This privacy guide is specifically designed for scientists. The digital threats faced by this group differ from those of the general population, and the privacy measures that matter most depend on the specific risks associated with their situation. In this guide, we identify the most relevant threats, recommend tailored tools and practices, and provide step-by-step instructions for building a privacy posture that addresses these unique needs in 2026 and beyond.
Threat modeling for this group begins with identifying who might want to access your data and why. Potential adversaries may include government surveillance agencies, corporations that profit from personal data, malicious individuals (stalkers, harassers, doxxers), or even well-meaning but careless associates who might inadvertently expose sensitive information. Each adversary has different capabilities and motivations, and your privacy strategy should be calibrated to defend against the most relevant threats while remaining practical for daily use.
Securing your communications is paramount. We recommend using Signal as your primary messaging application, with disappearing messages enabled for sensitive conversations. For group communication, consider using Signal groups or, for larger communities, Element (Matrix) with end-to-end encryption enabled. Avoid SMS and regular phone calls for sensitive topics, as these can be intercepted by cell-site simulators and are routinely logged by telecommunications carriers. If you must make voice calls, use Signal's encrypted calling feature or a similar end-to-end encrypted VoIP solution that prevents eavesdropping.
Device security for scientists should include full-disk encryption, a strong alphanumeric passcode (not biometrics alone, as biometrics can be compelled in some jurisdictions), and regular software updates. Consider using GrapheneOS on a Pixel phone for the strongest Android security posture, or an iPhone with Lockdown Mode enabled for high-risk scenarios. Disable unnecessary radios (Bluetooth, NFC, Wi-Fi) when not in use, and be aware that your device's baseband modem can potentially be exploited even when the main operating system is secure. Use a Faraday bag when you need to ensure your device is not transmitting.
Managing your online identity is crucial. Use separate email addresses for different purposes: one for official communications, one for online accounts, and one for sensitive matters. Each email address should be hosted with a different privacy-focused provider (ProtonMail, Tutanota, Mailfence) to avoid a single point of compromise. Use unique, strong passwords for every account, managed by an open-source password manager like Bitwarden or KeePassXC. Enable two-factor authentication everywhere, preferably using hardware security keys (YubiKey) rather than SMS-based 2FA, which is vulnerable to SIM swapping.
Network privacy for this group requires using a VPN at all times on untrusted networks. We recommend Mullvad VPN for maximum anonymity (they accept cash payment and require no email to sign up) or ProtonVPN for its integration with the Proton ecosystem. For highly sensitive browsing, use Tor Browser — but be aware that Tor usage itself may attract attention in some contexts. Configure your home network with a DNS-level ad blocker (Pi-hole or NextDNS) to block tracking at the network level, preventing apps and websites from phoning home to surveillance infrastructure.
Social media poses significant risks for this group. If you must use social media, create accounts that are not linked to your real identity, use a dedicated email address and phone number (consider a VoIP number from a service like MySudo), and never access these accounts without a VPN. Be extremely cautious about what you post, as metadata in photos (EXIF data) can reveal your location, and writing style analysis (stylometry) can potentially de-anonymize you. For safer alternatives, consider Mastodon with a pseudonymous account on a privacy-respecting instance, or avoid social media entirely for sensitive communications.
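The EXIF risk described above can be checked and removed before a photo leaves your machine. The following is an added example, not part of the original guide: it walks a JPEG's segment structure using only the Python standard library, reports whether the Exif block holds a GPS directory, and returns a copy with the metadata segments dropped. The function names and the sample bytes are constructed for illustration.

```python
import struct

DROP = {0xE1: "APP1 Exif/XMP", 0xED: "APP13 IPTC", 0xFE: "COM comment"}  # metadata-only segments
GPS_IFD_TAG = 0x8825  # Exif tag in IFD0 that points at the GPS directory

def exif_has_gps(payload: bytes) -> bool:
    """True if an APP1 Exif payload's IFD0 holds a GPS directory pointer."""
    tiff = payload[6:]
    if not payload.startswith(b"Exif\x00\x00") or len(tiff) < 8 or tiff[:2] not in (b"II", b"MM"):
        return False
    bo = "<" if tiff[:2] == b"II" else ">"  # TIFF byte order
    (ifd0,) = struct.unpack(bo + "I", tiff[4:8])
    if ifd0 + 2 > len(tiff):
        return False
    (count,) = struct.unpack(bo + "H", tiff[ifd0:ifd0 + 2])
    for i in range(count):  # each IFD entry is 12 bytes and starts with its tag
        tag = tiff[ifd0 + 2 + 12 * i:ifd0 + 4 + 12 * i]
        if len(tag) == 2 and struct.unpack(bo + "H", tag)[0] == GPS_IFD_TAG:
            return True
    return False

def strip_jpeg_metadata(data: bytes):
    """Return (cleaned_jpeg, dropped_labels, had_gps)."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG: missing SOI marker")
    out, dropped, had_gps, pos = bytearray(data[:2]), [], False, 2
    while pos + 4 <= len(data):
        marker = data[pos + 1]
        (length,) = struct.unpack(">H", data[pos + 2:pos + 4])
        end = pos + 2 + length
        if data[pos] != 0xFF or length < 2 or end > len(data):
            raise ValueError(f"malformed segment at offset {pos}")
        if marker in DROP:
            dropped.append(DROP[marker])
            had_gps = had_gps or exif_has_gps(data[pos + 4:end])
        else:
            out += data[pos:end]
        if marker == 0xDA:  # SOS: compressed scan data runs from here to EOI
            return bytes(out + data[end:]), dropped, had_gps
        pos = end
    raise ValueError("no SOS segment found; file is truncated")

def _seg(marker: int, payload: bytes) -> bytes:
    return bytes([0xFF, marker]) + struct.pack(">H", len(payload) + 2) + payload

# Constructed sample: correct segment layout, not a decodable photo.
_TIFF = b"II*\x00\x08\x00\x00\x00" + struct.pack("<HHHIII", 1, GPS_IFD_TAG, 4, 1, 26, 0)
SAMPLE = (b"\xff\xd8" + _seg(0xE0, b"JFIF\x00") + _seg(0xE1, b"Exif\x00\x00" + _TIFF)
          + _seg(0xFE, b"taken at lab 3") + _seg(0xDA, b"\x00") + b"\x12\x34\xff\xd9")
```

Dropping the Exif segment also removes the orientation tag and any embedded thumbnail, so confirm the cleaned image still displays upright before sharing it.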
Physical security and operational security (OPSEC) complement these digital measures. Be aware of your surroundings when accessing sensitive information. Use privacy screens on laptops to prevent shoulder surfing. Vary your routines to avoid predictable patterns. If your threat model includes physical surveillance, leave your phone at home or in a Faraday bag during sensitive meetings. Practice compartmentalization — keep different aspects of your digital life separate so that a compromise in one area does not cascade to others. Maintain encrypted backups in multiple locations.
Preparing for emergencies is essential. Maintain encrypted backups of essential data in geographically distributed locations. Have a plan for rapid account lockdown if your device is seized or compromised. Know how to remotely wipe your devices and practice this procedure. Keep a physical list of emergency contacts that you can access without your phone. Consider creating a duress configuration: a secondary device profile with innocuous data that you can present if compelled to unlock your device under pressure. Review and update your emergency plan quarterly.