An Introduction to Digital Self-Defense and Security Culture
Introduction
In the 2020s, "staying safe on the internet" and "staying safe in the real world" are increasingly becoming the same thing. From bot accounts, to crypto scams, to literal cyberwarfare, the threats faced by everyday Netizens (a.k.a. "citizens of the internet") are multiplying and evolving at a dizzying pace.
Although the state of the modern web can feel overwhelming, it is important to recognize that there are steps you can (and should) take to not only keep yourself (and others) safe online; but also to help build a new internet of, by, and for Netizens.
Who is this post for?
This post is a brief overview of "digital self-defense" and "security culture" for the layperson. You don't need any prior experience, education, or supplies to get started with practicing digital self-defense, apart from an internet connection (optional) and a can-do attitude (mandatory).
What is digital self-defense?
Let's first start with defining "self-defense". Traditionally, self-defense refers to any countermeasures to combat immediate threats of harm to one's health and wellbeing. An extreme example would be fending off an armed assailant, but any act taken to protect your physical wellbeing from imminent harm can be considered "self-defense", regardless of the source of the harm.
For digital self-defense, things get a bit more complicated as the threats that we face in a globally internet enabled world aren't tangible the same way a knife-wielding assailant would be, but can be just as (if not more) destructive to your health and well-being. Think cryptocurrency pump and dump schemes that swindle thousands out of their life savings or negligent data breaches of "Health Insurance" companies that expose your personal medical history. In more extreme situations, the internet can be the vector through which a would-be assailant could "mine" your public data (e.g. social media or people search sites) to enact physical harm to you in the real world.
Digital self-defense, if practiced well, can greatly reduce your data exposure and by extension help to safeguard your health and well-being. By itself, it is not sufficient to counter any and all threats you might face, but having good digital hygiene is an essential first step towards keeping yourself and others safe online.
Practicing digital self-defense is much more a mindset than any specific set of tools or software, and there is no one-size fits all solution; anyone who says there is, is either an idiot or trying to sell you something you don't need (often both). You don't need to be a techno-wizard to be safe online, though it doesn't hurt to be friends with one or two.
What is security culture?
Staying safe on the internet in 2025 is a group effort, and that's where "security culture" comes in.
Security culture is a set of "best practices" to proactively defend against surveillance, and resist authoritarian control. The exact specifics of what constitutes "best practices" varies from group to group and region to region, and at the time of writing is a bit of a moving target globally. Broadly speaking though, we can split security culture into three categories:
- Information Security (InfoSec)
- Communications Security (ComSec)
- Operational Security (OpSec)
Information Security (InfoSec)
Information security is a whole field unto itself and not something either of us have time to fully delve into today, but at a 20,000 foot view it is a continuous process of classifying information based on how "sensitive" it is (e.g. how bad would it be if said information ended up on TikTok or lost in a fire) and then taking a holistic approach to safeguarding said information from prying eyes, or worse, careless hands.
For the purposes of digital self-defense, practicing InfoSec would be determining what information about you (or created by you) is "sensitive" and needs proactive management as it pertains to the internet. Photos of your cat are probably fine, but what about your current location? Is that something you're certain you want being streamed 24/7 to your mega-corporation of choice? What about your full-name and address? Only you can properly assess what information of yours is "sensitive" and merits heightened consideration.
Take stock of what information you currently have exposed to the internet across all your devices, accounts, and services. Is there any important information you don't have a local copy of (e.g. cloud photos, or your writings)? Is there a service that has broken your trust that you wish to migrate away from before they are inevitably caught in another scandal with your data? Do you have some old accounts laying around somewhere that you can safely close and delete?
More than anything, InfoSec is about taking proactive responsibility for your information, and the digital trail of data that you leave with every interaction with the modern web. Your data is yours, make sure that you have positive control over it.
Communications Security (ComSec)
Communications Security at first glance might seem quite similar to information security as the two tend to go fairly hand-in-hand. Where InfoSec is concerned with what information is important and how it is stored, ComSec instead focuses on how and when said information is transmitted. Data in transit is inherently more vulnerable than data at rest, hence why ComSec is a thing.
For digital forms of information transmission, the gold standard is End-to-end encryption(E2EE), as transmitting sensitive data in plaintext (as done by most major web services and all SMS/text messages) completely defeats any and all earlier InfoSec efforts. E2EE is available across a variety of consumer email and messaging services including Tuta Mail and Signal Messenger.
Setting up secure devices, internet, services, and channels to handle highly sensitive information can be a big ask for some groups and folks so don't be afraid to go low-tech when need be. A notebook kept on your person (or in a lockbox) is not going to randomly update on you and stop you from using it, nor is it going to serve as a warrant-less wiretap. If you're truly paranoid, there's nothing more secure than a face to face conversation.
Operational Security (OpSec)
If you really want to level up your digital defenses, then Operational Security is your next step. OpSec is more relevant when working in larger groups or teams to pursue a common goal, such as throwing a surprise party for your friend. You can only throw a big surprise party if you and all your other friends work together, but you have to be certain that nobody slips up and spills the beans before the big reveal.
Effective OpSec requires a grasp of both InfoSec and ComSec at a cultural level to coordinate the dissemination of information on a need-to-know basis and to mitigate the risk/damage if information is compromised. OpSec runs on the currency of trust, and an understanding that it is earned in drops, and lost in buckets. Being in the know, on a need-to-know basis, is a responsibility with obligations. If one of your friends can't keep a secret, then don't burden them with knowledge that they don't need to know.
While practicing OpSec to actively pursue an objective, it is important to be vigilant and make sure that your friend's nosy partner is either completely ignorant of the surprise party, or better yet, been recruited to the effort to properly Truman Show your best bud. OpSec demands that you be disciplined in what information you share and respect that violating OpSec risks foiling the efforts of you and your friends. Don't be that person, they don't get surprise parties thrown for them.
How to get started?
In order to properly defend yourself, it helps to know what you are defending yourself against. Not everyone faces the same risks and threats so this necessarily requires a personalized threat model to determine where you are most vulnerable and, inform effective countermeasures to safeguard yourself both on and offline.
There are a number of fairly ubiquitous threats that most everyone on the internet is exposed to such as scammers, phishing attacks, and identity theft which should be part of everyone's threat model. The best way to counter most of these is through basic digital hygiene to prevent bad actors from ever reaching you in the first place. If scammers don't have your contact information, they can't scam you.
If your threat model includes more dedicated adversaries such as stalkers, incel brigades, or authoritarian governments; your threat model should be adjusted accordingly. More paranoia around the control of your information may be justified, and may merit some cyber wargaming of known/potential adversaries to better prepare countermeasures.
Conclusion
Remember, there is no one "right" way to practice digital self-defense, but there are many wrong ways (including but most certainly NOT limited to):
- Storing your passwords in an (unencrypted) google doc.
- Doing 2FA via (unencrypted) SMS/text.
- Doing political organizer work on (unencrypted) corporately owned platforms.
- Patronizing services that are owned and operated by Nazis (regardless of encryption status).
- Putting your head in the sand and pretending that this is fine.
If you aren't on Signal Messenger yet, you should consider joining (requires a phone number for registration).
If you'd like a quickstart guide on (How to) Breakup with Big Tech I wrote one.
If you're looking for some other digital tools to add to your kit, I highly advise getting a Secure Email, and a Password manager.
If you'd like to learn more about how to keep yourself safe on the internet, I recommend Surveillance Self-Defense from the Electronic Frontier Foundation for a variety of good resources and guides to staying safe both on and offline.
Last Updated: 4 months ago