Afghanistan Digital Care Guide - English
Download full guide as PDF: digital-only version | printable version
Care is Resistance
"Caring for myself is not an indulgence, it is self-preservation and that is an act of political warfare" (Audre Lorde)
Taking care of your device and data is not only to protect yourself, but also your whole community.
Journalists, media workers, and activists run the risk of their lives, in case, online and other data, apps, and/or contacts are being used as evidence against them or someone linked to them. Access to this data, apps etc. might be gained. The following scenarios might occur:
- Confiscation of, and access to phones, tablets, computers, smart watches, and other storage devices (USBs, external hard drives, etc.) during raids, searches, detention, at check-points etc.
- Surveillance of digital communication and online connections
- Digital attacks on devices and accounts
- Open Source Intelligence: research on publicly available platforms like Facebook or Wikipedia
Being aware, that not all risks can be prevented, certain steps such as having less data on our devices, using secure channels of communication and securing our devices can reduce the likelihood or impact of, that data or apps being turned into evidence. At the same time, some of these secure practices can turn into risks, if secure apps would be detected and framed as indicators of being linked to the wrong actors (e.g. international community or alike).
|Risk||Prevention steps||Response steps||Remarks|
Confiscation of and access to phones, tablets, computers and smart watches during raids, searches, detention and checkpoints etc.
| || || |
|Surveillance of digital communication and online connections (by authorities, their allies, internet service providers, telecommunication companies)|| || || |
|Digital attacks on devices and accounts (spyware and hacking attacks and planting of evidence by authorities and their allies, criminals)|| || |
|Open Source Intelligence (OSINT): research on publicly available platforms like Facebook or Wikipedia|| || || |
1. Emergency hotlines for digital emergencies
If you are a journalist, activist, or civil society member who needs emergency assistance, Access Now’s Helpline provides 24/7 digital security support. Please note: The Helpline team does not speak local Afghan languages.
- Digital Rights Foundation can also take cases via firstname.lastname@example.org
- If you suspect, that your phone got attacked with spyware or alike, the Emergency VPN by the Civilsphere project can help you check: https://www.civilsphereproject.org/emergency-vpn
2. Prepare for digital emergencies, detention and check-points: make a plan
To build online safety, determine what threats you face and which of your online activities might put you at risk — your threat model. This first look at digital security: https://www.accessnow.org/first-look-at-digital-security/ can help you get started in answering those questions. When thinking about risks, please keep the following in mind:
2.1 Make a plan for the possibility that you or someone you know could be detained by authorities. Take a look at this guide: https://digitalfirstaid.org/en/arrested/ by RaReNet and CiviCERT — which includes digital security precautions — for more. There is also the Coping-with-Prison-Guide: https://coping-with-prison.org which includes tips for families, supporters and lawyers of detained persons.
2.2 At checkpoints and during raids, be prepared that authorities could confiscate or force you to unlock your device. Do not take your phone with you when going out. Or take a phone, which has no sensitive data like contacts or alike with you. Minimize the amount of data you save on your devices, especially on mobile ones.
- The golden rule is: if in doubt, delete! No information is worth risking your life or to putting friends at risk. (Tips below on how to delete content and accounts.)
- Make up your mind, if you would give access to your devices or not. It is not an easy decision, but good to think about it before it happens. Be aware, that fingerprint or Face-ID can be easily unlocked by force, if you are present. On iOS there is the emergency option to switch from FaceID or Fingerprint to passcodes by pressing the power button several times (older iPhones) or by initiating power off/Emergency SOS by pressing and holding either volume button and the side button simultaneously for 2 seconds (newer iPhones). Make yourself used to this option, if you might need to use it.
Apps that can pose security risks, for you or others:
- Address & Contact List
- Messenger Apps
- Facebook Account
- Twitter or other Social Media Accounts
- Notes & voice notes
- Search and Web history
- Youtube videos you have watched / Google account
- Documents you have stored on your laptop or phone
- VPN Apps
- Google/Apple Maps data and location history (significant locations for Apple, location history for Google)
- Calendar App may contain sensitive entries as well
- Music Apps (some music might be taken as "politically or religiously inappropriate")
- Dating Apps
Be aware, that you need to clean the bin of deleted items and that a thorough forensic analysis might bring back traces of these deleted contents.
