This project started with my blog post, A FOSTA/SESTA/CLOUD Guide to Actionable Resources, Part 1: Resource Roundup and grew into what is now this guide. I hope you find it helpful.

Check out the FAQ if you want the easy route.

Table of Contents

Making The Physical Safer

Safes

Research safes and make the purchase(s). It’s not as simple as it seems. Though the link I’ve provided is to a gun safe manufacturer, the FAQ, protection level ratings, and safe selection helper provide some valuable knowledge needed to purchase a quality safe.

Consider what you’re protecting your data from: is it fire, random burglars, snooping busybodies, or someone possibly more dangerous?

Things you need to know about safes:

There is no such thing as a “fireproof” safe on the consumer level. What’s available is “fire resistant,” which means they resist heat and smoke (and for some, water), but for only up to a certain amount of time. Check the fire rating for each safe that you research. You’ll want at least a 1-hour fire rating certified by UL.
A safe needs to have a fire seal on its door, not just for fires, but also to help seal against moisture.
If you’re storing any kind of paper (including money), you’ll want a quality composite burglary and fire safe or a high-security TL-rated fire safe.
Fire resistant safes on the consumer market are rarely safes that will withstand burglars because the metal is too thin. They’re easily opened. Instead, you’ll want to look for:
- Burglar-rated good quality composite fire safes; or
- High-security TL-rated fire safes; or
- A UL-rated fire lockbox and putting that inside one of the above; or
- Splurging on a media safe (they’re expensive).
Remember, it’s all well and good to have your stuff in a safe, but if you’re worried about someone walking off with your information, that safe needs to be secured. If you’re a renter, that can be difficult.
- If you’re a renter, I suggest welding your safe to something you own that is hard to simply carry out the door without a lot of dis-assembly. Maybe that’s your bed frame or your desk. Be creative.
If you can afford to, it’s best to store your important identification documents (passport, birth certificate, etc.) in a safe in one location and your other stuff (documents, external hard drives, photos, USB flash drives, etc.) in a separate safe in a different location. Two separate addresses work best if you have someone you trust enough to hold one of your safes.

Mobile Phones

Mobile phones aren’t as easy to secure as most people think. As far as I can tell, they’re harder to secure than most other modern devices. The safest way to use a mobile phone, other than to not use one, is to use it only once. Who can afford that?

Read The Problem With Mobile Phones by the Electronic Frontier Foundation for a more in-depth explanation on why mobile phones are so difficult to secure. Read below for a summary of best mobile phone security practices.

It’s always best to use prepaid phones. True burner phones are only used once and then lost or destroyed, hence the name “burner.” These days, “burner phone” simply means a prepaid phone. This article from 2013 is still relevant in its information on the basics of prepaid phones, laws, and, and snooping technology. There are also pseudo-burners which are worth knowing about and perhaps having one.
Always have separate devices and phone numbers for personal and business. Never the two shall meet. If you have different business ventures then have a different phone/device for each business venture. Color code them and put on separate ringtones for the phones.
Don’t have two of your own phones on at once. If you need two to be on at the same time, put one into a Faraday pouch (see below). The reason for doing this? Your phones will send signals back to the cell towers, back to social media, back to whatever you’re logged into, and it won’t take long before there’s enough data that makes it clear (even if just to those with access to cell phone records) that you’re the same person. If you’re logged into apps that suggest account profiles to others, you’ll find your personal or business account being suggested to your personal or business associates and vice versa. If your GPS is on and you’re logged into apps that suggest account profiles to others, you’ll find your business or personal account being suggested to your personal or business associates and vice versa.
Limit your apps and limit your app’s permissions. Do you want security or do you want the latest app for your phone? Read up on what it wants to access and then have a think about why it wants to access it: does it make sense, do you trust the app author, and do you understand why the app needs that permission? For example, an art app wants to access your GPS but it doesn’t integrate with any maps <—- uh oh! Pay particular attention to apps that want to access your cameras, microphone, email and messaging, contacts, GPS, WiFi, and Bluetooth.
Bonus tip: If you don’t want others to know you’re associating with someone or have been to a specific location, turn your phone off before you’re near that person or before you get there. Keep the phone off until the other person is gone or you have left the specific location.

Your security with the phone.

Make and use a signal-blocking Faraday pouch for your phone, pad, and laptop. Make one for yourself and make one for that “friend” or client that you don’t fully trust. Once sealed in the Faraday pouch, the device can’t send or receive any signal. (Turning it off does not necessarily protect you.) You might also want to consider isolating it acoustically so that it cannot record sound. Consider keeping your electronics outside of the rooms where you have sex or have certain conversations to avoid being recorded without your consent.
Call your cell phone service provider and make sure you have a PIN or passcode set up for each account.
Keep your GPS and Bluetooth off.
Keep your WiFi off if you’re not actively using it.

