Information Security for Trans Iowans

• Only share what you want to share--know your privacy settings, lock stuff down, and don't tag others without permission (let them share only what they want to share too)
• Delete what you aren't using: apps, accounts, location history, old posts (TweetDelete can help if you use Twitter)
• With very limited exceptions, things you type online (in apps or browser) aren't secret. For example, Facebook DMs have been used to prosecute people seeking abortions. If you're talking about something you really need to keep secret, keep it offline and limiting who you tell.
• Remember privacy is a team sport. Be as careful with information about the people you care about as you are with information about yourself, and have them ask before sharing anything about you. You can also ask them to limit who can see posts about you, turn off location before taking photos of you, or otherwise keep your information secret.

Using a password manager is the rare situation where practicing privacy also makes things more convenient for you--you can use strong, unique passwords without having to create or remember them.

Bitwarden is a free and open-source password manager with cloud storage. Cloud storage is more convenient for moving between devices, but it isn't quite as secure if you're worried about hacking.

KeePassXC is a free and open-source password manager that stores passwords in your device. You'll need to make and keep backups in case your computer dies, so although it's a bit more secure, it might not be a better option for you if you aren't worried about hacking.

Bonus tip: use your password manager's notes feature to store the answers to your security questions. That way, you can lie, making it harder for people who know something about you to hack your accounts.

Diceware is a site that provides you with random words to use for a password. If you don't want to use a password manager, or you're trying to create memorable passwords for the ones you need to remember frequently, random strings of words are easier to remember and more secure than random strings of letters. 

If you have memory issues, a password manager may not be for you. (You do need to remember the main password that lets you into your password manager--they aren't going to make it easy to get that back if you forget.) If you trust the people in your home, writing down passwords in a notebook is pretty secure--hackers aren't likely to come to your house. If you want more help deciding the right way to handle your passwords, you can email Nikki at nmrhodes@dmpl.org or ask a librarian for more information.

If you're taking photos with friends, ask them to turn it off too. Photos and many social posts default to keeping location data about where they were taken/posted.

• Turn off location entirely:
  • Android: Settings → Location
  • iOS: Settings → Privacy & Security → Location services
• Turn off location app-by-app:
  • Android: Settings → Apps, click each app to adjust permissions
  • iOS: Settings → Privacy & Security → Location services
• Delete location history:
  • Android/Google account: Maps app → tap your account circle/photo in the top right → Settings → Maps history and see what you find
  • iOS: Settings → Privacy & Security → Location services → System services → Significant locations → Clear History
  • iOS might still have Google location history, such as if you use Google Maps. If so, open Google Maps → tap your account circle/photo in the top right →Your Timeline → More → Settings → Delete All Location History → check box and Delete
  • Turn off location history going forward in Google Maps: tap your account circle/photo in the top right → Settings → Maps history and see what you find

A VPN, or virtual private network, obscures your IP address and hides what you're doing from your network and people trying to watch you on it. But it doesn't hide your browsing from the VPN, so you want to use a reputable one that doesn't keep user data, and those usually cost money. If you want one, here's a guide to choosing a VPN.

You can usually block third-party cookies through browser settings. Here are some instructions for common browsers:

• DuckDuckGo: DuckDuckGo automatically disables third-party cookies and stops most from collecting your IP address and other information as well.
• Firefox: Firefox automatically disables third-party cookies that track you between sites; to disable even more of them:
  • Settings → Privacy & Security → Custom → Cookies → All third-party cookies (may cause web sites to break)
• Chrome: To block cookies on Chrome, go to Settings → Privacy and Security → Cookies and other site data
• Edge: Edge doesn't offer very granular control and isn't a good browser for privacy. See your options at Settings → Privacy, Search, and Services
• Safari: Safari blocks cookies by default

No matter what browser you use, check for an https lock (at the left edge of the URL bar) before you share personal information, for example through a form.

