Unintuitive default: who can edit access in Google Docs

When you create a new Google Doc, you have the option to share it with others to view or edit. Viewing permission is straightforward, just view access, but by default, editors have the ability not just to edit the content of the document but also to edit sharing permissions. If you grant edit access for a private document to a collaborator and don't check the box for "Prevent editors from changing access and adding new people" in Advanced > Owner settings, they can share the document, edit history and all, with someone else.

A picture of the Google Docs sharing settings dialog after you've enabled access for anyone with the link; the Advanced settings in the bottom right corner is highlighted with a red arrow and box
This is what the Google Docs sharing settings look like after you grant edit access to anyone with the link. The button to expand the Advanced settings is pointed out in the bottom right corner.
A picture of the Google Docs sharing settings dialog after you've clicked to see the Advanced settings; the unchecked by default option to "Prevent editors from changing access and adding new people" is highlighted with a red arrow and box
Once you click to see the Advanced settings, make sure to consider whether or not you want to check the "Prevent editors from changing access and adding new people" box. If you've granted edit access to anyone with the link, leaving this box unchecked allows anyone to limit who can view your document.

Linking document editing to editing sharing permissions by default is particularly unintuitive to me in the context of documents where anyone with the link to the document can edit it: even in that case, anyone with edit permission - anyone who gets the link either from you or from someone else who had it sharing it, so potentially anyone on the internet - can change who has access to the document. Anyone with the link can limit access to the document, and that might subtly cause confusion when people who you'd expect to be able to view it suddenly can't.

Fortunately, no one can revoke access from the owner of the document, so once you're aware someone is locked out who shouldn't be, the owner can fix the sharing settings and decide whether or not to tick the "Prevent editors from changing access and adding new people" box.

Since discovering this accidentally, I always tick the "Prevent editors from changing access and adding new people" box when creating a new Google Doc, but that would probably have been more intuitive to have checked by default.

Reflections on XOXO 2018

If I actually wrote about XOXO 2018 last weekend like I had intended to do, I would have tried to write an article titled "XOXO strives to be what the internet should strive to be," and I probably would have never finished it. It's not that I don't still think XOXO tries to be what the internet ought to try to be; rather, it's that I have a misguided desire to separate what I feel from who I am, especially when I am creating, so that my words could find some unattainable universality and divorce themselves from my not particularly important existence compared with people substantially more eloquent and interesting.

This is particularly ironic for me in the context of XOXO. I've been lucky enough to get to go to every XOXO since 2014, and people I've met in XOXO's community have consistently valued my personal experiences and reminded me that I am happier and create better when I bring my whole self to creating.

It's even more ironic when I think back on the talks at this past XOXO, especially the one that resonated with me the most: Open Mike Eagle's discussion of his creative process and how difficult creating can be. Much of his talk was devoted to how he struggles to explain his creations to others when he himself is still not entirely sure how to succinctly describe the work he's created. He also touched on how creating with an eye on how an audience will receive what you're creating can hinder creating itself - the precise problem I narrowly dodged by procrastinating writing this essay!


XOXO Festival describes itself as "an experimental festival for independent artists and creators who work on the internet." This year's festival was my fourth XOXO, and the first one where I felt I could claim the words "independent creator" as words that described me. I finally had not just one non-trivial independent project, but two! I make two podcasts! Podcasts are on the internet! I could put things I was proud of on my badge! I finally felt like I created real things that meant I really deserved to be there, instead of being that person who was still working on creating the metaphorical space in their life for creating, someone who snuck in and was twiddling their thumbs until someone noticed.

My XOXO 2018 badge (Liz Denys - Loose Leaf Security & Private Vics) and lanyard with the many pins I accumulated over the course of the festival

This year's festival was attended by nearly twice as many people as the other three I've had the fortune of attending, and it was the first festival since I started to help moderate XOXO's lively Slack community. I don't know if it was because of either of those things or because of something else, but this festival was somehow the first one where I didn't feel like my creating brought much to the festival. I had substantially fewer conversations about what other folx were working on, what I was working on, and creating in general than at past festivals.

