guide · published May 12, 2026

Privacy stack for activists in 2026

A practical privacy stack for activists, organizers, and protesters in 2026 — device, network, messenger, file handling, and meeting coordination. Threat-model-first.

The “activist” persona covers a wide spectrum — from a climate-org volunteer organizing a march to someone working in a context where state-level adversaries are the binding threat. This guide assembles tools for the mid-to-high end of that range. Calibrate down if your threat model is lower; calibrate up (and seek operational training) if it is higher.

Threat model#

The default threat model:

State surveillance of communications metadata, possibly including content under court order.
Counter-protest researchers trying to identify organizers from public information.
Infiltration — bad-faith group members, intentional leaks, paid informants.
Compromised endpoints — phones lost, laptops seized, USB drives copied.

The defensive posture is to minimize what each compartment can leak and to keep the group small enough to be auditable. Tool choice matters; tool discipline matters more.

The stack#

Communications#

The right messenger depends on what threat is binding:

Signal — strong E2E cryptography, polished UX, disappearing messages, group support up to thousands. The default for coordination among people who can register a phone number. Turn on disappearing messages (1 day max for sensitive groups), screen-lock, view-once attachments where possible. Audit group membership periodically.
SimpleX — no identifier of any kind. Right for contacts who specifically cannot register a phone, or for contacts you don’t want a long-lived Signal-account link with.
Briar — peer-to-peer with Tor and Bluetooth/Wi-Fi mesh transport. Right when the network is hostile (censorship, intermittent connectivity, or a protest where Wi-Fi is shut down).
Cwtch — no central server, Tor-only. Right when “no central party in the path” is the binding requirement.

Avoid: WhatsApp (Meta operator and phone-number identity), Telegram (default chats not E2E and phone required), Slack/Discord/Teams (operator-readable everything), iMessage (Apple ID).

Network#

Tor Browser for research, signing into activist accounts that should not link to your real identity, and any session where your IP could correlate to your activism.
Mullvad VPN for general traffic when Tor is too slow or geofenced. Account-number signup, cash by mail.
Mullvad Browser when Tor Browser anti-fingerprinting is wanted without Tor’s latency.
Routine browsing on your real-name device through your normal connection is fine — threat-model the activism leg, not every leg.

Device#

For users in higher-threat environments, two practical options:

A dedicated phone for activism, used only with activist accounts. Real-name phone left at home for sensitive meetings or actions.
GrapheneOS on a Pixel for users who want a hardened mobile OS that can host both compartments with profile isolation.

For desktop, full-disk encryption (native FDE or VeraCrypt) is non-negotiable. KeePassXC for credentials. Don’t leave the dedicated device logged in.

Files and coordination#

OnionShare — transient file transfer via temporary Tor hidden service. No operator in the path.
CryptPad (cryptpad.fr or self-hosted) — end-to-end encrypted collaborative documents.
VeraCrypt — encrypted containers for documents that need to travel on USB or persist across machines.
KeePassXC — local vault for credentials and short text notes.

Avoid: Google Docs (subpoenable), Notion (operator-readable), email attachments for sensitive plans (transit metadata visible).

Email and accounts#

Proton Mail — Tor signup, disposable aliases via Proton’s built-in feature or SimpleLogin. Use one account per compartment.
Tuta — when default-on subject encryption matters.
SimpleLogin or addy.io — for per-service aliases so a single inbox isn’t bound to every account.

Mobile data and account creation#

Silent.link — anonymous eSIM data for the dedicated device. Crypto-only payment, no account.
For SMS/voice on a number that doesn’t tie to a SIM: JMP.chat (XMPP-bridged) or Crypton.sh for persistent inbound numbers.
For one-shot SMS reception to validate a Signal, Telegram or Gmail account at signup: SMSActivator — 50+ country pool, short- or long-term rentals, crypto-only.

