Why a UK version
The EFF's Surveillance Self-Defense is the canonical English-language resource on practical privacy. It is also written, inevitably, for a US reader. The legal landscape it describes is the Fourth Amendment, federal warrant law, and the threat model of US federal and state agencies. UK readers borrowing from it have to mentally translate every page — and a lot of advice that makes sense under US law (don't talk to police without a lawyer; the government needs a warrant for X) doesn't translate cleanly to the British context, where Schedule 7 of the Terrorism Act can detain you at the border for six hours without suspicion, the Investigatory Powers Act 2016 permits bulk collection on a scale unimaginable in most of Europe, and your local council can surveil your bins under RIPA.
This page is the British version of that conversation. Read it; then read the EFF original for the deeper detail; then come back for the UK helplines and the Schedule 7 advice.
The UK surveillance landscape, briefly
The four legal and infrastructural facts that shape the British threat model:
- The Investigatory Powers Act 2016 — the "snooper's charter" — is the most permissive surveillance regime in any major democracy. It explicitly authorises bulk interception of communications, bulk acquisition of communications data, bulk personal datasets (the "BPD" regime), and equipment interference (state hacking) at scale. Internet Connection Records — twelve months of every website you visited — are retained by your ISP and accessible to a long list of public authorities; the police and security services are only the top of that list. Local councils, the Department for Work and Pensions, the Food Standards Agency, and the Gambling Commission are all on it.
- Schedule 7 of the Terrorism Act 2000 — at any UK port or airport, an examining officer can stop you, detain you for up to six hours, demand you hand over the passwords to your devices, and copy the contents. There is no requirement of suspicion. Refusing to comply is a separate criminal offence. This regime has been used against journalists (David Miranda), human-rights workers, lawyers (Cori Crider), and a long list of less well-resourced people.
- The ANPR network — the UK operates one of the densest automatic-number-plate-recognition camera networks in the world, capturing roughly 75 million reads per day. The data is retained for two years and queryable by every UK police force. Your movements by car are, in a meaningful sense, public information.
- Live Facial Recognition — the Met Police, South Wales Police, and others routinely deploy LFR vans at protests, sporting events, concerts, and shopping centres. The technology is under-regulated and has been challenged repeatedly in court. Operating assumption: at any large public gathering in the UK, your face has been captured against a watchlist.
The Online Safety Act 2023, the Investigatory Powers (Amendment) Act 2024, and the proposed expansion of facial recognition all add to this landscape rather than constraining it. The political consensus across the major parties on surveillance is broader than most British people realise.
Threat-modelling — the five questions
Privacy is a means, not an end. You can't optimise for "more privacy" the way you optimise for "less spam". You have to start by being clear about what you are protecting and from whom. The five questions, borrowed from the EFF framework and adapted for UK context:
- What do I want to protect? Your messages? Your location? Your identity? Your sources? Your contacts list? Your face on a database? Your specific physical safety from a specific person? The protection differs.
- Who do I want to protect it from? A nosy ex-partner? An abusive family member? Your employer? A criminal stalker? An organised-crime adversary? UK law enforcement? UK security services? A foreign state? A journalist on the trail of a story? Each adversary has a different toolkit and different legal powers.
- How likely is it that I will need to protect it? Not "is it possible?" — almost everything is possible. "Is it probable enough that I should expend effort?" Honest probability assessment is what stops privacy from becoming a paranoid full-time job.
- How bad are the consequences if I fail? Mild embarrassment? Loss of employment? Loss of citizenship? Loss of liberty? Physical harm? The defensive effort should match the consequence.
- How much trouble am I willing to go through to prevent those consequences? Daily-driver Signal use is cheap. Carrying a separate device for sensitive communications is moderate. Living on Tails on an air-gapped laptop is expensive and disruptive. Pick the level of effort that the consequences justify, and that you can actually sustain.
If you are reading this and you are in the third or fourth box for any of those questions, the rest of this page will help — and you should probably also be talking to a specialist organisation listed at the bottom.
Scenarios
Everyone — the baseline
If you are doing nothing more sensitive than ordinary life, you still benefit from a baseline:
- Signal as your default messaging app for one-to-one and small-group chat. Usernames over phone numbers. Disappearing messages on for new conversations.
- Password manager (1Password or Bitwarden), unique random passwords per site, hardware-key 2FA where possible. See the OSINT self-audit if you want to know what's already out there about you.