XOXO was also at a new venue located in a different area of Portland, one much less surrounded by a bunch of restaurants within walking distance, and despite the increased in attendees, there didn't seem to be an increase in food carts on site. The Andys (Andy Baio and Andy McMillan, the festival's creators) put in extra work to prioritize businesses owned by chefs of color, which is fantastic, and I'm sure worrying about the budget deficit didn't make it any easier to coordinate with the vendors they did secure. Unfortunately, the vegetarian and vegan options ended up being very limited, and there wasn't breakfast other than Pip's (delicious) donuts on site like there was in previous years. Between eating most meals offsite because many of my friends at XOXO are vegetarian or vegan, not having the excuse to meet up on site for breakfast before the talks, and getting to the main stage early because many of the seats weren't comfortable for myself and my friends, I found myself finding very little of a specific, rare type of serendipity in meeting awesome new folx I had come to associate with XOXO.


XOXO Festival may describe itself as "an experimental festival for independent artists and creators who work on the internet," but for many people, especially marginalized folx, XOXO is a lot more than interesting talks and performances by highly talented artists and creators: it tries - and often succeeds - to create a safe space for those traditionally left behind. XOXO has had a strong community code of conduct since at least as long as I've participated, and the Andys have discussed its enforcement openly at the festival and within the Slack community. But it takes a lot more than a solid, enforced code of conduct to create that sort of space. It requires recognizing your biases and actively thinking about inclusion - prioritizing diversity when creating the lineup; a fairer registration policy than first-come, first-served through surveys collected over more than a week; caring about physical, emotional, and financial accessibility; normalizing socialization without alcohol through the extensive, free non-alcoholic drinks menu while charging for alcohol; denormalizing assumptions like gender and pronouns through pronoun pins; and confronting the history of the lands you're standing on and the people you've displaced.

I used to joke that my gender was "a woman in tech" because I've never truly felt like a woman outside of society gendering me as one. During the past few months, I've come to realize I'd been hiding my feelings about gender behind humor. Demi Adejuyigbe brought an excellent talk on hiding behind humor to XOXO 2018, and one line really stuck out to me:

If I make fun of me, then it won't matter when other people do.

Demi wasn't speaking about gender, but when he spoke that line, feelings about how I've previously interacted with my gender flooded my existence. If I said that I was a woman, then it wouldn't hurt me when other people did.

I started to understand that I am non-binary, probably primarily agender, in no small part because of the space the XOXO community provides me to safely be who I am. For a time, XOXO was the only space I was actively out in. While I continue to deeply feel that acceptance and safety within the XOXO community Slack, I didn't truly feel that safety deep in my gut at the festival. If I sat and thought about it, I felt safe because I had my partner Matt and other friends who would help me navigate potential issues and because I felt the Andys would take those issues seriously, should something happen.

But it was a very intellectual form of safety, not the instinctual one I'd known in the past. Maybe it was the lack of gender neutral bathrooms that was corrected slowly as the conference went on, and being involved in figuring out how to fix that oversight took no small amount of emotional labor and energy from me, someone who was directly hurt by it. Maybe it was what seemed to be an increase in white tech dudes, many of whom complained about XOXO's inclusion of content warnings because they thought it was "simply 'for independent artists and creators who work on the internet'" - as though that isn't descriptive enough because XOXO tries to value and prioritize marginalized folx.


During past XOXOs, I have always cried - sometimes during talks, others back in my hotel room after experiencing days where I've felt radically seen as a person in ways I am not used to. But I'm the sort of person who cries a lot, and I've come to accept and expect that.

I didn't cry during XOXO 2018. I did cry a little after I flew home.

It's not that I didn't enjoy my time at XOXO - I did. I got to see a bunch of close, old friends, and I got to spend time in person with some newer ones. I listened to a bunch of fantastic talks, saw truly excellent performances, and played a variety of engaging arcade games. I just wasn't expecting the expectation mismatch after experiencing three other XOXO festivals.


A week before this year's XOXO, another attendee started a lovely discussion about being a survivor by asking:

What's a motto that holds meaning for you? A line from a book or song or movie that expresses the difficulty of learning to thrive after years of surviving?

I immediately thought of a line I love from a Tori Amos song I don't really love anymore:

I'm okay when everything is not okay.


