Privacy and Security Guide

Create a Fake Identity

All accounts that you plan to use for MAP-related purposes should be created and maintained under a fake identity.

Elements of a fake identity:

• Fake name

• Separate email address

• Original, unique username(s)

• Fake date of birth (within a few years of your real one)

• Any other details you want to falsify

Tips:

• Do not use any real information to create your fake identity

• Do not reuse an identity that you previously used for non-MAP purposes

• Only use your MAP identity for MAP-related purposes

• Never share your MAP identity with anyone who knows your real identity

Any accounts you create under this identity should be set up so that even if somebody were to hack into all of them, they would still have as little information about your real identity as possible.

If you need help creating a fake identity, check out this generator.

Use a VPN

A virtual private network (VPN) makes it harder for your internet usage to be tracked and for the websites you visit to gather identifying information about you.

Many VPN services charge a subscription fee, however, ProtonVPN has a free version.

Setting up ProtonVPN:

1. Create a free Proton account

2. Download ProtonVPN on all eligible devices

3. Turn on the Kill Switch feature on each device

Remember to turn on your VPN before accessing MAP-related websites or accounts. Some websites may exhibit unexpected behavior while using a VPN.

Use Private Mode

Most web browsers have some form of private mode (it may be called Incognito, Private, or InPrivate, depending on your browser). Once you close all of the tabs in this mode, information about the browsing session will be deleted from your device (excluding files you downloaded). Some browsers may also turn on additional privacy features in private mode.

Always use private mode to access MAP-related websites and close all private tabs before leaving or turning off your computer.

Use HTTPS

HTTPS prevents malicious actors from being able to see the data you send to and receive from the websites you visit. Some browsers have a setting that allows you to block non-HTTPS connections, usually under security settings. If you can't find the setting, type the name of your browser followed by "always use HTTPS" into a search engine. 

Use Secure Messaging

While many MAP spaces provide members with the ability to DM, sensitive conversations, such as those involving potentially identifying information, should always take place on a separate messaging platform.

Always review the default privacy settings when downloading a new app for MAP-related purposes.

Telegram

This secure messaging platform is popular among MAPs and allies for its anonymity and privacy features. Users can find each other via username, so no identifying information is necessary to connect with people you know from other platforms.

By default, Telegram shows your phone number to your contacts and reveals your IP address to contacts during voice or video calls. You can disable phone number sharing in Settings > Privacy and Security > Phone Number and prevent it from being shared with new contacts by unchecking the "Share my phone number" box when adding a contact. IP address sharing can be disabled by going to Settings > Privacy and Security > Calls > Use Peer-to-Peer with and selecting the "Nobody" option. In general, we recommend against adding contacts at all to avoid these issues.

Discord

Though it is generally considered less secure and MAP-friendly than other platforms, Discord is still a good place for MAPs and allies to connect and interact. Though it includes voice and video chat services, these have been insecure in the past and should be avoided.

Jitsi

With numerous privacy-preserving features, Jitsi is a favorite among MAPs and allies who prefer to interact through voice chats. It offers numerous security options and can be used without creating an account.

Remember that you sacrifice some anonymity when you associate your voice with your MAP identity.

Enable Auto-Delete

Some messaging services have a feature that automatically deletes messages after a set amount of time. To determine whether autodeletion is available for a specific service, type the name of that service followed by "auto-delete" into a search engine.

Enable this feature for as many MAP-related conversations as possible (a deletion time of approximately 1 week is usually best). Remember to save any important messages before they are automatically deleted.

Limit Sharing

Disclose as little information about yourself as possible. No space is truly private, and anything you post can be screenshotted and shared elsewhere. Never share information that could reveal anything about your real identity.

Tips:

• Remove timestamps from screenshots before sharing

• Post screenshots of photos, not original images, to remove location metadata

• Be vague (or lie) about your age, location, career, etc.

If you do share personal information privately, remember that people can lie about their status in the community and even create multiple accounts to portray themselves as trusted by others. Once you reveal sensitive information, you cannot control how it is used or shared or whether the account you shared it with remains secure.