The phone’s security.

Keep your app, OS, and carrier settings regularly updated.
Only download apps from known developers with high ratings.
Limit the permissions your apps can access, such as location and microphone.
Make sure you have anti-malware software installed and updated.
Lock screen:
- Always use a 6+ digit or alphanumeric PIN or passkey.
- Never use fingerprints or face scanners.

Device Cameras

Encrypt your photos right as they’re taken with the upcoming app, Pixek (still in beta testing as of June 2020).

Reusable camera covers (these are a must).

Other Devices

Find out if you’ve been hacked.

Read How Do I Protect Myself Against Malware? by the Electronic Frontier Foundation.

Disable macros in Microsoft Office if you have Windows (a common way of transmitting malware).

Get the best possible operating system out there for those concerned about security: Tails (free; runs on a flash drive so you can have a portable, anonymous, amnesic operating system on any computer you encounter).

Best software for Windows:

Avast antivirus (free; Windows; Mac; Android).
Comodo firewall (free; Windows).
Malwarebytes (free; Windows).
Spybot Search & Destroy anti-spyware (free; Windows).
SuperAntispyware (free; Windows).

Making Our Internet Use Safer

Passwords

In an ideal world, all of our passwords would be memorized and we would change them every four weeks. We’d never forget to change them and we’d never forget the passwords. This is the type of fantasy that comforts me at night, a device in hand… Okay! But in reality, we’re fallible humans with overtasked memories.

The most highly recommended way involves coming up with a book ciphered passphrase for each password. You’re then safe to use a password manager (even one in the cloud!) after that so long as you 1) don’t write down or share the key to the cipher and 2) don’t use common phrases.

Contrary to popular belief, adding MFA/2FA (Multifactor/two-factor authentication) to your accounts might actually be a security risk. If your account insists on texting or calling you to confirm your identity, many security experts are saying this increases security risks and that you should use an alternative. I’m not an expert, but as an advocate, I agree with this assessment. The best way is to use an authentication app; FreeOTP is available for iOS and Android.

Recommended password managers

Encryptr (free; USA-No Knowledge; cloud-based).
Keepass (free; portable; Windows, Linux, Mac OS X, Android).
Password Safe (free; portable; Windows, Android, iOS, Mac).

Remember, don’t repeat, reuse, or share passwords. If you use a password manager, memorize the password you use to log into the password manager account.

Email Security

Don’t use Hushmail.

Stop email tracking (if and when you’ve viewed an email) by turning off images in your email.

If you must use Gmail, encrypt it with service such as Mailvelope (remember, the people receiving the mail must also use Mailvelope for the message to be encrypted).

Enigmail is a free encrypted email client for Mozilla Thunderbird.

Email Account Providers

Mailpile (free, encrypted; Iceland; host it on your computer or in the cloud).
ProtonMail (free, encrypted; Switzerland; Android, iOS; browser).
SAFe-mail (free; encrypted; Israel?; browser and email clients/apps).
SafeOffice (not free, encrypted; Cyprus).
Unseen (free, encrypted; Iceland; Windows; Android; iOS; Mac; Linux; browser) (note: still in service, but the website is outdated).

Use a disposable email address for creating digital accounts

Get Nada (free).
Guerrilla Mail (free).
Sharklasers (free).

Messaging Security

If you must use Slack, encrypt your Slack messages with Shhlack (free).

Encrypted messaging services:

Discord (free; encrypted; browsers, Android, iOS, Linux, Mac, Windows).
Riot.im (free; encrypted; UK; browsers, Android, iOS, Mac, Windows, Linux).
Signal (free; encrypted; USA – No Knowledge; desktop, Android, iOS).
- How to use Signal without giving out your phone number.
- Concerns about Signal.
Silence (free; encrypted; Android).
Tox (free; encrypted; distributed; Android, FreeBSD, iOS, Linux, Mac, Windows).
Unseen (free, encrypted; Iceland; Windows, Android, iOS, Mac, Linux, browsers).
Wickr (free; encrypted; USA – No Knowledge; Windows, Mac, Linux, iOS, Android).
Wire (free for personal use; encrypted; Switzerland – No Knowledge; Android, iOS, Mac, Linux, browsers).

Identity Protection

Stay as anonymous as possible on the internet.

