Scammers, hackers, malware—there are digital security threats as old as the internet itself. But it wasn’t until recently that its bones, the infrastructure of the internet, were twisted into its own kind of threat. The commercialization of the world wide web has given preference to profit, and turned a place of connection into one of inherent exploitation. Users still contribute their time, thoughts, art, photos, videos, and personal information freely, but now pay a hidden price for doing so.

In internet time, it’s already an old adage: If the site/app/content is free, you are the product. Your attention is sold to advertisers, whose ads encroach on every corner of your screen. And God help you if you click on one—you’ve just generated a valuable insight as to what marketing techniques work on your psyche. But then again, everything you do online generates valuable insight. Social media companies’ takeover of the internet has led to a digital landscape where users expect that their posts and activity are being mined for profitable information, and sold to the highest bidder. Just logging on attracts a horde of bots and trackers eager to collect and sell information about you.

The post-Meta, profit-driven internet set the stage—an infrastructure of data mining and user exploitation—now enter the Trump administration. What the president laid out in the National Security Presidential Memorandum 7 (NSPM-7) was recently reinforced in his administration’s “2026 Counterterrorism Strategy:” if you aren’t MAGA, you will be treated as a threat. According to The Intercept, “the president is effectively siccing [the security state] on anyone who dares to disagree with him or his supporters.” These security documents explicitly mention, “secular political groups whose ideology is anti-American, radically pro-transgender, and anarchist,” as targets. But the president has also disagreed with groups such as climate scientists, experts on COVID-19, and US historians who acknowledge the realities of slavery and segregation, along with the very concepts of higher learning and academic expertise.

With the government’s generous definition of “domestic terrorist,” a clear anti-intellectualist tilt, and access to Big Tech’s data mines, it’s clear that anyone conducting research in Trump’s forbidden subjects is now under threat. Good digital security is more important than ever. I compiled a list of experts, guides, and tools for researchers looking to protect their data in May’s Prairie Fire newsletter. But since then, I was able to get in touch with a few of those experts for in-depth conversations about digital security. Here’s what I learned:

General best practice

None of the experts I spoke to seemed to think much of “general advice,” but they did give me a few tips that apply to everyone.

1) Stay on top of your apps…

“Do you know what each app on your device does?” asked Mohammed Al-Maskati, the director of Access Now’s digital security helpline. And with good reason—many innocuous-seeming apps track and store your data for no good reason, other than to sell you out to data brokers (or the US government). Cycle tracking apps like Flo Health, which illegally shared its users’ sensitive health data with Meta, are great examples of this.

You can go through each app’s access levels in your device’s privacy settings. The Electronic Frontier Foundation has a guide to show you how. Apps can also listen to your conversations through voice assistants like Siri. All About Cookies will show you how to stop your phone from selling your voice data.

2) …especially social media apps

Social media sites like X and Instagram—owned by MAGA pawn Elon Musk and MAGA opportunist Mark Zuckerburg, respectively—are notorious for collecting user data, even when you’re not actively using them. Besides that, Instagram is de-encrypting its message system, and there’s also the basic safety issues posed by careless posting—revealing your school, address, workplace, the names and occupations of your friends and family, etc.

Social media apps are designed to lull you into the endless scroll and share. They want you complacently watchingSeinfeld clips, or furiously falling for rage-bait, while it quietly farms your data for all it’s worth. Staying vigilant is like trying to walk up a downward escalator. But unfortunately, data security is not a ground floor destination.

“Build your safe environment inside social media. Don’t let social media lead you; you lead it. In this way, you can protect yourself,” says Al-Maskati.

One way to do that is to frequent the privacy settings on your device, keep your accounts private, and be careful with what you post. But Al-Maskati takes a more drastic approach.

“I don’t have social media on my phone. Everything is on the computer. If you don’t allow me to post from a computer, then I will not use it.”

3) Turn it off!

Al-Maskati says the best security advice he can give is this: “Restart your phone at least twice a day. We found that some government spyware stays in the temporary memory of the phone. If you restart it, it removes the spyware from your device, and they need to infect you again.”

It’s probably a good idea to frequently shut down your laptop or PC too. If nothing else, the reset is good for your devices’ performance.

4) Get the basics down

Create strong passwords, don’t open suspicious messages, DO NOT CLICK THAT LINK. You’ve heard it all before. But if you’ve been slacking, now’s the time to get into shape. Check out this Newsjunkie guide for a refresher.

If you have something to hide…

And with the FBI on the hunt for anyone feeling “anti-American,” who doesn’t? Researchers and journalists are already on the regime’s hit-list, and that goes double for anyone working in targeted fields like climate studies or immigrants’ and LGBTQ+ rights. If you are a small organization or individual working with data that has suddenly turned sensitive, here’s where to start.

