This is a starting guide for people interested in information security and knowing how to keep their identities safe online. While it's designed for trans Iowans, nearly everything in here is applicable to everyone. Cis Iowans and people in other states can use the same tools and strategies! Privacy is a team sport: we all have some information about each other, and working together helps us keep information among the people who are supposed to know it. In the absence of state protection, we have to protect each other.
If you want help with threat modeling and making your security plan or would rather encounter this information in person, come to Forest Avenue Library on June 6, 2023, at 6:30 PM, or ask a trusted individual to come to the program and learn and share this information with you.
A note for allies: in the spirit of this guide, be careful with the information the trans people in your life share with you. If you're concerned about putting them at risk, consider employing these security tools yourself.
Allies can also read the Trevor Project's Guide to Being an Ally to Transgender and Nonbinary Young People to learn more.
What You'll Learn
Here's a general outline of what you'll find on this page:
- I Need Urgent Help
  - What to do if you're thinking of hurting yourself or if you've been doxxed.
- General Online Safety
  - Steps to take in order to be safe online.
- Threat modeling
  - A tool to help you identify your security priorities and useful actions
I Need Urgent Help
If you are considering harming yourself, please contact:
- Trans hotline - 1-877-565-8860
- For young people: the Trevor Project lifeline (1-866-488-7386) or text line (text START to 678378)
If you need urgent help because you've been doxxed or are being seriously harassed online:
- Important: Create a support team. Don't do all this yourself. Get somewhere safe, drink water, and ask for help
- Let your support team keep track of what's happening, but log it all--with dates, URLs, etc.--before you report it to the hosting source to have it taken down. Doxxing is against most web platforms' terms of service
- Set up 2-factor authentication. Change passwords. Lock down social accounts if you don't have the bandwidth for what's coming in. You can ask your support team to monitor and report messages
- In case of doxxing, contact credit cards, banks, etc. to let them know it's happening
- Contact employer/school/other relevant institutions to give them a heads up and request support if appropriate (for example, taking your name off the website temporarily)
- Contact loved ones if they might be at risk
- Try doxxing yourself and opt out from or report everything you find. This can take a few days but may still be worth doing. It's a good task for your support team
General Online Safety
Companies have a lot of incentive to track everyone. The threat modeling worksheet can help you judge which steps are most important for you, but these are all good steps for anyone to take.
Suggestion: get together with a group of friends and make a party of adjusting your settings and adding privacy tools!
If you aren't safe at home, use your own best judgment about which privacy practices to implement right now. For example, maybe you can't safely delete software that tracks you, but you can share a little less.
Steps to Take
Share Less Data
- Only share what you want to share--know your privacy settings, lock stuff down, and don't tag others without permission (let them share only what they want to share too)
- Delete what you aren't using: apps, accounts, location history, old posts (TweetDelete can help if you use Twitter)
- With very limited exceptions, things you type online (in apps or browser) aren't secret. For example, Facebook DMs have been used to prosecute people seeking abortions. If you're talking about something you really need to keep secret, keep it offline and limit who you tell.
- Remember privacy is a team sport. Be as careful with information about the people you care about as you are with information about yourself, and have them ask before sharing anything about you. You can also ask them to limit who can see posts about you, turn off location before taking photos of you, or otherwise keep your information secret.
Use Unique and Strong Passwords
Using a password manager is the rare situation where practicing privacy also makes things more convenient for you--you can use strong, unique passwords without having to create or remember them.
Bitwarden is a free and open-source password manager with cloud storage. Cloud storage is more convenient for moving between devices, but it isn't quite as secure if you're worried about hacking.
KeePassXC is a free and open-source password manager that stores passwords in your device. You'll need to make and keep backups in case your computer dies, so although it's a bit more secure, it might not be a better option for you if you aren't worried about hacking.
Bonus tip: use your password manager's notes feature to store the answers to your security questions. That way, you can lie, making it harder for people who know something about you to hack your accounts.
Diceware is a site that provides you with random words to use for a password. If you don't want to use a password manager, or you're trying to create memorable passwords for the ones you need to remember frequently, random strings of words are easier to remember and more secure than random strings of letters.
If you have memory issues, a password manager may not be for you. (You do need to remember the main password that lets you into your password manager--they aren't going to make it easy to get that back if you forget.) If you trust the people in your home, writing down passwords in a notebook is pretty secure--hackers aren't likely to come to your house. If you want more help deciding the right way to handle your passwords, you can email Nikki at nmrhodes@dmpl.org or ask a librarian for more information.
Turn Off Location on Your Phone and/or in Apps
If you're taking photos with friends, ask them to turn it off too. Photos and many social posts default to keeping location data about where they were taken/posted.
- Turn off location entirely:
  - Android: Settings → Location
  - iOS: Settings → Privacy & Security → Location services
- Turn off location app-by-app:
  - Android: Settings → Apps, click each app to adjust permissions
  - iOS: Settings → Privacy & Security → Location services
- Delete location history:
  - Android/Google account: Maps app → tap your account circle/photo in the top right → Settings → Maps history and see what you find
  - iOS: Settings → Privacy & Security → Location services → System services → Significant locations → Clear History
  - iOS might still have Google location history, such as if you use Google Maps. If so, open Google Maps → tap your account circle/photo in the top right → Your Timeline → More → Settings → Delete All Location History → check box and Delete
- Turn off location history going forward in Google Maps: tap your account circle/photo in the top right → Settings → Maps history and see what you find
Browse with a VPN
A VPN, or virtual private network, obscures your IP address and hides what you're doing from your network and people trying to watch you on it. But it doesn't hide your browsing from the VPN, so you want to use a reputable one that doesn't keep user data, and those usually cost money. If you want one, here's a guide to choosing a VPN.
