Security/privacy for MAPs

by Miami Autumn — March 2021

Online teaching. Little girl working on the laptop. by Nenad Stojkovic
Anti-MAPs (antis) have a long history of harassing, doxxing, and endangering minor-attracted persons (MAPs). Hence, security and privacy are necessities for MAPs; this includes both social and technical implications. If you have any suggestions for this article, please contact me.

I. Social protection

Identity

It is strongly recommended to use a pseudonym when participating in MAP communities or discussing minor attraction online. Effective pseudonyms are difficult to tie back to a MAP's personal identity. Be aware of what is being shared and whether it may be identifying. Overly specific details shared from a MAP identity could potentially lead back to a personal identity.

Details such as a general age (e.g., 20s) or general location (e.g., United States) alone are not identifying. However, when combined with other data (e.g., time zone, state/city, occupation, exact age, birth month, interests, hobbies, etc.), a person's identity can be narrowed down to relatively few people. While this alone isn't necessarily dangerous, it can be in some circumstances, especially if a MAP's personal identity is also public (e.g., on public social media, published literature, etc.).

In addition to being cautious about what's shared through their MAP identity, a MAP should also be cautious about what's shared through their personal identity. It's advisable for public figures in the MAP community to consider limiting or deleting personal social media accounts and making an effort to reduce their digital footprint. Techlore has an excellent video tutorial about how to accomplish this effectively.

Publicity and permanency

Assume that MAP communities are public and that anyone can gain access to them if they are dedicated enough, and assume that anything said on the internet is permanent. Even if something is deleted, there is no guarantee whether someone may have already saved it offline, especially on public social media sites such as Twitter, Mastodon, and Reddit.

Trust and sensitive information

In MAP communities, trust is earned, not given. Always question the possibility that someone isn't who they say they are. Be cautious when sharing sensitive information, and never publicly admit to unadjudicated illegal activity.

Only disclose sensitive information if everyone in the conversation is also willing to disclose the same sensitive information.

When disclosing any kind of sensitive information, do so on a secure, end-to-end encrypted platform such as Session, Element, Signal, or Telegram secret chats (regular chats are not end-to-end encrypted on Telegram). Direct messages in most MAP communities and public social media are not private and can be read by community administrators. View the messaging and email section for more info.

Disclose sensitive information conservatively and gradually. Talk to the person for at least several weeks, and ask questions to affirm their trust. Ask how they feel about the topic, drop hints at it, etc. Be reasonably confident that the person is who they say they are and that they can be trusted with the information intended to be disclosed.

Always keep in mind that publicly disclosing unadjudicated illegal activity is a rule violation in most MAP communities and is dangerous. Never publicly admit to unadjudicated illegal activity.

II. Technical protection

Browsers

People rely on their browser to protect them from online tracking. Common browsers like Google Chrome and Microsoft Edge allow people to be tracked and have poor privacy customization options.

Tor Browser is the best browser for privacy and security. It is designed to make people using it look like everyone else using it, so people cannot be targeted by trackers. When using Tor Browser, web traffic is routed through the Tor network (view the networks section for more info), which means that websites and attackers cannot see a person's real location; they can only see that a person is using Tor.

Tor Browser is based on Firefox, which is also a solid option for secure browsing if it is customized and paired with a virtual private network (view the networks section for more info). Safari is another secure browsing option for people who use iOS and MacOS.

To ensure that a browser isn't storing local logs of browsing activity, enable private browsing mode. Some browsers allow private browsing to be set as the default browsing mode. Tor Browser is always in private browsing.

Tor Browser offers three security settings: standard, safer, and safest. These options are sufficient for nearly all browsing circumstances. However, if online activities require the utmost security, people should use TailsOS (view the operating systems section for more info) with the safest security settings in Tor.

Important: The safest security setting in Tor Browser uses NoScript to block JavaScript elements on webpages but does not actually disable JavaScript. To disable JavaScript natively, people must go to about:config in Tor Browser and toggle javascript.enabled so that it is set to false. JavaScript should be disabled in circumstances requiring utmost security because it increases attack surface and leaves people vulnerable.