- Phone hardening: iPhone with Lockdown Mode if you are at any elevated risk; otherwise the standard iOS lockdown checklist (long passcode, FaceID/TouchID off if you cross borders, automatic updates on). Android: Pixel + GrapheneOS for the genuinely security-minded; up-to-date official Android otherwise.
- Browser: Firefox with uBlock Origin, Multi-Account Containers, and Privacy Badger. See the uses page for the detailed setup.
- Email aliases via SimpleLogin, addy.io, or Apple's Hide My Email — every service gets a different address.
None of this stops a determined state-grade adversary; all of it raises the cost of casual surveillance enormously, and that's the right baseline for most people.
Survivors of domestic abuse and stalking
This is the highest-stakes UK use case for surveillance self-defence by a wide margin. Refuge's Tech Safety service and the Suzy Lamplugh Trust's National Stalking Helpline are the specialists. Use them.
Critical operational points specific to this scenario:
- Stalkerware on phones is endemic. If you suspect your phone is compromised, do not factory-reset it as your first move — that will tip off the abuser and may delete evidence. Talk to Refuge's tech-safety team or a specialist police contact first. Any new device should be set up cleanly from scratch, not carried over from the compromised one.
- Shared accounts are an ongoing surveillance channel. Apple Family Sharing, Google Family, shared iCloud accounts, joint Spotify, joint streaming subscriptions, location-sharing in Find My / Find My Device, the family Tile network — all of these can be used as a real-time tracker. Audit and unwind methodically, with help.
- Open-register opt-out is critical (see the OSINT self-audit). Anyone with £20 and 192.com can find your home address otherwise.
- HM Land Registry exposes property ownership for £3 a search. If you are at risk and you own property, you can apply for the Property Alert service and, in serious cases, redaction of personal information from the register.
- Companies House SR04 — if you are a company director and at evidenced risk, you can apply to suppress your name and home address from the register beyond what's available to credit-reference agencies. Real, not paranoid, and underused.
- The MARAC process — Multi-Agency Risk Assessment Conferences are how police, social services, refuges, and health services share information about high-risk domestic-abuse cases. If you are not in MARAC and you should be, ask. Refuge can help you navigate this.
If you are reading this and you are in this category, please go to refugetechsafety.org and the Suzy Lamplugh Trust before doing anything else.
Journalists and their sources
The UK is a more difficult environment for source protection than people often realise. Three critical points specific to British journalists:
- The Investigatory Powers Act has been used to identify journalists' sources. The Act has limited journalistic-source protections that are weaker than those most working journalists assume. Communications data — who you called, when, where you were — is accessible to a long list of public authorities under the Act, and was used to identify the source for the Plebgate story before the law was tightened.
- Schedule 7 detention at the border has been used against journalists in transit. David Miranda's detention at Heathrow in 2013 is the canonical case. If you are travelling with sensitive material, do not travel with the only copy, do not travel with passwords your detention would compromise, and assume that any device that crosses the border may be copied.
- Section 49 of RIPA requires you to disclose passwords for encrypted material on demand from police, with up to two years' imprisonment for refusal (five years in terrorism cases). Refusing to comply is a separate offence. The defence to a Section 49 notice is narrow.
Practical posture:
- Use SecureDrop for source contact where your news organisation has it. If your organisation does not, it should — talk to Freedom of the Press Foundation's UK contact about onboarding. Do not rely on the source's own discretion to protect them.
- Use Signal disappearing messages with sources, not WhatsApp. WhatsApp metadata is harvested by Meta even though the message contents are end-to-end encrypted; Signal's metadata posture is dramatically better.
- For high-sensitivity travel, use a burner laptop with no source material on it; access source material remotely through a hardened jump-box; assume the burner laptop is searchable at the UK border.
- Consider OnionShare for moving documents between you and the source over Tor. It is more usable than people assume.
- Talk to your NUJ ethics representative and a media lawyer before publishing material that may attract a Section 49 notice or a section 5 of the Official Secrets Act 1989 prosecution. The Bureau of Investigative Journalism publishes good UK-specific source-protection guidance.
Activists, protesters, and organisers
The UK has a long, well-documented history of state infiltration of protest movements — the Spycops scandal, the ongoing Undercover Policing Inquiry, the construction-industry blacklist exposed in 2009. Modern organisers face the same human-source threat plus a much larger digital surveillance footprint.
