Digital Security Under Authoritarianism: A Practical Defense Guide

2. Understanding your threat model

Effective security starts with realistic threat modeling. Who wants to harm you? What capabilities do they have? What are you protecting?

State adversaries: capabilities and tactics

Authoritarian states deploy surveillance infrastructure far beyond democratic norms:

• Mass surveillance: China's Great Firewall, Russia's SORM system, Iran's internet shutdowns. States monitor all internet traffic, censor content, and identify dissidents through traffic analysis. [22-24]
• Telco cooperation: Mobile carriers provide cell tower data (location tracking), call logs, and SMS intercepts to authorities without warrants. Belarusian regime identified 2020 protest participants through telco data. [3, 25]
• Facial recognition: CCTV networks with AI-powered face matching. Iranian authorities identified women removing hijabs, Hong Kong police identified protesters via subway cameras. [5, 12, 26]
• Malware and spyware: Pegasus (NSO Group), FinFisher, Predator—zero-click exploits that compromise devices without user interaction. Used by Saudi Arabia (Khashoggi case), UAE, Hungary, Poland. [27-29]
• Social graph analysis: Mapping networks through metadata: who communicates with whom, when, via which platforms. Signal and Telegram groups expose organizational structures even if message content is encrypted. [10, 30]
• Legal coercion: Arrests, detention, interrogation, torture. Belarusian activists faced beatings during detention to extract phone passwords. Iranian women faced month-long detentions for hijab violations. [3, 31, 32]

Non-state adversaries: harassment and doxxing

Even in democracies, activists face non-state threats:

• • Doxxing: Publishing personal information (addresses, phone numbers, family details) to incite harassment. Common tactic against reproductive rights activists, LGBTQ+ advocates, journalists. [33]
• • Swatting: False emergency reports to send armed police to targets' homes. Has resulted in deaths (Andrew Finch, 2017). [34]
• • Online harassment campaigns: Coordinated abuse via social media, threats of violence, reputation attacks. Gamergate (2014), Kiwi Farms campaigns (ongoing). [35, 36]
• • Employer targeting: Contacting employers to get targets fired. Common tactic against BLM activists, anti-fascist researchers. [37]

Threat model matrix: assessing your risk

3. Operational security fundamentals (OPSEC)

OPSEC is the practice of protecting information that could be used against you. In authoritarian contexts, OPSEC failures lead to arrests, network exposure, and movement collapse.

Core OPSEC principles

Common OPSEC failures (and how to avoid them)

• Bringing personal phones to protests: Cell tower data identifies participants. Hong Kong: leave phones at home, use burners with no SIM or anonymous prepaid SIMs. [4]
• Using real names/photos on Signal/Telegram: Compromised phones expose entire contact lists. Use pseudonyms, generic avatars. Iranian women activists learned this too late. [5]
• Reusing accounts across contexts: Linking activism Twitter to personal Instagram exposes identity. Create entirely separate accounts, never cross-post. [42]
• Posting photos with identifying features: EXIF data, reflections in windows, background landmarks. Hong Kong protesters wore masks, removed EXIF, avoided distinctive clothing. [43]
• Using compromised apps: Russian activists used Telegram; FSB compromised phone numbers via telcos. End-to-end encryption doesn't matter if SIM registration identifies you. [44]

4. Device security: hardening your endpoints

Your devices are the weakest link. If compromised (malware, physical access, spyware), all other protections fail.

Mobile device hardening

iOS hardening (iPhone)

• • Lockdown Mode: Enable Settings → Privacy & Security → Lockdown Mode (blocks most zero-click exploits used by Pegasus). [45]
• • Strong passcode: 10+ character alphanumeric, not biometrics (Face ID/Touch ID can be compelled in many jurisdictions).
• • Disable USB Restricted Mode: Settings → Face ID & Passcode → USB Accessories (prevent data extraction if phone seized).
• • Disable Siri on lock screen: Prevents voice access without passcode.
• • Auto-wipe after failed attempts: Settings → Face ID & Passcode → Erase Data (10 failed passcode attempts).
• • Hide notifications on lock screen: Prevents message preview if device seized.
• • Disable location services for non-essential apps: Settings → Privacy → Location Services.
• • Panic button app: Install "Wipe" (iOS) for emergency data deletion. [16]