Which VPN Providers Really Take Anonymity Seriously? by Torrentfreak.
Don’t connect to public WiFi without a VPN.
If you absolutely must use public WiFi and you don’t have access to a VPN, only browse the internet using the Tor browser and block your apps from accessing the internet connection.

Read the Terms of Service and Acceptable Use Policies of the sites/services that you use.

Pay cash for gift cards and use those online for services such as VPN.

Don’t login to websites or apps via Facebook, Twitter, or Google.

Don’t allow third party apps to access your accounts.

Disable geotagging in the privacy settings of the sites you post content to (such as Twitter, Instagram, etc.).

Read Why Metadata Matters by the Electronic Frontier Foundation.

Remove your metadata from the files you create. Find the right metadata removal tools for you.
Use a web proxy such as Privoxy (free), which helps eliminate metadata your device sends outward.

To search online, don’t use personally identifying information as your search terms.

If you must allow cookies, allow only session cookies, then be sure to close your browser entirely after each session (no more leaving the browser running to come back to it later).

Run BleachBit (free; Windows, Mac, Linux) after closing your browser.

Never use/view Flash.

Use Anonymouse.org (free):

Browse the internet anonymously.
Send email anonymously.

Shrink your digital footprint as much as possible.

Read How to Disappear From The Internet Today by Who Is Hosting This.
- Account Killer (free; web-based).
- Direct links and instructions to remove your account on other sites.
Delete Me ($129/yr or use their free guides).
- Removes your data and personal info like address and phone number from sites that list it.
JustDelete.me (free; web-based).
- Direct links and instructions to remove your account on other sites.

Use multiple browsers: 1 for email; 1 for social media; 1 for browsing/searching.

Browsers

Chrome, though the most popular browser, is not the best choice for security.

“Google is a company that fully cooperated with the NSA in its PRISM mass surveillance program. […] Even with all user-controlled privacy settings locked down, there is every reason not to trust Google to just not spy on you anyway.” — Douglas Crawford, BestVPN.com.

Do not use the Chrome browser to log into your Google account to check your mail or calendar.

Do not use the Chrome browser to search Google! If you can’t use another browser, at least use DuckDuckGo.

Use security plugins (add ons, browser extensions, WebExtensions) in your browsers.

Browser suggestions

Tor Browser (free; Windows, Mac, Linux).

This is essentially like running a hardened version of Firefox without having to install WebExtensions or change any settings.

Orbot/Orfox (free; mobile).

Cliqz (free; PC, Mac, Android, iOS).

Built-in search; built-in privacy features; built-in anti-tracking.

Firefox (free; PC, Mac, Linux, Android).

Make sure to harden Firefox up if this is the browser you use.

Use extensions. Note: not all of these need to be used at once.

Blur ($39/yr or free with fewer features):
- Password manager (free).
- Anonymizes email (free).
- Creates burner credit card numbers for each purchase (paid).
- Masks phone number for online forms (paid).
Canvas Defender (free; Firefox):
- Creates a unique and persistent noise that hides your real canvas fingerprint.
- This add-on will be obsolete once Mozilla releases Firefox with built-in canvas fingerprinting protection as it has been promising to do.
Cookie AutoDelete (free; Firefox):
- Automatically deletes HTTP (regular) cookies when you close the browser tab that sets them.
Container Tabs (free; Firefox):
- Similar to using multiple browsers.
Disconnect (varies):
- Blocks trackers and enables private searching on 1 browser (free).
- Block trackers & malware across 1 device. ($24.99).
- Blocks trackers & malware. Secures WiFi & provides VPN. ($35.99 per year for 3 devices).
Ghostery (free; browser extension for Cliqz, Firefox, Chrome, Opera, Safari, Edge, Internet Explorer; mobile browser on iOS and Android):
- Gives you control over ads and tracking technologies to speed up page loads, eliminate clutter, and protect your data.
HTTPS Everywhere (free; Firefox; Chrome; Opera):
- Forces your browser to connect to the SSL encrypted version of the site if available.
NoScript (free; Firefox and other Mozilla-based browsers):
- Allows JavaScript, Java, Flash and other plugins to be executed only by trusted web sites of your choice.
Privacy Badger (free; Firefox and Opera):
- Blocks spying ads and invisible trackers.
uBlock Origin (free; Firefox):
- Blocks ads.
- Blocks tracking scripts.

Data Backups

Purchase a hard drive or USB keys (I suggest those by Apricorn as they come with encryption) that can store your digital files. Encrypt it if it doesn’t come with encryption. In the future, consider purchasing multiple drives or USB keys and keeping your most valuable information in multiple places. If you bought a safe, keep your external hard drive and other backups there. Remember, multiple backups are best!

