Security News for Activists 1 Dec 2025
This newsletter is a free publication by the Institute for Secure Activism (ISA), a 501(c)(3) nonprofit organization dedicated to promoting personal security for activists, advocates, and the organizations that support them. ISA provides training, workshops, education materials, technical solutions, and technical consulting to civil rights and social justice advocacy organizations focused on LGBTQIA+, BIPOC, and other marginalized communities. Please consider making a tax-exempt donation to support our mission.
Giving Tuesday
Tomorrow is Giving Tuesday! Please consider making a tax-exempt donation to us here at ISA. Your donations go directly to projects supporting activists’ personal security. A few examples:
- We are about to launch a series of printed reference cards with digital security information, in both English and Spanish, to hand out at protests and other events. There will be design and printing costs.
- We’re raising money to buy encrypted radios and a corresponding FCC license which we can loan to organizers for use at events.
- We’ll be holding regularly scheduled in-person workshops and virtual seminars starting in the new year. Your donations will help with curriculum development and space rental costs.
Your donation also covers our expenses to keep our website and email list running. Every dollar helps! And remember that we’re a 501(c)(3) organization, which makes your donation tax-exempt. Also, check with your employer: many companies offer matching funds for your donations.
We accept donations via credit card, and we can also accept contributions via other means: bank transfer, Paypal, Venmo, Apple Pay, Google Pay, gift cards, cryptocurrency, stocks, mutual funds, Donor Advised Funds and Qualified Charitable Distributions. Thank you so much for your support!
Security Call To Action: Send Sensitive Files Securely
Welcome to the new Security Call To Action section! We’re going to try to include this section in future Security News for Activists newsletters. This will be some new way that each of us can improve our security practices and help our organizations, friends, and family members to do the same. Today’s Call To Action is this: build more secure file sharing habits.
How often do you send a sensitive file to another activist? Maybe that JPG contains details about an upcoming protest. Or does that Word document have other activists’ personally identifiable information (PII)? Perhaps that PDF has private information about a family your organization is supporting. What’s the best way to send that file to other activists? Many of us don’t think twice about sending an email attachment or uploading files to a cloud sharing service. And that’s the actual Call To Action: take a moment to consider who actually has access to that file when you send it or share it.
Should we email sensitive files?
Most popular email providers can (and do) access the contents of your email and attachments. As an example: there’s a lot of recent conflicting reporting about whether Google uses your private email contents to train their Gemini AI. Whatever Google does or doesn’t actually do with your content, Google doesn’t dispute this fact: they DO have access to your email content and attachments. That means that Google can provide your email contents in response to a legal warrant… which they regularly do. This is true of almost all popular personal email providers: Outlook, Yahoo, iCloud, and most others.
The only major email providers which provide full end-to-end-encryption are Proton and Tuta. It’s important to remember that an email sent from a Proton account is only fully end-to-end-encrypted when it’s sent to another Proton account. This is true of Tuta as well. So unless everyone you’re emailing also has an account with the same secure provider, your email attachments aren’t protected from either the email provider nor the government.
Should we send sensitive files through a messaging app?
Check out our last Security News for Activists newsletter for an exploration of Signal versus WhatsApp. We’ll probably explore other chat apps (Telegram, for example) in a future newsletter. But for now it suffices to say:
- Regular text messaging (SMS i.e. your “Messages” app, including iMessage if you’re messaging between an iPhone and an Android phone) is insecure and completely readable by multiple parties at multiple points along your message’s path. Typically there are attachment file size limits as well. SMS is a really bad choice.
- WhatsApp theoretically protects the content of your messages, though it collects a lot of information about who is messaging whom and where they’re located. So WhatsApp isn’t the worst option, but it isn’t the best. WhatsApp also has a 2GB limit for file attachments. That’ll be enough for a LOT of files, but might not be great for that Zip file with all the pictures from last week’s protest.
- Signal comes out on top again in terms of security and privacy, but also has file size limits. Anything other than images, videos, or GIFs is limited to 95-100MB.
What About The Cloud?
There are so many cloud-based file sharing services available today. Google Drive, Apple iCloud Drive, Microsoft OneDrive, and Dropbox, to name just a very few. None* of these are end-to-end encrypted (* Dropbox offers an end-to-end-encryption option, but only for paid accounts). You should expect that any files you upload to cloud-based file sharing services will be visible to that cloud provider and thus to any government with a warrant that provider recognizes (or capitulates to).
Secure File Sharing Services: Best For Convenience and Security
After we’ve found email, messaging, and cloud sharing services mostly wanting in one way or another, what’s left? Physical transfer via USB is probably the most secure way to share files. At least that’s the method least prone to interception during transmission… because “transmission” is someone physically carrying the thumb drive to the recipient. Obviously that’s often impractical, so where does that leave us?
There’s a niche category of online tools we haven’t looked at yet: secure file sharing services. The best of these services are end-to-end-encrypted, have high (or nonexistent) file size limits, can be set to limit downloads before deleting the file, and are quite simple to use. Here are some services to check out:
- Wormhole – Upload a file (up to 5GB), choose how soon you’d like your file to be deleted from Wormhole servers and/or how many downloads you want to allow before deletion, and then click “Copy Link”. Send that link to someone securely: we strongly recommend Signal for this step! Your file is encrypted before it leaves your browser and isn’t readable by anyone who doesn’t have the link. The Wormhole team is very transparent about who they are, and they have good credentials within the wider security community.
- Internxt Send – Very similar to Wormhole, though it lacks the timeout and download count options. Upload a file (also up to 5GB) and click “Create A Link.” Send that link to someone through secure messaging (Signal!). Internxt is very transparent about what they’re doing and who is on their team. Their software is open source and has been audited by third-party experts and their infrastructure is based in Europe rather than the US. There’s a lot to like about this company and service.
We’ll also mention two cloud sharing services with good security practices. They’re not as simple as those secure file sharing services, but might be the right answer for your organization:
- Sync – Sync.com has a good reputation for providing secure file sharing services. We list this service third simply because they ask you to sign up for a free account with an email address (though an anonymous email address will work, more on those in a future newsletter!). This is a solid alternative when you need a more robust, complex file sharing service than Wormhole or Internxt Send.
- Proton Drive – Works similarly to Google Drive, except that files are end-to-end-encrypted between web browsers. This means that neither Proton nor anyone with access to Proton’s servers can read your file contents. Access to Proton Drive comes as part of the suite of apps when you create a Proton account for their Mail, Calendar, and other services. The only reason we’re listing this service last is that it’s more complex than the first two: it takes some time and energy to invest in the Proton ecosystem. But it’s worth it!
Protect Your Files, Protect Yourself and Your People
Your Call To Action today is to be mindful about who can read your sensitive information when you send it through different channels. Now you have more insight into different file-sharing methods so you can make more informed choices.
“I did then what I knew to do. Now that I know better, I do better.”
Maya Angelou
Thank you!
As always, thanks for subscribing, send me your questions and comments, and please consider donating! We’re all in this together.
We take care of us, we keep our community safe, we look out for each other. Go do good work!
