Stay safe posting to social media in Ukraine

These kinds of posts have flooded in since Russia launched its attack against Ukraine this week. Most of the accounts don’t belong to professional journalists or activists, but to regular people coping with a traumatic situation or to make their opposition heard. That means most people may not have the security experience or knowledge to protect their identities or location. Without the right settings, a simple social media update could expose people to Russian military intelligence and they could even be targeted for retaliation, either online or in real life.

It’s a worst-case scenario that social media companies are all too familiar with from other conflicts around the world and even protests in the United States.

In the past few days, some major tech companies have announced ways to help Ukrainians and others protect and even delete their accounts. Google on Friday tweeted that it had automatically increased security protections for people with Google accounts in the area. Google’s announcement came after Twitter ran down the basic precautions people in conflict zones should take when posting online in a thread earlier in the week. On Thursday, Facebook’s head of security policy, Nathaniel Gleicher, said the service had turned on a new feature in Ukraine that lets people lock down their accounts by turning on certain privacy settings.

“When their profile is locked, people who aren’t their friends can’t download or share their profile photo or see posts on their timeline,” Gleicher said in a tweet.

Additionally, you can no longer see Ukrainian Facebook users’ friends lists, the company announced Saturday. On Instagram, all users in the Ukraine will get a notification warning people with public accounts that their posts are visible, and reminding those with private accounts to use proper security. On Meta’s chat-app Messenger, users in Ukraine should now have access to recently added safety features, including disappearing chats and notifications when a party takes a screenshot of any conversation.

The primary concern experts have is making sure people don’t put themselves in any physical danger by attempting to document something dangerous without proper protections or training.

“The first thing I would say is your own physical safety is important,” says Jon Callas, director of technology projects at the nonprofit digital rights group Electronic Frontier Foundation. Callas has worked on encryption for more than 25 years, including advising people in war zones. “What they can document is going to be good for historic purposes rather than tactical purposes.”

For anyone in Ukraine, protesting in Russia or in a similar high-risk situation, there are a number of standard precautions that should be in place when posting to social media or using messaging apps. Some of the safety features are built in for all users but are not on by default. Others are only necessary in specific situations such as secure-messaging app Signal’s Censorship Circumvention or proxy settings, which help get around a government’s attempt to block access to the app.

Here are some additional steps people can take to stay safe when going online.

Minimize identifying information

When it comes to sharing information publicly, you’ll want to minimize identifying information like your name, and be particularly cautious about location. That means turning off location tagging on any posts and stripping out geotags on media like photographs. You can usually do this manually for each photo on your phone, or take a screenshot of the image in a pinch. The social media tools themselves can add location data, so make sure that those settings are off in the app’s own settings or that access to your location is turned off in your phone’s settings.

“In the past when I worked with people in Syria, they could end up being targeted for gunfire, rocket grenades and things like that, if the military and other armed people knew where they were,” Callas said.

If you’re sharing sensitive information, you can set up a fresh account with a burner email and alias — it will be harder to trace back to your real world identity (but also more difficult for strangers to determine if you’re spreading misinformation).

There are concerns that real accounts could be compromised and hacked, either to shut them down or to share disinformation. Common security measures include locking your account down with a strong unique password and two-factor authentication, or deleting it entirely if that’s what is necessary to keep you safe.

Limit where you communicate

When it comes to communicating privately, avoid unencrypted chats like Twitter DMs and choose an encrypted chat app. Signal offers end-to-end encryption, though Callas doesn’t recommend Telegram if you’re chatting with multiple people, as those conversations aren’t encrypted. Both apps have seen an increase in usage in Ukraine over the past few days.