# Social Media and Communications # Best Practices for Secure Communications 1. **Use Encrypted Platforms** - Use Signal for sensitive discussions. It offers end-to-end encryption, minimal metadata retention, and open-source transparency . - Turn on disappearing messages, registration lock, and screen lock. 2. **Secure Accounts and Devices** - Use strong, unique passwords and enable two-factor authentication (2FA) or passkeys on all communication apps. - Store passwords in a manager such as 1Password or Bitwarden. - Keep apps and operating systems updated to close security vulnerabilities. - Use long log-in passwords on your devices and disable message previews on lock screens. 3. **Protect Shared Files and Metadata** - Before sharing, strip metadata from Word and PDF files using the Document Inspector in Word or Remove Hidden Information in Adobe Acrobat . - For highly sensitive material, share sanitized versions via encrypted services such as Tresorit, which provides end-to-end encryption. 4. **Establish Organizational Communication Protocols** - Designate which platforms are approved for which types of communication (e.g., Signal for private, email or Slack for non-sensitive). - Use separate channels for internal and external communication. - Label sensitive topics and documents clearly. - Include secure-comms guidance in your incident response plan (who to contact, when to switch to encrypted tools). 5. **Minimize Data Exposure** - Collect and share only essential personal information. Avoid over-collection in communication platforms and forms. - Train staff on privacy principles and proper use of encrypted tools. 6. **Maintain Privacy in Collaboration and AI Tools** - Avoid uploading personal or confidential data to generative AI systems; use placeholder text in drafts. - Keep advocacy or campaign plans off open systems unless sanitized. # Tips for Using Facebook and Meta Accounts Safely #### 1. Use Strong, Unique Passwords - Don’t reuse the same password on more than one website. - Make it long, using a mix of letters, numbers, and symbols. - Never share your password with anyone, even if they claim to be “Meta support.” #### 2. Use a Password Manager - A password manager stores all your passwords safely in one place. - It can create strong passwords automatically so you don’t have to remember them. - You only need to remember one master password for the manager itself. - Good options include 1Password, Bitwarden, or Dashlane. #### 3. Turn On Two-Factor Authentication (2FA) - This adds a second step — like a text code or app confirmation — when you log in. - Go to Settings → Security and Login → Two-Factor Authentication to turn it on. - Even if someone steals your password, they still can’t get in without that second code. #### 4. Try Passkeys (Newer and Safer Login Option) - Passkeys let you log in using your phone’s fingerprint, Face ID, or device PIN — no password needed. - They’re stored securely on your device, not in the cloud. - Meta now supports passkeys — turn them on in Facebook Settings → Password and Security → Passkeys. - Passkeys protect you from phishing attacks because they only work on the real Facebook site. #### 5. Watch for Fake Messages - Hackers send fake warnings that look like they’re from Facebook or Instagram. Never click links in these messages. - Check official notices at [facebook.com/security](https://facebook.com/security) instead. #### 6. Review Your Security Settings Regularly - In Facebook’s Settings → Security and Login, review: - Devices you’re logged into - Apps connected to your account - Where you’ve used your password - Log out of devices or apps you don’t recognize. #### 7. Keep Everything Updated - Always install the newest updates for your Facebook app, phone, and browser. - Updates fix bugs and close security holes. #### 8. If You Think You’ve Been Hacked - Go to [facebook.com/hacked](https://facebook.com/hacked) immediately. - Change your password and review your recent logins. - Turn on 2FA or passkeys right away to prevent future hacks. # Moving Sensitive Communications to Signal or WhatsApp # Moving Sensitive Communications to Secure Messaging Email and workplace chat platforms like Slack are not designed for sensitive communications. While convenient for daily operations, they create permanent, searchable records that are vulnerable to subpoenas, breaches, and surveillance. This guide explains when and how to move sensitive conversations to encrypted messaging platforms, primarily Signal and WhatsApp. --- ## Concerns about Email and Slack ### Why Email is Insecure for Sensitive Communications **Fundamental Vulnerabilities:** - Email travels between servers as plain text (encrypted "in transit" but viewable by Google, Microsoft, etc.) - Messages are stored permanently on multiple servers (from senders and receivers) - Subject lines are never encrypted - Easy target for subpoenas and legal discovery - Metadata (who, when, to whom) is always visible - NOTE: Even "secure" email from Proton isn't encrypted if the recipients are Google or Microsoft users **When Email is Acceptable:** - Public communications (press releases, newsletters) - Routine coordination that isn't sensitive - Communications that you'd be comfortable being publicly disclosed ### Why Slack/Teams Aren't Secure Channels **Critical Limitations:** - No end-to-end encryption (providers can read all messages) - Complete message history stored on company servers (for paid accounts) - Administrator access to all conversations - Vulnerable to subpoenas, e-discovery, and data requests - Often mistaken as secure due to business/professional use - Compliance tools may monitor all activity **When Slack/Teams are Acceptable:** - General team coordination - Project management discussions - Non-sensitive organizational communications - When transparency and searchability are priorities --- ## Secure Messaging ### What Makes Messaging Platforms Secure? **End-to-End Encryption (E2EE):** - Messages encrypted on your device - Only the recipient can decrypt - Service provider cannot read message contents - Protection from server breaches and legal requests **Additional Security Features:** - Disappearing messages (auto-delete after set time) - Screenshot notifications - Minimal metadata collection - Open source code (for verification) --- ## Signal ### Why Signal is Recommended **Technical Security:** - End-to-end encryption by default for all communications - Trusted open source protocol audited by security researchers - Minimal metadata collection (phone numbers encrypted) - Disappearing messages for all conversations **Organizational Structure:** - Operated by Signal Foundation, a nonprofit - U.S.