Android hardening

• • Use GrapheneOS: Privacy-focused Android fork (hardened, de-Googled). Install on Pixel phones. [46]
• • Strong PIN/password: No biometrics (fingerprint/face unlock can be compelled).
• • Full-disk encryption: Enabled by default on modern Android, verify in Settings → Security.
• • Disable USB debugging: Prevents data extraction tools (Cellebrite, GrayKey).
• • Panic button app: Install "Ripple" (panic button that wipes data, notifies contacts). [17]
• • Remove Google account: Google tracks location, searches, contacts. Use F-Droid for apps (open-source app store). [47]
• • Use privacy-focused apps: Signal (messaging), ProtonMail (email), Firefox + uBlock Origin (browsing).

Computer hardening

Use Tails OS for high-risk activities

Tails (The Amnesic Incognito Live System) is a Linux distribution that runs from USB, leaves no traces, and routes all traffic through Tor. Essential for whistleblowers, high-profile activists, journalists with sensitive sources. [48]

• • Amnesia: Shuts down, wipes RAM, leaves no traces on host computer
• • Tor-only: All connections routed through Tor (anonymous by default)
• • Encrypted persistence: Optional encrypted USB storage for files you need to keep
• • Pre-installed tools: Tor Browser, OnionShare, KeePassXC, Thunderbird + Enigmail

macOS hardening (if Tails not feasible)

• • FileVault: Full-disk encryption (System Settings → Privacy & Security)
• • Strong password + auto-lock: 5-minute idle timeout
• • Disable Siri, Spotlight suggestions: Reduces telemetry to Apple
• • Firewall: Enable + block all incoming connections (System Settings → Network → Firewall)
• • Disable analytics: System Settings → Privacy → Analytics & Improvements (all off)
• • Use Little Snitch: Network monitoring tool (alerts on outbound connections)

Windows hardening (not recommended, but if required)

• • BitLocker: Full-disk encryption (Settings → Privacy & Security → Device Encryption)
• • Disable telemetry: Use O&O ShutUp10++ (disables Windows spying)
• • Use Linux VM for sensitive work: Qubes OS or Ubuntu in VirtualBox
• • Avoid Windows for high-risk activities: Windows 10/11 telemetry is extensive and untrustworthy

Burner devices: maximum compartmentalization

For high-risk activism, use separate devices for activism work:

• • Cheap Android phone: GrapheneOS, no Google account, anonymous SIM or no SIM (WiFi only)
• • No personal data: Only activism contacts, never personal contacts
• • Leave at home during non-protest times: Prevents location tracking
• • Wipe regularly: Factory reset after high-risk activities

5. Communications security

Secure communications protect message content AND metadata. Encryption protects content; operational security protects metadata.

Encrypted messaging: Signal vs alternatives

Signal (recommended for most users)

• • End-to-end encryption: Messages encrypted on device, Signal cannot read them
• • Open source: Audited by security researchers
• • Disappearing messages: Auto-delete after specified time
• • Sealed sender: Metadata protection (Signal doesn't know who sends to whom)
• • Registration lock: Prevents SIM hijacking (PIN required to re-register)

Caveat: Signal requires phone number. In authoritarian states, phone registration links identity to account. Use anonymous SIM or burner device. [49, 50]

Telegram (NOT recommended for high-risk use)

• • Not end-to-end encrypted by default: Only "Secret Chats" are encrypted (most users don't use them)
• • Metadata stored on servers: Contact lists, group memberships visible to Telegram
• • Cooperates with authorities: Russia, Iran, UAE have pressured Telegram to disclose user data
• • When to use: Large group coordination (protesters, community organizing) where anonymity is less critical [44, 51]

Anonymous email: ProtonMail + Tor

• • ProtonMail: End-to-end encrypted email (Swiss jurisdiction, no data retention). Register via Tor for anonymity. [52]
• • Tutanota: Alternative encrypted email (German jurisdiction)
• • Avoid Gmail, Outlook, Yahoo: All cooperate extensively with law enforcement, scan emails