- Protest day: switch to a clean phone or leave your phone at home (consider that police IMSI catchers have been deployed at protests). If you must take your phone, put it in a Faraday pouch when not actively using it. Disable Face/Touch ID and use a long passcode. Photograph other protesters with consent only — police will use seized footage for identification.
- Organising channels: Signal groups, not WhatsApp. Smaller groups are safer than larger ones (one informer can compromise the lot). Use disappearing messages.
- Recruitment of new members: assume that a non-trivial fraction of new contacts at scale are state-affiliated. The Spycops history is not over. Do not trust new contacts with sensitive operational information until they have been around long enough to have built a verifiable history.
- Travel to actions: the ANPR network captures car movements at scale. Using public transport, cycling, or walking is a real-world privacy win. Cash for tickets and travel.
- Live Facial Recognition: assume your face will be captured at any major event. Masks, hats, and sunglasses provide partial defence; FRT vendors have been adapting to defeat them.
- Arrest preparation: know your rights under PACE before you go. Have a solicitor's number written on your arm in marker. Green & Black Cross is the canonical UK protest-support organisation; their bust card is required pre-reading.
Whistleblowers
UK whistleblower protection under the Public Interest Disclosure Act 1998 is real but narrow. It protects you from employer retaliation only if you make a "qualifying disclosure" through a "prescribed person" or otherwise meet the specific statutory tests. It does not protect you from criminal prosecution under the Official Secrets Acts, RIPA, or the Computer Misuse Act 1990 if your disclosure crosses those boundaries.
Operationally:
- Talk to a specialist before you act. Protect (formerly Public Concern at Work) runs a free advice line for would-be whistleblowers. Use it.
- Air gap and separation: never use your work device or work network to research, prepare, or transmit the disclosure. Do not use your home network either if it can be associated with you. Use a clean device on a clean network.
- Document carefully: a successful PIDA defence requires a clear record of what you knew, when you knew it, and what reasonable belief you held. A successful Official Secrets defence is a much taller order.
- Use a journalist if appropriate: established news organisations have lawyers and SecureDrops. They are usually a safer route than self-publishing.
At-risk professionals
Lawyers, doctors, social workers, MPs, MPs' staff, civil servants in sensitive briefs, and academic researchers working on contentious topics (counter-extremism, drug policy, sex work, statelessness, climate-justice litigation) all face an elevated baseline of state and non-state interest in their communications.
- Lawyer-client privilege is recognised in law but routinely tested in practice. The Investigatory Powers Commissioner's Office (IPCO) has documented multiple instances of accidental and deliberate interception of legally privileged material.
- Doctors and social workers are required to keep records and disclose to safeguarding processes; the surveillance question is more about how those records are protected from incidental third-party access than about whether they exist.
- MPs and their staff face a state-grade adversary baseline in addition to the ordinary one — the Foreign Office cyber-defence service publishes specific guidance for parliamentary kit.
The professional posture is the baseline plus serious commitment to the toolkit listed below — Signal universally, hardware tokens for everything, SimpleLogin or addy.io aliases, no work email on personal devices and vice versa.
The toolkit
Communications
- Signal (messaging, voice, video). Sealed sender, forward secrecy, disappearing messages, username support. The default for anything you would not want a third party to read.
- OpenPGP for long-form email and where the counter-party already has a key. The PGP primer on this site walks you through it. Not the right tool for sync messaging.
- Briar (Android) for situations where the network itself is hostile — it works peer-to-peer over Bluetooth or Wi-Fi without needing internet at all.
- Element / Matrix with a hardened homeserver for group communications where Signal's group-size and identity model don't fit.
- Avoid Telegram for anything sensitive — most chats are not end-to-end encrypted by default. WhatsApp content is encrypted but the metadata isn't.
Devices
- Phones: iPhone with Lockdown Mode and a long passcode, OR Pixel + GrapheneOS. Both are credible. Disable biometric unlock when crossing borders or attending high-risk events.
- Laptops: full-disk encryption (FileVault, BitLocker, LUKS), Secure Boot enabled, automatic updates, password manager, hardware-key 2FA. Tails on a USB stick if you genuinely need a clean computing environment for a specific task.
- Hardware tokens: at least two YubiKeys (one daily-carry, one safe). Single-key setups are a trap.
Browsing
- Firefox with uBlock Origin, Multi-Account Containers, Privacy Badger as the default browser.
- Tor Browser for browsing where you do not want the website (or anyone in between) to know it is you.
- Mullvad VPN for ordinary network-level privacy (not a substitute for Tor when you genuinely need anonymity, but valuable for everyday hostile networks).