Remember to keep the originals of your photos, writing, videos, and any other content you created and own.

Back up your data and encrypt it:

Backup your contacts from your email, phone, and social media.
Backup your data, including exports of your website, social media profiles, and cloud-based storage.
Download backups off the internet to external media whenever possible. Scan for malware.

Full disk encryption (and a detailed how-to for them):

Duplicati (free; Windows, iOS, Linux).
FileVault (free; Mac).
iPhones.
Secure boot and Bitlocker (free; Windows).
VeraCrypt (free; Windows).

Making Our Content Safer

Social Networks

Recommended.

Mastodon + GNU Social (free). this is your best bet as it’s decentralized. Combine with Discord!

swingset.social is an invite-only Mastodon instance set-up and run by the folks who host the Swingset.FM podcasts.
Switter.at is a Mastodon instance by and for sex workers.

Not Recommended.

These are communities created for 18+ material that didn’t do their homework, so we’ll find out how they fare as FOSTA begins to be enforced. These are all on US-based domains which can still be seized and shut down.

A note about Sharesome:

The domain is a dot com and thus the domain can be seized by the US government at any time. It’s also hosted in the USA by Amazon. Their CEO is Tudor Bold, who claims to be in Europe on his social media. But if you look at the T&C, 2257, etc, of Sharesome, everything is addressed directly to Tudor Bold at a co-working office space (the Regus) in NY. 57 West 57th Street, 3rd and 4th Floor, New York, New York, 10019 )

Sharesome didn’t become an adult social networking site until October 28th of 2018. They don’t have an office. They claim to be European-based and they didn’t do their homework (they’re on a dot com and they’re being hosted by Amazon).

They’re not a good choice.

A note sent directly to me from Sharesome’s CEO, Tudor Bold:

Hello! I’m Tudor, co-founder of Sharesome. Congratulations for a great site filled with really useful resources. I knew about most of these services, but never saw them aggregated in a such an easy to go through way.
I noticed you mention Sharesome, and I do agree with the risk involved with having a .com domain. Just to be clear, since you refer a lot to FOSTA/SESTA, our platform explicitly forbids escorting services. We encourage content creators to promote their paysites, camsites, tubesites etc.
As for the address in NY, that’s a virtual address we use for receiving mail or sending out press releases. Our company is based in [redacted – a country that is a member of the European Union] and we have colleagues from several European countries (so no other tie to the US at this point). I wished we were even more transparent, but we’re trying to protect our privacy too – as much as possible considering we run a very public service.
Thank you and congratulations again for all your work! Best wishes! 🙂

These communities were not created for 18+ material but some still (as of 12/18/2018) allow adult content. They’re all on US-based domains which can still be seized and shut down.

Diaspora
MeWe
PillowFort
- This is a microblogging service that integrates your account with others into communities; think LiveJournal.
PoiZen.me
- for artists
pump.io
- however, .io domains technically do not allow “adult” content. so far, no one has had any trouble, but the time will likely come.
RetroShare

Self-hosted Blogs And A Note About WordPress

If you’re going to self-host or if you’re already self-hosting, there’s a lot to consider about your domain registration and your website host, as well as where in the world to locate your content, not just what blog publishing software you may have installed on your website. Please remember to take all of those factors into consideration.

Self-hosted Blogs.

Drupal (free).
Joomla (free).
WordPress.org (free).
- BuddyPress – creates a social network (free; installs on top of a WordPress.org install).
- peepso – creates a social network (installs on top of a WordPress.org install).

A note about WordPress.

Always keep your WordPress.org sites updated with the latest releases for themes, plugins, and WordPress itself.

Sites on WordPress.com may get shut down if they are in violation of the WordPress.com TOS and AUP.

Sites hosted with the standalone software from WordPress.org are hosted off WordPress.com and need to worry about the TOS and AUP of the server the site is on (generally a hosting company), not WordPress.com.

However, if you are hosting your site on a standalone installation from WordPress.org, do not install or use any of the other services or products made by Automattic (they are the makers of WordPress), as you’ll be signing up for basically the same TOS and AUP with those services and products. Many of them integrate with WordPress.com, at which point you may be in violation of their TOS and AUP.