Do not change any settings in Tor Browser except for the security setting and disabling JavaScript. The settings in Tor Browser are specifically designed to resist tracking and make everyone using Tor look the same. Changing settings can decrease anonymity.

In Firefox, browser fingerprinting can be resisted by going to about:config and toggling privacy.resistFingerprinting so that it is set to true. This setting is enabled by default in Tor Browser.

For iPhone users: The official Tor Browser is not available on iOS because iOS requires browsers to use WebKit (Tor Browser is based on Firefox, not WebKit). iPhone users can use Onion Browser by Mike Tigas, which is endorsed by the Tor Project. Onion Browser is open-source and provides adequate privacy/security for nearly all use cases. However, Onion Browser has some known limitations.

Never use the Android Tor Browser or Onion Browser for activities that require utmost security. Mobile devices have inherent limitations that cannot be surmounted, and this could place users at risk in some situations.

Encryption

Unless a device has been encrypted, chances are that all of the data on that device is accessible to anyone who gets ahold of it. Encryption protects people's data by making it appear to be a string of random characters until a passphrase is entered to decrypt it.

VeraCrypt is free and open-source encryption software that can be used on Linux, MacOS, and Windows. iPhones are encrypted by default when a passcode is enabled, and encryption on Android phones depends on the model.

Important: If a device is powered on and a passphrase has been entered to decrypt it, then it is not fully encrypted again until it is powered off. In order to encrypt the device completely again, power the device off; do not just lock it.

Most operating systems have native encryption software that can be utilized. VeraCrypt is free, open-source, and cross-platform.

Android — depends on the model and may require people to manually enable encryption in settings or download an app that encrypts the device.

iPhone — encrypted automatically when a passcode is set in the FaceID/TouchID & Passcode menu in Settings.

Linux — can use LUKS for encryption. Enabling this depends on the distribution.

MacOS — has FileVault start-up disk encryption that can be enabled in the Security & Privacy menu in System Preferences. Disk Utility can be used to encrypt external drives and create encrypted partitions within MacOS.

VeraCrypt — available for Linux, MacOS, and Windows and can be used to encrypt system partitions as well as to create standard encrypted volumes and hidden volumes.

Windows — does not offer free encryption software. However, VeraCrypt is available for Windows.

Messaging and email

Direct messages in most MAP communities and public social media are not private and can be read by community administrators. When disclosing any kind of sensitive information, do so on a secure, end-to-end encrypted (E2EE) platform such as Session, Element, Signal, or Telegram secret chats (regular chats are not E2EE on Telegram). End-to-end encryption ensures that message content can only be read by the person sending the message and the person(s) receiving the message.

It is highly recommended for MAPs to use a separate email address for their MAP identity that is not tied in any way to their personal identity. Protonmail and Tutanota are two email providers with strong privacy practices. Email is generally not considered a secure form of communication; however, Protonmail and Tutanota allow the option to send E2EE emails that require a password to open. If both people are using the same email provider, then emails are sent E2EE without requiring a password.

Session is open-source, E2EE, and uses an onion-routing network to ensure that people using the app are anonymous. It does not require a phone number, email address, or anything else to register.

Element is open-source and has an option for E2EE (it is not always enabled; it must be enabled manually). Element requires a real email address to register, but this email address is not displayed to other people.

Telegram is partially open-source and uses E2EE in secret chats (regular chats are not E2EE). Secret chats are only one-to-one; E2EE group chats are not supported. Telegram requires a real phone number in order to register, and this phone number is shared by default; however, phone number sharing can be disabled in the Telegram settings. When adding a new contact, Telegram shares people's phone numbers by default, but this can be prevented by disabling it when adding new contacts. If Telegram has access to a person's contacts, it will allow people to find each other using their phone numbers.