1) Map your digital footpaths

Everyone’s security needs are different. It all depends on where you are, who you are, and what kind of information you’re working with. Which is why the experts I talked to were so hesitant to offer one-size-fits all advice.

“We don’t rush advice. We want to understand your needs first, and then we give advice. I always say that we are like hospitals, doctors, and nurses. Can I give you medicine without a scan? Without a blood test?” explained Al-Maskati.

In digital security, this first-step diagnostic scan is what Laura Ranca, an investigative researcher with Tactical Tech, calls an “environmental assessment.”

“Map your actions carefully, then map your interactions, then map every device that holds any trace of those actions—including the phone you carry with you everywhere,” she says. “This sounds obvious, but people forget a lot of their regular actions because they're so embedded in daily practice. They say ‘I conduct research online’ but that's not all they do. They store things, send things, save things, make copies. Do you know where all the copies are?”

2) Know thy enemy

After you know what you have, the next step is to identify who might want to take it from you, and the tools at their disposal.

Be aware that there are some enemies you won’t be able to vanquish. Ranca points out that if the US government is truly after you, there’s not much you can do to throw them off the scent.

“These are governments with massive technological and financial power and very skilled institutions. If you work transparently and publicly, it's very hard to hide. So either you change your practices substantially…, or you accept you can't hide completely.”

If you can, try not to attract their attention in the first place.

“You take steps to be less obvious,” says Ranca. “And you protect the most sensitive steps you take.”

But if it’s likely that you’ve already been labeled as an enemy of the Trump regime, perhaps the best thing to do is to stay visible, and stay defiant. Your best protection may be in numbers. Don't let a fear of speaking out put you, and others who won’t be able to hide, in greater danger.

3) Identify your weak points

Now that you know what you have, and who wants it, it’s time to find their windows of opportunity, and narrow them.

“Ask yourself: where do you feel you're at the biggest risk? Is it while you're browsing and collecting information? Storing? Downloading? Traveling with devices?” says Ranca.

4) Collect with care

Another way to limit your risk is to limit your data collection. Only take what you absolutely need. If you are conducting surveys, for example, and you know the final publication will keep respondents anonymous, then consider whether you need to collect their names at all.

Be aware of information you may be collecting or generating unintentionally. If you are collecting survey responses, are you also collecting respondents’ metadata? Even if you aren’t, someone else might be. The QR code creator you used so respondents could scan your survey onto their devices may be collecting and selling their data.

Use secure platforms and tools whenever you can. You’re looking for software that’s open source and, ideally, keeps your communication encrypted. Open source software allows you (or other watchdogs) to scan the code for any kind of spyware. End-to-end encryption is meant to keep it so the only eyes on your communications are yours, and your contacts. Signal, Wire, and RedCap were all brought up as secure tools that may be of use to researchers. I’ll be updating our DIY resource page with links to these and other secure research tools.

You should also be aware of where you’re storing your data. Al-Maskati recommends European over US servers, since their General Data Protection Regulation (GDPR) offers more protection than our skimpy privacy laws. Ranca specifically mentioned Iceland as the country with the best data protection laws, though Al-Maskati warned that nothing is set in stone.

“Today it is Iceland, yesterday it was Switzerland, tomorrow, I don’t know. These data-retention and legal situations keep changing,” he said. “I would think about encrypting the data and then hosting it anywhere, rather than keeping the data unencrypted and hosted in a very strong country. “

5) Delete after use

Of course, the best protection for vulnerable data is to not have it at all. That’s why Black & Pink, a research and advocacy organization that conducts surveys of incarcerated LGBTQ+ people developed a plan to delete their survey data after a certain amount of time. While they immediately deleted identifying information from their survey responses, the group was advised by the Digital Defense Fund to scrub the rest of the data after they finished the report.

“In these times, we cannot have trans and queer people vulnerable to hackers, or to the government,” said Kenna Barnes, a Black & Pink researcher.

6) Layer your protection

All the encryption in the world won’t make a difference if your laptop gets stolen. Physical protection is another angle here, and you need to cover as many as you can.

From Al-Maskati: “If you are stopped by the police and give them your password, then even if you secured your app and your device, everything can still be exposed. You need to think about different layers of protection: the app, the device, and a strategy for what happens if your device is confiscated or taken.”

That’s why Wired warns against fingerprint and face recognition (it’s easy for others to force you to open your devices that way). Check out their other tips for locking down or wiping your phone in the event of apprehension.

7) Don’t get comfy (sorry)

“Think of this as a process you revisit regularly, not something you do once,” said Ranca. “And when the government changes or escalates—as has happened in the US—revisit the whole plan, especially the interaction with sources, because what was acceptable risk before may no longer be. Whatever you built before, it now has to be completely reinforced.”