Avoid Untrusted Links

When your browser loads a website, it shares information about you and your device with that website. Some people can take advantage of this and obtain that information just by convincing you to click on a link. Never open links that seem suspicious or were sent to you by a stranger.

Use a Safe Email

After creating an email address for your MAP identity, you should ensure the email service you use does not leak your IP address.

Check your email:

1. Close all MAP-related apps and websites

2. Turn off your VPN if you have one running

3. Open this website

4. Click Start

5. Send an email to the address provided

6. Wait for the website to display your results

If you plan to send MAP-related emails from multiple different platforms and devices, we recommend checking each combination of these.

Even with a safe provider, email is still an insecure form of communication and should not be used for conversations involving sensitive information.

Use a Password Manager

A password manager allows you to use complex and unique passwords for every account, making it harder for a malicious actor to gain access even in the event of a data breach or if one of your accounts is compromised.

Some web browsers and operating systems have built-in password managers, however, these often do not work in private mode or on devices on other operating systems. Bitwarden is a trusted password manager with a feature-rich free version and apps for a variety of platforms.

Setting up Bitwarden:

1. Create a free Bitwarden account

2. Download Bitwarden on any necessary devices

3. Generate new passwords for your MAP accounts

4. Add the new passwords to your Vault

If Bitwarden doesn't quite fit your needs, you can check out other options, such as Proton Pass.

If you do not want to use a dedicated password manager but still want to strengthen your passwords, Passwrd is a customizable password generator that can even be installed as a web app and used offline on some devices.

We recommend using randomly-generated passwords of at least 20 characters (including at least letters and numbers) for all MAP-related accounts.

Use 2-Factor Authentication

2-factor authentication (2FA) verifies your identity before allowing you to log in, making it difficult for a malicious actor to gain access, even if they have your password. It does this by requiring you to input a code obtained using a mobile app on your phone during the login process.

Preparing to use 2FA

Before you can use 2FA, you must download an app to allow you to obtain verification codes. There are dozens of these apps available, however, many of them can only be used on one device, causing you to be locked out of your accounts if you are unable to access that device. Authy allows you to back up your account so that you can access your codes even if your device is lost or broken.

Setting up Authy:

1. Download Authy

2. Enable 2FA on at least 1 account

3. Enable Authy Backups

4. Add additional devices if necessary

You should write down your Backup Password and store it somewhere secure (but not in your password manager). If you lose it, you will not be able to receive verification codes on new devices.

Enabling 2FA

On most websites, you can find 2FA settings in your account security settings. This website also contains a list of some popular services that allow users to enable 2FA.

When setting up 2FA, you should always select the Authenticator App option (depending on the website, it may be titled slightly differently). Never enable an option that allows verification codes to be emailed or texted to you, as this is insecure and easy for hackers to exploit.

Most websites will give you one or more recovery codes when you first enable 2FA. Always save these, as they will be the only way for you to access your account if you are unable to obtain a verification code.

You should enable 2FA on as many MAP accounts as possible.

Stay Updated

Outdated apps and devices can leave you and your accounts vulnerable to viruses and security exploits. You should check for app updates weekly and system updates once per month on all your devices. Consider enabling automatic updates wherever possible.

Avoid Suspicious Programs

Programs, apps, and browser extensions from untrusted sources can contain viruses. Check the reviews before installing and stick to reputable sources, such as your device's built-in app store or the website of a well-known developer.

Enable Antivirus

Some operating systems come with built-in antivirus software. Enabling this can protect you from malicious programs designed to steal or even delete your data. You can usually find the relevant controls under security settings.

Dedicated antivirus software can provide additional protection, however, it is unnecessary for most users and can harm the performance of your device.

Hide Your Identity

Any MAP or ally with a public presence should take extensive steps to ensure their real identity remains concealed. 

Use your MAP identity

Integrating components of a fake identity into information you share publicly can help obscure your real identity. While using the same MAP identity as in private spaces, such as support groups, is an option, creating a separate identity for public spaces is recommended.