In case you want to delete everything from your phone: keep at least some personal images to show the use of the phone.
2.3 Change contacts in your address book into Dari or Pashtu language and spelling and check if you need to remove international numbers.
- Your address book, messenger contacts and chat histories should not contain foreign-sounding names or addresses.
- If you need to preserve a list with those addresses, do not keep them on your phone or laptop! Send them to yourself on an email account that is not your primary address. Do not save the password for that account on your phone or laptop and do not leave a reference of this email on your device (e.g. if sending an email from your primary email account to your other email address, the email is still in the sent-folder).
- Delete any harmful emails from your Inbox, Archive, Sent, and Draft folders. Make sure to clear the bin after deleting the emails
2.4 For messengers and other online-groups: Activate several admins beforehand for each chat group, so several people/admins can actually do a kick-out of a member contact if needed (e.g. if someone's phone gets confiscated).
2.5 Don’t respond to contact requests via social media, if they don’t come via friends or trusted channels. There are cases, the T. "dressed" as foreign journalists, requested interviews and, afterwards abused the information and tracked the victim down.
2.6 Create functional email addresses instead of personalized ones, so not to contain names or alike, which could identify you.
3. Special advice for women journalists
If you are identified as a woman, you may face unique digital security threats. Check out this guide: https://digitalrightsfoundation.pk/wp-content/uploads/2017/11/Hamara-Internet-Guidebook-English-Version-2016.pdf from the Digital Rights Foundation for tips; they also provide services in Pashto: https://digitalrightsfoundation.pk/services/
For women facing abuse, there is an online safety guide by Chayn (https://www.chayn.co/) in several languages below.
- Farsi فارسی : https://chayn.gitbook.io/diy-online-safety/farsi-farsy
4. Secure your online accounts, phone, tablet & computer
4.1 Require passwords to unlock your phone and computer, and enable full-disk encryption (if you think, this might trigger attention if your device is searched, have a story ready to justify or just secure your data on the laptop securely. Turn the device off if left unattended and when going through a security check. See point 2, if you will be willing to share your passwords or access to your devices or not.
4.2 Use an end-to-end encrypted messaging app, like WhatsApp: https://whatsapp.com or Signal: https://signal.org or Wire: https://wire.com for texting and enable disappearing messages and/or clear chats regularly. Be aware, that apps like Signal or Wire, which are not so frequently used or only used by “international” non-governmental organizations (INGOS) or “NGO people” might trigger attention, although they might be as such safer than Whatsapp. An alternative to Signal for Android is a Signal-based messenger, called Molly, which might not trigger attention: https://molly.im/
4.3 Check the security settings on your accounts. See whether you have missed any important action items, and set up security alerts. If possible enable 2-Factor-Authentication (2FA) using an authentication app like freeOTP: https://freeotp.github.io/ or Aegis for Android (as it has a lock with password feature): https://getaegis.app/ and Raivo for iOS: https://apps.apple.com/us/app/raivo-otp/id1459042137
- Google (on mobile phones): https://myaccount.google.com/security-checkup/ Be aware, that if you connected your account to a phone number, your account might become traceable through the phone number!
- Facebook: https://www.facebook.com/help/799880743466869/ If you are using Facebook Messenger, it is better to use “Secret Conversations.”
- WhatsApp: https://faq.whatsapp.com/general/verification/how-to-manage-two-step-verification-settings/?lang=en
- Telegram: https://telegram.org/blog/sessions-and-2-step-verification
- https://2fa.directory/#email links to documentation for all email providers
- Make sure to write down the backup or recovery codes you get and keep them separate from your phone to recover your account if your phone is broken/stolen/out of battery!
- More info: https://ssd.eff.org/en/module/how-enable-two-factor-authentication
4.4 If you want to change your phone or phone number due to anonymity reasons, be aware, that you always need to change both the phone AND the SIM-card. As both identify separately but at the same time to the phone towers (SIM-card number plus IMEI-Number of the phone), changing only one of them won’t suffice because, the other one still identifies you!