Some of those services and products are:

Akismet Anti-Spam
- Alternatives: CleanTalk, Wordfence Security.
Jetpack
- A lot of individual plug-ins to cover everything in Jetpack, sorry. I’ll get to this soon.
VaultPress
- Alternatives: BlogVault, Darwin Backup, UpdraftPlus.
WooCommerce
- Alternatives (these have not yet been assessed for allowing adult content or for compatibility with adult payment processors): Cart66, eBook Store, eCommerce Product Catalog Plugin, eCommerce WD, Ecwid Ecommerce Shopping Cart, Easy Digital Downloads, MarketPress, Sunshine Photo Cart, WP eCommerce.
WordPress apps for iOS, Android, etc.

In addition, you’ll need to log into your site(s) via each individual log-in and not with your WordPress.com universal log-in.

Self-hosted Websites

Domain registration.

The country that is home to the service that you pay for is the country under whose jurisdiction a website falls regarding the legalities of its content. This includes freedom of speech, advertised services, and advertised products.

Owning a “.com”, “.net”, “.org”, “.co”, .or “.us” domain means that your domain name is subject to US laws and that the US government can shut the website down at any time — so consider getting a domain subjected to another country’s laws. Keep in mind that this can also happen to any service provider that you use, like your email host or your domain registrar, etc., as a U.S. government spokesperson “says it has the right to seize any .com, .net and .org domain name because the companies that have the contracts to administer them are based on United States soil.” By “the contracts to administer them,” they’re talking tech: it’s a way of saying those websites have contracts with their domain registrars. A popular domain registrar in the USA is GoDaddy, for example.

This means using a “dot-something” (a top-level domain) or…, wait, Wikipedia explains this better than I can.

“A domain name registrar is an organization that manages the reservation of Internet domain names. A domain name registrar must be accredited by a generic top-level domain (gTLD) registry or a country code top-level domain (ccTLD) registry. A registrar operates in accordance with the guidelines of the designated domain name registries.
Wikipedia. https://en.wikipedia.org/wiki/Domain_name_registrar

Bottom line is that if you use a USA-based registrar, your domain can be seized. I think this holds true even if you have registered a non-US-based domain, but I need to do more research.

What you need to do is use a non-US-based registrar. I recommend:

.gdn (United Arab Emirates; Anti Abuse Policy [link goes to PDF]).
.one (Denmark).
.ooo (India; Acceptable Use Policy).
.top (China).

You could also register with a country’s domain. I’d recommend using Iceland (.is) or Switzerland (.ch). Make sure to choose a country that doesn’t practice data surveillance with the USA.

It’s also a good idea to start by using a service like Njalla (15 € per year; the Federation of Saint Kitts and Nevis [located in the West Indies]. Note: This is a service that owns your domain for you and acts as a mask between your registration and the world. It is not a domain registrar but acts as a liaison between the registrar and you, thereby granting you privacy.)

Web hosting considerations.

Always encrypt your website(s). Let’s Encrypt does it for free.

Things to know about any potential web host before transferring your site to them. If they don’t or won’t provide answers to these questions, be very wary! (Please check the TOS, AUP, and other information provided by the hosting provider before asking these questions directly.)

Server Security Considerations.

Does whoever is providing hosting own the server or is it leased from someone else? Do the owner(s) of the server have a business or other license (and applicable business insurance that covers property) in their jurisdiction?
Where is the server located — in a secure facility such as a server farm, complete with temperature control, guarded access, UPS power back-ups, daily off-site tape back-ups, etc., or somewhere else?
What kind of ongoing security measures are in place for the server? For example, file auditing/IDS, firewalls, service auditing, SSH key authentication, SSL-forced logins, and user traffic, timely updates and upgrades, etc.
Does the hosting provider keep logs of you accessing your account (website, email, etc.)? If so, for how long? If so, if the log archives are rotated (so that only the most recent logs exist), how are the old logs destroyed?

Technical Considerations.

What are the technical specs on the server? Disk space, memory, processor(s), fans, bandwidth, etc? What happens when these start getting maxed out?
What operating system is installed on the server? What GUI hosting management software, if any, is installed on the server? What will hosted websites have access to (shell? webmail? streaming video stored in the server? SSL? e-commerce? etc.)?
What are the bandwidth and disk space limits, if any, for each person’s hosted services? What happens when these start getting maxed out?
Does hosting come with technical support of any sort? If so, does it come from the person/company/service providing hosting or does it get filtered through a hosting company to whoever is providing hosting and then on to you? Will direct technical support be available at all? If support is offered, what is covered by support and is it free?

Adult Content Considerations.