-based but with strong privacy commitments - Limited data to provide in response to legal requests (no messaging data and almost no metadata) - Transparent about government requests (publishes reports) **Practical Features:** - Voice and video calls (also encrypted) - Group messaging with admin controls - File sharing (encrypted) - Desktop applications available - Relatively simple to use -- feels like a "regular" chat app ### When to Use Signal **High Priority Scenarios:** - Campaign strategy discussions - Legal strategy or attorney communications - Confidential partner communications - Internal discussions about sensitive operations - Anything you wouldn't want leaked to opposition or adversaries - Communications involving vulnerable individuals - Financial or donor information discussions **Organizational Use Cases:** - Executive team sensitive discussions - Board communications on confidential matters - Crisis response coordination - Incident response team communications - Legal compliance discussions - Sensitive conversation with external partners ### Signal Best Practices **Setup and Configuration:** 1. **Enable Registration Lock**: Prevents someone from registering Signal with your number 2. **Set Disappearing Messages**: Default to 1 week or 4 weeks for most conversations 3. **Enable Screen Security**: Blocks screenshots (on Android) 4. **Use PIN**: Protect account recovery with secure PIN **Operational Security:** - Create dedicated Signal groups for specific sensitive projects - Name groups descriptively but not identifiably ("Project Alpha" not "Litigation Strategy") - Regularly review group membership - Use Signal for sensitive one-on-one check-ins - Turn on disappearing messages --- ## WhatsApp ### Understanding WhatsApp's Security **What WhatsApp Does Well:** - End-to-end encryption using Signal Protocol - Encrypted voice/video calls - Enormous, global existing user base (easier adoption) - Feature-rich (compared to Signal) - Disappearing messages available **Critical Limitations:** - Owned by Meta (Facebook company) - Collects extensive metadata (who you talk to, when, how often) - Shares metadata with Meta for advertising/analytics - Cloud backups not end-to-end encrypted by default - Terms of service allow data sharing within Meta companies - Subject to Meta's broader surveillance advertising business **Metadata Risks:** - Social graph mapping (who knows whom) - Communication pattern analysis - Geographic tracking - Device information collection - Contact list upload **Lower-Risk Scenarios (when it's ok to use WhatsApp):** - Communications with international partners where WhatsApp is standard - Coordination that isn't highly sensitive but needs encryption - Communities where Signal adoption would be a major barrier - When the content is sensitive but metadata exposure is acceptable (it's ok to expose who you're talking to) ### WhatsApp Risk Mitigation If you must use WhatsApp: 1. **Minimize Metadata Exposure:** - Don't use it for highly sensitive contacts - Assume Meta knows you're communicating with this person - Consider what communication patterns reveal 2. **Secure Settings:** - Enable disappearing messages - Disable read receipts - Turn off automatic media download - Disable cloud backups (or ensure they're encrypted) - Enable two-step verification - Advanced Chat Privacy: Admins can turn this on, users can't save media to their device or export chats 3. **Behavioral Safeguards:** - Use for logistics, not strategy - If possible, move highly sensitive conversations to Signal - Don't use for communications involving vulnerable people - Assume metadata is being collected and potentially shared # How to Keep Your Facebook Account Private Facebook is designed for sharing with friends, so you can't make a profile that hides everything from friends too. The closest you can get is: - Hide everything from non-friends (the public). - Use the "Only me" setting on individual fields you don't want anyone to see, including friends. - Put specific friends on a Restricted list so they only see what you make public. A few things stay visible no matter what: your name, your profile picture, your cover photo, and your activity in public groups. ### Basic protections Go to **Settings & privacy** → **Settings** → **Privacy** (or **Audience and visibility** on newer layouts). Set each item below. **Your posts and stories** - Who can see your future posts: **Friends** (or **Only me** if you want a quiet profile) - Limit past posts to friends: **Yes** - Who can see your stories: **Friends** **Your profile details** (under **Profile details** or **Profile information**) - Set each field (birthday, hometown, current city, relationship, email, phone, employer, education) to **Only me**. This hides them from friends too. **Your friends list** - Who can see your friends list: **Only me** **Pages you follow** - Who can see the pages you follow: **Only me** **Finding you** - Who can send friend requests: **Friends of friends** - Who can look you up by email or phone: **Friends** - Search engines linking to your profile: **Off** **Tagging** - Review tags before they appear on your profile: **On** - Who can see posts you're tagged in: **Friends** or **Only me** **Active status** - Show when you're active: **Off** ### Hide things from specific friends without unfriending them Add them to your Restricted list: **Settings** → **Privacy** → **Blocking** → **Restricted list**. They stay friends, but only see what you post as Public. ### Check what others actually see On your profile, click the three dots near your name → **View As**. This shows your profile from a non-friend's perspective. Anything you still see there is still public. ### What you can't hide - Your name, profile picture, and cover photo are always public. - Posts you make in public groups are visible to anyone in those groups. - Comments you leave on public posts are visible to anyone who can see that post. - Facebook itself sees everything regardless of these settings. ### While you're in there: lock the account - **Settings** → **Security and login**: turn on **two-factor authentication** (authenticator app, not SMS, if possible) and **login alerts**. - Use a unique password from your password manager.