• Talking to the police cannot help you; it can only hurt you. What you tell the police can only be used against you by the prosecution.
• Talking to the police may implicate you in a crime you didn't realize you were committing.
• Lying to the police is illegal, even if it's by accident. Accidentally lying to the police is easy to do.
• Information you give the police can be used to convict you, even if you're innocent.
• Police can misremember facts about your conversation.
• Police can and will lie to manipulate you into revealing information.

What are you trying to protect yourself from?

• Having your data stolen?
• Having your accounts taken over?
• Having your privacy or anonymity compromised?
• Attacks on your physical security?
• Legal prosecution?

Who are you trying to protect yourself from?

• Common criminals?
• Hate groups?
• Local government?
• The federal government?

What are your risk factors?

• Are you a journalist, activist, or otherwise more likely to be targeted by law enforcement?
• Do you regularly attend protests, cross the border, or otherwise encounter law enforcement?
• Are there circumstances making it more likely for law enforcement to be able to secure a warrant to search your devices or request your data from companies?
• Do you belong to a marginalized group that is more likely to be targeted by law enforcement or hate groups?
• Could having your privacy compromised make you a target for hate groups?

Let your password manager generate a long, completely random password for each site. It doesn't have to be memorable; that's what the password manager is for. If you get the browser extension, it will autofill your passwords when you visit a site. If you get the mobile app, you can look them up on your phone.

For sites that ask you to answer "security questions", do not give honest answers. Often the answers are public information that a determined attacker can look up. Instead, give a fictional or random answer and store it in your password manager alongside your password.

Web browsers like Chrome, Firefox, Edge, and Safari have features built in to save your passwords for you. This is less secure than using a dedicated password manager, but still better than no password manager at all.

In many cases, an attacker can easily trick your phone carrier into giving them access to your SMS messages. However, SMS-based 2FA is still better than none.

Some sites now offer a new form of authentication called passkeys, which replace passwords entirely. Unlike passwords and other 2FA methods, passkeys can't be phished. Use them when you can. Store your passkeys in your password manager so that they're available across your devices and you don't have to worry about getting locked out of your accounts if you lose a device.

Many devices—particularly ones made in the past couple of years—have device encryption enabled by default. Others may require you to enable the feature in settings. This can vary by operating system, manufacturer, and how old the device is, so it's worth checking.

You will need to consider who has the ability to unlock your device and read the data on it. Windows, iOS, and macOS devices have a feature that gives Microsoft or Apple a key to unlock your device. This is convenient if you lose your password, but also gives them the opportunity to hand that key over to law enforcement if required to do so. The alternative option is that only you are given a copy of the key, which you can store someplace safe like a password manager.

If you're not able to fully power down your device, disable biometric unlock (fingerprint and face unlock) and hide lock screen notifications. Both iOS and Android have a feature that allows you to do this quickly and discreetly without digging into settings. In both cases, it disables biometric unlock and lock screen notifications only once, until you next unlock your phone.

Additionally, both iOS and Android have a feature that allows you to take photos and videos from the lockscreen, without unlocking the device.

iOS has a feature called Lockdown Mode, which disables many features of your device to enhance security. This is intended for extreme cases where you expect to be personally targeted by sophisticated attacks. Enabling this feature means making a big compromise in terms of usability and convenience, which may or may not make sense for you. Do not confuse this with the Android feature that disables biometric unlock and lock screen notifications, also called lockdown mode on some devices.

Noncitizens may be denied access into the country for refusing to unlock their devices. Citizens cannot be denied access into the country, but may be detained or have their devices seized.

If you're crossing the US border, your best defense is limiting the information you bring with you. If you're a noncitizen who needs access to the country, and giving law enforcement access to your data has the potential to be incriminiating, consider wiping your device or bringing a burner phone, then downloading your data from the cloud once you're in the country.

Note that having your rights respected at the border is not guaranteed under the Trump administration. Lawful permanent residents and even some US citizen—such as those from Puerto Rico—have been caught up in Trump's racist and draconian immigration policy.

If you're going to be taking photos at a protest, be aware that photos contain invisible metadata that could be used to identify you, including the exact time, location, and camera used to take them. An easy way to avoid sharing sensitive metadata is to only share these photos via Signal, which removes metadata when sharing images. If you need to share a photo elsewhere, you can send a copy to yourself in the Signal app and then download it to get a metadata-free copy.

• VPNs do not protect you from all threats. They provide marginal additional security over standard internet connections, which are almost always encrypted. You're much more likely to get hacked because of a phishing scam, which VPNs do not protect you against. For that, you'll need to secure your passwords and accounts.
• VPNs do not fully protect you against law enforcement. In many cases, law enforcement can go to the VPN provider with a warrant and request your information.
• VPNs are not a tool for total anonymity. For that, use Tor.
• VPNs are not necessary to use public Wi-Fi networks. This guidance may have been true in the past, but is not relevant these days.

VPNs are primarily useful for circumventing internet censorship. They can make it appear that you're connecting from a different location, bypassing some geographic restrictions.

Note however that many sites and services block traffic from VPNs.

• Tor can't protect you if you use it to log into existing accounts. If you're the only one with access to an account, they won't suddenly think you're someone else because you're using Tor.
• Tor can't protect you if you provide websites with personally identifiable information. Unless it's end-to-end encrypted, you must assume that anything you type into a website could be recovered by law enforcement. They may not even need a warrant; data brokers will sell it to them freely.
• Tor does not prevent other apps on your computer from compromising your anonymity. For that, you'll need Tails.
• While they cannot see which websites you're visiting, some people, such as your internet service provider, may be able to see that you're using Tor. Using Tor isn't illegal, but could bring attention to you if someone is looking for it.