What are the laws regarding adult content in the country where the server is located?
- Are there limitations to the types of adult content that can be hosted, and if so, what are those limitations?
- If the content in your account will not be legal in the country where the server is located what legal measures might be brought against you? (For example, pornography is illegal in Iceland, but it’s rarely targeted for prosecution.)
Will the owner(s) of the server extend hosting to adult content sites? If so, what, if any, are the limitations to content and services that can be provided on the hosted websites?
Will the hosting provider or server owner(s) shut websites down due to adult content if there is intervention from law enforcement, a change to the hosting provider’s TOS/AUP, or another reason? If so, what does shutting down entail?
- Is there a warning to the account owner? If so, how is that warning provided?
- Does the website get shut down, but not the account (so that the account owner can still log-in to access the account’s website content, email, etc.), or does the entire account get suspended?
- Does a notice of the account being shut down get put on the website in place of its content? For example, taking down the site and putting up text that says the account was in violation of TOS or something similar?
If it’s a person (versus a hosting company) offering to host, is there a vetting process to decide who and what sites get to be hosted by? Will they accept every site or are there guidelines?

Other Legal Considerations.

Does the country where the server is located have any MLAT or surveillance agreements with the United States? If so, how do they respond to these requests?
Does the country where the server is located have a good rating for freedom of the press (freedom of information)? Has the country been upholding those practices or is their rating in decline?
Does the country where the server is located have privacy protections for non-citizens, for data, and for business? Recently, has the country been upholding those protections?
Will the hosting provider stand by their TOS regarding legal pressure? For example:
- Some hosting providers refuse to comply with court orders, law enforcement, etc.
- Some hosting providers stand by No Knowledge or Zero Knowledge lack of access.
If the hosting provider states that they comply with legal requests for access and/or legal requests to shut down access, does the hosting provider have measures in place that prevent each account’s content being traced to the account’s owner or account manager?

Ethical and Safety Considerations.

If it’s a person offering to host (versus a hosting company), does all the money from hosting go back into hosting? Will they be transparent about the finances? If it isn’t all used for financing, what else will it be used for? (Personal? Donation?)
How long has this person or company been hosting websites and content?
- Particularly, how long before 2018? How much technical experience do they have? How much legal experience do they have?
- If this is a new web hosting provider, what guarantees do you have that
  - 1, you’ll receive the services that you purchase,
  - 2, you won’t lose your data, and
  - 3, your web hosting provider won’t turn your identity over to authorities, or worse, implicate you in something you haven’t done?

Payment Considerations.

Does the web hosting provider require a name that matches a credit card for payment?
Does the web hosting provider accept payment forms that you prefer to use? For example, gift cards, cryptocurrency, non-verified PayPal accounts, etc.
Does the web hosting provider do recurring billing or are you responsible for arranging payment with each billing cycle?
How long are the billing cycles? Can payment be provided in advance? Is payment required in advance?
Is there a security deposit or a minimum length of time you can pay for?
Will you get your money back if you pay in advance and decide to take your business elsewhere?

Cloud File Services

Audit your cloud storage. Where are your files stored? What kind of information is stored? Where’s the most sensitive information?

Encrypt your data with a service like Boxcryptor before sending it to the cloud or to your external storage device.

Cloud file storage and file sharing providers.

AxCrypt (prices vary; Sweden; encrypted file storage).
Backblaze (prices vary; USA – complies with a subpoena; encrypted file storage).
file.io (free; USA; encrypted file sharing).
Mega (prices vary; New Zealand; encrypted file storage).
pCloud (prices vary; Switzerland; varying forms of encryption file storage).
SpiderOak (prices vary; USA – No Knowledge; encrypted file storage).
Storegate (prices vary; Switzerland; encrypted file storage).
Transmit (free; USA; Mac and iOS-only; encrypted file transfer).
Tresorit (prices vary; Switzerland; encrypted file storage).

Collaborative documents and project management providers.

CryptPad (free+; France; encrypted)
Mega (prices vary; New Zealand; encrypted).
Nextcloud (expensive!; self-hosted; Germany; encrypted).
OpenProject (varies; Germany).
Storegate (prices vary; Switzerland; encrypted).

Extras

Data Surveillance

Read up on Mutual Legal Assistance Treaties (MLAT).

Read up on global data surveillance programs PRISM, MYSTIC, and BULLRUN. Learn how they can impact you if you aren’t careful. Learn how to opt out and start making plans to do so.

Read up on other data surveillance systems like XKeyscore, WARRIOR PRIDE, Tempora, Stormbrew, Pinwale, MUSCULAR, MARINA, MAINWAY, Magic Lantern, ICREACH, Financial Crimes Enforcement Network, Fairview, FASCIA, and DISHFIRE.

