Protect yourself and your data when using Google services
Updated 2021
Setup
Know how hard it is to move what you have posted off social media
- Test how effective it is to use the "download my data" functions of each platform you use. Start the download process, then take a thorough look at what data it provides. You may find that what is downloaded is not in a format you find easy to use.
- Allow some time for this process. If you have had an account for a long time, there will be a lot of data to download, and the service may take a day or so to bundle it for your download.
- Instructions
- Select data that you believe may be relevant from this long list
Learn why we recommend this
Avoid relying on a social networking site as a primary host for your content, contacts, or other information.
Consider what you would lose access to if your government blocked a site or app. It is easy for governments to block access to social media within their boundaries if they object to what people are sharing. Social media services may also decide to remove objectionable content themselves, rather than face censorship in a particular country.
Social media might also remove content that they believe violates their policies about, for example, violent images or harassment. It is often difficult for them to understand the local context of what users have posted, particularly if it is not in English.
Decide whether you will use a real or fake name, and maintain separate accounts
- Be aware that even if you provide a fake name to a social media site, you may still be identifiable by the network you connect from and the IP address it assigns to your device unless you use a VPN or Tor to hide this information.
- Use a VPN when setting up an account for the first time to make it harder for someone to associate your profile with your IP address.
- Consider using separate accounts or separate identities/pseudonyms for different campaigns and activities. You will likely want to keep your personal and work accounts separate, at the very least.
- Remember that the key to using a social network safely is being able to trust people in that network. You and the others in your network will want to know that the people behind the accounts are who they say they are, and have ways to validate this. That does not necessarily mean you have to use your real name, but it may be important to use consistent fake names.
Learn why we recommend this
Some people maintain social media accounts with fake names, or one account with their actual name and one with a fake name, to ensure they can organize and connect with others with less risk to their free speech, safety, or liberty.
Set up with a fresh email address
- Set up a new e-mail address while using the Tor Browser or a trusted VPN.
- Suggested privacy-friendly mail services:
- Proton Mail
- If you have a friend who can invite you, Riseup Mail
- Autistici
Learn why we recommend this
Email addresses provide one of the easiest ways to search for you: you need to provide one each time you set up a new account. If you really need to hide your identity, it is best to start over with a new social media account which you do not connect to your old accounts or to existing email addresses.
Don’t associate your phone number with your account
- If possible, when setting up a new account, do not enter your phone number. Google will allow you to set up a new account with only an email address, and that can be harder to associate with you.
- In certain countries, Google launched a "People card" feature in 2020 where people can fill in information about themselves. Follow these instructions to remove a card you have made or remove your contact information from the card.
Learn why we recommend this
Your phone number can be easily used to look you up and identify you. Consider whether your local law enforcement might make a legal request to social media companies to find the activity associated with your account, or whether someone seeking to harass or find you might make use of your number.
Designate someone to manage your account if you are unable to do it yourself
- Google follows a slightly different policy from most services, which for legal reasons will not give a loved one or colleague access to your account. You can set a trusted contact who will receive an email if your account is unused for a certain amount of time. That contact can then download data you have specified from your account.
- If you expect someone else will need to use your account in the event of an emergency, arrange to share your login information with them using encrypted communication or the sharing function of your password manager.
- If a colleague has been arrested or detained, contact Access Now's Helpline or Front Line Defenders for assistance in working with Google to secure access to their accounts.
Learn why we recommend this
This is something everyone should think about, regardless of their risk level. Social media sites have developed processes to handle situations where someone passes away or is seriously ill or jailed and others need to manage their account. Designating someone to care for your account can ensure others are notified of your situation, and prevent malicious people from defacing or hacking your account.
Account protection
Check recovery email and phone
Check here:
- Recovery email
- Recovery phone
- Change this information immediately if you lose access to your email address or phone number.
Learn why we recommend this
Your accounts use an email address and/or a phone number to help you recover your account if you have an authentication problem. The email address is also used to inform you of any security-related event. It is important to check this information to be sure that an attacker has not changed it to gain control of your account later.
Use strong passwords
- Use strong passwords to protect your accounts. Anyone who gets into your social media account gains access to a lot of information about you and anyone you are connected to. See our guide on how to create and maintain secure passwords for more information.
Set up multifactor authentication (2FA)
- Use a security key, authenticator app, or security codes for multifactor authentication.
- Do not use SMS or a phone call if possible, so you do not have to associate your phone number with your account. This is particularly important if your name is not already associated with your account.
- See your options for Two-Step Verification
- Turn on Two-Step Verification
Learn why we recommend this
See our guide to passwords and other login protections for more on why and how to set up multifactor authentication, sometimes known as 2FA or MFA.
Get a verification code to get back into your account
- Get backup codes
- If you have an Android device, try using a Google security code
- Store those codes in your password manager.
- Alternately, print these codes out before you are in a situation where you might need them. Keep them somewhere safe and hidden, like your wallet or a locked safe.
Learn why we recommend this
Having verification codes written down or printed out gives you another way to get back into your account if you lose access. If you are traveling, this can be especially useful when you need to get into your accounts and may not have access to wifi or cellular data to use other multifactor authentication.
If your device is lost or stolen
Compare emails you may have received about security to those the app or service says it sent you
Learn why we recommend this
Phishing messages might try to convince you they are coming from your social media, to trick you into giving someone else access to your account. If you get a security email or text from a social media site, don't click on any of its links. Also, do not provide your password. Instead, log in to your account and check the following links to confirm whether the message was legitimate.
Look for suspicious access
Check active sessions and authorized devices, review account activity and security events
- Look at the following pages listing which devices have recently logged in to your account (including using browsers or apps). Does every login look familiar?
- Look for "Recent security activity" here
- Take a closer look at those sessions
- Look for instructions on how to log out devices that are not yours.
- Note that if you are using a VPN or Tor Browser, which can conceal your location, you may see your own device connected from unexpected locations.
- If you see suspicious activity on your account, immediately change your password to a new, long, random passphrase you do not use for any other accounts. Save this in your password manager.
- More information
Learn why we recommend this
Governments, police, domestic abusers, and other adversaries may find ways to watch your accounts by logging in from their devices. If they do so, it is possible you will be able to see it from these pages where social media services show which devices have been used to log into your accounts.
Get notified about logins
- Set notifications to be sent to the email address you associated with this account.
- Avoid using your phone number for notifications (see "avoid associating your phone number with accounts," above).
- Google automatically sends notifications of logins from new, unknown devices to your Android device or your recovery email
Learn why we recommend this
If you suspect your account may be watched, or your adversaries may break into it, use this feature of social media accounts to be notified right away when it happens.
If you think your account has been hacked
Review other sites and apps that can access your account
- Avoid using your accounts to log in to other sites (like news sites, etc.) It is convenient, but that means it is convenient for attackers as well as for you, and may also leave more evidence of what you have viewed online. Use a different password for every site, and save it in your password manager.
- Be careful when connecting your social network accounts. You may be anonymous on one site, but exposed when using another.
- Use these links to learn about sites and apps connected to your accounts
Learn why we recommend this
Most social networks allow you to integrate information with other social networks. For example, you can post an update on your Twitter account and have it automatically posted on your Facebook account as well. When other sites and apps have access, they can also be used by hackers to get into your social media accounts.
Download data for further analysis (advanced)
- Instructions
- Select data that you believe may be relevant from this long list
- Suggestions of what to look for
Learn why we recommend this
If you suspect someone has intruded on your device, you might want to download all records of activity on your account, so you or your technical support person can look for unusual activity.
Decide what to post
The more information about yourself you reveal online, the easier it becomes for the authorities and others to identify you and monitor your activities. For example, if you share (or "like") a page that opposes some position taken by your government, agents of that government might very well take an interest and target you for additional surveillance or direct persecution. This can have consequences even for those not living under authoritarian regimes: the families of some activists who have left their home countries have been targeted by the authorities in their homelands because of things those activists have posted on social media.
Information that should never be sent on social media, even via direct message (DM)
- Passwords
- Personally identifying information, including
- your birthday
- your phone number (does it appear in screenshots of communications?)
- government or other ID numbers
- medical records
- education and employment history (these can be used by untrustworthy people who want to gain your confidence)
Information that you might not want to post on social media, depending on your assessment of the threats in your region:
- Your email address (at least consider having more- and less-sensitive accounts)
- Details about family members
- Your sexual orientation or activity
- Even if you trust the people in your networks, remember it is easy for someone to copy your information and spread it more widely than you want it to be.
- Agree with your network on what you do and do not want shared, for safety reasons.
- Think about what you may be revealing about your friends that they may not want other people to know; be sensitive about this, and ask them to be sensitive about what they reveal about you.
Don’t share location
- Follow these instructions
- If you have set certain places as "home" or "work" in your "Labeled places" in Google Maps, clear that information (look for guidance here)
- Android: follow the instructions for "Stop an app from using your phone's location"
Learn why we recommend this
If you are worried about someone finding you and doing you physical harm, stop your accounts from storing your location information. Turning off location services on your device also makes your mobile device's battery charge last longer.
Share photos and videos more safely
- Consider what is visible in photos you post. Never post images that include
- your vehicle license plates
- IDs, credit cards, or financial information
- Photographs of keys (it is possible to duplicate a key from a photo)
- Think hard before you post pictures that include or make it possible to identify
- your friends, colleagues, and loved ones (ask permission before posting)
- your home, your office, or other locations where you often spend time
- if you are hiding your location, other identifiable locations in the background (buildings, trees, natural landscape features, etc)
- Google Photos performs some face recognition on photos. See "Stop letting contacts get suggestions based on your 'me' face label" here and turn off "Help contacts recognize your face"
- Stop sharing in Google Photos
- See if there are accounts Google Photos is sharing with that you don't recognize, and stop sharing
- Turn off suggestions to share with your contacts
- Follow "Pick albums to display on your device" directions here to see which devices you may be sharing to, and remove any you do not recognize
- Blur faces in videos you upload to YouTube
- Remove EXIF data before you post photos
Learn why we recommend this
What you share could put yourself or others at risk. Get in the habit of seeking consent before posting about others, where possible. You may want to work with your colleagues to set guidelines for what you will and won't share publicly, under what conditions.
Photos and videos can reveal a lot of information unintentionally, particularly what is in the background. Many cameras also embed hidden data (metadata or EXIF tags) about the location, date, and time the photo was taken, the camera that took the photo, etc. Social media may publish this information when you upload photos or video.
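As an added illustration (not part of the original guide), the Python sketch below shows what "removing EXIF data" means for a JPEG file: the file is a sequence of marked segments, and the metadata segments can be dropped without touching the picture data. The function names and the sample bytes are constructed for this example; it handles JPEG only and keeps colour-profile (APP2) segments.

```python
import struct

# JPEG segment markers that hold metadata rather than picture data.
METADATA_MARKERS = {
    0xE1: "APP1",   # Exif (camera, time, GPS, thumbnail) or XMP
    0xED: "APP13",  # Photoshop/IPTC captions and keywords
    0xFE: "COM",    # free-text comment
}
SOS = 0xDA  # start of scan: compressed picture data follows
STANDALONE = {0x01, *range(0xD0, 0xD8)}  # markers with no length field


def describe(marker, payload):
    """Human-readable label for a removed segment."""
    name = METADATA_MARKERS[marker]
    if marker == 0xE1:
        kind = "Exif" if payload.startswith(b"Exif\x00\x00") else "XMP/other"
        return f"{name} ({kind})"
    return name


def strip_jpeg_metadata(data):
    """Return (cleaned_bytes, labels_of_removed_segments) for a JPEG."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG: missing start-of-image marker")
    out, removed, pos = bytearray(b"\xff\xd8"), [], 2
    while pos + 1 < len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected a marker at offset {pos}")
        marker = data[pos + 1]
        if marker == 0xFF:            # fill byte before a marker
            pos += 1
            continue
        if marker == SOS:             # copy the picture data untouched
            out += data[pos:]
            return bytes(out), removed
        if marker in STANDALONE:
            out += data[pos:pos + 2]
            pos += 2
            continue
        if pos + 4 > len(data):
            raise ValueError("truncated segment header")
        (length,) = struct.unpack(">H", data[pos + 2:pos + 4])
        end = pos + 2 + length
        if length < 2 or end > len(data):
            raise ValueError("segment length runs past end of file")
        if marker in METADATA_MARKERS:
            removed.append(describe(marker, data[pos + 4:end]))
        else:
            out += data[pos:end]
        pos = end
    raise ValueError("no picture data found (missing start-of-scan)")


def _segment(marker, payload):
    """Frame a payload as a JPEG segment (length includes its own 2 bytes)."""
    return bytes([0xFF, marker]) + struct.pack(">H", len(payload) + 2) + payload


# Constructed sample: correct JPEG framing, placeholder picture data.
SAMPLE = (
    b"\xff\xd8"
    + _segment(0xE0, b"JFIF\x00" + bytes(9))
    + _segment(0xE1, b"Exif\x00\x00" + b"GPS 52.5200N 13.4050E")
    + _segment(0xFE, b"shot on my phone")
    + _segment(0xDB, bytes(65))
    + _segment(SOS, bytes(10)) + b"\x12\x34\xff\x00\x56\xff\xd9"
)

if __name__ == "__main__":
    cleaned, removed = strip_jpeg_metadata(SAMPLE)
    print("removed:", removed, "| bytes:", len(SAMPLE), "->", len(cleaned))
```

Removing these segments does not change anything visible in the picture itself, so the points above about backgrounds, faces and documents in the frame still apply.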
Change who can see when you "like" things
Learn why we recommend this
"Likes" and other ways you appreciate posts are sometimes shared by social media in ways that are not clear. In some countries, "likes" or other apparently harmless interaction with other social media accounts have been used in legal cases. You may want to use caution when leaving icon or comment reactions to others' content, depending on your understanding of the legal situation in your country.
Don't share your birthday
- It is always possible to give a birthday that is not your own. However, do keep track of what you enter, in case you need it to regain access to your account.
- Find and remove your birthday if needed
Learn why we recommend this
If you include your actual birthday in your account information, it can be used to identify you.
Decide who can see
Limit who can contact you
Learn why we recommend this
Limiting who can contact you can lessen the likelihood that you will be found when you are trying to be private, or targeted by people trying to falsely gain your trust or the trust of your network. This can also be useful if you are being harassed in non-public messages.
Manage advertising
Learn why we recommend this
There is a possibility governments or police forces might buy advertising data from social media companies to target you and your network with disinformation, or try to find you.
Leave no trace
Precautions when using a public or shared device
- Avoid accessing your social network account from shared devices (like an internet cafe or other people's devices).
- Delete your password and browsing history when you use a web browser on a public machine. Change the passwords of any accounts you accessed from shared devices as soon as you can, using your own device.
Delete search history
- Clear past Web & App activity
- Turn off Web & App activity tracking
- If you have been viewing Google News, you may want to clear your history
Learn why we recommend this
Some social media services keep track of things you have searched for within their sites and apps. If your account is compromised or your device is seized, your adversary could use this information against you, so it may be a good idea to clear this history out regularly, as well as clearing your browser history.
Learn what social media will turn over to governments or law enforcement
- Search for "Google" and the name of your country or jurisdiction on Lumen
- Google's policy on law-enforcement requests
Learn why we recommend this
Social media sites may give your information, including information you were trying to keep private, to governments or law enforcement if requested. Look through the following links to learn more about the conditions under which they will do so.
Handle abuse
Report abuse
Learn why we recommend this
Social media have unfortunately become a favorite method of harassment and disinformation worldwide. If you see malicious impersonation, hashtags being flooded, disinformation being spread, or you or your colleagues are being targeted and harassed, you are not alone and there may be help. Review the processes for reporting using the following links.
Report harassment that reveals information about you
- Remove select sensitive information from Google searches
- Use this form to select Google services you are requesting assistance with (including YouTube, Blogger, and Google Search)
Learn why we recommend this
Some abusers may try to target you by revealing information about where you live or work, your family or friends, or other personal details including images. In many cases you have a right to have this taken down, even if that information is true. Review the following links for information on how to get that information removed.
Identify and report coordinated inauthentic activity (botnets and spam)
- Look for a "(Send) Feedback" option in most Google products: for example, Search
- In Gmail or Google Messages, report spam
Learn why we recommend this
Some harassment and disinformation is posted through automated means, rather than by individual people. If you suspect that you are seeing this "coordinated inauthentic activity," you can report it to the social media sites and they may ban those automated systems. While automation can be hard to prove, there are some cases in which reporting coordinated inauthentic activity might be more successful than reporting harassment, if you suspect the social media site will not understand the context of the harassment.
Report impersonation
- Google will not assist in removing impersonation per se, but it will assist in removing fake pornography targeting someone
Learn why we recommend this
Impersonation in the form of parody is usually accepted as free speech by most social media platforms, and will not be removed. However, impersonation for the purposes of defamation of character may not be, and you can report it.
Hide stressful content
- On Google Search, SafeSearch can block adult content
- On YouTube, Restricted Mode can block adult and violent content
Learn why we recommend this
Any of us may find some content more distressing than other people do, whether it be information on the death of a friend, public arguments which devalue us because of who we are, or frightening events in the news. If you need a break from this stress, here are some tools which can help hide content you do not wish to see, for as long as you wish.
Learn how to recover your account if it is disabled or suspended
Learn why we recommend this
For one reason or another, social media sites will sometimes disable an account. Human rights defenders have sometimes had their accounts shut down because they are documenting human rights abuses with violent scenes that violate the social media platforms' policies; because they have been reported by government, police, or other people who disagree with them; or even because the social media platform does not understand their context well enough to make sense of what they are posting. If this happens to you, you can appeal the decision and ask to have your account restored. Review the links below for information on how.
Take a break from your account
Learn why we recommend this
If you want to stop people from posting to your account because you will not be able to access it for a while (you suspect you may be detained or jailed, or you just need to take a break), you may be able to temporarily deactivate your account on some social media. This can be useful if you face harassment or defamation. On other accounts, like email, you may not be able to stop incoming messages, but can set your account to automatically respond that you are away.
Learn how social media use your information
- For a useful add-on which clarifies the Terms of Service of many popular sites, see Terms of Service; Didn't Read.
- Google's privacy policy
Learn why we recommend this
It is often unclear what social media will do with your information when you share it. Is it combined with other data to guess things about you? Is it sold to other companies that may share that information even if you did not want it to be shared? Read the End User Licence Agreement and Privacy Policy or Data Use Policy for social media sites to find out.
Check forwarding settings
- Google notifies you both in the interface and by email when auto-forwarding is enabled, but you should still check to ensure your mail isn't forwarded. To see this setting, go to your account's Settings > Forwarding and POP/IMAP, or look here for more instructions
- Delete any email address you do not own or trust.
- Also check if POP and IMAP are enabled; turn them off if you are only using your browser and mobile app to access Gmail.
Learn why we recommend this
Auto-forwarding is an easy way for an attacker to access your email after compromising your account, by having it redirect all of your mail to them.