Remember to keep any false information believable. Oversharing or repeatedly changing the fabricated aspects of your fake identity may allow malicious actors to recognize and overcome your strategy. Refrain from sharing specific information, whether real or false.

Rotate public identities

Over time, identifying details can pile up across accounts. Replacing your public MAP identity on a regular basis makes it harder for a significant amount of this information to be collected. Some people create a separate identity for every account, while others use the same identity across several platforms.

Limit the number of people who can connect any of your public MAP identities to each other or the consistent MAP identity you use in private spaces, and never use the same account under more than one identity.

Avoid Being Targeted

Discussing certain life experiences, even in private, may make MAPs and allies more likely to be targeted by malicious actors.

Avoid discussing these topics on MAP accounts:

• Experiences working with or around children

• Past illegal activity

• Involvement in non-MAP minority spaces

• Real-life interactions with other MAPs or allies

Protect Your Contact Info

When creating MAP accounts on social media websites, provide as little information as possible. If an email is required, use one associated with your MAP identity. If a website requires your phone number, Google Voice allows anyone with a Google Account to create a virtual phone number. Be aware that Google Voice numbers expire after a period of inactivity, potentially allowing hackers to pick them up and take over unsecured accounts.

Make sure you disable contacts syncing (and remove the app's contacts permission on mobile) for any platforms that collect contact info. MAPs and allies have been outed because social media platforms recommended their account to friends and family members after syncing their contacts.

Additional actions:

• Twitter - Enable password reset protection

Audit Yourself

Regularly review the information about you that is publicly available under both your real identity and your MAP identities, then make changes to reduce that information. A good way to accomplish this is by pretending to be a malicious actor with varying amounts of information about yourself. See what else you can find about yourself using that information and a search engine.

Additional Resources:

• Access Now's Self-Doxing Guide

Our Advanced Tier has information about removing information from data collection websites.

Update Privacy Settings

Many apps use data they collect to target recommendations or create activity records that could reveal sensitive information. Disable data collection wherever possible on any accounts you plan to use for MAP-related purposes.

In the event that a MAP or ally is doxxed, the privacy settings on their real-life accounts can determine how much information the doxxer obtains. Review these settings regularly, keeping in mind that they will dictate what a potential doxxer is able to see if they find your real identity. Pay close attention to any websites that show up when you search for yourself using Google or another popular search engine.

Remember to change these settings when setting up new accounts in the future.

Delete Old Posts

After several months, any account's public history can be a treasure trove of outdated beliefs and sensitive information. Removing old posts from both your MAP and real-life accounts can boost privacy and reduce your risk of being targeted if you regularly discuss controversial topics.

Some platforms have tools and settings (usually under privacy settings) to help you manage old posts, and you should use these wherever possible.

Use Encrypted Messaging

Some MAPs and allies require an additional layer of privacy on their messages. Encryption provides this by making it nearly impossible for anyone except the sender and intended recipient(s) to read message contents.

Element

One of many interconnected servers on the Matrix network, Element provides encrypted messages and group chats. Its reliance on usernames and decentralized nature make it a particularly robust option for MAPs and allies.

Session

Session is the least invasive messaging app available, requiring no personal data or information to use. It is decentralized and provides strong anonymity, making it a common choice among MAPs and allies.

Session is still in the early stages of development and bugs are common.

Use an Encrypted Email

Though most emails are encrypted in transit, many email services have the ability to decrypt your emails once they arrive. Encrypted email services add an additional layer of encryption so that only you can access your copy of the email.

Proton Mail is among the most well-known encrypted email services, with a fully-functional web app and mobile apps for both iOS and Android. If you already use ProtonVPN, your existing Proton account comes with access to ProtonMail.

Tutanota is another popular encrypted email service, with a web app as well as several desktop and mobile apps. Though it is less popular, its free version is less restrictive than ProtonMail's.

Using an encrypted email service only protects your copy of emails. If senders and recipients do not use an encrypted email service, their email provider will be able to read their copy.

Use a Dedicated Password Manager

While the password managers built into browsers and operating systems are simple and easy to use, they lack several security features. We recommend using a dedicated password manager, such as Bitwarden or Proton Pass.