Secure file sharing

• • OnionShare: Share files anonymously via Tor (no servers, direct device-to-device). Built into Tails OS. [53]
• • SecureDrop: For whistleblowers contacting journalists. Anonymous submission via Tor, journalists retrieve from air-gapped servers. [54]
• • Avoid Dropbox, Google Drive, iCloud: All cooperate with law enforcement, lack end-to-end encryption

Metadata protection: what encryption doesn't solve

Encrypted messaging protects content but reveals:

• • Contact graphs: Who you communicate with (exposes networks)
• • Timing patterns: When you message (correlates with activities)
• • Group memberships: Signal/Telegram groups visible if one device compromised
• • Phone numbers: Signal/Telegram registration links identity

Mitigation:

• • Use burner devices with anonymous SIMs for activism accounts
• • Compartmentalize: separate Signal accounts for activism vs personal
• • Use Tor for metadata anonymity when accessing Signal/ProtonMail
• • Delete messages immediately (disappearing messages set to 1 hour max)

6. Network security: VPNs, Tor, and obfuscation

Network security protects your traffic from ISP surveillance, government monitoring, and censorship. In authoritarian states, unencrypted traffic is assumed to be monitored.

VPNs: essential but insufficient

• • What VPNs protect: Hide your IP from websites, encrypt traffic from ISP, bypass geo-blocks
• • What VPNs don't protect: Endpoint compromise, browser fingerprinting, payment tracking
• • Recommended VPNs for activism: Mullvad (accepts cash, no email), IVPN (no logs, audited), ProtonVPN (secure core)
• • Obfuscation: Use VPN obfuscation protocols (disguises VPN traffic as HTTPS) to bypass VPN blocking in China, Iran, Russia [55, 56]

Tor: anonymity through onion routing

• • How Tor works: Multi-hop routing through volunteer nodes (no single node knows both source and destination)
• • When to use Tor: High-risk communications, whistleblowing, accessing censored content, anonymity-critical scenarios
• • Tor Browser: Pre-configured Firefox with Tor integration (easiest way to use Tor) [59]
• • Tor blocking: China, Iran, Turkmenistan block Tor. Use bridges (unlisted entry nodes) or VPN → Tor [57]

VPN + Tor layering

Connect to VPN first, then Tor. Your ISP sees VPN traffic (not Tor). Tor entry nodes see VPN IP (not your real IP). Best for countries where Tor usage itself is suspicious. [58]

7. Physical security: protecting devices during searches and detention

Physical access to devices defeats digital security. Border searches, police raids, and detention scenarios require pre-planned responses.

Before: prevention and preparation

• • Minimal data on devices: Don't carry sensitive data if traveling or attending protests. Use clean burner devices.
• • Strong encryption: Full-disk encryption (FileVault, BitLocker, LUKS) with strong passphrase
• • Biometrics disabled: Power off device before border crossings (requires passcode on boot, Face ID/Touch ID disabled)
• • Cloud backups encrypted offline: Don't rely on iCloud/Google Drive. Use encrypted external drives stored separately.
• • Panic buttons configured: Wipe app (iOS) or Ripple (Android) configured to delete data with emergency gesture [16, 17]

During: search and seizure protocols

• • Never unlock device voluntarily: In many jurisdictions, passwords have legal protection (5th Amendment in US). Biometrics don't.
• • Trigger panic button if possible: Wipe sensitive data (understand legal consequences—obstruction charges possible)
• • Power off device: Modern encryption requires passcode after reboot (defeats forensic tools like Cellebrite)
• • Document everything: Names, badge numbers, timestamps, what was seized. Critical for legal challenges. [60]
• • Invoke legal rights: "I do not consent to searches. I invoke my right to remain silent. I want a lawyer." Repeat as needed.

After: damage control

• • Assume compromise: If device seized, assume all data accessible (forensic tools improve constantly)
• • Notify network: If seized device had contacts/group messages, warn network (device may be compromised)
• • Change all passwords: Email, Signal, ProtonMail, encrypted drives
• • Monitor for surveillance: Device returned may have malware. Factory reset before re-use (or destroy device)
• • Legal documentation: File complaints for illegal seizure, preserve evidence for civil suits

8. Social engineering defenses

Interrogation, coercion, and manipulation are common authoritarian tactics. Technical security means nothing if you disclose passwords under pressure.

