Introduction
Researchers studying everything from sexual health to COVID-19 to gun violence are increasingly likely to be targeted because of their work. While research institutions have rules and guidelines for safeguarding sensitive information, these usually do not address the problem of keeping individuals safe from either targeted attacks like Climategate [Nature2010] or the kinds of "drive-by" threats that everyone now faces regardless of their occupation.
Hollywood depictions of everyday threats are as far from reality as their portrayals of scientists, but more realistic guidance for personal digital security is now freely available [FLD2020,EFJ2015,EFF2020]. The ten quick tips in this paper are a starting point: while they apply to everyone, they were developed with researchers in mind. While researchers expect their work to be scrutinized by the academic community, they should not expect to endure harassment due to the visibility of their published works. These rules do not guarantee complete safety, any more than seatbelts guarantee safe driving, but following them greatly reduces the likelihood of harm.
Put On Your Own Mask
The first and most important rule is that we should not rely on companies, universities, and other institutions to protect us, for the simple reason that they are not penalized if they don't. Ten years ago we could blame the lack of meaningful institutional liability for data breaches on the law being slow to catch up with rapidly-changing technology; that excuse no longer holds, yet accountability for these breaches is still practically non-existent: data breaches have minimal impact on companies' profitability, and individuals are almost never fined, much less jailed.
Much of what institutions force us to go through is security theater, intended to make us believe something is being done rather than to actually make us safer. Requiring people to take off their shoes at airports is one example; random searches of backpacks and bags at the entrance to the subway are another, since it's hard to imagine that a would-be attacker wouldn't just go to another entrance. ([Schneier2020] has many examples of security theater and the harm it does.)
Security theater is counter-productive because it encourages us to cut corners in ways that actually make us less safe. For example, forcing people to change passwords every three months encourages them to choose memorable (and therefore easy-to-guess) passwords.
Digital Security is Rarely the Weakest Link
The second rule is to remember that most attacks take place offline, and that the most effective ones are often the simplest. At an airport several years ago, one author heard a professor of computer science try to reset an online account over the phone. In just a couple of minutes, they had inadvertently told everyone in the lounge their full name, their date of birth, the three-digit verification code on the back of their credit card, and what was almost certainly their mother's maiden name.
The moral of this story is that safety comes from good habits, not technology. Social engineering is far more common than hacking: in practice it is far easier to trick someone into giving you their password than to break into their devices digitally.
The key practice is situational awareness, which is a fancy way of saying, "Pay attention to what's happening and respond accordingly." If you start working on a high-profile subject that will likely attract controversy, you should take more precautions than usual. For example, someone should recognize that agreeing to be an expert witness increases the odds that they will be targeted, and should be more careful about what they put into email while preparing and delivering their testimony.
The corollary to situational awareness is to de-escalate when you can. Being on guard all the time is exhausting and leads to security fatigue [Stanton2016]. If you are too tired to follow good practices, knowing them does you no good.
Two technologies that are useful, but only to a certain extent, are Virtual Private Networks and the Tor anonymity network (usually accessed through the Tor Browser). A Virtual Private Network (VPN) connects your device to a server, then has the server make connections to other machines on your behalf. All messages between your device and the server are encrypted, and the server can be managed by professional IT staff in a jurisdiction with tight privacy laws to increase your safety. Tor routes each connection through a randomly chosen chain of relays, making traffic much harder to track. Both reduce risk, but neither eliminates it if your device is compromised, if the VPN provider is subpoenaed, or if you log in to accounts over Tor (thereby revealing your identity to those sites).
Acknowledgments
FIXME