Movement infrastructure#

If the collective runs public infrastructure (a campaign site, an action archive, a tip-line for sources) the hosting layer needs to match the threat model:

OffshorePress — niche operator oriented around press- and leak-media hosting on Tor onion services. No-KYC, Monero-accepted.
BulletHost, XMRHost, SilentHosts — bulletproof-style operators that advertise non-response to DMCA notices and law-enforcement requisitions.
BunkerDomains — no-KYC offshore registrar to match the host posture.

Bulletproof-style hosting is the right fit when mainstream takedown pressure is a recurring risk; the trade-off is shorter operator track records than privacy-leaning hosts like Njalla or 1984.

Operational hygiene#

The single most important practice is compartmentalization. Keep activist accounts, activist phone, activist messenger contacts strictly separate from your real-name identity. Don’t log into your real Twitter from the dedicated device. Don’t carry the dedicated phone alongside your real-name phone unless you have to — co-location across multiple sessions is identifying.

For group coordination:

Three-to-six-person tight working groups with explicit roles. Add to the larger group only what the larger group needs to know.
Disappearing messages on by default. Long-running context is operator-and-court-readable in a way short-lived context isn’t.
Membership audits — periodically review who is in each group, why, and whether they should still be.
Explicit deletion policy for documents and chat history after the action.

For physical actions:

Phones in Faraday bags or left at home for sensitive meetings. Phones are tracking devices first; communication devices second.
Pre-arranged check-in times rather than continuous comms.
Legal-aid numbers memorized or carried in a tamper-evident form (written on the arm, in a locket).

What this stack does NOT protect#

Coercion. No tool defeats a knock at the door.
Endpoint compromise. A keylogger or phone-confiscation reads everything.
Pattern-of-life identification across your real-name and activist identity if compartmentalization fails.
Bad-faith group members who screenshot. Trust calibration is a human problem.
Jurisdictions where the activity itself is illegal. Privacy posture is not legal armor.

See also#

EFF Surveillance Self-Defense — the comprehensive operational training reference.
Privacy stack for journalists — overlapping but different threat model.
Operational privacy — combining tools — the layered model.
Best privacy messengers in 2026 — for the Signal vs SimpleX vs Briar vs Cwtch pick.

FAQ

What's the single biggest mistake activists make?: Treating private messengers like public Slack channels — admitting too many people to a group, never reviewing membership, never deleting old context. A 200-person Signal group is metadata-leaky and operationally porous. Three-to-six-person tight groups with explicit roles is the durable pattern. Audit membership periodically.
Should I use a burner phone for activism?: Often yes, especially if your real-name phone is tied to your identity in a way that matters in your jurisdiction. For SIM-registration jurisdictions, use a Silent.link or other anonymous eSIM on a separate device. For non-SIM-registration jurisdictions like the UK, a cash-prepaid SIM works.
What about meeting coordination across cities?: Use Signal with disappearing messages on (1 day max). For meeting-prep documents, use OnionShare for transient sharing or CryptPad for collaborative editing. Never use Google Docs or Notion for sensitive plans — both are subpoenable and operator-readable.
How do I keep notes from a protest planning meeting?: KeePassXC for short text-and-credentials. VeraCrypt container on a USB drive for documents. Both decrypt only with a key you hold. Don't sync to cloud unless the cloud is end-to-end encrypted and you accept the operator-trust posture.
Is using Tor or a VPN suspicious by itself?: In some jurisdictions, yes — using Tor places you in a smaller cohort and may attract additional scrutiny under traffic-analysis regimes. The mitigation is to use Tor habitually for routine browsing too, so that Tor use is not anomalous for you specifically. Mullvad Browser used with a regular VPN is a lower-friction alternative when Tor's anomaly cost is too high.
What about the legal side?: This guide is operational, not legal. For protest and activist legal questions, retain or consult a movement-lawyering organization in your jurisdiction (NLG in the US, Bindmans / Liberty in the UK, etc.). Privacy posture is not legal armor.

Sources

EFF — Surveillance Self-Defense · accessed May 12, 2026
AnarSec — guides for anarchists · accessed May 12, 2026
Privacy Guides · accessed May 12, 2026

Referenced by

Topic hubs

Other guides

Privacy stack for whistleblowers in 2026

Quick answers

What is Tails OS and should I use it?