Signal is open-source and E2EE. It requires a real phone number, and this phone number is shared with others.

Networks

One method that antis use to dox MAPs is to send a link to a website that will gather the MAP's internet protocol (IP) address, giving the anti the MAP's approximate location. With that information, antis can narrow a MAP down to very few people and figure out the MAP's personal identity.

To protect against this, MAPs can use Tor. The Tor network is a decentralized network of servers that provides people with anonymity. When a person is connected to Tor using the Tor Browser (view the browsers section for more info), websites they visit are only able to see that somebody using Tor is accessing their website; they cannot see the person's real IP address.

MAPs can also use a virtual private network (VPN), which acts as a proxy between a person, their ISP, and the websites they’re visiting. VPNs are similar to Tor in this regard, but they are less secure/private than Tor. ProtonVPN is a free VPN with strong privacy practices. Other solid choices for VPNs include IVPN, Mullvad VPN, NordVPN, and ExpressVPN.

Without any special precautions, internet service providers (ISPs) and other attackers like the police can view all of the websites people visit and the data transmitted to and from them (e.g., browsing activity, passwords, etc.), and the internet protocol (IP) address of the person transmitting the data (which can be used to find people's approximate locations).

By using HTTPS, which is relatively standard now, the data transmitted to and from websites is encrypted so that only the person sending the data and the website they're sending it to can see it. However, websites that are visited are still visible to the person's ISP and to attackers, and the person's IP address is still visible to websites and to attackers. Even if a site is not using HTTPS, Tor still encrypts traffic in transit to Tor relays. When using Tor, a person's ISP can only see that they are accessing Tor, not what websites they are accessing. EFF has an awesome visual representation of how Tor and HTTPS work to protect people's privacy.

Tor is more secure/private than a VPN because a VPN only provides pseudonymization, meaning that people who use VPNs still look unique, whereas Tor provides anonymization, meaning that everyone using Tor appears the same. In addition to this, VPNs require trust in the company operating them to keep their data private. Tor is open-source and decentralized, so trust is not required.

Operating systems

Both MacOS and Windows collect data on people by default. However, on MacOS, this data collection is minimal and anonymized so that it cannot be traced back to a person's real identity, and most of this data collection can easily be opted out of in System Preferences. Windows, on the other hand, tracks people who use it, and it is difficult (and in some cases impossible) to opt out of data collection. Regardless of their operating system of choice, people should spend time exploring the settings and disabling any unnecessary data collection.

For people who want the most private and secure option, Linux is the desktop operating system of choice. It is free and open-source, and there are many different distributions of it for a variety of uses. TailsOS is a Linux distribution that runs off of a USB drive. TailsOS is amnesic, meaning that data is stored temporarily in RAM and is deleted when the operating system is shut down, and all network traffic in TailsOS is routed through Tor (view the networks section for more info), making people's internet activity anonymous. Other Linux distributions include Debian, Ubuntu, and many more.

On mobile, iPhone (iOS) is a more secure and private option than company-built Android phones (e.g., Samsung Galaxy). iOS has minimal, anonymized data collection that can be easily opted out of (much like MacOS). Stock Android phones like the Google Pixel can be used to install a custom operating system like CalyxOS or GrapheneOS.

Passwords/passphrases

It's a good idea to shift thinking from passwords to passphrases. Using a short phrase comprised of uncommon words is more secure than using a single word or a random string of a few letters. Including numbers and symbols can also improve passphrase strength. This also makes it easier to remember because words are easier to remember than letters. Some examples of passphrases (do not use these specific passphrases):

23NikesWithCalculatedHops

HecticMacBooks'FastProcessers

Using a secure password manager is a convenient way to have passphrases stored for easy access. Most browsers have a built-in password manager; however, these password managers are not always as secure as other options. Firefox has a secure built-in password manager. BitWarden is a free, open-source password manager. People who use MacOS and iOS can use iCloud Keychain, which is end-to-end encrypted but is closed-source.