EFF Surveillance Self-Defense

EFF Surveillance Self-Defense is the canonical threat-model-driven OPSEC reference — a free, public-domain guide maintained by the Electronic Frontier Foundation that teaches privacy practitioners how to think about threats first and then apply tooling appropriate to those threats. Listed at Grade A · editor's pick because SSD occupies a structurally unique position: it's not a tool, not a wallet, not a service — it's the mental framework behind every privacy decision the rest of this directory documents. Mandatory reading for anyone starting privacy work, and a periodic re-read for anyone who's been at it for years.

Background. Surveillance Self-Defense was launched by the Electronic Frontier Foundation (EFF) in 2009 and has been continuously updated since. The EFF itself has been operating since 1990 — one of the longest-running digital rights organisations in the world — and SSD is one of their flagship public-education resources. Domain: ssd.eff.org. License: content is published under Creative Commons (CC BY 4.0) — meaning the guides can be freely shared, translated, and adapted. Languages: SSD is translated into 13+ languages including Spanish, Arabic, Russian, Mandarin, Vietnamese, Turkish, and more — explicitly chosen to serve activists, journalists, and human-rights workers in regions where the threat-model framing matters most. Maintainership: ongoing updates by EFF's technologist staff; revision history is transparent (you can see when each guide was last updated). No commercial pressure — EFF is donor-funded; SSD has no advertising, no upsell, no SaaS product attached.

What you trust. EFF organisational track record — 35+ years of digital rights advocacy with public legal track record (lawsuits against NSA mass surveillance, court briefs on encryption policy, EFF-led research on commercial tracking). Threat-model-first methodology — SSD teaches users to ask "what am I protecting? from whom? at what cost?" before picking tools. This is the foundational discipline that separates effective OPSEC from "I downloaded a privacy app, now I'm safe." Tool-agnostic core — SSD recommends specific tools but the methodology is tool-independent; the guides survive product churn (when Signal changes UX, when a recommended tool gets acquired, when something new launches) because they teach how to evaluate tools, not which specific button to click. Translated by regional partners — many translations are done by regional activist organisations who understand the local threat landscape; the Arabic, Mandarin, Russian, and Vietnamese translations are particularly well-maintained. What you don't trust: SSD is education, not a service — it doesn't host your data, doesn't run software for you, doesn't track you. EFF's US jurisdiction is a factor for some threat models — EFF is based in San Francisco and subject to US law; the content of SSD is universally usable, but EFF as an organisation could theoretically receive US legal pressure (though its lawsuits-against-NSA track record suggests it would resist).

Operational specs. Format: web-based guides + downloadable PDFs for offline use. Sections: Basics (foundational concepts: what is encryption, what is metadata, why threat modelling matters), Tool Guides (specific tools: how to use Signal, how to use Tor Browser, how to encrypt your email), Further Learning (deeper reading on cryptography, surveillance studies, digital rights), Glossary (~100 privacy/security terms defined clearly). Threat-model framing: every guide opens with "this guide is for [specific threat model] — if your situation is different, see [other guide]." Updates: revision history visible at the bottom of each guide; recent updates are tagged with dates. Access: HTTPS-only at ssd.eff.org; works on Tor Browser without aggressive blocking; mobile-responsive; works without JavaScript (the guides are static HTML — a Tor "Safest" mode-friendly feature). Offline access: PDF download for offline reading (useful for users in censored regions or for printing). No accounts — read anonymously; SSD doesn't track, doesn't require login, doesn't ask for email. API: there's no API per se; the guides are a static website. Distribution: also covered in EFF's email newsletters and their tech-blog posts, but the canonical home is ssd.eff.org.

Philosophy. SSD's editorial differentiator is the threat-model-first methodology. Most "how to be private online" content is tool-prescriptive ("download these 5 apps"); SSD inverts that. Before any tool, you identify: (1) what you're protecting (the asset — could be your identity, your sources, your location, your communications), (2) who you're protecting it from (the adversary — could be ad-tech, ISP, employer, state actor, a specific group), (3) how likely the threat is (probabilistic, not paranoia-driven), (4) how bad the consequences are if the threat is realised, (5) how much effort you're willing to spend on defence. Only then do you pick tools. This is the foundational discipline of OPSEC — and SSD is the most accessible introduction to it in the privacy-tooling space.

Grade rationale. Grade A and editor's pick reflect: 16+ years of operational continuity (since 2009); maintained by the EFF (35+ year digital rights organisation with strong public-interest track record); Creative Commons CC BY 4.0 licensing (freely shareable, translatable, adaptable); 13+ language translations including high-priority languages for activist/journalist use; tool-agnostic threat-model methodology that survives product churn; static-website + no-JS architecture (Tor-friendly, censorship-resistant); no advertising, no tracking, no commercial pressure; tagged revision history for transparency; works offline via PDF; cross-listed in essentially every privacy-tools reference (Privacy Guides, EFF's own ecosystem, dozens of activist organisation reading lists). The most-recommended foundational reference in the privacy-tooling space. Last verified 2026-05-11.

Useful when. You're starting privacy work and need a foundation before picking tools — SSD is the first reading list. You're teaching privacy/OPSEC to others — SSD's threat-model methodology is the cleanest pedagogy in the space. You're a journalist or activist in a hostile-network region — SSD has translated guides specifically for these threat models. You're a technologist at an organisation deciding which privacy tools to recommend internally — SSD's tool guides are evidence-based and updated. You're periodically re-reading to refresh your threat model as your work or context changes (a senior practitioner exercise — your threat model should evolve as your work does). You want a single source to point someone at when they ask "where do I start with privacy?" — SSD is the canonical answer. You're translating privacy content into a new language — SSD's CC BY 4.0 licence makes it the canonical base text.

Caveats. SSD is education, not a service — you still have to apply the methodology to your specific situation; reading SSD alone doesn't make you private, applying its methodology does. Some tool recommendations age — SSD is updated but the rate of privacy-tooling evolution means specific tool recommendations sometimes lag the state of the art by 6-12 months. Cross-reference recent specialised sources (Privacy Guides, this directory, EFF's blog) for tool-specific currency. US-organisation caveat — EFF is San Francisco-based; for users whose threat model includes US-state-actor concerns, SSD's content is still valuable but consider whether the organisational jurisdiction matters for your specific case (it almost never does — SSD is content, not infrastructure that handles your data). Some sections are more current than others — the foundational concepts age slowly; the tool guides age faster. Skim the "last updated" date on tool-specific guides. Doesn't cover everything — SSD focuses on threat-model framework + commonly-relevant tools; for specialised threats (cryptocurrency privacy, hardware wallet security, supply-chain attacks on specific software), supplement with specialised sources (Privacy Guides for hardware, this directory for crypto, the relevant project's own docs for software-specific concerns). Language quality varies across translations — the English original is the canonical; some translations are excellent (Spanish, Russian, Arabic), others are slightly behind on currency (less-resourced languages). Not a substitute for legal advice — SSD covers the privacy/OPSEC landscape but if your threat model includes legal proceedings (subpoenas, court orders, jurisdiction-specific privacy laws), pair SSD with a qualified lawyer in your jurisdiction. The threat-model exercise is the work — many readers skip "do the threat-model exercise" and jump straight to "what tools should I use?" That defeats the purpose. The methodology is what makes SSD valuable; the tool list is the secondary output.