Block Third-Party Cookies
You can usually block third-party cookies through browser settings. Here are some instructions for common browsers:
- DuckDuckGo: DuckDuckGo automatically disables third-party cookies and stops most from collecting your IP address and other information as well.
- Firefox: Firefox automatically disables third-party cookies that track you between sites; to disable even more of them:
  - Settings → Privacy & Security → Custom → Cookies → All third-party cookies (may cause web sites to break)
- Chrome: To block cookies on Chrome, go to Settings → Privacy and Security → Cookies and other site data
- Edge: Edge doesn't offer very granular control and isn't a good browser for privacy. See your options at Settings → Privacy, Search, and Services
- Safari: Safari blocks cookies by default
No matter what browser you use, check for an https lock (at the left edge of the URL bar) before you share personal information, for example through a form.
Block Ads
You usually block ads with extensions to your browser. Extensions can be added by going to your browser's settings. Some good ad blockers include:
You may have heard that Chrome planned changes that would make ad blockers ineffective or less effective. As of March 2023, these changes have been delayed. Chrome still isn't the best browser for privacy - of the major browsers, Firefox is generally recommended - but it won't force ads.
Enable Two-Factor Authentication
- It'll make it harder for people to get into your account and give you a heads up if they're trying to access it.
- Authentication apps are more secure than texts, if you have the option.
Fix Your Privacy Settings
Fix it in your browser, in accounts (like Google and social media) where you share information, and in anything where you log in for the first time.
Lock Your Screen
If you're worried about police trying to access your data, choose a lock that relies on something you know, like a password, rather than a biometric lock, like face ID or fingerprint.
Consider Encryption
"Encryption" is using math to make your information unreadable except to the intended audience. "End-to-end encryption" ensures that if a message is intercepted in transit, it won't be interpretable.
Apps like Signal, which uses end-to-end encryption, and browsers like Tor, which uses multiple layers of encryption among its security practices, make you much harder to track. (Tor is slow, however, and not suitable as your only browser unless you are very patient.) Use both occasionally for low-stakes things so it doesn't flag as unusual activity if you need them.
Threat Modeling
Threat modeling is a process from the information security world that helps us identify what risks we're facing so we can develop a security plan that addresses the right things.
Forest Avenue Library will be hosting a program on threat modeling on June 6; everyone is welcome.
Learn more about making your threat model and turning it into a security plan at the Electronic Frontier Foundation's Surveillance Self-Defense page on security planning.
When practicing threat modeling, consider:
1. What do you want to protect?
Things you want to protect are known as "assets." For each thing you want to protect, note where you keep it, who has access to it, and what barriers currently exist to other people getting it.
This could include, but is not limited to:
- Material things
  - Your physical safety
  - Gender-affirming items like clothing, if people around you would take them
  - Devices like your phone
- Information
  - Your trans status, if there are people you want to keep it from
  - Your address, phone number, or other personal information people could use to harass you
  - Messages
  - Other people's information they have trusted you with
  - Your location at any time
  - This security plan
2. Who do you want to protect it from?
Those you want to protect your assets from are known as "adversaries." For each adversary, consider the ways ("capabilities") they have to access the information you want to protect - for example, encountering them by accident, hearing from others, actively seeking them out, requesting it from big tech companies, etc.
This could include, but is not limited to:
- Institutions and collectives
  - School or employer
  - The government, including police
  - Coordinated harassment campaigns
  - Businesses
  - Health care providers
- People
  - Bosses
  - Bullies, online or in person
  - Your gossipy friends
  - Family members
  - People you live with
  - Exes/Former partners
  - Teachers
3. How bad are the consequences if your adversaries access your assets?
Be sure to consider how likely each consequence is as well.
For example, while many schools are likely to report your trans status to your parents, Google may have much more of your information but be less likely to share it.
4. What are you willing and able to do to protect your assets?
Some things are too far--we're not going to argue you should never come out, never talk to your friends, or not present in ways that feel right for you for the sake of security. Your happiness matters too, and weighing those priorities is something you have to do for yourself.
Consider the consequences, especially the likely ones, that worry you most. What are you willing and able to do to mitigate them?
If there are mitigation actions you'd like to take but aren't able to, who can help you?
If there are risks that worry you that you don't know how to avoid, you can ask a librarian for help finding information or consult the "general online safety" section of this guide.
Further Resources
Prefer to listen?
- Imara of the podcast Translash interviews a cybersecurity instructor from the Tech Learning Collective. The episode is called "Cybersecurity for Trans People."
Iowa Resources
- One Iowa Action does policy and advocacy work
- Transgender and Nonbinary Resources from One Iowa
- Iowa Trans Mutual Aid Fund
Learn more about protecting yourself against surveillance
- Surveillance Self-Defense from Electronic Frontier Foundation: module lessons on specific tools and situations related to surveillance
- Data Detox Kit: module lessons on protecting your data