Think back to 2015. You likely had a different phone, a different hairstyle, and maybe even a different job. But if you’re like 60% of people today, you are likely still using the exact same password strategy you used a decade ago.
At Defenders Protection Initiative, we’ve seen how the digital landscape in Uganda has shifted. From the implementation of the Data Protection and Privacy Act to the rise in sophisticated phishing targeting Human Rights Defenders, the stakes have never been higher.
The uncomfortable truth? While we’ve upgraded our gadgets, our “digital front doors” – our passwords – are still using 2015 locks in a 2026 world of high-tech “digital crowbars.”
Why “Complexity” is a Myth
For years, we were told to use things like P@$$w0rd123!. We thought we were being clever. We weren’t.
Modern hackers aren’t guessing your password; they use Graphics Processing Units (GPUs) that can test billions of combinations per second. To a computer, “P@$$w0rd” is just as easy to crack as “password.” The real danger today isn’t just a lack of symbols; it’s reused habits. If you use the same password for your work email as you do for your Netflix or Jumia account, you aren’t just at risk—you are an open door.
The New Rules of the Game
For Civil Society Organizations and HRDs in Uganda, a compromised account isn’t just an inconvenience; it puts sensitive data, sources, and safety at risk. Here is how to evolve:
1. Length is King (The Passphrase Shift): Forget “passwords.” Start using Passphrases. A string of four or five random words like Boda-Mango-Sky-Table-Blue is nearly impossible for a computer to crack but incredibly easy for you to remember.
2. Stop Being Your Own Vault: You shouldn’t know your passwords. Use a Password Manager. It generates unique, unbreakable codes for every site and stores them behind one master key.
3. The “Second Lock” (MFA): Multi-Factor Authentication (MFA) is your best friend. Even if a hacker steals your password, they can’t get in without the code sent to your phone or app. Think of it as a deadbolt on your digital door.
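Why a symbol-swapped dictionary word falls quickly while a random-word passphrase does not, shown as an added example that is not part of the original post. The word list, the common-password set and the guess rate of 10 billion per second are constructed assumptions for illustration.

```python
import math
import secrets

# Constructed demo word list (32 entries) so the block runs offline.
# Assumption: real use draws from a large published list, e.g. 7,776 words.
DEMO_WORDS = [
    "boda", "mango", "sky", "table", "blue", "river", "drum", "maize",
    "lamp", "stone", "cloud", "goat", "bridge", "sugar", "window", "forest",
    "market", "candle", "basket", "thunder", "pepper", "ladder", "harbor", "violet",
    "copper", "garden", "pillow", "rocket", "salmon", "tunnel", "walnut", "zebra",
]

# Constructed stand-in for the common-password lists that guessing starts from.
COMMON_PASSWORDS = {"password", "welcome", "qwerty", "letmein", "sunshine"}

# Symbol-for-letter swaps, mapped back to the letters they replace.
UNLEET = str.maketrans({"@": "a", "$": "s", "0": "o", "1": "l",
                        "3": "e", "4": "a", "5": "s", "7": "t"})

SECONDS_PER_YEAR = 365.25 * 24 * 3600


def reduces_to_common(password):
    """True if the password is a common word once trailing digits/symbols
    are dropped and symbol swaps are undone (what 'complexity' usually is)."""
    core = password.rstrip("0123456789!?.#*")
    return core.lower().translate(UNLEET) in COMMON_PASSWORDS


def passphrase_bits(num_words, list_size):
    """Entropy in bits of num_words drawn uniformly at random from a list."""
    return num_words * math.log2(list_size)


def generate_passphrase(words, num_words=5, sep="-"):
    """Pick words with the OS CSPRNG; humans choosing 'random' words are not random."""
    return sep.join(secrets.choice(words).capitalize() for _ in range(num_words))


def years_to_exhaust(bits, guesses_per_second):
    """Time to try every candidate in a 2**bits search space."""
    return (2 ** bits) / guesses_per_second / SECONDS_PER_YEAR


if __name__ == "__main__":
    rate = 1e10  # assumed guess rate, in line with "billions per second"
    for candidate in ("P@$$w0rd123!", "password", "Boda-Mango-Sky-Table-Blue"):
        print(f"{candidate!r}: reduces to a common password = "
              f"{reduces_to_common(candidate)}")
    print("example passphrase:", generate_passphrase(DEMO_WORDS))
    for size in (len(DEMO_WORDS), 7776):
        bits = passphrase_bits(5, size)
        print(f"5 words from a {size}-word list: {bits:.1f} bits, "
              f"{years_to_exhaust(bits, rate):.2e} years to exhaust")
```

The strength comes from the size of the list and the randomness of the draw, not from the words themselves: five words from the 32-word demo list give only 25 bits, while the same five draws from a 7,776-word list give about 64.6 bits.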
Taking Action: Beyond the Screen
At DPI, we believe that digital security complements physical security. Protecting your data is protecting your mission.
Audit Your Team: When was the last time your organization updated its digital hygiene policy?
Get Trained: DPI offers Digital Security Clinics specifically designed for Ugandan CSOs to navigate these threats.
Don’t let 2015 habits jeopardize your 2026 impact. The hackers have upgraded; it’s time you did too.
Across social media platforms, caricature portraits and AI-generated avatars have quickly become a popular way for people to express themselves online. From activists and professionals to young girls exploring identity in digital spaces, many users are embracing these stylized images as profile photos or storytelling tools. While the trend looks creative and empowering on the surface, it also raises important questions about digital safety, privacy, and online protection.
A New Layer of Digital Identity
Caricatures allow individuals to present a version of themselves that feels artistic and less exposed than a real photograph. For many women and young users, especially those navigating online harassment or public visibility, avatars can feel safer. They create a sense of distance between personal identity and public presence while still allowing creativity and confidence to shine.
However, digital safety experts caution that caricatures do not always guarantee anonymity. Even stylized images may reflect recognizable features such as hairstyles, skin tone, or cultural symbols. When combined with usernames, captions, or location tags, it becomes easier for someone to connect the avatar back to a real person. This can create a false sense of privacy, where users share more information than they normally would.
The Hidden Risk of Facial Data
Many caricature tools require users to upload several photos to generate their artwork. These images may be processed by artificial intelligence systems, and sometimes stored on external servers. If the platform’s privacy policies are unclear, users may unknowingly give away biometric information such as facial structure or expressions.
For digital rights advocates, this raises concerns about data ownership and consent. Young people and first-time users may not fully understand how their images are used beyond creating a cartoon portrait. Over time, repeated uploads to different apps can expand someone’s digital footprint and increase exposure to data collection practices.
Identity Misuse and Online Harassment
Another growing concern is the potential misuse of caricatures. Screenshots or downloaded avatars can be edited or reposted without permission, which may lead to impersonation or misleading content. In online spaces where women, journalists, or activists already face targeted harassment, even a stylized image can become a tool for unwanted attention.
Digital safety practitioners emphasize the importance of maintaining control over how images are shared. Simple actions such as using trusted platforms, adjusting privacy settings, and avoiding oversharing personal details can reduce risks.
A Positive Opportunity for Protection
Despite these challenges, caricatures can also support safer online engagement when used intentionally. Some advocates choose illustrated avatars instead of real photos to lower direct identification risks. Organizations working with young girls or community leaders have also used caricatures to represent participants without exposing their real faces publicly.
The key difference lies in awareness and informed choice. When users understand the digital implications behind the trend, caricatures can become a creative safety tool rather than a vulnerability.
Building a Culture of Digital Awareness
As the caricature trend continues to grow, conversations around digital safety must grow alongside it. Encouraging users to read app permissions, understand data privacy, and think critically about online identity can help create a safer digital environment.
Caricatures are more than just a social media trend; they are part of how people shape identity and community online. By balancing creativity with caution, individuals and organizations can enjoy the benefits of this artistic movement while protecting privacy, dignity, and security in digital spaces.
In our line of work as human rights defenders, secure communication is not just a convenience, it is a necessity. For many of us, WhatsApp and Telegram are lifelines for organizing, documenting, and protecting those at risk. However, as our reliance on these platforms grows, so does the sophistication of those who seek to silence us.
At DPI, we have observed a sharp rise in account hijacking that doesn’t rely on complex hacking, but on social engineering. Attackers are now tricking users into “inviting” them into their accounts through legitimate features like device linking and mini-apps.
How the Attacks Work: Exploiting Trust
1. WhatsApp: The “GhostPairing” Trap
The most prevalent new threat is called “GhostPairing.” It exploits WhatsApp’s “Linked Devices” feature, which usually allows you to use WhatsApp on your computer.
The Bait: You receive a message from a trusted contact (whose account is already compromised) saying something like, “Is this you in this photo?” with a link.
The Trick: Clicking the link takes you to a fake page that looks like Facebook or a photo viewer. It asks for your phone number to “verify” you.
The Hijack: The attacker uses your number to request an official WhatsApp pairing code. They then display this code on the fake website and ask you to enter it into your WhatsApp app. Once you do, you have unknowingly authorized the attacker’s browser as a “linked device.” They now have full access to your chats and media in real-time while your phone continues to work normally.
2. Telegram: The “Mini-App” Phishing Lure
Telegram’s “Mini Apps”, programs that run directly inside the chat interface, are being abused because they lack a strict vetting process.
The Bait: You might see an “airdrop” or a “gift” offer from what appears to be a legitimate channel or celebrity.
The Trick: When you open the Mini App, it looks official because it’s inside the Telegram interface. It prompts you to “log in” by entering your phone number and 2FA code directly within the app.
The Hijack: Since the app is malicious, the attacker captures your credentials immediately. Because these apps don’t open in an external browser, users are often less suspicious, assuming Telegram has “verified” the app.
The Remedies: Hardening Your Digital Defense
To protect your work and your network, we recommend implementing these immediate security measures:
Audit Your Sessions Regularly: This is your first line of defense.
WhatsApp: Go to Settings > Linked Devices. If you see a device or browser you don’t recognize (e.g., “Google Chrome on Windows” when you only use a Mac), log it out immediately.
Telegram: Go to Settings > Devices. Terminate any sessions that aren’t yours. Use the “Automatically terminate old sessions” setting for added safety.
Enable Two-Step Verification (2SV): Set a custom PIN that must be entered when registering your number on a new device. This prevents attackers from taking full control even if they have your SMS code.
Trust the Platform, Not the Link: Official platforms will never ask you to enter a pairing code or OTP into an external website or a third-party Mini App.
Verify Offline: If a colleague or contact sends an urgent or strange link, call them on a traditional phone line to confirm they actually sent it before clicking.
Use Passkeys: Where available, set up Passkeys (biometric login) which are significantly more resistant to phishing than SMS codes.
The digital space is a critical arena for human rights work. By staying vigilant and securing our accounts, we ensure that our voices remain loud and our data remains safe. If you suspect your account has been compromised or need further training, reach out to us at Defenders Protection Initiative.
For a long time, cyber attacks were associated with governments, big corporations, and major institutions. Small civil society organisations were often overlooked. They were seen as too small to matter, too insignificant to target.
That reality has changed.
Across Uganda and the wider region, Defenders Protection Initiative (DPI) is witnessing a steady rise in cyber attacks against small and medium-sized CSOs. These organisations, often operating with limited budgets and small teams, have become attractive targets for a wide range of actors.
Understanding why this is happening is the first step toward defending against it.
Small CSOs hold powerful information
Even the smallest organisation often manages sensitive data:
Lists of beneficiaries
Testimonies from survivors
Reports on abuses
Donor records
Financial documents
Contact details of activists
Internal strategies
For adversaries, this information is valuable. It can be used to intimidate individuals, disrupt projects, discredit organisations, or manipulate communities.
An attacker does not need to break into a ministry database if they can access the same information through a poorly protected NGO system.
Limited resources create easy entry points
Most small CSOs operate under serious financial pressure. They prioritise programme delivery over infrastructure. As a result:
Old laptops remain in use for years
Software updates are delayed
Free hosting is used without security support
Shared passwords become normal
Backups are neglected
Technical support is outsourced irregularly
These conditions create weak points that attackers easily exploit.
In many cases, a simple phishing email is enough to compromise an entire organisation.
Digital attacks are cheaper than physical repression
Targeting an organisation physically attracts attention and international scrutiny. Digital attacks are quieter and cheaper.
With minimal resources, an attacker can:
Take over email accounts
Delete important files
Monitor communications
Spread false information
Block access to systems
Leak internal documents
These actions weaken organisations without creating obvious evidence of repression.
For hostile actors, this is efficient and low-risk.
Small organisations are closer to communities
Grassroots CSOs often work directly with affected populations: land defenders, women’s groups, journalists, informal workers, and displaced communities.
This closeness makes them strategically important.
When a small organisation is compromised:
Communities lose trust
Beneficiaries become afraid
Documentation stops
Advocacy slows down
Networks fragment
By targeting small organisations, attackers disrupt entire ecosystems of activism.
The human factor remains the biggest risk
Most successful attacks do not begin with advanced hacking tools. They begin with human interaction.
We commonly see:
Fake donor emails requesting documents
Impersonation of partners
Messages pretending to be from management
“Urgent” compliance notices
Fake job offers or training invitations
Staff members, under pressure and working with limited support, respond quickly. One click can open the door to attackers.
This is not carelessness. It is a result of overwork and inadequate training.
Why awareness alone is not enough
Many organisations are now aware of cyber risks. Awareness, however, does not automatically translate into safety.
Without systems, awareness fades.
Effective protection requires:
Clear digital security policies
Defined access levels
Regular training
Incident response procedures
Secure backups
Leadership commitment
Budget lines for security
Security must be institutionalised, not improvised.
DPI’s approach to protecting small CSOs
At DPI, our work goes beyond emergency response. We focus on building long-term resilience.
Our approach includes:
Digital security assessments
Tailored trainings
Website and infrastructure hardening
Incident response support
Staff mentoring
Policy development
Network-based protection models
We work with organisations to strengthen their systems in ways that fit their realities.
There is no one-size-fits-all solution.
What small CSOs can start doing today
Every organisation, regardless of size, can begin with these steps:
Use strong, unique passwords and a password manager
Enable two-factor authentication on all major accounts
Separate personal and organisational devices
Update systems regularly
Set up automatic backups
Limit access to sensitive files
Document who controls what
Train staff at least once a year
Create a simple incident response plan
Know where to seek help
These actions are practical, affordable, and effective.
Conclusion: Security is now part of sustainability
Sustainability is not only about funding and programmes. It is also about protection.
An organisation that cannot protect its data, staff, and communications cannot sustain its work.
As digital threats continue to evolve, small CSOs must adapt. With the right support, systems, and mindset, they can remain strong, credible, and resilient.
DPI remains committed to walking this journey with civil society organisations, ensuring that defenders are not left alone in the digital battlefield.
In October 2025, our team had the honor of participating in DataFest Africa 2025, organised by Pollicy, one of the continent’s leading convenings on data, technology, and innovation. As part of this vibrant gathering of technologists, researchers, civil society actors, policymakers, and creatives, we hosted a Digital Security Clinic, offering on-site support, guidance, and practical tools to participants navigating today’s fast-evolving digital landscape.
Why the Clinic Mattered
As digital spaces continue to expand across Africa, so do the risks that come with them, including data misuse, online harassment, cyberstalking, image-based abuse, misinformation, account takeovers, and digital surveillance. For many activists, journalists, developers, and young innovators attending DataFest, these threats are not abstract; they are lived realities that affect their work, mental well-being, and personal safety.
Our clinic was designed as a safe, confidential, and responsive support space where participants could:
Seek one-on-one guidance on digital security and privacy
Report or discuss technology-facilitated gender-based violence
Get support on securing devices, accounts, and data
Receive mental health referrals and psychosocial first support after online abuse
Learn practical safety strategies for their work and activism
What We Offered on the Ground
Throughout the festival, our team provided:
Personalized digital risk assessments
Guidance on strong passwords, two-factor authentication, and safe browsing
Support on responding to online harassment, doxxing, and impersonation
Advice on safe content creation and data protection
Updated and genuine software such as antivirus, MS Office, and MS Word
Referral to trusted psychosocial and legal response partners where needed
Participants included women in tech, youth innovators, journalists, human rights defenders, researchers, and community organizers, many of whom were encountering structured digital safety support for the first time.
Key Reflections from the Clinic
Several key themes emerged from our engagement:
Online harm is deeply connected to offline safety, livelihoods, and mental health.
Many participants had experienced harassment, impersonation, or extortion but had never received professional support.
There is a strong demand for localized, continuous digital safety clinics, not just one-off trainings.
Women and young people remain disproportionately impacted by online violence and data misuse.
Building Resilient Digital Communities
Our presence at DataFest Africa 2025 reaffirmed the urgent need to move beyond awareness-raising alone. Safety must be practical, accessible, survivor-centered, and embedded into innovation spaces. Digital rights, data protection, and online wellbeing are not optional add-ons; they are essential foundations for meaningful participation in the digital economy.
By hosting this clinic, we demonstrated that large tech and data convenings can and should integrate real-time protection and support mechanisms alongside conversations on innovation, AI, governance, and development.
Masterclass: Shaping Youth Futures Through Digital Ownership
In addition to the digital safety clinic, we hosted a featured masterclass titled “Shaping Youth Futures Through Digital Ownership” at the National ICT Innovation Hub, Nakawa. The session brought together young people, innovators, and ecosystem actors to explore how digital ownership can unlock opportunity, protection, and economic independence for African youth. Participants engaged deeply with what digital ownership truly means in today’s platform-dominated economy, emphasizing the importance of owning data, digital skills, content, and platforms as a foundation for sustainable digital participation.
The masterclass examined how young people can transition from being passive digital consumers to empowered digital creators and owners, while critically reflecting on the risks of digital exploitation, platform dependence, and unsafe monetization. It further highlighted the role of policy, infrastructure, and community networks in protecting young digital entrepreneurs. The session was co-led by Noelyn Nassuuna, Raymond Amumpaire, and Owilla Abiro Mercy, who collectively challenged participants to think beyond access toward control, agency, safety, and sustainability in the digital economy.
Looking Ahead
Following DataFest Africa 2025, we are strengthening our:
Mobile digital safety clinics
Survivor-centered referral pathways
Youth and women-focused digital resilience programming
Partnerships with tech platforms, mental health professionals, and legal responders
We remain committed to ensuring that no one has to choose between visibility and safety, innovation and wellbeing, or participation and protection in digital spaces.
During the 16 Days of Activism, we are starkly reminded that violence against women does not begin or end offline. It follows them into their phones, their social media accounts, and every digital space where they speak, work, lead, or express themselves. In Uganda, women journalists, politicians, activists, and even students are facing a rising wave of online attacks that are not simply rude comments but deliberate efforts to silence, intimidate, and erase them from public life.
These attacks take an emotional, psychological, and professional toll. They push many into self-censorship, and some into withdrawal entirely, a process that weakens civic participation and harms democracy for everyone.
The New Digital Battlefield: Understanding Online GBV
Today, online gender-based violence (OGBV) has taken new forms that are faster, more invasive, and often anonymous. The attacks are rarely random; they are tools used to control women’s participation in leadership, public discourse, and community organizing. When a woman is silenced online, her influence in other spaces also shrinks, which affects the entire civic space.
Types of Attacks Women Commonly Face:
Harassment, insults, threats, and humiliating messages.
Doxxing, where private information is leaked to intimidate.
Non-consensual intimate imagery and sexualized abuse.
Impersonation on social media to spread misinformation or damage reputations.
AI-generated deepfakes targeting women in politics or media.
Manipulated photos and voice notes meant to scandalize or shame.
Targeted phishing attacks disguised as personal or work-related messages.
Cyberstalking and obsessive monitoring of online activity.
Lastly, trolling and coordinated swarming, where large groups are mobilized to overwhelm a woman’s account with abusive content, making platforms unusable.
Empowerment in Action: DPI’s Practical Safety Toolkit
Defenders Protection Initiative continues to meet women who feel overwhelmed by online harassment but are unsure where to begin or how to protect themselves. Strengthening digital safety is not just a technical process; it is an act of empowerment and resilience-building. Practical tools and safer habits can drastically reduce exposure to attacks and increase women’s confidence as they navigate digital spaces.
Useful Tools and Practices Women Can Adopt:
Category | Tool/Practice | Benefit
Secure Communication | Signal, Proton Mail | Safer, encrypted communication and private email.
Password & Access | Bitwarden, Two-factor authentication (Aegis, Authy, Google Authenticator) | Managing strong, unique passwords and preventing unauthorized account access.
Privacy & Anonymity | Brave Browser, Tor Browser | Improved anti-tracking protection and anonymity for high-risk users.
Verification & Reporting | InVID, Deepstar and Reality Defender | Tools for verifying deepfakes or manipulated images before spreading them.
Platform Settings | Regularly updating social media privacy settings, restricting who can tag or message you, and turning off real-time location sharing on all platforms. | Taking ownership of your digital boundaries.
Documentation | Time-Stamped Evidence: Document harmful posts using screenshots and URLs, ensuring dates and times are clearly captured for legal reporting. | Crucial for Legal Action: Provides the verifiable, immutable evidence needed for platform reporting, legal proceedings, and engaging with law enforcement or human rights bodies.
Responding to online abuse requires preparation and community. Beyond the tools, women should be empowered to report using platform tools, block accounts that escalate harassment, and seek support from trusted networks or institutions.
A Shared Responsibility for a Safer Digital World
Online violence thrives in silence, which is why the 16 Days of Activism is a powerful reminder that protecting women’s voices is a shared responsibility.
At DPI, we continue to provide digital security training, digital forensics, account-recovery assistance, and psychosocial referrals so that no woman has to face OGBV alone.
But the fight is bigger than us:
Organizations must invest in digital safety policies and provide robust HR support for targeted staff.
Men must actively challenge harmful online behavior and report abuse when they see it.
Platforms must strengthen their moderation systems and hold abusers accountable.
And as a community, we must make the internet a place where women feel safe enough to lead, express themselves, and participate fully.
A safer digital world is possible, but only if we work together to create it.
We urge you to share this post and commit today to challenging digital violence. #EndDigitalGBV #16DaysOfActivism
Welcome to Digital Defense Freeze, an interactive Cyber Risk Traffic Light Game designed to sharpen rapid decision-making, strengthen teamwork, and build practical threat-analysis skills for CSOs, journalists, activists, and human rights defenders.
In today’s rapidly evolving digital landscape, every online action carries some level of risk. This game helps participants practice identifying threats, debating complex scenarios, and choosing the safest path forward using the familiar Green, Amber, and Red traffic-light system.
Through realistic, high-pressure situations drawn from our civic space in Uganda, teams will think critically, argue their positions, and learn how to move from guesswork to informed security judgments.
Get ready to assess, debate, decide, and freeze when the risks spike!
This September, Defenders Protection Initiative (DPI) proudly joined digital rights defenders, technologists, and changemakers from across Africa and beyond at #FIFAfrica25 in Windhoek, Namibia. But this wasn’t your typical conference; it was an immersive journey through the digital challenges facing human rights defenders today.
CIPESA’s Internet Freedom Maze turned abstract cybersecurity concepts into visceral, first-hand experiences. DPI was honored to take part in two critical spaces within this experience:
Zone 1 – The Trap of Uncertainty, and
The Digital Security Citadel, a live, hands-on tech corner of the exhibition.
Zone 1: Phishing, Power, and Practicality
At the heart of the maze stood Zone 1: The Trap of Uncertainty, where participants were confronted with a question we all should ask more often: “Am I truly safe online?”
DPI’s Communications Executive, Noelyn Nassuuna, alongside Ogira Charles Donaldson, a member of the Digital Security Alliance hosted by DPI, led this space with thought-provoking simulations and real-time awareness-building. They guided participants through phishing simulations where QR codes led to realistic scam scenarios. It was a mirror into our digital behaviors, forcing participants to pause, reflect, and often realize they weren’t as secure as they thought.
To support learning beyond the simulation, DPI distributed custom-designed IEC materials, including ring cards with easy-to-understand security tips, tool recommendations, and practical digital hygiene reminders. These materials proved to be not just souvenirs but starter kits for better online habits.
At the Citadel: DPI’s Digital Doctors in Action
While Zone 1 tested instincts, the Digital Security Citadel gave participants tools and knowledge to strengthen those instincts.
Here, DPI’s Fred Drapari (ICT Executive) joined a team of digital security “doctors” including:
Gole Andrew, who impressively rode a motorcycle all the way from Uganda to Namibia in the name of digital resilience,
Hapee De Groot, a long-time digital security ally whose practical support and insight added great value,
Brian Byaruhanga from CIPESA, and
Several other seasoned practitioners from the Digital Security Alliance.
The Citadel offered:
Hands-on demos of Microsoft Office security settings
Guided installs and education around tools like Kaspersky antivirus and Bitdefender Security, among others
Walkthroughs of encrypted messaging, password management, and 2FA
A rerun of the phishing simulation for those who missed Zone 1 or wanted to try again
It wasn’t just a tech station; it was a real-time consultation corner where participants could ask, test, fail, learn, and try again.
Building Connections Beyond the Booth
FIFAfrica25 wasn’t only about simulation and tech; it was about connection and collaboration.
At both the Maze and the Citadel, DPI engaged with:
Funders and donor agencies interested in expanding the reach of digital protection work
Civic actors and journalists facing similar threats across the continent
Techies and tool builders contributing to the ecosystem of safe digital activism
From spontaneous hallway conversations to deeply technical Citadel demos, every interaction reinforced a shared vision: digital resilience is no longer optional – it’s essential.
What We’re Taking Home
As DPI returns home from Windhoek, we do so with renewed clarity and purpose. We plan to:
Expand the phishing simulation quiz into a broader campaign across civil society and media spaces
Print more of our IEC ring cards for wider distribution
Integrate new toolkits and tactics into our ongoing Digital Security Clinics and Bootcamps
Strengthen our collaborations with fellow Digital Security Alliance members and regional partners
FIFAfrica25 reminded us that defending the defenders is not just a slogan: it’s a strategy that requires tools, creativity, and deep community.
Women journalists and women politicians increasingly operate in hostile digital and political environments where online harassment, surveillance, legal intimidation, and psychological pressure are becoming routine. To respond to these risks, Defenders Protection Initiative (DPI), in partnership with Pollicy, with support from Urgent Action Fund, conducted two tailored two-day capacity-building trainings focused on digital safety, legal implications and compliance, and mental health.
The trainings were delivered separately for women journalists and women politicians, recognising the distinct risk landscapes they navigate while grounding both engagements in shared principles of safety, rights protection, and resilience.
Addressing Real and Escalating Digital Threats
Participants shared experiences of online harassment, coordinated smear campaigns, account takeovers, surveillance, doxxing, and threats that often translate into offline harm. These attacks undermine professional work, personal safety, and emotional well-being. The trainings were designed to be practical and grounded, equipping participants with tools and strategies they could immediately apply in their work and daily lives.
Key Focus Areas of the Trainings
Over the two days, the sessions combined technical learning, legal literacy, and psychosocial support through interactive and participant-centred approaches:
1. Digital Safety Tools and Practices
Participants were introduced to safe and trusted digital tools for secure communication, strong account protection, password management, and safe data handling. Hands-on exercises supported participants in assessing personal and organisational risk and adopting safer digital practices without fear or overwhelm.
2. Legal Implications and Compliance
The training unpacked relevant legal and regulatory frameworks affecting digital engagement, journalism, and political participation. Participants explored compliance obligations, responsible online conduct, and ways to protect themselves legally while continuing to exercise freedom of expression and civic participation.
3. Mental Health and Psychosocial Well-Being
Recognising the emotional toll of digital attacks, dedicated sessions focused on mental health, burnout, and collective care. Participants discussed coping mechanisms, peer support, and referral pathways for psychosocial and mental health support, reinforcing the importance of well-being as a core component of protection.
Creating Safe and Supportive Learning Spaces
DPI intentionally created safe, feminist, and survivor-centered spaces where women could share their experiences openly, learn collectively, and rebuild their confidence. The approach affirmed that digital safety is not only technical or legal but also deeply linked to dignity, agency, and mental well-being.
Outcomes and the Way Forward
By the end of the training, participants reported increased confidence in:
Using secure digital tools and safer online practices
Understanding legal risks and compliance responsibilities
Responding to online harassment and intimidation
Prioritising mental health and seeking support when needed
Through collaboration with Pollicy and the support of the Urgent Action Fund, DPI delivered a holistic intervention that recognises digital safety, legal protection, and mental health as interconnected pillars for women’s participation in journalism and politics.
Defenders Protection Initiative remains committed to strengthening the safety, resilience, and leadership of women human rights defenders, journalists, and political actors, ensuring they can continue to engage in public life safely, confidently, and with dignity.
By Helen Namyalo Kimbugwe and Noelyn Tracy Nassuuna
In today’s world, where our entire lives are condensed into handheld devices, the smartphone has become both an incredible tool and a significant vulnerability. For human rights defenders, journalists, and civil society actors in East Africa, the risks associated with carrying sensitive data are rapidly growing. With increasing surveillance, political repression, and data harvesting by authorities, especially across borders, your phone could expose you to threats you never imagined.
Recent developments in East Africa, particularly in Uganda, Kenya, Rwanda, and Tanzania, reflect an alarming pattern. Border officials are increasingly asking travellers to unlock their phones. In some cases, they take the devices into another room, copy data, and return them 15 to 30 minutes later. This includes access to your photos, messages, apps, call logs, contacts, emails, and even deleted files. For many travellers, especially those involved in activism or advocacy, this kind of intrusion can lead to harassment, arrest, or worse.
Thankfully, there are digital privacy measures you can take to stay ahead. For example, if you’re using GrapheneOS on a Google Pixel device, there’s an advanced feature called “duress mode.” This allows you to set up a special PIN code that, when entered under pressure, instantly wipes your phone. iPhones don’t offer the same feature, but you can enable the “Erase Data” option, which wipes the device after 10 failed passcode attempts. It’s not as powerful, but it still adds a layer of defence.
A simple yet effective tip: Always use a six-digit passcode instead of four. If you’re worried about forgetting it, you can repeat your four-digit PIN twice—it’s still significantly more secure. Biometrics like fingerprints and face unlock should be avoided while traveling, as authorities can forcibly use them to unlock your device without your consent.
One of the most critical steps you can take is to carry a clean “travel phone.” This is a secondary device that contains only the most essential apps and information—no personal messages, photos, or documents that could be used against you or your networks. Log out of all your email, banking, and social media apps before reaching a border checkpoint. Better yet, delete them temporarily and reinstall later when safe. If you must travel with your primary phone, ensure that it is encrypted. While most modern smartphones are encrypted by default, verifying this in your device settings is important. Although disabling automatic cloud backups (e.g., Google Drive, iCloud, WhatsApp) can be inconvenient, it is a critical step for maintaining data security. Where feasible, back up your data in advance, securely wipe your device before departure, and only restore the information once you are in a trusted and secure environment.
Secure messaging apps like Signal or Briar are highly recommended. Signal offers end-to-end encrypted messages with disappearing message options, while Briar works without internet access by connecting devices over Bluetooth, which is useful when networks are shut down or compromised. For browsing, Tor Browser and Brave can help mask your digital footprint, and VPNs like Proton VPN protect your IP address and data from being intercepted.
Another lesser-known threat while travelling is using other people’s laptops, power banks, or public USB charging stations to charge your phone. A cybersecurity expert, @MG, recently shared on X that it’s possible to embed malicious hardware in seemingly ordinary charging cables, allowing attackers to silently install spyware or steal data through the simple act of charging.
“Every time I travel, I let people charge their devices. Totally harmless. They never know who I am or what I normally do with USB cables, but maybe one day. This lady’s phone died a few minutes into a 5-hour flight. I just wanted her to enjoy her time.”
While this risk is more prevalent in high-surveillance environments or with targeted individuals, East Africa’s tightening political environment means these kinds of attacks are no longer theoretical. Always carry your own power bank and wall plug, and avoid plugging into unknown USB ports or borrowed devices.
In East Africa, it’s not just border crossings where your phone is vulnerable. Internal roadblocks, especially in Uganda, are notorious for phone checks and random inspections. Renaming your contacts with neutral identifiers (e.g., changing “Lawyer” to “Uncle Ben”) can reduce suspicion if your contact list is scrutinized. Documenting human rights violations or organizing protests should be done with tools like ObscuraCam, which can anonymize people in images and secure your data.
All of these precautions may seem extreme, but they reflect the reality of an increasingly hostile digital environment. In the wake of laws such as the Computer Misuse Act and during times of election unrest or crackdowns on civil society, having activist materials or politically sensitive content on your phone can lead to detention or deportation. Even if you’re not the direct target, your phone may contain information that puts others at risk.
This isn’t about paranoia; it’s about preparedness. Just as you wouldn’t hand your passport to a stranger, you shouldn’t let your phone become an open book to authorities or unknown devices. Your smartphone is a window into your work, identity, and community. In the wrong hands, it becomes a weapon.
As you plan your next cross-border trip, whether for a workshop, a conference, vacation, a protest, or a field visit, take these precautions seriously. Train your team, update your digital safety practices, and always assume your device may be searched.
In the end, digital security is not a luxury. It is survival. Protect your data like your passport. Because in East Africa’s shifting political terrain, your privacy may just be your best defense.