You usually block ads with extensions to your browser. Extensions can be added by going to your browser's settings. Some good ad blockers include:

• Privacy Badger
• AdBlock Plus
• uBlock Origin
• 1Blocker X
• Ghostery

You may have heard that Chrome planned changes that would make ad blockers ineffective or less effective. As of March 2023, these changes have been delayed. Chrome still isn't the best browser for privacy - of the major browsers, Firefox is generally recommended - but it won't force ads.

• It'll make it harder for people to get into your account and give you a heads up if they're trying to access it.
• Authentication apps are more secure than texts, if you have the option.

Fix it in your browser, in accounts (like Google and social media) where you share information, and in anything where you log in for the first time.

If you're worried about police trying to access your data, choose a lock that relies on something you know, like a password, rather than a biometric lock, like face ID or fingerprint.

"Encryption" is using math to make your information unreadable except to the intended audience. "End-to-end encryption" ensures that if a message is intercepted in transit, it won't be interpretable.

Apps like Signal, which uses end-to-end encryption, and browsers like Tor, which uses multiple layers of encryption among its security practices, make you much harder to track. (Tor is slow, however, and not suitable as your only browser unless you are very patient.) Use both occasionally for low-stakes things so it doesn't flag as unusual activity if you need them.

What comes up when you--in a browser you don't use, in an incognito window, or on someone else's computer--search for yourself? Ask websites to remove information if you don't want it there.

If you're worried about doxxing, create a Google alert for your name

Threat modeling is a process from the information security world that helps us identify what risks we're facing so we can develop a security plan that addresses the right things.  

Forest Avenue Library will be hosting a program on threat modeling on June 6; everyone is welcome.

Learn more about making your threat model and turning it into a security plan at the Electronic Frontier Foundation's Surveillance Self-Defense page on security planning.

When practicing threat modeling, consider:

1. What do you want to protect? 

Things you want to protect are known as "assets." For each thing you want to protect, note where you keep it, who has access to it, and what barriers currently exist to other people getting it.

This could include, but is not limited to:

• Material things
  • Your physical safety
  • Gender-affirming items like clothing, if people around you would take them
  • Devices like your phone
• Information
  • Your trans status, if there are people you want to keep it from
  • Your address, phone number, or other personal information people could use to harass you
  • Messages
  • Other people's information they have trusted you with
  • Your location at any time
  • This security plan

2. Who do you want to protect it from? 

Those you want to protect your assets from are known as "adversaries." For each adversary, consider the ways ("capabilities") they have to access to the information you want to protect - for example, encountering them by accident, hearing from others, actively seeking them out, requesting it from big tech companies, etc.

This could include, but is not limited to:

• Institutions and collectives
  • School or employer
  • The government, including police
  • Coordinated harassment campaigns
  • Businesses
  • Health care providers
• People
  • Bosses
  • Bullies, online or in person
  • Your gossipy friends
    • Family members
  • People you live with
  • Exes/Former partners
  • Teachers

3. How bad are the consequences if your adversaries access your assets? 

Be sure to consider how likely each consequence is as well.

For example, while many schools are likely to report your trans status to your parents; Google may have much more of your information but be less likely to share it

4. What are you willing and able to do to protect your assets?

Some things are too far--we're not going to argue you should never come out, never talk to your friends, or not present in ways that feel right for you for the sake of security. Your happiness matters too, and weighing those priorities is something you have to do for yourself.

Consider the consequences, especially the likely ones, that worry you most. What are you willing and able to do to mitigate them?

If there are mitigation actions you'd like to take but aren't able to, who can help you?

If there are risks that worry you that you don't know how to avoid, you can ask a librarian for help finding information or consult the "general online safety" section of this guide.

Prefer to listen?

• Imara of the podcast Translash inteviews a cybersecurity instructor from the Tech Learning Collective. The episode is called "Cybersecurity for Trans People"

Iowa Resources

• One Iowa Action does policy and advocacy work
• Transgender and Nonbinary Resources from One Iowa
• Iowa Trans Mutual Aid Fund

Learn more against surveillance

• Surveillance Self-Defense from Electronic Frontier Foundation: module lessons on specific tools and situations related to surveillance
• Data Detox Kit: module lessons on protecting your data