Welcome to “Ask a security trainer,” the column where the Digital Security Training team at Freedom of the Press Foundation (FPF) answers your burning questions at the intersection of journalism and security. Submit yours here! Let’s jump right into this week’s question.
Dear DST,
I’ve been seeing prominent individuals in politics attacking journalists online in response to their reporting. What can journalists do to address some of the risk when receiving this kind of attention?
Signed,
Under the Eye of Sauron
Dear Under the Eye,
First, let’s separate out what to do if you’re bracing for potential harassment or are experiencing acute harassment now. The responses are very different.
If you’re a journalist in the middle of an incident, you may need hands-on assistance. For immediate incident response resources, reach out to our friends at Access Now’s Digital Security Helpline.
In this column, though, we’ll primarily walk through what you can do ahead of time to prepare for potential harassment.
Back in the long, long ago, when Twitter was still Twitter, there was once a tweet that read, “Each day on twitter there is one main character. The goal is to never be it” — something that’s still absolutely true and which applies across the web.
While many journalists are used to being criticized for their work, people with massive followings can cause enormous headaches for internet strangers, simply by speaking their name. When someone has a following that large, it only takes a small handful of especially zealous followers to cause a lot of damage.
Journalists who prepare for this possibility can significantly slow down, and sometimes stop, even the worst outcomes. It’s much easier for you to prepare for harassment in advance than to react to it as it happens.
First, know the typical tactics
One of the most common forms of harassment is to dig up and publicly spread personal information, such as your home address or phone number. This “doxxing” can be very intimidating, as harassers are then able to reach out over email, DM, phone, and more to send threatening or hateful messages. It can even escalate beyond that to physical threats, such as by “swatting” your home.
While it’s rarer, sometimes harassers will also try to access your accounts — the digital equivalent of jiggling your door handle to see if it opens. Typically this involves finding password dumps from previous public breaches to see if any will work on known login details, such as your work or personal emails.
Depending on how persistent harassers are, they might get bored and move on, or they might be willing to invest substantial effort into finding personal information, breaking into accounts, or even making it physical. You can’t really prevent all of these attacks, but you can make their job much, much harder.
This is why it’s so important to set up defenses in advance. Reacting to harassment often puts you in a “fight or flight” mode, where it’s hard to prioritize what defenses to put up in a suddenly time-sensitive moment. By preparing for harassment instead, you can slowly, deliberately put together defenses on your terms. You can then also just live life with a lower heart rate, feeling more confident that you have already done the work.
Finding and removing your online info
To lower the risk of doxxing, you’ll first need to understand what’s out there about you right now. Search for information you’re already aware of, so you can determine where it’s located. This might mean looking for social media handles, emails, phone numbers, home addresses, family members, locations, work history, and more. If you need help getting started, NYT Open has a nice guide.
From here, you can begin writing down the “problem sites” to contact about having your information removed. If you’re lucky, these sites might be controlled by friendly people, such as those you’ve worked with on publicizing events, who are happy to remove this information.
But more typically you’ll notice that many of these websites are data brokers — services that allow anyone to buy profiles on individuals, using commercial data and public records. While their information is not always accurate, it still gives harassers a set of leads to investigate. You can often opt out of data brokers individually. Our friend Yael Grauer’s Big Ass Data Broker Opt-Out List can help.
You can also ask Google to de-index web pages that have your personally identifiable information. This doesn’t work every time, and it will not remove the website at issue. But when it works, it removes Google’s link to the search result.
Removing this information is a bit like playing whack-a-mole because data brokers regularly repopulate new information. One alternative is to use a paid anti-data broker service such as Optery or DeleteMe. When your information reappears on data broker websites, these services will regularly send opt-out requests to remove your information.
This makes it more difficult — but not impossible — for harassers to find your personally identifiable information. It’s not cheap, but it might be worth the investment. (Newsrooms really ought to support this, in the way they would pay for other safety measures, but that’s a conversation for another time.)
Secure your accounts
Likewise, harassers may try to get into your accounts. To minimize this risk, it’s important to use two-factor authentication. This just means requiring a second piece of information to log into an account, such as a short code sent to your phone.
You probably have 2FA set up already on your bank account. You’ll want it in as many places as you feel comfortable, particularly your primary email account(s). Your email can be used to recover other accounts, so they are some of the most sensitive accounts you have. Check out our guide to using 2FA.
You’ve reused passwords, I’ve reused passwords. It’s only human. But the easiest way for someone to get into your account is by finding a reused password and trying it out on a bunch of your accounts. This is why we so often recommend using a password manager to create long, unique passwords that can be stored securely. Check out our guide to get started.
These measures are much easier and more effective to set up in advance. Try to avoid a scramble by frontloading this work as much as possible.
Finally, if all else fails and you find yourself being targeted by a famous person, or swarmed by their fans, know that there’s no one “right” way to respond. Some journalists love to swat down harassers themselves, and others prefer to have backup.
We think it’s important to lean on your network. Institutional backing can take many forms, such as public statements of support or colleagues stepping in to monitor unwanted comments. Importantly, this should be responsive to the person being targeted — what do they need to be OK?
But this kind of response also underscores how important it is for newsrooms to understand that these are often bad-faith attacks on reporters, sometimes based on their reporting and sometimes based on their identity. They potentially impact anyone doing this work, whether they think they’re doing politically sensitive reporting or not.
There’s a lot more to say here, but hopefully this is a helpful set of first steps. For more, check out this compilation of useful resources on preparing for online harassment created by our friends at PEN America, Consumer Reports, and elsewhere.
Whether you’re expecting harassment in response to a story, or you’re already experiencing it, reach out to learn more. Our digital security training team is ready to help.
Best,
Martin Shelton