Avoid these:

• Google Password Manager

• iCloud Keychain

• Microsoft Authenticator

• Browser-based password managers

Ideal security features:

• Customizable password generator

• 2FA login

• Secure password sharing

• Encrypted document storage

• Import and export features

Disable 3rd-Party Cookies

A cookie is a small file that a website saves to a user's device in order to remember something about that user. While these play a vital role in allowing websites to function properly, cookies can also be exploited by hackers to reveal sensitive information. 3rd-party cookies are are particularly risky and often serve no functional purpose.

Many modern web browsers include an option to disable 3rd-party cookies. To learn how to find this setting in your web browser, type "disable 3rd-party cookies" followed by the name of the browser into a search engine.

Some websites may exhibit unexpected behavior with 3rd-party cookies disabled.

Avoid Phishing

Phishing occurs when an attacker tricks their victim into revealing sensitive information, often by posing as a trusted entity.

Attackers may pose as:

• A friend or colleague

• An organization's customer safety team

• A financial institution

• Tech support

The end goal of a phishing attack is often to obtain your login information for an account, usually by convincing you to enter it on a fake login page.

Signs of a phishing message:

• Incorrect sender address

• Grammar and spelling mistakes

• Links to suspicious URLs

• Email service flags it as spam

If you receive a suspicious email, mark it as spam and delete it without clicking any links or responding. If the email claimed to be from a specific website, check your account on that website for any similar notifications. If you accidentally click a link in a suspicious email and enter login information, change the password on that account immediately.

One way to reduce your risk of phishing attacks is to avoid sharing your MAP email except in the process of signing up for online accounts.

Prevent SIM-Swapping

In a SIM-swap attack, a malicious actor manipulates a mobile carrier into giving them control of the victim's account. This allows them to intercept SMS (text) messages and phone calls intended for the victim, usually with the goal of obtaining gaining access to the victim's online accounts.

Many mobile carriers allow customers to enable additional security features that prevent SIM-swapping attacks. To learn about the options available to you, type "sim-swap protection" followed by the name of your mobile carrier into a search engine. Additionally, avoid linking your phone number with online accounts or use a Google Voice number instead.

Signs of a SIM-swap attack

• Inability to send or receive texts or phone calls

• Loss mobile data availability

If you suspect you have been targeted by a SIM-swap attack, contact your mobile carrier and change your settings on any accounts that are set up to send sensitive information or security alerts via text or phone call.

Update Contact Info

Many websites allow you to recover an account using your contact information. As a result, accounts with outdated contact info can be stolen by hackers and other malicious actors to obtain sensitive information. Keep your contact info up-to-date on any accounts that store it.

Check for Data Breaches

Even if your security practices are strong, the same may not be true of the services you use. While data breaches can feel unavoidable and uncontrollable, knowing when they occur and what data was exposed is an important part of any security strategy.

Have I Been Pwned is a free service that allows anyone to check if their personal information has been exposed in a data breach and sign up for notifications about future breaches.

Using Have I Been Pwned:

1. Visit Have I Been Pwned

2. Enter your email and click pwned?

3. Sign up for notifications

4. Follow the confirmation instructions

5. Repeat for each email you use

You can reduce the potential impact of a data breach by using a unique password for every online account and enabling 2FA wherever possible.

If you are alerted that your data was exposed in a data breach, do the following:

• Change your password

• Update your contact info

• Add 2FA

Create Security Alerts

Sometimes, updates and changes can introduce security bugs into platforms and services you already use. While these may not directly expose your data, knowing about them when they happen can help you keep your accounts secure until the issue is resolved.

Setting up an alert:

1. Visit Google Alerts

2. Type the name of a service followed by "security bug"

3. Click Create Alert

4. Repeat for each service you use

Use Separate Identities

If possible, use a separate identity on every account, in both public and private spaces, and replace public identities regularly. Minimize the number of people who know that any of your identities are the same person.

