email list management software should be self-hosted somewhere overseas. The servers hosting the email list management software contain the list of all email subscribers. Ideally, all subscribers should use a brand-new email account solely dedicated to receiving emails from the email list.
Produced by Glenn Todd. Contribution by Gabor Szathmari and experience from FLAC. Eye Image by Eiti Kimura. Entire resource is licensed Creative Commons Attribution 4.0 International License. Updated July 2020.