After the closing concert (Lizzo was incredible, by the way), I finally made my way to Dear Future Me, Alice Lee's interactive mural installation. Participants wrote postcards to their future selves that will be mailed a year later.

I knew I wanted to participate, but I kept putting it off because I didn't know what I wanted to write. I kept worrying about who future me would be, and how they would receive my letter. Plus, many of the participants wrote more eloquent and interesting letters than I could ever write.

So when I finally sat down in the calm environment Alice created to write my postcard as the festival was drawing to a close, my brain jumped around all the things that felt off that weekend. How I felt so different from how I had imagined I would have felt. How I didn't quite feel okay.

Then, it hit me, and I smiled.

A postcard with scripted writing: Dear future me, You're okay when everything is not okay. ♡, Liz circa 2018

Dear Future Me,

You're okay when everything is not okay.

Liz circa 2018


  1. Open Mike Eagle, Rapper/Podcaster - XOXO Festival (2018)
  2. The awesome new work Open Mike Eagle performed and discussed during his talk is out now!
  3. This is 100% me projecting my impostor syndrome onto what does or does not clearly "qualify" someone to attend XOXO. The festival's materials about registration clearly state that there are not minimum qualifications one needs to meet to attend XOXO:
    This survey isn't an application — we're not judging or ranking you based on your answers. We use these responses to answer a simple question: is this someone who makes things, or builds tools to help people make things? Artists and creators of any kind are immediately approved.
    More on how that survey helps later in the article.
  4. Some folx lovingly refer to XOXO as a festival for meeting Twitter mutuals in real life. I don't actually have many mutuals I don't know well in other contexts who attend XOXO, so while this has never rang true for me in any technical sense, I relate to the sentiments.
  5. From the inclusion policy:
    XOXO acknowledges that we rest on the traditional lands of the Multnomah, Wasco, Cowlitz, Kathlamet, Clackamas, Bands of Chinook, Tualatin Kalapuya, Molalla, and many other Tribes who made their homes along the Columbia and Willamette rivers.
    Also, the opening night events at XOXO 2018 were kicked off with a presentation from Rukaiyah Adams about race in Portland, the history of displacement due to the venue's creation, and a possible future for the neighborhood in the Albina Vision Project.
  6. Demi Adejuyigbe, Screenwriter/Comedian/Podcaster - XOXO Festival (2018); Demi also gave an excellent surprise presentation about jazz.
  7. A couple weeks before the event, I recall myself and the other moderators workshopping text to place near the gendered bathrooms' signs to try to make them less unwelcoming because they were all gendered. Based on how that discussion was started, I thought that there was nothing the Andys were allowed to do to change that for rental agreement reasons. It turns out that I had made an incorrect assumption there, probably in part because being told there wouldn't be gender neutral bathrooms was incredibly disheartening for me, a non-binary person, at the time. I have spent a non-trivial amount of time since worrying about what else I miss like this. I don't believe the Andys intentionally meant to exclude the creation of gender neutral bathrooms from the plan, but it is one of the many subtle difficulties that arise when you have two cis white men running an event. (I hope that the Andys include more people, particularly people different from them, at all levels of event planning for future XOXOs. I also hope that increased delegation will help everyone, including them, breathe a little better during future festivals.) I regret not pushing back a lot harder on the lack of gender neutral bathrooms, especially because of the harm that it did to other folx.
  8. If you believe this is not descriptive enough, I'd encourage you to sit with the work you need to do around why you're okay with the status quo's failure to do the same. I'd also like to highlight how bizarre that is, first, in the context of the internet, which is often praised as being a place for everyone when it's at its best, and second, in the context of independently-produced art, which gives voices to those shut out by traditional publishing structures and other gatekeepers.
  9. While I mostly found the talks to be excellent, I did find them to be generally more exhausting and less emotionally touching than in the past, though I do not believe that their themes were particularly different. It could be that I was multitasking by keeping up with people's needs on Slack as a moderator or that 2018 in general feels different. It could also be that I'm creating more and thus feeling more in tune with creating, so other folx discussing their creations and their creating didn't feel as though it was touching on things I hadn't thought as much about, like in past years when I was creating less. (This doesn't flow exactly, but since I mentioned how 2018 feels, I must mention a quote from Cameron Esposito's amazing keynote relating to part of why 2018 doesn't feel particularly different for her: "Art dismantles power; otherwise, it's propaganda.")