Read up on Five Eyes (also known as FVEY, Nine Eyes, Fourteen Eyes, and SIGINT Seniors Europe/SSEUR). Note that Five Eyes includes New Zealand, Nine Eyes includes the Netherlands, and Privacy International believes that there is “a shared effort of the Five Eyes nations in ‘focused cooperation’ on computer network exploitation” with nineteen other countries, including Iceland, the Netherlands, and Switzerland.

5 Eyes, 9 Eyes, 14 Eyes – Explained by Restore Privacy.

Read up on Switzerland’s mass surveillance program, Onyx. The former director of the parent agency to the Swiss Federal Intelligence Service, NDB, denied that it cooperates with the NSA, but acknowledged that it is possible for other US intelligence agencies to gain access to Onyx. However, other Swiss parliamentarians disagree with the denial and believe that Onyx collaborates with the NSA.

Internet Freedom

Read up on the importance 1, 2 of free and open-source software. (Note: not all free software is open-source, though most open-source software is free.) Learn how this relates to internet freedom.

Where Should I Host My Content?

Keeping in mind data surveillance and internet freedom, where should I host my content?

I used the U.S. Department of State’s fact sheet that lists the 195 independent states in the world that were recognized as of May 30, 2018, to cross-reference against Access Now‘s list of all the Mutual Legal Assistance Treaties (MLATs) that are between another country and the USA. For every country that is joined to the USA via an MLAT, I crossed it off the list of the 195 independent states that were in existence when I began.

If it were just data surveillance, you’d want to choose from a country or other area that doesn’t have an MLAT (Mutual Legal Assistance Treaty) with the USA. The countries without an MLAT with the USA are:

Afghanistan
Albania
Algeria
Andorra
Angola
Armenia
Azerbaijan
Bahrain
Bangladesh
Belarus
Benin
Bhutan
Bolivia
Bosnia and Herzegovina
Botswana
Brunei
Burkina Faso
Burma
Burundi
Cabo Verde
Cambodia
Cameroon
Central African Republic
Chad
Chile
Colombia
Comoros
Congo (Brazzaville)
Congo (Kinshasa)
Costa Rica
Côte d’Ivoire
Cuba
Djibouti
Dominican Republic
Ecuador
El Salvador
Equatorial Guinea
Eritrea
Eswatini
Ethiopia
Fiji
Gabon
Gambia
Georgia
Ghana
Guatemala
Guinea
Guinea-Bissau
Guyana
Haiti
Holy See
Honduras
Iceland
Indonesia
Iran
Iraq
Jamaica
Jordan
Kazakhstan
Kenya
Kiribati
Korea, North
Korea, South
Kosovo
Kuwait
Kyrgyzstan
Laos
Lebanon
Lesotho
Liberia
Libya
Macedonia
Madagascar
Malawi
Maldives
Mali
Marshall Islands
Mauritania
Mauritius
Mexico
Micronesia, Federated States of
Moldova
Monaco
Mongolia
Montenegro
Morocco
Mozambique
Namibia
Nauru
Nepal
New Zealand
Nicaragua
Niger
Nigeria
Norway
Oman
Pakistan
Palau
Panama
Papua New Guinea
Paraguay
Peru
Qatar
Rwanda
Samoa
San Marino
Sao Tome and Principe
Saudi Arabia
Senegal
Serbia
Seychelles
Sierra Leone
Singapore
Solomon Islands
Somalia
South Sudan
Sri Lanka
Sudan
Suriname
Syria
Tajikistan
Tanzania
Thailand
Timor-Leste
Togo
Tonga
Tunisia
Turkey
Turkmenistan
Tuvalu
Uganda
United Arab Emirates
Uruguay
Uzbekistan
Vanuatu
Vietnam
Yemen
Zambia
Zimbabwe

But it’s not just surveillance, it’s also about freedom.

Freedom House, “an independent watchdog organization dedicated to the expansion of freedom and democracy around the world,” has ranked internet freedom for dozens of countries for several years. Their latest reports (2020) put Iceland in first place for internet freedom and Estonia in second place.

Reporters Without Borders have released their 2020 report which ranks countries according to freedom of information (freedom of the press). Of note: #5 the Netherlands, #8 Switzerland, #9 New Zealand, #14 Estonia, and #15 Iceland.

Therefore, with both surveillance and freedom under consideration, I feel comfortable making the following recommendation of Orange (their TOS) (price varies; Iceland).

Money Matters

Crowdfunding providers.

Selfstarter (create your own crowdfunding).

Payment processor providers.

Dwolla (no escort business).
IcePay.
Paxum.
Payoneer (must use with partner site; US Payment Service not available to US residents).
Soar Payments.
USAepay.
Verotel (only online adult services; no in-person adult services).