Interrogation resistance basics

• • Invoke legal rights immediately: "I want a lawyer. I will not answer questions." Repeat endlessly.
• • Resist pressure to cooperate: "Good cop" tactics, promises of leniency, threats—all designed to extract information. Give nothing.
• • Assume recording: Everything you say can be used against you and your network. Silence is your only defense.
• • Know your legal protections: In US: 5th Amendment (self-incrimination), 6th Amendment (right to counsel). Varies by jurisdiction.

Plausible deniability: decoy systems

• • VeraCrypt hidden volumes: Encrypted container within encrypted container. Reveal decoy volume, hide real data. [61]
• • Separate "work" and "personal" devices: If forced to unlock, reveal least sensitive device
• • Clean social media: Maintain plausible "normal" persona (decoy accounts with innocuous content)

Community support during detention

• • Emergency contact protocol: Pre-arrange "I've been detained" signal (missed check-in, codeword)
• • Legal support networks: EFF, ACLU, National Lawyers Guild provide hotlines [62, 63]
• • Public pressure campaigns: Documenting detention on social media, contacting press—makes abuse costlier

9. Legal preparation

Know your legal rights before you need them. Documentation and legal support can mean the difference between short-term detention and years in prison.

Know your legal protections (jurisdiction-specific)

• United States:
  • • 1st Amendment: Freedom of speech, assembly, press
  • • 4th Amendment: Protection against unreasonable searches
  • • 5th Amendment: Right against self-incrimination (passwords protected)
  • • 6th Amendment: Right to legal counsel
  • • Caveat: Biometrics (fingerprint/face) not protected [64]
• European Union:
  • • ECHR Article 8: Right to privacy
  • • ECHR Article 10: Freedom of expression
  • • GDPR: Data protection, right to erasure, access requests
  • • Varies by member state (Hungary, Poland weaker enforcement) [65]
• Authoritarian states (Russia, China, Iran):
  • • Legal protections largely theoretical, rarely enforced
  • • Document violations for future accountability (if safe to do so)
  • • International pressure (UN, human rights orgs) sometimes effective

Document state violations

• • Contemporaneous notes: Names, badge numbers, timestamps, what was said/done
• • Photos/videos: If safe, document police violence, illegal searches (encrypted cloud backup)
• • Medical records: Document injuries from police violence (critical for legal cases)
• • Witness statements: Collect statements from others present (secure, encrypted storage)

Legal support organizations

• • EFF (Electronic Frontier Foundation): Digital rights legal support (US) [62]
• • ACLU (American Civil Liberties Union): Constitutional rights defense (US) [63]
• • National Lawyers Guild: Legal observers at protests, hotline for arrests [66]
• • Access Now: Digital security helpline (global) [67]
• • Reporters Without Borders: Journalist protection (global) [68]

10. Community security

Individual security is necessary but insufficient. Movements survive through collective security practices.

Cell structure and compartmentalization

Organize in small, isolated cells (3-5 people). Each cell knows only its own members and one liaison to other cells. If one cell is compromised, others remain intact. Used by Hong Kong protesters, Belarusian dissidents. [4, 3]

Shared threat intelligence

• • Security bulletins: Share information about arrests, surveillance tactics, new threats
• • Encrypted channels: Signal groups for security updates (separate from operational planning)
• • Vetting protocols: Standardized process for verifying new members (reduces infiltration risk)

Mutual aid and support

• • Legal defense funds: Pooled resources for bail, legal fees
• • Safe houses: Temporary refuge for activists facing immediate threat
• • Mental health support: Activism under authoritarianism causes trauma. Peer support, counseling critical.

Emergency evacuation networks

For high-profile activists: pre-planned routes out of country, emergency funds, safe contacts abroad. Iranian activists fled to Turkey, Iraqi Kurdistan. Hong Kong activists fled to UK, Taiwan. [69, 70]

11. Emergency protocols

When you're targeted, seconds matter. Pre-configured emergency responses create critical time.

