TLDR Digital Safety Checklist

🤔 Who this guide is for

🌱 How this guide works

🕒 Last updated

🧐 Theory & science

🎯 Threat modeling

🔡 Encryption levels

  1. Not encrypted: Any third party who intercepts the data can read it as-is.
  2. Regular encryption: Data is encrypted so that third parties cannot read them. But the platform (e.g. Google or Facebook) still has access, and may hand the data over to law enforcement if they are required to do so by the courts/the government.
  3. End-to-end encryption: the data can only be read by the original sender and receiver. This means not even the platform has access. So if law enforcement calls, the service provider can’t hand over the messages because they don’t have them either.

🧩 Metadata

💦 Level 1 recommendations

✅ Things to do now


Good passwords

Encrypt your devices


💪🏽 Habits to cultivate


Update all the things


👍 Great job! You’ve covered the basics.
👍 What about trying out the next level?

💦💦 Level 2 recommendations

✅ Things to do now

Enhance your privacy


💪🏾 Habits to cultivate

Enhance your privacy


🎉 Congratulations! You’re now reasonably
🎉 secure, which is more than most :)

💦💦💦 Level 3 recommendations

✅ To do

Lock up sensitive files

Revisit old passwords

💪🏾 Habits to cultivate

😲 Wow, you even finished the difficult
😲 digital housekeeping tasks. Well done!

💦❗️ Scenario-based recommendations

🛫 Crossing an international border

😭 Somebody took my phone/computer!

👾 I think my computer has been hacked!

🍆 Sexting & non-consensual image sharing

✊🏾 Attending a protest

In case of emergency

Store less share less


📰 I’m a journalist working on a sensitive topic

Below are some basics that all journalists should consider. If you’re working on/in a particularly sensitive story/region (e.g. a whisteblower story in the US or China), you and your team should get an tailored training session from an expert.

Be prepared

Protect yourself

Protect your sources

Protect your data

For more information

🕵🏼‍♂️ Online harassment & doxxing

Harassment and doxxing can get very specific and complicated based on the attacker, your position, the overall cultural context, etc. While we have some general suggestions below, we implore you to think about whether your situation has escalated sufficiently and whether it’s time to find professional, one-on-one help.

Recruit a trusted friend

Monitor updates & collect receipts

Remove your personal information from the internet

Obscure your personal information

Ignore/reply/report/block your harassers

For more information

👤 I don’t want to give out my real phone number for online dating/networking/organizing

For messaging apps that use phone numbers as the primary identifier/username (e.g. Signal, WhatsApp), get a secondary number from:

But keep in mind:

For true anonymity – create an untraceable online persona under a pseudonymn

💦❓ Other recommendations

This section is a catch-all for difficult or esoteric practices that do not fall under any of our scenarios above and might not have any immediate payoff for the casual user.



File storage & sharing

Messaging apps


🏆 Oh my, you made it this far.
🏆 You are a true champ!

🧠 Sources

We consulted many sources and drew upon our own experiences in creating this resource. (See our full list of sources.) If you’re not finding quite what you want here, we recommend checking out these other resources:

For a curated selection, check out Martin Shelton’s Current Digital Security Resources guide.

📝 License

This work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License.