Tor for Human Rights Defenders: A Practical Security Guide

Effective security begins with understanding your specific threat model. HRDs should consider: who is the adversary (local police, intelligence services, state-sponsored hackers), what can the adversary access (network traffic, devices, physical access to home/office), what are they looking for (contacts, communications, evidence of activism), and what harm would exposure cause (imprisonment, physical violence, professional consequences). Not every HRD faces nation-state adversaries - local activists may face primarily corporate surveillance or less sophisticated law enforcement. Calibrate security measures to the threat level: excessive security can impede work, insufficient security creates unacceptable risk. Resources for threat assessment: Front Line Defenders, EFF's Security in a Box, and Security Without Borders provide professional assessments for high-risk HRDs.

Before addressing network security (Tor), establish device security: full disk encryption enabled on all devices (FileVault on Mac, BitLocker or VeraCrypt on Windows, LUKS on Linux, built-in encryption on modern iOS/Android). Strong device passwords (biometrics are not safe if you can be physically compelled to authenticate with your finger or face - use PIN or password in high-risk situations). Regular software updates (patch security vulnerabilities). Remove sensitive apps not needed for your work (reduce attack surface). For highest-risk environments: consider separate devices for sensitive activism and daily personal use. Physical security: devices should be locked when not in use. Consider Tails OS (no persistent traces after shutdown) for highest-sensitivity work.

Layered communication security for different contact types: for anonymous contact with unknown sources (journalists, tipsters): use SecureDrop or Session (no phone number required). For known trusted contacts: Signal with disappearing messages (24-hour or shorter). For organizational communications: Signal groups or an organization-run Matrix server accessible via Tor. For contact with lawyers: PGP-encrypted email, in-person with no electronic devices for highest-sensitivity discussions. Key principles: separate communication channels for different relationships (do not mix personal and activism contacts on the same app). Enable disappearing messages on all conversations. Regularly audit who has access to organizational communication channels.

HRDs crossing borders into or from authoritarian countries face device search risk. Before crossing: determine whether you need all devices and files at the border (can you leave sensitive devices with trusted parties instead?). Log out of all sensitive accounts. If legally permissible, enable full disk encryption with a strong password (border agents cannot compel passwords in many jurisdictions). Consider 'travel devices' with minimal sensitive data, restoring your full setup from encrypted backups after safely crossing. If legally required to provide device access: have an attorney advise before the trip. Document what devices and accounts border agents accessed if a search occurs. After crossing: assume any device that was accessed or left unattended with border agents is compromised - treat it as untrusted hardware.

High-risk HRDs should have pre-planned emergency protocols: a trusted contact list who will notice if you go silent, a pre-arranged signal that indicates you are in trouble, a protocol for remotely wiping devices (enable remote wipe on iOS/Android, iCloud or Google Account), secure backup of essential data (contacts, key documents) in encrypted form outside your primary devices, and knowledge of your country's legal rights during arrest (right to lawyer before answering questions, right to remain silent). Organizations like Front Line Defenders, Access Now, and Rapid Response Network provide emergency support for HRDs facing digital threats. Save their emergency contact information in a place accessible without your primary device (printed, memorized, with a trusted contact outside the country).