5. Delete your digital history and minimize your online footprint
It’s uncertain if and to what extent Taliban forces are currently surveilling people, notably human rights defenders and journalists, online. The situation is developing quickly, and it could be helpful to delete online information (https://news.trust.org/item/20210817111442-4d73x) that may hurt your online safety in Afghanistan. Following is some guidance from WIRED: https://www.wired.com/story/how-to-clean-up-your-digital-history/ and Human Rights First: https://www.humanrightsfirst.org/sites/default/files/How%20to%20delete%20your%20history_updated.pdf; Farsi version here: https://twitter.com/dooley_dooley/status/1427223031429181441
1. Be careful about giving personal information to third-party services.
2. Some platforms have data retention policies that archive accounts for law enforcement.
3. Your deleted data may still be retained locally on your laptop or phone.
5.1 How to delete selected content, like photos and posts and secure use
A general short guide in Farsi: https://twitter.com/dooley_dooley/status/1427223031429181441 and for Facebook: https://www.facebook.com/help/261211860580476/
- The Taliban have an active presence on Facebook and may use FB to identify who is openly opposed to them, who works with foreigners, and who has resources that might be exploited.
- Facebook has launched a one-click-tool to quickly lock down their account. When their profile is locked, people who aren’t their friends can’t download or share their profile photo or see posts on their timeline: https://twitter.com/ngleicher/status/1428474008295464965
- Create a ‘local’ account with only local friends that you keep on your phone app to avoid being associated with your international contacts. Keep your account as generic as possible, no political or religious content. Use a generic photo as profile picture, you might want to use a pseudonym. Be aware, that if you bind your new account to a phone number, your account might become traceable through the phone number!
- Make sure the “about” section of your account is not visible to the public. Do not add any job history to your account. Make sure your previous affiliations with any foreign entity including your job history is not visible on your account.
- If you want to keep your ‘international account,’ only log on to it when you are in the safety of your home. Do not store the password on your phone or your laptop.
- Check your Facebook posts (delete ANYTHING that is potentially objectionable), your friends’ list (delete anybody who may raise suspicion, especially if foreign), and check what groups and pages you have liked in the past.
- Check your Facebook photos, especially profile and cover photos. Check the settings of all these photos, including the old photos, and make sure these photos are not visible to the public and only your trusted friends can view them. If you have any “questionable” photos, delete them.
- Restrict who can see your friend lists (and ask all friends to do the same). This can be done in Settings: “How People find and contact you" - “Who can see your friends list?” - “Only me.”
- Do not tag fellow Afghans in Facebook
- Disable the functionality that others can tag you in photos: https://www.hongkiat.com/blog/prevent-facebook-tagging/amp/
Review posts and photos that people, including your friends, have tagged you in the past, and if “problematic”, remove the tags.
- Similar rules (as for Facebook) apply for twitter or other social media accounts. Review your list of whom you follow, and unfollow anyone or delete any tweets that could be objected to by the Taliban.
- Make sure you have not activated “tweet with location” in your Twitter setting. If you have, disable
- Delete old tweets: https://semiphemeral.com
- Instagram: https://help.instagram.com/997924900322403
- Wikipedia: If you find information on Wikipedia or other Wikimedia projects that could cause harm to you or other people in Afghanistan, please email email@example.com and put AFG in the subject line. Review your friends’ profile pictures and cover photos. If any of them has a “questionable” photo (for example: showing a flag or a banner that could be considered Anti-Taliban), ask them to change their it. If in doubt, delete this contact.
