Update: February 23, 2023 – As of March 20, Twitter will no longer allow people to use text message/SMS for two-factor authentication (2FA), unless they are Twitter Blue subscribers. 2FA is still possible through other methods, such as using a security key or an authentication app. We’ve updated our guidance below accordingly.
In the weeks since tech billionaire Elon Musk completed his acquisition of Twitter, we’ve seen plenty to worry about. Among Musk’s most troubling moves: cutting staff from its trust and security workforce. Activists around the world are nervous, and with good reason. Whether you choose to stay on Twitter, migrate to another platform, or maintain accounts on multiple platforms, it’s imperative you take steps to increase your digital safety.
To help you do that, our Digital Security Helpline, a free 24/7 digital safety resource for civil society around the world, has prepared some basic guidelines. But remember: everyone has a unique security profile, and there are no one-size-fits-all solutions for increasing digital safety. If you’re a human rights defender, journalist, or activist, you may need emergency assistance or advice tailored to you and your specific circumstances. If that’s the case, contact us directly.
Here’s an excellent comprehensive guide for managing your Twitter account safely.
If you keep a Twitter account open, follow these digital safety tips:
- Archive and preserve your posts by downloading your posts and private messages. It’s not clear yet how stable Twitter will be or whether your data will be protected. Archiving is a good option for preserving what you have now. Here’s a good guide to the process.
- Protect your account through multi-factor authentication. The recent mass layoffs have affected the entire company, including Twitter’s engineering and security teams. This means that, in the event of a data breach or loss, recovering your account may take longer or be more complicated. To avoid delays, make sure that your contact information is up to date, and that you have enabled multi-factor authentication and additional password protection on your account.
- Note: As of February 15, 2023, Twitter is no longer allowing accounts to register for 2FA using SMS/text message, unless they are signed up to the paid Twitter Blue subscription service. To continue or start using 2FA to secure your account, you’ll need to purchase and use a security key (not available in all countries), or download an authentication app onto your smartphone, such as Raivo OTP for iOS, Aegis for Android, or Authy for iOS and Android. If neither of these options works for you, you can use a one-time-password (OTP) token through common password managers such as Bitwarden, which have desktop apps. You can find more information about which different 2FA options work with your preferred social media platforms or online communications tools here.
- Reconsider using the “sign in with Twitter” feature. You don’t want to rely on Twitter as an “identity provider.” If you’re using this feature to access other sites you rely on, we recommend changing to a standalone username, password, and multi-factor authentication, or switching to another identity provider.
- Delete old tweets and private messages. Your Twitter DMs are not encrypted, and you should not use Twitter for sharing sensitive information. While concerns about the privacy and security of Twitter messages are nothing new, in the wake of Musk’s takeover, you should consider deleting your old public tweets, as well as any private messages you don’t want public. You can either do this manually or use a tool such as Semiphemeral, which allows you to easily automate deleting your old tweets, likes, and private messages. If the latter are particularly sensitive, remember to ask the recipient to do the same, as they will otherwise retain a copy of the messages sent, even if deleted from your mailbox.
- Disable discoverability and location tracking. Keep your activities on Twitter as private as possible by preventing people from discovering your account through your phone number or email address, and by stopping location information from being attached to your tweets.
Here are some extra digital safety tips you can follow to continue using the platform as securely and privately as possible, compiled by PEN America.
We also encourage you to take proactive care of your mental health. Remember, you can block, mute, and restrict accounts with content you don’t want to see or engage with. If you see other people being abused or harassed, here’s how you can help as an online bystander.
If you explore other platforms, or open an account elsewhere
If you decide to leave Twitter and/or explore other platforms, we advise that you carefully consider the risks and benefits. Many people are joining Mastodon, an open-source network made up of multiple servers, or “instances,” that are run by different people or organizations. If you decide to do the same, you should take similar security measures, including using multi-factor authentication. You should also take care when choosing your instance, as you put the same level of trust in the administrators of a Mastodon instance as you do in Twitter. (If you want to learn more about the rise of Mastodon and similar platforms, check out EFF’s series on the “fediverse.”)
The bottom line
Despite its flaws and the current uncertainty about its future, Twitter remains a vital tool for activists, journalists, and human rights defenders to share information, connect with each other, and organize. Regardless of whether Twitter survives this crisis, our movements matter. We hope to see the new Twitter recognize the value of protecting civil society voices and ensuring the exercise of basic human rights on the platform, and we’ll keep fighting to help keep you safe.