- Pi-hole on the home network to block trackers and ads at DNS level.
Travel — and Schedule 7 specifically
If you are travelling through a UK port or airport and you have any reason to think you might be stopped under Schedule 7 (returning from a place of interest, professional reason to be of interest, named in any database, or just unlucky):
- Travel light. A clean device with no source material, no client material, and no sensitive correspondence on it is the right tool. Sensitive material lives on a server you can access remotely, not in your luggage.
- A device that has been powered off boots into the BFU (Before First Unlock) state, in which biometric unlock is disabled until the passcode has been entered. Power your phone and laptop off before approaching the border.
- Disable biometric unlock for the duration of the journey. Compelling a passcode is a separate legal step from compelling a fingerprint.
- Memorise a lawyer's number. The right of access to a solicitor under Schedule 7 is real, but officers are not always quick to offer it.
- Comply, then complain. Refusing to provide a password is a separate offence under Schedule 7. The right move is to comply and pursue redress through your lawyer afterwards — including, where appropriate, complaints to the Investigatory Powers Tribunal.
- Assume the device is no longer trusted after any Schedule 7 detention. Wipe and reinstall before reusing.
Social media
- Audit your privacy settings annually on every platform.
- Do not post photos of children, your home exterior, your car, your route to work, or your habitual locations and times.
- Strip EXIF metadata from photos (most platforms do this but Bluesky historically did not).
- Assume that "private" accounts are private from casual observation only. They are not private from a determined adversary, the platform, or law enforcement with a court order.
- Geotagging off everywhere by default.
UK helplines and specialist resources
- Refuge — Tech Safety: refugetechsafety.org — for survivors of domestic abuse facing digital surveillance.
- National Domestic Abuse Helpline: 0808 2000 247 (free, 24/7) — nationaldahelpline.org.uk.
- Suzy Lamplugh Trust — National Stalking Helpline: 0808 802 0300 — suzylamplugh.org.
- Galop — LGBT+ anti-violence charity: 0800 999 5428 — galop.org.uk.
- Protect — whistleblowers: 020 3117 2520 — protect-advice.org.uk.
- Liberty — civil-liberties advice and casework: libertyhumanrights.org.uk.
- Privacy International — strategic litigation, technical research: privacyinternational.org.
- Big Brother Watch — campaigns and casework on UK surveillance: bigbrotherwatch.org.uk.
- Open Rights Group — UK digital-rights membership organisation: openrightsgroup.org.
- Green & Black Cross — protest legal support: greenandblackcross.org.
- NCSC Cyber Aware — official UK government baseline guidance: ncsc.gov.uk/cyberaware.
- EFF Surveillance Self-Defense — the canonical deeper resource: ssd.eff.org.
When to talk to a lawyer
Anything in this list — talk to a lawyer first, before acting:
- You are a journalist preparing to publish material that may attract a Section 49 RIPA notice, a section 5 Official Secrets Act 1989 prosecution, or a contempt-of-court application.
- You have been served with a Section 49 notice, an Investigatory Powers production order, a search warrant, or a Schedule 7 detention notice.
- You are a whistleblower preparing a disclosure that may engage the Official Secrets Acts, the Computer Misuse Act 1990, or PIDA.
- You have been arrested at a protest and are out on bail.
- You are a survivor in litigation against a current or former partner where your communications may be in scope.
- You are an at-risk professional who has been the subject of unusual interest from the state — official approaches at conferences, unexpected security-vetting outcomes, suspected device compromise.
Specialist UK firms exist for each of these. The Law Society directory is the starting point for finding one; the specialist organisations listed above can recommend lawyers they have worked with.
What this page isn't
This page is a starting point, not a substitute for the deeper resources it links to. The EFF SSD is more comprehensive on tools. Refuge and Suzy Lamplugh are more specialised on survivor situations. Liberty, Privacy International, and Big Brother Watch are more authoritative on UK law and casework. A lawyer will know your specific situation in ways this page cannot.
It is also not legal advice. The legal observations above are accurate to the best of my knowledge as a practitioner who has been working in cyber security since 1996, and as someone who has been involved in privacy advocacy for nearly as long — but I am not a barrister, not a solicitor, and the law moves. Use this page to know the right questions to ask. Use a lawyer to get the right answers for your specific circumstance.
See also: Privacy hub · OSINT self-audit · PGP primer · What I use · Encrypted contact.