5.2 How to delete entire accounts
- Facebook: https://www.facebook.com/help/224562897555674/
- Twitter: https://help.twitter.com/en/managing-your-account/how-to-deactivate-twitter-account
- LinkedIn: https://www.linkedin.com/help/linkedin/answer/63?lang=en
- Instagram: https://help.instagram.com/448136995230186/
- Signal: https://support.signal.org/hc/en-us/articles/360007061192-Unregister-or-Delete-Account
- Telegram: https://my.telegram.org/auth?to=delete
- WhatsApp: https://faq.whatsapp.com/android/account-and-profile/how-to-delete-your-account/?lang=en
- Google: https://support.google.com/accounts/answer/32046?hl=en - Additionally, request to delete cached Google results here: https://google.com/webmasters/tools/removals
- Microsoft/Hotmail: https://support.microsoft.com/en-us/help/12412/microsoft-account-how-to-close-account
- Yahoo: https://en-global.help.yahoo.com/kb/SLN2044.htm
- Protonmail: https://proton.me/support/delete-account
5.3 How to deal with photos
- Make sure you review all of the photos you keep on your phone to make sure that there are no "objectionable" photos (such as of you with an American flag, you with foreigners, or of women without hijab or your family abroad).
- If in doubt, delete! It is understandably hard for you to delete photos that mean something to you, but remember they could potentially put you or others at risk.
- If you want to keep them, store them in the cloud, which does not use your main account, under a name and password that is not recorded anywhere, and delete them from your phone. See for example: What is and how to use Google Drive (English Video with Persian subtitle): https://youtu.be/EbVnObwFJic
- There are some apps that allow you to keep photos hidden behind a ‘decoy’ folder or that pretend to be another app (such as Secret Calculator or Private Photo Vault), but remember this is not safe because other people know about these types of apps, too.
5.4 Online searches – Google – Youtube
Before browsing websites that could be seen as Anti-Taliban:
- Enable the private browsing mode in your browser
- If possible do not accept cookies
- Do not save bookmarks
- Do not save login data or passwords
- Do not login to websites with Google or Facebook or connect them to a third party website account
- Try to use browsers (like Mozilla Firefox) that protect your privacy and enable additional privacy settings
- Make sure to build a history of “safe” websites you visited (i.e. do not always surf in privacy mode). Your computer should show some entries so that no one will get suspicious.
- Make sure you are not logged in to browsers such as Firefox or Google Chrome (for example, make sure you are not logged in to Chrome browser with your Google/Gmail account). If you browse the internet while logged in to your account, your account will keep a record of all your activities.
Remove sensitive search results:
Request removal of actual site content: Removing the search result does not remove the content. You will have to work with the owner of each site to remove your information from that site.
On Youtube & Google:
- Remember that if you search youtube videos, this may show on your google account on your phone (the two accounts are usually linked)
- Regularly delete the “search history” on your YouTube and Google accounts. See how to delete Google activity: https://support.google.com/accounts/answer/465
This “self-doxing” guide: https://guides.accessnow.org/self-doxing.html might also be useful for understanding how much information about you is publicly available and minimizing things that can put you at risk, especially for activists who are detained and questioned about their views. You could be newly targeted for things you’ve posted, or based on your networks: https://twitter.com/BBCWomansHour/status/1427287851016798213
If you discovered particularly sensitive information on a site, and you’ve been able to remove it from the site, also enter the URL of the specific page where the information was on https://archive.org/web/
If there is an archived copy there, please contact firstname.lastname@example.org for support.
6. What to do if you lost your device
If that happens, it’s important to act quickly to lessen the risk of someone else accessing your accounts, contacts, and personal information.
Check out this Digital First Aid guide: https://digitalfirstaid.org/en/topics/lost-device/ to learn how to assess your risk, and what to do next.
6.1 If possible, lock and wipe the phone remotely
- Android: https://support.google.com/accounts/answer/6160491?hl=en
- Samsung: https://www.samsung.com/za/support/mobile-devices/how-do-i-use-find-my-mobile-to-remotely-wipe-my-samsung-galaxy-s6-edge-plus/
- iPhone: https://www.igeeksblog.com/how-to-erase-data-from-lost-stolen-iphone-ipad-remotely/
6.2 Kick the number of the lost phone out of all social media groups (to prevent that the person finding the phone might gain access to those social media groups). For this, activate several admins beforehand for each chat, so several people/admins can actually do this kick-out
6.3 Change all passwords for all accounts affected (including for their reset/recovery email addresses) and enable 2-Factor-Authentication on these accounts where possible.
