Groups & communities

Organise safely: privacy for activists and journalists

A calm, practical approach to threat modelling, vetting members, cutting metadata, and protecting sources for people whose work carries higher stakes.

Published

If you organise, campaign, or report, your privacy protects other people as well as yourself: your members, your contacts, and your sources. This guide keeps things calm and proportionate. The goal is not to become paranoid or to armour against every imaginable adversary, it is to make sensible choices that match the actual risk you face.

Start with a threat model, in plain language

A threat model is just four honest questions answered on paper or in a shared note. You do not need any technical skill to do this.

  1. What are you protecting? For example: the identity of members, the location of a meeting, a source’s name, a set of documents.
  2. Who might want it, and what can they realistically do? A curious troll is not the same as a well-resourced adversary. Be specific and realistic rather than imagining the worst possible actor for everything.
  3. What happens if they get it? Some leaks are embarrassing; some are dangerous. Sort your assets by how bad the outcome would be.
  4. How much effort is proportionate? Spend your energy where the stakes are highest. Over-securing trivial things burns people out and makes them cut corners on the things that matter.

Everything below is a menu. Pick what your threat model actually calls for.

Reduce metadata, not just message content

Encryption hides what you say. Metadata is the information around it: who contacted whom, when, from where, and how often. For higher-stakes work, metadata is often the bigger exposure, because patterns reveal relationships and movements even when content stays secret.

Practical ways to shrink it:

  • Use Signal for group and one-to-one coordination. Its content is end-to-end encrypted and it is designed to hold as little metadata as possible.
  • Turn on Signal usernames so nobody has to share a phone number. A phone number is a strong identifier that links to your real-world identity. With usernames, members can be added and can chat, including in groups, without revealing their number to strangers. It is worth understanding that Signal has several identifiers; the freedom.press explainer linked in the sources walks through them.
  • Keep groups small and purpose-built. One tight group per task leaks less than one giant group where everyone sees everyone.
  • Set disappearing messages so old coordination does not linger on every member’s device to be seized or exposed later.

Vet new members without building a dossier

Vetting is about trust, not surveillance. The aim is confidence that a new person is who they say and is there in good faith, while collecting as little about them as possible.

  • Prefer a vouch. An introduction from a trusted existing member is worth more than any form.
  • Admit deliberately. Use admin approval on join links (see the community guide) so entry is a decision, and keep a short waiting step for sensitive groups.
  • Ask only what you need, and do not store identity documents or personal details you will never use. A record you keep is a record that can be seized or leaked.
  • Watch behaviour over time, not one-off answers. Someone consistently reliable in a low-stakes space earns access to higher-stakes ones.

Device basics that carry most of the weight

Strong apps on a compromised phone are not strong. A few fundamentals protect the whole chain and are covered in depth in our device guides.

  • Lock every device with a strong passcode (not just a face or fingerprint), and enable full-device encryption, which is on by default on current phones.
  • Keep the operating system and apps updated, since most real attacks use known, already-patched holes.
  • Install only from official app stores and remove apps you do not use.
  • Think about who can physically take the phone, at a border, a protest, or a police stop, and carry as little on it as the situation allows.

For the details, see Protect your phone and Lock down your phone’s operating system.

Protecting sources: SecureDrop, OnionShare, and Tor

If you receive documents or tips from people taking a personal risk, the channel you offer them is part of their safety.

  • Tor is free software that routes your connection through several volunteer-run relays, hiding your location and making traffic hard to trace. It is the foundation the two tools below rely on.
  • SecureDrop is an open-source whistleblower submission system that news organisations run to accept documents from anonymous sources. Sources and journalists connect over Tor, the site exists only as a Tor hidden service, and each source is given a random code name rather than an account tied to their identity. It is the more rigorous option and is designed for newsrooms with the resources to run it properly.
  • OnionShare is a lighter tool for one person. It lets you send or receive files directly between devices over Tor, without uploading them to any company’s servers and without standing up infrastructure. It needs only a laptop or phone and an internet connection, which makes it practical for individual reporters and small teams.

A calm rule of thumb: point genuinely high-risk sources to a SecureDrop instance if you or a partner newsroom runs one; use OnionShare for direct, ad hoc file exchange; and never ask a source to first contact you over an unencrypted channel like email or SMS.

Keep it sustainable

Security that people cannot live with gets abandoned. Agree on a small set of shared norms (which app, disappearing-message timers, how members are vetted), write them down in one place, and revisit them when your situation changes. Consistency from everyone beats heroics from one person.

Quick checklist

  • Write a four-question threat model and match effort to real risk.
  • Coordinate on Signal with usernames so no one shares a phone number.
  • Keep groups small, purpose-built, and set to disappearing messages.
  • Vet by vouching; collect and store as little about members as possible.
  • Lock and update every device; see /en/protect/phones/ and /en/protect/phone-os/.
  • Offer sources SecureDrop or OnionShare over Tor, never plain email or SMS.

For the messaging foundation this builds on, see Set up truly private messaging.

Sources

  1. support.signal.org https://support.signal.org/hc/en-us/articles/6712070553754-Phone-Number-Privacy-and-Usernames
  2. ssd.eff.org https://ssd.eff.org/module/creating-and-managing-signal-groups
  3. securedrop.org https://securedrop.org/
  4. docs.onionshare.org https://docs.onionshare.org/2.6.1/en/features.html
  5. torproject.org https://www.torproject.org/
  6. freedom.press https://freedom.press/digisec/blog/signal-identifiers/

Last reviewed: