Doria Feminist Fund

Reference Guide

💬

Encrypted Messaging Apps

Signal, WhatsApp

❌ DON'T

  • Believe chats are 100% private just because app is encrypted
  • Take screenshots of sensitive information and store them insecurely
  • Add people to sensitive group chats without verifying identity
  • Use disappearing messages but then take photos of the screen
  • Back up chats to unencrypted cloud storage

✅ DO

  • Use disappearing messages for sensitive topics (Signal: tap contact → Disappearing messages)
  • Regularly clear chat history for sensitive conversations
  • Verify contacts before adding to sensitive groups (Signal: View safety number)
  • Enable screen security (Signal: Settings → Privacy → Screen security; blocks screenshots on Android and hides the chat preview in the app switcher on iOS, but cannot stop someone photographing the screen)
  • Set a registration lock PIN (Signal: Settings → Account → Registration Lock) or two-step verification (WhatsApp) so that someone who takes over your number by SIM swap still cannot re-register your account
  • Turn off message previews on lock screen

💡 Why it matters: The app is secure. You might not be. End-to-end encryption protects messages between devices; it does nothing once a message is decrypted on a phone you don't control. A compromised device, a screenshot forwarded to the wrong person, or a weak link in a group chat bypasses all of it. In a group chat with 50 people, the conversation is only as secure as the least careful member.
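What "View safety number" is actually comparing, as an added Python example (not code from this page or from Signal): each side's number is derived only from the two identity keys and phone numbers, so a substituted key changes the number, which is why reading it aloud to the other person detects a man-in-the-middle or a re-registered account. The derivation follows the shape of Signal's published fingerprint scheme (version prefix, iterated SHA-512, six 5-digit chunks per side, sorted concatenation), but the iteration count and version bytes are assumptions, the keys and identifiers are constructed, and the routine is a simplified model rather than a bit-exact reimplementation.

```python
import hashlib

ITERATIONS = 5200        # iteration count of the fingerprint scheme (assumed for this example)
VERSION = b"\x00\x00"    # 2-byte fingerprint version prefix (assumed for this example)


def fingerprint_digits(identity_key: bytes, stable_id: bytes) -> str:
    """30-digit fingerprint of one party's public identity key.

    Iterated hashing makes it expensive to search for a key whose digits
    collide with a displayed number; the digits depend on nothing but the
    key and the identifier, so a changed key always shows as a changed number.
    """
    h = hashlib.sha512(VERSION + identity_key + stable_id).digest()
    for _ in range(ITERATIONS):
        h = hashlib.sha512(h + identity_key).digest()
    chunks = [h[i:i + 5] for i in range(0, 30, 5)]          # six 40-bit chunks
    return "".join(f"{int.from_bytes(c, 'big') % 100000:05d}" for c in chunks)


def safety_number(my_key: bytes, my_id: bytes, their_key: bytes, their_id: bytes) -> str:
    """60-digit safety number; sorted so both parties compute the same string."""
    mine = fingerprint_digits(my_key, my_id)
    theirs = fingerprint_digits(their_key, their_id)
    return "".join(sorted([mine, theirs]))


# Constructed keys: a real client would use its Curve25519 identity public key.
ALICE_KEY = hashlib.sha256(b"alice identity key").digest()
BOB_KEY = hashlib.sha256(b"bob identity key").digest()
MITM_KEY = hashlib.sha256(b"attacker identity key").digest()
ALICE_ID = b"+15550100001"   # constructed phone numbers
BOB_ID = b"+15550100002"


def honest_session() -> tuple:
    """Both phones hold each other's real keys: the two numbers match."""
    on_alice = safety_number(ALICE_KEY, ALICE_ID, BOB_KEY, BOB_ID)
    on_bob = safety_number(BOB_KEY, BOB_ID, ALICE_KEY, ALICE_ID)
    return on_alice, on_bob


def intercepted_session() -> tuple:
    """Alice's phone was handed the attacker's key in place of Bob's."""
    on_alice = safety_number(ALICE_KEY, ALICE_ID, MITM_KEY, BOB_ID)
    on_bob = safety_number(BOB_KEY, BOB_ID, ALICE_KEY, ALICE_ID)
    return on_alice, on_bob


if __name__ == "__main__":
    a, b = honest_session()
    print("honest session, numbers match:     ", a == b)   # True
    a, b = intercepted_session()
    print("intercepted session, numbers match:", a == b)   # False: read aloud, they differ
```

The same logic explains the "safety number changed" warning: Bob reinstalling Signal generates a new identity key, so his fingerprint half changes exactly as it would under interception, and the only way to tell the two apart is to verify again out of band.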

🕵️

Incognito Mode

Private Browsing

❌ DON'T

  • Think it makes you anonymous online
  • Believe it hides activity from ISP, employer, or government
  • Use it for sensitive research without VPN
  • Assume websites can't track you

✅ DO

  • Understand it only stops browser from saving history/cookies on your device
  • Use for logging into multiple accounts or testing websites
  • Combine with a trusted VPN if you want to hide destinations from your ISP (the VPN provider then sees them instead)
  • Use Tor Browser for anonymity (understand its limitations)

💡 Why it matters: Incognito mode hides history from your roommate, not from the government. State actors and ISPs can still see your internet activity. Assuming it provides anonymity creates dangerous false security when researching sensitive topics.

☁️

Cloud Backups

Google Drive, iCloud, Dropbox

❌ DON'T

  • Auto-sync everything without reviewing what is uploaded
  • Assume provider cannot access or be forced to hand over data
  • Store unencrypted sensitive documents (beneficiary data, strategies)
  • Use weak passwords or no 2FA on cloud accounts
  • Share links set to "anyone with link can view"

✅ DO

  • Be selective about what you sync - don't automatically backup everything
  • Use Cryptomator (free) to encrypt sensitive folders before uploading
  • Always use strong, unique password and 2FA with authenticator app
  • Review sharing permissions regularly (who has access to what?)
  • Set expiration dates on shared links
  • Use "specific people" sharing rather than "anyone with link"

💡 Why it matters: Cloud accounts are primary targets for hackers. The provider can read anything you upload unencrypted, and companies are often legally required to hand data over when authorities request it. If you encrypt before uploading, the provider stores only ciphertext and has nothing readable to hand over.

🔐

Device Encryption

Full-Disk Encryption

❌ DON'T

  • Believe it protects devices that are on and unlocked
  • Use simple, easy-to-guess PINs like 1234 or swipe patterns
  • Think encryption makes you invincible
  • Forget to encrypt external drives and USB sticks
  • Use fingerprint/face unlock in high-risk situations

✅ DO

  • Power OFF device completely if at risk of confiscation
  • Use long alphanumeric passphrases (8 characters is the minimum; longer is better, and a short numeric PIN is the weakest option)
  • Disable biometric unlock for high-risk situations
  • Encrypt all external drives with sensitive data
  • Use emergency features: iPhone, press the side button 5 times to bring up the Emergency SOS screen, which disables Face ID/Touch ID until the passcode is entered; Android, Lockdown mode from the power menu

💡 Why it matters: Encryption is strongest when your device is powered OFF: the decryption key only exists in memory after you enter the passcode, so a powered-off device gives an attacker nothing but ciphertext. If someone has physical access while it is unlocked, or can force you to unlock it, encryption can't help. Simple PINs can also be guessed from fingerprint smudges on the screen.

🗑️

Secure File Deletion

Permanently Erasing Data

❌ DON'T

  • Think dragging to Trash/Recycle Bin and emptying it permanently erases files
  • Assume deleted means gone forever
  • Delete files normally before selling/donating device
  • Use "secure delete" tools on SSDs the same way as on HDDs (wear levelling means an overwrite may never touch the cells that held the original data)

✅ DO

  • Use file shredder: Windows (Eraser), Mac (Permanent Eraser), Linux (shred/BleachBit)
  • Use built-in Secure Erase/factory reset when disposing devices
  • Encrypt device from day one (a factory reset then discards the key, so whatever is left on the storage is unreadable ciphertext)
  • For maximum security on old devices: physical destruction of drive
  • Before selling: backup, factory reset, reinstall OS

💡 Why it matters: Files "deleted" normally are only unlinked; the contents stay on the disk until overwritten and can often be recovered with simple software. If a device is stolen, confiscated, or sold, sensitive data could be retrieved. Journalists and activists have had "deleted" files recovered and used against them. Note: SSDs store data differently than HDDs and overwrite-based shredders are unreliable on them, so full disk encryption from day one plus a factory reset is the best approach.

🔒

VPNs

Virtual Private Networks

❌ DON'T

  • Use first "free" VPN from app stores (they sell your data)
  • Trust VPN with history of logging user data
  • Think VPN makes you completely anonymous
  • Log into personal accounts while on VPN thinking you're anonymous
  • Use VPN from company in privacy-hostile country (US, UK, China, Russia)

✅ DO

  • Use reputable, paid VPN with independently audited no-logs policy
  • Choose provider outside surveillance jurisdictions (Switzerland, Iceland, Sweden)
  • Look for kill switch feature (stops internet if VPN disconnects)
  • Understand the VPN provider sees every destination you connect to and any unencrypted traffic (you are moving trust from your ISP to the VPN, so choose a trustworthy one)
  • Recommended: Proton VPN, Mullvad, IVPN, RiseupVPN (free for activists)

💡 Why it matters: Bad VPN is worse than no VPN - it gives dangerous false security while collecting all your traffic to sell to advertisers or hand over to authorities. Free VPNs make money by selling your data - that's their business model. Logging into Facebook on VPN = Facebook knows it's you.

🛡️

Antivirus Software

Protection Software

❌ DON'T

  • Install once and forget about it
  • Ignore update notifications or let subscription lapse
  • Think antivirus is substitute for safe browsing habits
  • Install multiple antivirus programs (they conflict)

✅ DO

  • Honest reality: Windows Defender (built-in) is pretty good if you're careful
  • Mac: built-in protection is decent. Don't click sketchy links
  • Enable automatic updates for both software and virus definitions
  • Run scans regularly (weekly minimum) and keep OS updated
  • Remember: safe browsing habits > antivirus. Think before you click

💡 Why it matters: Antivirus is in constant race against new viruses. If not constantly updated, it cannot protect against latest threats, giving false sense of safety. Out-of-date antivirus is almost useless. But remember: antivirus cannot stop phishing, social engineering, or you willingly installing malicious software.

📱

QR Codes & URL Shorteners

Bit.ly, TinyURL, QR codes

❌ DON'T

  • Use random online QR generators for sensitive links (they see & store data)
  • Scan QR codes in public without checking where they lead
  • Use free URL shorteners (bit.ly, tinyurl) for confidential information
  • Click shortened links without previewing destination
  • Post QR codes without physical security measures

✅ DO

  • Use offline QR generators or trusted privacy-respecting ones (DuckDuckGo)
  • Preview QR code destination before visiting (use apps that show URL first)
  • For sensitive links, use full URLs shared through secure channels (Signal)
  • Check QR codes regularly for tampering at public events
  • Print full URL below QR code so people know where it goes
  • Use preview services for short links (CheckShortURL.com, GetLinkInfo.com)

💡 Why it matters: QR codes can be physically swapped (especially at protests/events) with malicious ones. URL shorteners track everyone who clicks, expose data to third parties who may share with governments, and can be hijacked to redirect to malicious sites. For activism work, this is a real risk.
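Two checks from the DO list above, "preview the destination" and "print the full URL below the QR code so people know where it goes", as an added Python example that is not code from this page: `triage_url` flags the features a practitioner looks for in a decoded QR payload or a shortened link before opening it (shortener domains, a username in front of an @ that hides the real host, raw IP hosts, punycode, plain http, missing scheme), and `same_destination` checks a scanned code against the URL printed beside it. The shortener list and all sample URLs are constructed for the example and use reserved example domains and addresses.

```python
from urllib.parse import urlsplit
import ipaddress

# Constructed list of common shorteners; extend it for your own threat model.
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl", "ow.ly", "is.gd", "buff.ly", "cutt.ly"}


def triage_url(raw: str) -> dict:
    """Return the real host plus a list of reasons to inspect a link before opening it."""
    raw = raw.strip()
    findings = []
    parts = urlsplit(raw)
    scheme = parts.scheme.lower()

    if not scheme:
        # QR payloads and printed links often omit the scheme; the browser will guess one.
        findings.append("no scheme; browser will guess")
        parts = urlsplit("https://" + raw)
    elif scheme not in ("http", "https"):
        findings.append(f"non-web scheme '{scheme}' (tel:, sms:, mailto:, ... trigger actions, not pages)")
    elif scheme == "http":
        findings.append("plain http: no TLS, content can be altered in transit")

    host = (parts.hostname or "").lower()
    if not host:
        findings.append("no host")
    else:
        if parts.username is not None:
            # https://bank.example@evil.example opens evil.example; the rest is a username.
            findings.append(f"text before '@' is a username, real host is {host}")
        try:
            ipaddress.ip_address(host)
            findings.append("raw IP address instead of a domain name")
        except ValueError:
            pass
        if any(label.startswith("xn--") for label in host.split(".")):
            findings.append("punycode (xn--) host: possible lookalike domain")
        bare = host[4:] if host.startswith("www.") else host
        if bare in SHORTENERS:
            findings.append("URL shortener: destination hidden and every click is logged")
    if any(ord(ch) > 127 for ch in raw):
        findings.append("non-ASCII characters in URL: possible lookalike")
    if len(raw) > 200:
        findings.append("unusually long URL")

    return {"host": host, "findings": findings,
            "verdict": "inspect before opening" if findings else "looks plain"}


def _canonical(url: str) -> tuple:
    """Normalise a link so a printed URL and a scanned one compare fairly."""
    url = url.strip()
    if "://" not in url:
        url = "https://" + url          # printed URLs usually omit the scheme
    parts = urlsplit(url)
    return (parts.scheme.lower(), (parts.hostname or "").lower(),
            parts.path.rstrip("/") or "/", parts.query)


def same_destination(decoded_qr: str, printed_url: str) -> bool:
    """True if a scanned QR code leads where the URL printed under it says it does."""
    return _canonical(decoded_qr) == _canonical(printed_url)


if __name__ == "__main__":
    # Constructed sample payloads: a poster link, a shortened link, two sticker-swap lookalikes.
    for sample in ("https://doria.example/events",
                   "https://bit.ly/3AbCdEf",
                   "https://doria.example@203.0.113.9/login",
                   "http://xn--dria-5qa.example/events"):
        report = triage_url(sample)
        print(sample, "->", report["verdict"], report["findings"])
    print(same_destination("https://doria.example/events/", "doria.example/events"))  # True
    print(same_destination("https://d0ria.example/events", "doria.example/events"))   # False
```

A scanner app that shows the decoded text before opening it gives you the input for `triage_url`; a volunteer checking posters at an event only needs `same_destination` and the printed URL. Neither function contacts the network, so running them does not tip off a shortener operator or a malicious host.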