6.4 Inform your contacts about the loss of the phone and the risk that your contacts might be abused by the person finding and accessing your phone.
7. Recover your account
Most social media platforms, email services, and other sites have resources to help you recover your account. Major platforms also typically have ways to report any unusual account activities. We’ve listed several guides below. And also check out this first-aid guide: https://digitalfirstaid.org/en/topics/account-access-issues
- Google (Recover): https://support.google.com/accounts/answer/183723
- Facebook (Report): https://www.facebook.com/hacked - (Recover): https://www.facebook.com/notes/10157814523321886/
- Instagram (Support steps): https://help.instagram.com/149494825257596
- Twitter (Support steps): https://help.twitter.com/en/safety-and-security/twitter-account-hacked
8. VPNs: protecting against spying, attacks & censorship
VPNs build an encrypted tunnel between your device and the exit provided through the VPN. So it can not only access websites etc, which might be blocked and censored, but protect your surfing and traffic from being surveilled.
- If you are already using a VPN, continue with the same one, but check, if it is working properly. If you don't use a VPN so far, it might draw attention to you! Check out, which VPNs are mostly used to hide well in the crowd.
- All of this only helps if you download these tools before censorship or network shutdowns happen. Your use of these tools can often be detected by your Internet provider, and show up as installed apps visible to anyone looking at your unlocked phone.
- Once installed and running, check, if your VPN is working properly: https://ipleak.net
VPNs with good anti-censorship track records:
- TunnelBear: https://www.tunnelbear.com/download - (Windows, MacOSX, Linux, iOS, Android)
- NOTE: Tunnelbear is currently free for users in Afghanistan for up to 10G/month. Not available in Google App store, but users can download an APK from the official Telegram channel (Global) https://t.me/tunnelbearofficial
- If people are having problems connecting to Tunnelbear, report issues: https://forms.office.com/Pages/ResponsePage.aspx?id=jONDSdRtjEKIbSSTK8LV3qF7yXc9pWZBuoBU9l0NfhJUREEyUlBTUFZSNzRONFY3R0kwWFBTTVRWTS4u&locale=fa
- Mullvad: https://mullvad.net/en/download/ (Windows, MacOSX, Linux, iOS, Android) €5 per month; free licenses available from helplines like email@example.com, anonymous purchasing method without sign-up and also accepts cash and crypt.
- VPNGate: https://www.vpngate.net/ (Windows, MacOSX, Linux, iOS, Android) a list of public VPN relay servers hosted by volunteers around the world.
- ProtonVPN: https://protonvpn.com/ (Windows, MacOSX, Linux, iOS, Android, Chromebook) Free tier available.
- Bitmask: https://bitmask.net/ (Windows, MacOSX, Linux, Android) is an open source VPN. You can use a built in provider (riseup.net or calyx.net) or start your own. Many other VPNs are available out there, but not all have made efforts to evade censorship or have good and proven security, privacy, and business practices. This review is a good place to start if you are looking for additional options: https://www.nytimes.com/wirecutter/reviews/best-vpn-service/
A good resource for how VPNs work, what they do and what they don't help with is here: https://ssd.eff.org/en/module/choosing-vpn-thats-right-you
Please note that most (if not all) VPN “review” sites profit off of VPN purchases and/or are owned by the same companies which own the VPNs.
Dedicated anti-censorship tools:
Make your risk assessment, if these apps could pose a risk to you (like triggering attention), if they are found on your devices or their use otherwise discovered.
- Psiphon is a free and open source censorship circumvention VPN that uses a variety of techniques to bypass Internet censorship: https://www.psiphon3.com/en/download.html (iOS, Android, Windows)
- Download via email: Send an email to firstname.lastname@example.org to receive mirror download links of Psiphon in multiple languages.
- Lantern is a free and open source censorship circumvention VPN that uses a variety of techniques to bypass Internet censorship.
- https://getlantern.org/en_US/index.html (Windows, MacOSX, Linux, iOS, Android)
- Download via email: Send a request to GetTor (email@example.com ) specifying your operating system (and your locale). Ex: "windows fa"
9. Secure video conferencing
Messengers which allow for secure video calls. Be aware, that Signal and Wire might trigger attention, as they might not be so widely used in your communities.
