In stigmatized communities the question of safety often comes to mind, especially now in the digital age. What should you be doing to protect yourself from getting doxxed, outed, or hacked?
Information safety, broadly speaking, is keeping control over information that could be used to harm you, so that you're only sharing it where and when you mean to. This is very important to us and many of our members, so we're providing this resource to cover the essentials of information safety in the interests of enabling everyone to make informed choices about their information, and about how public or private they would prefer to be.
This is not a guide to "opsec", or to privacy or security in an abstract sense, as most comparable online resources tend to be. It's meant to be specific to the concerns and issues that the beings Bt+ aims to serve have most often, and to address them in a practical, flexible way; everyone's situation is unique, so some concerns won't apply to everyone, and the advice presented may be prohibitive for some.
If, during the course of reading this article, you find yourself becoming discouraged and feeling like all of this is too much to deal with, you are encouraged to take a few deep breaths, come back to it later, and just do the best you reasonably can – perfect is the enemy of good, some protection is better than none, and if you're taking proactive steps to improve your situation at all, that's already something to be proud of!
Threat model
Before we get to the specifics, it's important to understand what your "threat model" is, i.e., what sorts of threats you're concerned about. This resource attempts to address the threats that Bt+ members are most commonly concerned about or at risk from, with the following goals:
- Reduce the degree of threat posed by harassment tactics
- Avoid being outed in contexts where you didn't choose to come out
- Protect your social connections and online life from being disrupted by adverse action from online services
- Safeguard your legal rights to due process and privacy in the event of law enforcement investigation, which can realistically happen in the absence of a crime due to intolerance-motivated profiling or false reports from harassers
- Defend against opportunistic attacks by cybercriminals, a concern for everyone regardless of identity
Take control of personal information
Of all of the methods used to harm radically queer beings, doxxing (release of most/all of a victim's personal information to the public, such as names, addresses, phone numbers, and photos) is potentially the most prevalent. The best way to defend yourself against doxxing is to limit access to that personal information, making it harder for anyone who wants to dox you to find it in the first place.
Evaluate social media presence
Social media encourages users to publish personal information to everyone on the internet, or at least users of the social media site: names, faces, occupations, areas of residence, associations with friends/partners/family/coworkers, and more. Photos are especially risky – even a photo that doesn't seem like it contains anything that clearly identifies a being or their location often reveals quite a bit more than they think, if observers are sufficiently determined to comb through every detail.
One of the most common ways beings get doxxed is by inadvertently exposing a link between their social media identity and a pseudonym, or being outed directly, followed by the information on their social media accounts (possibly combined with search results) being used to dox them. As such, it is highly recommended to think carefully about your use of social media – do you really want all of the information you've posted to be available to so many beings? If not, you can take accounts/posts private or delete them completely – that won't remove them from archiving sites like the Wayback Machine, and it varies whether or not they'll still stay in search results for a while, but anyone looking for it with ill intent will at least have a meaningfully harder time.
Reduce odds of exposure from hacks
While public exposure on social media is by far the biggest real-world risk, any personal information associated with an online account, even if it's totally private in theory, can be exposed if the account or the account database gets hacked. To reduce the probability of an account hack, you can take the following steps:
- Enable two-factor authentication (2FA) in security settings whenever possible. App-based 2FA is generally the most secure, using apps such as Ente or Aegis, but 2FA via SMS or email is still preferable to no 2FA at all.
- Use strong passwords – unique, long, and random. Since almost no one can remember large numbers of strong passwords, this usually means using a password manager, such as Bitwarden or KeePassXC/KeePassDX. That password manager needs to have the strongest password of all, and ideally 2FA as well, but the tradeoff is well worth it.
- Don't use the same email address/username for everything, especially if it's a username that no one but you ever sees. The email address or username that you use to log into an account is effectively a second password in many cases – using randomly generated usernames, or email aliases such as those offered by Proton Mail, to make it harder to guess part of how you log in will also make hacking harder.
However, there is relatively little you can do if hackers target the site itself for a breach – breaking into supposedly secure systems to harvest internal data. This is usually done with the goal of presenting the site with a ransom demand: pay, or the collected data will be released on the dark web. It's also common for a subset of the data to be released up front to increase the probability of the site complying with the demand. And once it's out there, it might not necessarily be easily searchable, but there's no concrete way to take it down.
The upshot of this is that in addition to removing or not providing personal information publicly, it can be good to avoid providing it at all unless there's a clear need. Most businesses require core personal information, but you can still limit which businesses you deal with, and when possible, try to prefer ones that maintain their technology more professionally. And when information isn't required, consider not providing it – a little bit of inconvenience now could potentially save a lot of inconvenience later.
Notably, leaked data can include passwords, which is why it's so essential that passwords be unique – it doesn't matter how strong your password is, if you reuse it everywhere and a data breach contains it, anyone with access to it can bypass most of your security on all of your accounts, especially if you used the same email address everywhere too.
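As an added example (not code from the original guide), the following audits a password-manager export for exactly the two mistakes described above, one password reused across sites and one login used everywhere, and checks each password against a breach corpus the k-anonymity way: hash the password, look up only the first five hex characters of its SHA-1, and match the remainder locally, so the full hash never leaves your machine. That is the scheme the Have I Been Pwned "range" API uses; here the vault and the breach corpus are constructed and nothing is sent over the network.

```python
# Added example, not code from the original guide: auditing a password-manager
# export for reused passwords and shared logins, plus a breach check done the
# k-anonymity way (send a 5-char SHA-1 prefix, compare the suffix locally).
# The vault and breach corpus below are constructed, not real data, and the
# "server" here is an in-memory dict, not a network call.
import hashlib
from collections import defaultdict
from typing import Callable, Dict, List

# Constructed vault entries (the shape of a password-manager CSV export).
VAULT = [
    {"site": "bank.example",  "login": "me@example.org",         "password": "correct horse battery staple"},
    {"site": "forum.example", "login": "me@example.org",         "password": "Summer2023!"},
    {"site": "shop.example",  "login": "me@example.org",         "password": "Summer2023!"},
    {"site": "chat.example",  "login": "alias-7f3k@example.org", "password": "x9#Qm2$vLp8!wZt4"},
]

# Constructed stand-in for a breach corpus: password -> times seen in leaks.
BREACHED = {"Summer2023!": 5, "password": 9000}


def sha1_hex(password: str) -> str:
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def range_index(corpus: Dict[str, int]) -> Dict[str, List[str]]:
    """Server side: bucket breached hashes by 5-char prefix; each bucket holds
    'SUFFIX:COUNT' lines, which is all the server ever returns."""
    index: Dict[str, List[str]] = defaultdict(list)
    for pw, count in corpus.items():
        h = sha1_hex(pw)
        index[h[:5]].append(f"{h[5:]}:{count}")
    return index


def local_lookup(corpus: Dict[str, int]) -> Callable[[str], List[str]]:
    """A lookup callable backed by the in-memory index (a function fetching the
    real range endpoint could be swapped in to check against actual leak data)."""
    index = range_index(corpus)
    return lambda prefix: index.get(prefix, [])


def breach_count(password: str, lookup: Callable[[str], List[str]]) -> int:
    """Client side: send only the prefix, compare the 35-char suffix locally."""
    h = sha1_hex(password)
    for line in lookup(h[:5]):
        suffix, count = line.split(":")
        if suffix == h[5:]:
            return int(count)
    return 0


def audit(vault: List[Dict[str, str]], lookup: Callable[[str], List[str]]) -> Dict[str, dict]:
    """Report reused passwords, logins shared across sites, and breached passwords."""
    by_password: Dict[str, List[str]] = defaultdict(list)
    by_login: Dict[str, List[str]] = defaultdict(list)
    for e in vault:
        by_password[e["password"]].append(e["site"])
        by_login[e["login"]].append(e["site"])
    return {
        "reused_passwords": {pw: s for pw, s in by_password.items() if len(s) > 1},
        "shared_logins": {lg: s for lg, s in by_login.items() if len(s) > 1},
        "breached": {e["site"]: c for e in vault if (c := breach_count(e["password"], lookup))},
    }


if __name__ == "__main__":
    for key, value in audit(VAULT, local_lookup(BREACHED)).items():
        print(key, value)
```

On the constructed vault the report flags "Summer2023!" as reused on two sites and present in the breach corpus, and flags me@example.org as the login on three of the four entries; the entry using a per-site alias and a unique random password is clean. Bitwarden and KeePassXC both have built-in reports of this kind, so the point of the code is to show what those reports are doing rather than to replace them.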
Remove yourself from people finder sites
The data broker industry specializes in obtaining personal information via legal or dubiously legal means, then making it available to their customers. These customers are most often businesses and law enforcement agencies, but they also frequently expose some of it online on "people finder" websites as a sample to demonstrate what they have to offer paying clients. Many beings have associations between their names, addresses, phone numbers, and more searchable on such sites (and, by proxy, on search engines) without their knowledge, due to, among other things, businesses they've interacted with having reserved the right to sell customer information, and data brokers buying it for resale.
One bright side to this is that these sites often tend to be extremely inaccurate, mistakenly conflating different beings into single entries or filling in guesswork as hard data. However, enough is accurate to be a threat, and US citizens have relatively weak legal protections against exposure by data brokers. That said, many people search sites allow beings to submit requests to have their information taken down (or at least made harder to access), so at the very least it's a good idea to do that when this data appears in search results. There are also paid services, such as Optery and DeleteMe, that specialize in essentially submitting this kind of request to large lists of data brokers covered by their services; these can be worth considering, though it's unclear how much they actually help in practice since not all such requests will be honored.
Use privacy settings
Data harvesting and sale by corporations is impossible to prevent completely, because even when they're honored, the privacy policies of most sites allow them to legally harvest large amounts of data as a condition of use. However, there still are laws that place limits on what data can be harvested and when, and as a result of this, a huge amount of data harvesting, including much of the most sensitive data (such as large amounts of device location history, as one example), is conducted with the notional consent of users.
This is done by way of providing account/device privacy settings that default to allowing the maximum degree of data harvesting – a compromise companies are willing to accept because most users never change most of the default settings, so the data they actually lose in practice is minimal. But, by being among the few users to go through the settings and evaluate everything that permits more of your data to be saved/used/shared/collected, you can often significantly reduce how much information you're giving them – which, in turn, means that there will be less that could be sold or leaked in a hack later on.
Make sure personal devices stay private
In addition to online data, offline data is also important to secure.
Encrypt device storage
"Encryption at rest" means that data on a device – logged-in sessions, history, messages, documents, photos, essentially everything – can't realistically be accessed without a password/PIN when the device is powered off. Android and iOS devices are encrypted at rest by default, but many desktop, laptop, and netbook devices lack encryption and are protected only by the login screen. Login screens are often not particularly secure, and can be bypassed by methods such as booting a different operating system off of a USB stick connected to the device, exploiting known operating system bugs, or sometimes even specific key combinations – all options available to any average being with physical access to the device, and technologically advanced attackers have even more options.
For Windows systems, VeraCrypt is the most secure option for storage encryption, and is relatively straightforward to set up, though backing up important data first is still advisable as sometimes there are still issues. For maximum ease of use, BitLocker is less secure, but still a significant improvement over no encryption (ideally opting not to send a backup key to Microsoft's servers during setup). For Linux systems, LUKS encryption is very well supported and easy to use, but generally needs to be set up at the time the OS is installed – encrypting later on is technically possible, but challenging.
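Because an installer option is easy to miss, it's worth verifying afterwards that the system disk really is encrypted rather than assuming it. The following is an added example for Linux (not code from the original guide): it walks the block-device chain from the filesystem mounted at / down to the physical disk using `lsblk -s -P` and reports whether a LUKS/dm-crypt layer is in that chain, which also covers the common LVM-on-LUKS layout. The sample outputs are constructed; `live_root_check` runs the real `findmnt` and `lsblk` commands on the machine it's executed on.

```python
# Added example, not code from the original guide: a Linux-only check that the
# filesystem mounted at / really sits on a LUKS/dm-crypt device, by walking the
# block-device chain with `lsblk -s -P` (inverse tree, key="value" output) from
# the root device down to the physical disk. The sample outputs are constructed.
import re
import subprocess
from typing import Dict, List, Optional

PAIR = re.compile(r'(\w+)="([^"]*)"')


def parse_lsblk_pairs(text: str) -> List[Dict[str, str]]:
    """One dict per device line of `lsblk -P` output."""
    return [dict(PAIR.findall(line)) for line in text.splitlines() if line.strip()]


def chain_is_encrypted(lsblk_text: str) -> bool:
    """True if any device between the mounted filesystem and the disk is a
    dm-crypt mapping (TYPE crypt) or a LUKS container (FSTYPE crypto_LUKS).
    LVM-on-LUKS passes because the chain includes the crypt layer."""
    return any(
        d.get("TYPE") == "crypt" or d.get("FSTYPE") == "crypto_LUKS"
        for d in parse_lsblk_pairs(lsblk_text)
    )


def live_root_check() -> Optional[bool]:
    """Run the real commands on this machine; None if they are unavailable
    (non-Linux system, missing util-linux, etc.)."""
    try:
        src = subprocess.run(["findmnt", "-n", "-o", "SOURCE", "/"],
                             capture_output=True, text=True, check=True).stdout.strip()
        src = src.split("[")[0]  # btrfs reports "/dev/x[/@subvol]"; keep the device
        out = subprocess.run(["lsblk", "-s", "-P", "-o", "NAME,TYPE,FSTYPE", src],
                             capture_output=True, text=True, check=True).stdout
    except (OSError, subprocess.CalledProcessError):
        return None
    return chain_is_encrypted(out)


# Constructed samples of `lsblk -s -P -o NAME,TYPE,FSTYPE <root device>`.
SAMPLE_LUKS = (
    'NAME="cryptroot" TYPE="crypt" FSTYPE="ext4"\n'
    'NAME="nvme0n1p2" TYPE="part" FSTYPE="crypto_LUKS"\n'
    'NAME="nvme0n1" TYPE="disk" FSTYPE=""\n'
)
SAMPLE_LVM_ON_LUKS = (
    'NAME="vg0-root" TYPE="lvm" FSTYPE="ext4"\n'
    'NAME="cryptlvm" TYPE="crypt" FSTYPE="LVM2_member"\n'
    'NAME="sda2" TYPE="part" FSTYPE="crypto_LUKS"\n'
    'NAME="sda" TYPE="disk" FSTYPE=""\n'
)
SAMPLE_PLAIN = (
    'NAME="sda2" TYPE="part" FSTYPE="ext4"\n'
    'NAME="sda" TYPE="disk" FSTYPE=""\n'
)

if __name__ == "__main__":
    result = live_root_check()
    print("root filesystem on encrypted storage:", "unknown" if result is None else result)
```

This only tells you the root filesystem is encrypted; a separate data partition or an external drive has to be checked the same way with its own mountpoint. On Windows, the equivalent question for BitLocker is answered by `manage-bde -status` in an administrator prompt, and VeraCrypt shows system-encryption status in its own window.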
Adopt private device usage habits
Excellent passwords and encryption won't protect a device alone. It's also important to use the device in a way that keeps its contents protected from anyone you don't trust completely:
- Don't give out passwords lightly. Even if you trust someone to have the best intentions, you're also trusting them to keep it secret too.
- Don't let untrusted beings use private devices. Even supervised, they might run into private information accidentally (notifications are worth considering here), and if given unsupervised access, may snoop around intentionally. This also includes being careful not to let a phone or laptop be grabbed away from you while unlocked.
- Be mindful of who can see your screen (especially while entering passwords) and hear your audio. It may be worth angling your phone away from others, sitting/positioning monitors in a different arrangement, and getting in the habit of using headphones.
- Keep your devices fully powered off when you're not using them, if possible. Encryption at rest doesn't protect data that isn't at rest.
Be mindful of what you say and where
A lot of us get used to not thinking too much about what we're saying, whether in a social media bubble that's not actually private but presumed to be relatively undiscoverable, or in public settings like restaurants, buses, and trains. Most of the time, if we let something slip, it doesn't matter – but the issue is that that's most of the time, and the exceptions have the potential to get very out of hand.
Think about who could be listening/reading
Nothing online is ever as private as it might seem. Almost all of the most popular instant messengers aren't end-to-end encrypted, meaning that the service – a staff member, or even moderation AI – can view everything at any time. Posts on social media accounts with only a handful of followers may seem off the radar, but are actually totally visible to thousands if they just look. And even with end-to-end encryption, private group chats are only private if no one ever invites the wrong being, no one invited ever becomes a wrong being later on (opinions can change), and no one's device ever gets broken into.
Meanwhile, in-person, voices carry, sometimes more than we think. How many snippets of conversations have you ever overheard somewhere crowded like a food court or a bus? If you can hear others talking, at least sometimes, that means they can hear you sometimes too. And while most aren't paying attention, you can never know when someone in the next set of seats over might be, say, a militant conservative who caught part of a private conversation and started listening intently to post everything they hear online later.
It's worth paying some mind to the possibilities, and asking yourself, do you really want to say what you were about to say? Would you want to use different wording? Would it be best to take it somewhere else more private instead?
Think about how you'll be interpreted
When dealing with beings with a hostile or potentially hostile stance, it's critical to keep in mind that a thing they usually do is interpret everything we say in the worst possible way, whether it's an easy misunderstanding or a huge reach – then they spread the "news" to others. Because of this, it pays to think carefully about how what you say could be turned against you. As a near-worst-case scenario, if you have a transage partner who, in the eyes of the law, is an adult, but you refer to them as a child without clarifying context, that comment could easily be taken as probable cause for serious investigation by law enforcement if someone brings it to their attention – and that applies equally whether they were knowingly presenting your words out of context or not. Careless words can constitute handing others weapons to use against you.
Evaluate what platforms you use and how you use them
Prefer end-to-end encryption
When a platform is end-to-end encrypted (E2EE), such as Signal for instant messaging/calls or Proton Drive for cloud storage, that means the service provider doesn't have the ability to decrypt your posts or content – it's only accessible by you and those you send it to. This drastically reduces (though doesn't entirely eliminate) several kinds of risks. When end-to-end encryption is not present, all content on the platform is totally exposed to the service provider, rendering its users very vulnerable to, among other things, governmental overreach at the hands of the far right. Notably, phone networks are included in the category of unencrypted platforms, leaving calls and SMS messages highly exposed.
Avoid relying on services that ban often
Most of the most widely-used platforms and services, such as Discord, Tumblr, and X (among many, many others) have terms of service that prohibit sufficiently controversial identities and discussion, and actively search for anyone violating those terms of service on the platform. Often, this isn't just a matter of receiving and acting on reports; the idea of using AI to sift through all user content and flag possible prohibited content is already applied in some cases, and will likely become more common with time. And when a user violating these policies is identified, it can lead to waves of bans as moderators look through their DMs and groups. In cases where no laws are being broken, being banned doesn't usually lead to in-person consequences, but it can be massively disruptive to social connections – social groups, friends, and even partners abruptly cut off from one another. And, as always, it's worth putting thought into what might happen if laws change, or any of the considerations in 1b. come into play.
Unfortunately, it's very difficult for most beings to totally stop using things like Discord, but it can significantly limit the risks to simply avoid violating terms of service on-platform and move anything that would otherwise be a violation to other platforms, such as Signal or SimpleX.
Make sure you don't lose touch
Especially if you only have contact with someone on something like Discord or X, you should establish at least one additional channel of communication with them, preferably on something E2EE. And even if it's an E2EE platform you have them on, you should still aim to always have more than one way to communicate if needed – even outside of moderation concerns, services go down, and accounts have issues.
Don't invite hostility unnecessarily
Being true to oneself is always something that makes some enemies. Standing up for what you believe in, even more so. But a distinction should be made between making enemies for good reasons and making enemies out of beings who could have been allies or bystanders, as well as between provoking enemies as an inevitable byproduct of defiance and provoking enemies needlessly. Most of us have enough difficulty in our existences already without choosing to add more when doing so doesn't even accomplish anything, or provide meaningful value. Even in situations where we're being provoked, it's important to be able to do the practical thing and leave insults and false allegations unaddressed if responding would only make the situation worse, as one example.
The line between necessary and unnecessary provocation is an especially fuzzy one, and there are no firm rules to go by, but the essential part is just to give it thought and not act without consideration of all options and what their outcomes could be.
Be careful of hacks
Opportunistic, profit-motivated cybercrime is a threat that virtually everyone faces in the modern world. Attacks of this type usually take the form of the attacker running their own malicious software on a user's system, and doing things like stealing accounts (by logging into them and changing credentials) to sell them, gathering information for use in identity theft, or locking users out of their data to charge a ransom. Something important to understand about this kind of attack, though, is that they're primarily after low-hanging fruit, and are fine with only successfully impacting users who've made significant cybersecurity mistakes – if anything, they sometimes prefer it, because users who don't understand cybersecurity well are also less capable of defending themselves after an attack. It's not advisable to get too overconfident, but just by not making yourself an easy target, you can avoid the overwhelming majority of the problem.
Keep devices and software up to date
Most successful pure hacks (i.e., ones that don't rely on tricking the user) rely on vulnerabilities that have already been patched, and succeed only because many users run out-of-date software anyway. Also, if a device or app that accesses the internet (or files from it) isn't going to get security updates anymore, don't use it – any vulnerabilities found afterwards will never be fixed.
Be wary of untrusted messages
If you receive a message (an email, a text message, etc.) that seems suspicious, don't interact with it or anything in it. Don't follow links, don't open files (even ones that don't appear to be programs such as .exes), and especially don't run programs or scripts (.exe, .bin, .bat, and .sh are some common extensions). This is easier said than done, because many attempt to create a false sense of risk/urgency by making frightening claims, such as by referring to large fees that might be charged if you don't do what they want, but the best way to handle such situations is to follow up with their purported sources by another means; for example, if you receive an email that looks like it's from your bank saying that you have to get back to them or you'll owe them money, instead of engaging with the email, contact the bank via its official channels to confirm.
Notably, when it comes to running programs or scripts, even trusted contacts should be regarded with skepticism. Accounts can be compromised, and "your friend" asking you to "test out a game they're making" may not actually be them. One option is to establish a codephrase with someone in advance, and if you're ever not sure it's really them, ask them to repeat it; however, any similar solution involving something only known to the two of you will generally suffice.
Turn off JavaScript optimization
A majority of "drive-by" exploits (ones where all the user did was visit a malicious page) in browsers based on Chromium (including Google Chrome, Edge, Brave, and others) rely on the JavaScript JIT – the just-in-time compiler inside the V8 JavaScript engine, which Chrome's settings call "JavaScript optimization". This feature speeds up websites, but also significantly expands the range of attacks they can attempt, since the JIT is a large, complex piece of code that every page gets to drive. As such, it should be disabled in Chromium-based browsers in nearly all circumstances. In Google Chrome, this can be done by going into Settings, then Privacy and security, then Manage JavaScript optimization & security, and choosing Don't allow sites to use JavaScript optimization. The process is usually similar in other Chromium-based browsers.
Increase browsing anonymity
When you browse the internet, normally your internet service provider can see every site you're visiting, and sites can see your IP address. For those less familiar with technology, your IP address is essentially a number assigned to you when you connect to your internet service provider; it is used to provide service, but in the wrong hands, it can also in some cases be used to identify your location, or even expose you to hacking attempts – someone who knows the IP address you're currently using can use it to try to connect to you. And ISPs are often among the companies that sell user data the most prolifically.
VPNs and Tor both keep your ISP from seeing what sites you visit, and sites from seeing your IP address. This isn't true anonymity – sophisticated tracking technology can identify you other ways, and avoiding that completely is extremely difficult – but it does at least keep you from being low-hanging fruit. In the case of Bt+ specifically, we would actually prefer not to know your IP address – the less user-identifying data you send us, the better. The downsides are slower browsing (especially with Tor), sites hassling you with more anti-bot measures (or blocking you completely), and in the case of Tor specifically, use of Tor can stand out to surveillance states as inherently suspicious. Using an untrustworthy VPN can also be worse than not using one at all – VPNs with especially good reputations for adhering to their claims of not tracking users include Mullvad, ProtonVPN, and IVPN.
Use open source software
When software is open source and all of its code can be examined by anyone, any privacy-compromising features or possible vulnerabilities are fully out in the open, and researching it online will let you know if there's anything to be concerned about. But when software is proprietary, its code is developed behind closed doors – you can only know how it works by going off the word of the developers, and analysis by beings doing things like observing its web traffic. It can spy on you any number of ways with no oversight, and could have known exploits that have gone unfixed because they weren't prioritized in budgeting. And when that software is your operating system (Windows, iOS, stock Android), it also has complete access to everything you do on the device, making it necessary to trust an entity like Google, Microsoft, or Apple with, in most cases, your entire online life.
For these reasons, beings concerned about privacy and security should strongly prefer using open-source alternatives such as Linux (for desktops and laptops) or GrapheneOS/LineageOS (Android). Unfortunately, that often still requires compromises in terms of what software will run on it, and open-source alternatives are often missing features compared to paid ones, so sometimes it's necessary to compromise and just try to lock down privacy settings as well as possible.
Condensed list
Here's a shorter version of all the steps described above, for ease of reference:
- Make social media profiles private and/or remove posts containing identifying information
- Enable 2FA on all accounts
- Use a password manager and strong passwords
- Use unique usernames/aliases per site/service
- Reduce/avoid private information on accounts
- Encrypt all your devices
- Avoid others accessing your devices or seeing/hearing your activities
- Always think twice about posting/saying sensitive information
- Be careful of your wording to avoid damaging misunderstandings
- Use end-to-end encryption for as much as you can
- Add close connections on 2+ platforms
- Don't make beings angry without a solid reason
- Keep software and devices up to date, avoiding anything that doesn't get updates anymore
- Be very cautious about links/files you weren't expecting
- Turn off JavaScript optimization
- Use a VPN and/or Tor
- Switch to open-source operating systems and software
Conclusion
Hopefully, after reading this, you feel more able to make informed choices about your safety, with a better understanding of what considerations are involved. However many of these measures you do or don't decide to adopt, it's best that you at least know the situation. If you're concerned about these issues and found this page informative, we encourage you to share it with your friends and social circles, and do your part to help them stay safe too – everything is easier and more effective as a group effort.