New Loose Leaf Security episode: digital photos and privacy

Making sure your digital photos aren't leaking your location or other information is one of the most important technology-related privacy issues influencing your physical safety, so make sure to catch the latest episode of Loose Leaf Security:

A hand holding a digital camera over a table set for a tea party: two teacups, jam, clotted cream, scones, deviled eggs, and a tart; the screen on the camera also shows the tea party spread

Digital photos and privacy

Digital photos contain more than meets the eye: they have metadata and other hidden information that can compromise your privacy. Liz and Geoffrey take a look at Exif metadata and other non-obvious ways that photos from your phone or camera might be sharing more than they want. Also, the new iOS 12 has some neat security features, and Yahoo! Mail has some not-so-neat privacy concerns.

Also, iOS 12 is out now, so if you have an iPhone or iPad, make sure to update! And if you prefer to get your podcasts on Spotify, you can now find Loose Leaf Security on Spotify, too!

New Loose Leaf Security episode: security stories! Plus, a 2FA zine!

The previous Loose Leaf Security series on safely surfing the web was pretty dense, so Geoffrey and I filled the latest episode of Loose Leaf Security with a bunch of our own personal security mishaps:

A striped kitten walking on a laptop keyboard, the laptop has tape over the webcam and Loose Leaf Security's homepage on the screen

Security stories: lost phones, a compromised computer, and an unexpected keyboard cat

As a change of pace, Liz and Geoffrey take a look back at security incidents in their own lives and talk about lessons they've learned - why phone backups are important, an unintentional security hole, and a security key gone rogue. In security news, the GDPR results in mildly positive changes for web tracking, and Fortnite's installer has exactly the vulnerability we were afraid of.

We're also heading to XOXO tomorrow and made a zine on two-factor authentication to hand out:

Loose Leaf Security presents two-factor authentication, a zine making good computer security for everyone by Liz Denys & Geoffrey Thomas License and page 1 pages 2 and 3 pages 4 and 5 pages 6 and 7 pages 8 and 9

It's licensed under the Creative Commons Attribution-NonCommercial-NoDerivatives 4.0 International License, so you can copy and redistribute this zine in any medium or format. Feel free to download our zine for printing (8.5"x11", double-sided on the short edge and folded down the middle) or get the copy that's easy to view online or on your computer!

New Loose Leaf Security series: safely surfing the web

Three more episodes of Loose Leaf Security are out, a series about safely browsing the web:

Loose Leaf Security teapot on the horizon similar to the Netscape logo

The history of the Web and an introduction to browser security

The web can be a scary place - but once you get to know it a little better, it doesn't feel as scary. Liz and Geoffrey go back to 1990 to figure out how the web came to be what it is today and discuss how browsers keep us safe. Also, two very good improvements to HTTPS in today's version of Chrome, and the future of Android security just got a whole lot more complicated.

Tea kettle plugged into a wall outlet and a plate of frosted leaf cookies

Web security continued: cookies, plugins, and extensions

Continuing our exploration of web browser security from last episode, Liz and Geoffrey look into cookies, JavaScript, extensions, and plugins and discuss how best to mitigate their privacy and security risks while browsing the web. Plus, a serious Reddit breach provides a timely reminder to toughen your two-factor.

A red teacup with a man-in-the-middle design on it intercepts tea pouring from a teapot into a teacup placed on the table

Keeping your web browsing private

In the third and last episode in the series on web security, Liz and Geoffrey look at HTTPS and how it keeps your web browsing both private and secure, and they also investigate private browsing or incognito mode and what exactly that mode does for your privacy. Plus, a new version of the protocol behind HTTPS and the latest Android release are cause for celebration, while Facebook and Google's approaches to data privacy are cause for concern.

Head over to Loose Leaf Security or click the links above for the full audio and our detailed show notes. As always, you can subscribe to Loose Leaf Security in your favorite podcatcher or follow the project on Twitter, Instagram, and Facebook.