End-to-end encrypted video calls available for up to 8 participants
Tied to the mobile phone number
End-to-end encrypted video calls available for up to 4 participants (free version)
Possibility of signing up without phone number
End-to-end -encrypted video calls available for up to 4 participants
Part of META-company (formerly Facebook, so meta-data is going to be captured)
Video calls for up to 25 participants on trusted servers and free to use
On computers access with browsers, apps available for Android and iOS
Trusted Providers: https://meet.greenhost.net/ and https://meet.systemli.org/
Secure use guides:
App downloads for phones:
If you need to use conferencing tools like zoom.us make sure, that you enable the end-to-end -encryption feature: https://support.zoom.us/hc/en-us/articles/360048660871-End-to-end-E2EE-encryption-for-meetings
10. Secure file sharing & online storage
For storing documents securely on your computer or securing (encrypting) files before uploading them for online sharing and storage, the app Veracrypt: veracrypt.fr allows to save encrypted containers (folders) on harddrives and online storages, Google Drive or on Dropbox, which to outsiders look like normal or system files. After using Veracrypt to encrypt a document like this, opt for deleting the application afterwards (including from Trash), to avoid that the app draws attention. See: How to Use Veracrypt (English Video with Persian subtitle): https://youtu.be/C25VWAGl7Tw
10.1 File Sharing: Secure (end-to-end encrypted) options
- https://ufile.io for non-registered users: max 10 files (max 5GB per file), max 30 days hosting
- https://send.tresorit.com/ for non-registered users: up to 5GB
- https://send.tresorit.com/ upload is limited to 50MB and files are stored no longer than 12 hours!
- https://cryptpad.fr/drive/ anonymous registration necessary: up to 1GB free hosting - The name might draw attention!!!
10.2 Online Storage
Use online storage only through browser, not through installed apps!
- If you use a cloud-access from an organizational server, be aware, that the URL/Link used might give away the name of the organisation and this can be seen by the Internet Service Providers. In this case the use of a VPN is reducing the risk.
- these commercial ones might draw less attention: https://mega.io/ (20GB for free); https://sync.com (5GB for free)
- https://cryptpad.fr/drive - The name might draw attention!!!
- Google Drive and OneDrive and iCloud are not end-to-end-encrypted, so the servers can see, what you have uploaded, if you don't protect it beforehand (like ZIP-file with password on it or something similar).
- You may have a need to store documents somewhere (such as copies of your family’s passports, your employment contracts, papers that document danger you have been exposed to).
- The best thing to do is to ensure these documents are saved in a secure cloud storage that does not use your main email account, or sent to a secure email address that you can access but is not your main known account, and not stored on your phone or your computer.
- Academics/students who need to save sensitive documents and/or information can use the Article 26 Backpack initiative by the University of California, Davis. Documents will be saved on cloud. Instructions available in English, Farsi and Dari: https://backpack.ucdavis.edu/ and https://human-rights.ucdavis.edu/news/afghanistan-emergency-resource-information
This guideline is based on interviews with Afghan journalists as well as on these guides:
1. Online safety resources for Afghanistan’s human rights defenders (EN): https://www.accessnow.org/online-safety-resources-afghanistan/
2. Checklist for Afghans. Minimise Risk through Data on Phones/Devices (20 August 2021; EN, Dari, Pashto): https://docs.google.com/document/d/19GPJDmMLPagNnbumZwmKZGJaIiRMFmHiJKtuvmL6wl8/edit
3. Digital Security Resources for Afghanistan. Internet Shutdowns, Online Privacy (EN, Dari): https://drive.google.com/drive/folders/1v9WvDvoCPjP13Y2Lsd0hqwDt6mqEgvtW
Please note: The information and resources provided in this guide are current as of May 2022. We plan on making an updated version available every six months for at least next two years. The updates will be available for download at: https://helpdesk.rsf.org/digital-security-guide/afghanistan-digital-care-guide/