We recommend against using more than one identity in a single private space, such as support groups, as this could be seen as manipulative behavior and result in you getting banned. However, occasionally switching to a new identity within private spaces is permissible.

Opt Out of Data Collection

Data brokers collect and sell people's private information. This is a major privacy risk to any MAP or ally engaged in high-visibility activities, as a malicious actor who obtains even a single piece of sensitive information could gain access to a substantial amount for a small fee.

Many data brokers allow people whose information they have collected to opt out and have their data removed. This website contains a sizable list of data brokers and information on the opt out policies for each. Please begin by reading the instructions at the top of the page, as they will help you prioritize 200+ data brokers listed.

We do not recommend completing any opt-out process that requires payment, as this only funds future data collection. Additionally, some data brokers will relist your data after a certain amount of time. You should check back at least once per year to request the removal of any new data.

Depending on the laws in your region, there may be additional ways for you to protect your personal information. We recommend researching your local and regional privacy legislation.

Prioritize Tor

MAPs and allies engaged in high-visibility activities may face additional threats and increased doxxing attempts. Using Tor whenever possible prevents your device from sharing sensitive information that could aid malicious actors. When Tor is not feasible, you should consistently use a VPN.

Use a Private Operating System

Most mainstream operating systems are not private by design and require separate software to keep users' data safe. Using an operating system centered around privacy and anonymity can overcome these weaknesses and provide much stronger data protection.

Tails

Tails is an operating system that runs off a USB drive, giving you access to a secure system across devices. It clears all local data (excluding file storage) when you shut it down, leaving no trace of past activity on the device or USB drive. It also routes all internet connections through Tor and comes with several privacy-preserving tools and applications preinstalled.

Whonix

Whonix is an operating system that runs on a virtual machine inside your existing operating system. This allows you to use a secure system for MAP-related purposes while retaining access to your computer for everything else. It is centered around Tor and includes a variety of privacy-enhancing features to protect your personal information.

Use an Offline Password Manager

Even with a reputable password manager that encrypts user data, storing passwords online still carries an element of risk. Offline password managers mitigate this by storing your passwords in an encrypted file directly on your device.

We strongly recommend storing the encrypted list of passwords generated by your offline password manager in at least 2 locations and updating the backup regularly. You should also store the key to decrypt this file in a secure location.

KeePassXC

KeePassXC is a free, offline password manager for computers with all the features you would expect from a cloud-based password manager. It stores passwords in the .kdbx format, which is compatible with all KeePass-based password managers.

Use Encrypted Cloud Storage

Many cloud-based file storage systems give the storage provider the ability to access and read your files. Encrypted storage protects your data while providing many of the same benefits as the most popular storage providers.

Filen

Filen is an encrypted storage provider that offers 10 GB (20 if you use the join button above) of storage under their free plan. In addition to a variety of apps so you can access your files across devices, their platform also contains features like file history and public sharing.

Back Up Your Data

One downside of encrypting your devices' data is the risk of data loss in the event of a software bug or glitch that prevents data from being properly decrypted. Regularly backing up your data can reduce the potential impact of this issue.

The most secure option is always backing up your data locally, such as on an external hard drive. If this is not feasible for you, we recommend backing up encrypted data to a privacy-centered cloud storage service. To learn how to create a backup of the data on your device, type "create backup" followed by the operating system and version your device is running into a search engine.

We do not recommend storing MAP-related information using built-in backup features (Google One Backup, iCloud Backup, OneDrive Backup, etc.), as companies may have the ability to decrypt and read the data in the backups created by these tools.

Strengthen Security Settings

MAPs and allies engaged in high-visibility activities may experience hacking attempts on their MAP and real-life accounts. We recommend reviewing the security settings on all of your online accounts and strengthening them wherever possible.

Recommendations:

• Use stronger passwords

• Enable 2FA

• Disable 3rd-party app access

• Log out old sessions

Some companies may offer advanced protection options for high-risk users. We recommend enabling these so long as they do not infringe on your privacy.

Additional actions:

• Enroll in Google's Advanced Protection Program

• Enable Advanced Data Protection for iCloud