Ongoing patronage/membership program providers.

Steady is your best bet. It’s out of Germany. Read their community guidelines.
Liberapay is now only using Stripe and Paypal, which means they’re not the option they once were. Use with extreme caution.

Cryptocurrencies.

There are currently 3,500+ cryptocurrencies in the world. Use a service like CoinMarketCap (free) to see what they’re currently trading at. I’d recommend using intimate, which was created to be a cryptocurrency for adult content and services.

Personally, I advise against using any of the cryptocurrencies. I understand the appeal and the situations where it might seem to make transactions smoother. If I have the time, I might add more here later.

Other Tools

Data recovery tools (just in case!).

If you encrypt your data, these won’t work.

Disk Drill (free; Windows, Mac).
PhotoRec (free; Windows; Mac; Linux; it hasn’t been updated since 2015.).
Recuva (free; Windows).

Permanently delete files for added security.

If you use these, the data recovery tools won’t work.

Bleachbit (free; Linux).
DBAN & Blancco Drive Eraser (free; Windows).
Bleachbit (free; Windows).

Resources & Recommendations

Other resources.

#SurvivorsAgainstSESTA which is sadly not being updated the way it ought to be (not since March 2019).
Hacking//Hustling was an event in NYC on 9/18, but the website remains a valuable resource.
Obfuscation: A User’s Guide for Privacy and Protest by Finn Brunton and Helen Nissenbaum.
Post-SESTA/FOSTA Self-Censoring for Twitter, Reddit, and Other Social Media by Liara Roux.
Preventing Doxing by Crash Override Network.
PRISM BREAK details more apps and software than I was able to list.
Privacy Enhancing Tools is another good list.
Purism makes the world’s most secure laptops and phones (phone is available for pre-order).
Security in-a-Box: digital security tools and tactics.
So You’ve Been Doxed: A Guide to Best Practices by Crash Override Network.

Excellent Groups & People.

Electronic Frontier Foundation.
Frank M. Ahearn is one of the world’s leading experts in disappearing (off the internet as well as real life) and privacy protection. I highly recommend his books.
Free Software Foundation.
Privacy International.
Restore Privacy.
Sex Tech Law.

FAQ

What country is best to have my self-hosted content managed?

That’s a million dollar question. I’ve only begun to provide the really complicated answer to that question here.

“__________ [cryptocurrency]?”

Oh dear. There’s info on cryptocurrency here, yes.

Will you host my blog/website/content for me?

Sorry, but no. Despite what you may have heard, that’s in the past for me.

Will you advise me/help me secure my content?

Possibly, depending on my availability and how I’m feeling. Contact me to find out.

This project itself advises against newly sprung services cashing in on folks seeking respite from recent legislation, so what gives?

I’m not offering any services at all, none. I gathered up resources and wrote up some words and am offering all of that for free; if you want to tip me for that, it’s up to you.

Who am I to make these suggestions?

That’s a good question and I hope you’re asking it of yourself. Your lives and your content are at risk and I know better than most how the two can be directly tied together.

Please be wary right now before signing on with new-to-you and/or new-to-the-public tech providers. Do your homework, ask around. It’s easy to start something and harder to stick with it; that, too, I know better than most.

I know a little bit about tech stuff, more than the average person, to be sure. I’ve been online since 1996 and started hosting websites in 1997. I managed a cooperatively owned web server from 1999-2017.

I know it’s easy to set-up off-shore hosting. It’s easy to offer it to others. It’s completely another thing to maintain that hosting — let alone securely and safely — year after year, particularly without staff. Which is why I hesitate when people talk about setting up their own web server for others to use. It’s very, very hard to succeed at this in the long-term.

While cybersecurity isn’t fully my world and certainly isn’t my line of work, I know folks who work in cybersecurity. Some are ethical hackers, some work for the Fed for Homeland Security. We’ve had long talks about Best Practices regarding what’s in this project. My friends can’t put their names on this because of their line of work and my line of interests, but that’s who is advising this project.

Transparency

I have no certification or education or professional background that “qualifies” me to make these suggestions. If you need to base your safety on respectability politics, I won’t be able to help you.

I’m not selling you any tech products. I’m not getting any referral or affiliate fees. I don’t have a server anymore, so I’m not trying to get you to sign up with my web hosting cooperative. I don’t have any friends in tech whose services I’m suggesting.

I saw a need that a lot of folks have. I’m afraid for us, so I’m trying to fill that need a bit.

Playing it safe(r): a security guide