Panic button setup

• • iOS: Wipe app - Emergency gesture (triple-tap power button) wipes sensitive apps/data [16]
• • Android: Ripple app - Panic button sends alerts to contacts, wipes data [17]
• • Test regularly: Emergency tools that don't work under stress are useless. Practice activation.

Dead man's switch

• • Concept: Information released automatically if you fail to check in (proves detention)
• • Implementation: Encrypted archive + instructions sent to trusted contacts. If you don't check in weekly, they release it.
• • Used by: Whistleblowers (Snowden), journalists with sensitive sources

Emergency contact protocols

• • Check-in schedule: Daily/weekly check-ins with trusted contact. Missed check-in = potential detention.
• • Code words: "I'm fine" (actually means "under duress"). Agree on signals beforehand.
• • Legal hotlines memorized: EFF, ACLU, National Lawyers Guild numbers memorized (can't access phone in detention)

What to do if detained

12. Case studies

Real-world examples show what works and what fails. Learn from others' successes and mistakes.

Hong Kong pro-democracy protests (2019-2020): OPSEC success

• • Strategy: Burner phones (no SIM or anonymous prepaid), masks/helmets, Telegram for coordination, cash-only transportation
• • Success: Millions protested; relatively few de-anonymized (compared to scale)
• • Lessons: Compartmentalization works. Physical security (masks) as important as digital. Mass participation protects individuals. [4, 9]

Belarus protests (2020-2021): telco data failure

• • Strategy: Telegram coordination, mass protests
• • Failure: Regime accessed telco data (cell tower logs), identified protest participants via phone presence at protest sites
• • Lessons: Personal phones at protests = tracking. Burner devices or no phones essential. [3, 25]

Iran women's rights protests (2022-2023): CCTV identification

• • Strategy: Women removing hijabs in public, filming protests
• • Failure: CCTV + facial recognition identified participants. Arrests followed weeks later.
• • Lessons: Physical appearance matters. Masks, disguises, avoiding CCTV zones. Digital security insufficient if physically identifiable. [5, 12]

Edward Snowden (2013): OPSEC success

• • Strategy: Air-gapped computers, encrypted communications (Laura Poitras, Glenn Greenwald), Tails OS, Hong Kong → Russia asylum
• • Success: Revealed NSA mass surveillance; evaded capture
• • Lessons: Perfect OPSEC is possible with discipline. Compartmentalization, secure communications, legal preparation (asylum), and trusted journalists all critical. [71, 72]

Reality Winner (2017): OPSEC failure

• • Failure: Printed classified document with printer tracking dots (yellow dots encoding printer ID, timestamp). NSA traced leak to her.
• • Lessons: Physical forensics matter. Metadata in printed documents. Use photocopies of photocopies (loses tracking dots), or photograph screens. [73, 74]

13. Resources and support networks

You are not alone. These organizations provide training, legal support, and emergency assistance.

Digital security support

• • Access Now Digital Security Helpline: 24/7 support for activists, journalists under threat. accessnow.org/help [67]
• • EFF Surveillance Self-Defense: Comprehensive guides on digital security. ssd.eff.org [75]
• • Security in a Box: Digital security toolkit for activists. securityinabox.org [76]
• • Tor Project: Anonymous communication tools. torproject.org [59]

Legal support

• • EFF (Electronic Frontier Foundation): Digital rights legal defense. eff.org [62]
• • ACLU (American Civil Liberties Union): Constitutional rights defense. aclu.org [63]
• • National Lawyers Guild: Legal support for activists (US). nlg.org [66]
• • Reporters Without Borders: Journalist protection (global). rsf.org [68]

Tools and software

• • Signal: Encrypted messaging. signal.org [49]
• • ProtonMail: Encrypted email. proton.me [52]
• • Tails OS: Amnesic operating system. tails.boum.org [48]
• • VeraCrypt: Full-disk encryption. veracrypt.fr [61]
• • OnionShare: Anonymous file sharing via Tor. onionshare.org [53]
• • SecureDrop: Whistleblower submission system. securedrop.org [54]

Training and education

• • Level Up: Digital security training curriculum for trainers. level-up.cc [77]
• • Tactical Tech: Digital security resources for activists. tacticaltech.org [78]