Updated September 28, 2020
Journalists have long faced threats in reprisal for their work, and in the internet era, attackers can leverage information published on social media and professional websites to hack, abuse, shame, or defame their target.
Attackers may steal information to impersonate a journalist, manipulate it without consent, or they may dox journalists—and potentially their colleagues or family members—by researching and publishing their home address or other private details. Journalists should be aware of what information about them is in the public domain, consider what it reveals about them, and take steps to remove it where possible.
Be aware that it is very difficult to remove data from the internet completely, something to remember when posting online. Whether sites comply with requests to remove your personal information may depend on whether it is connected with an account you control, or owned by a third party.
Search engine algorithms also take time to reflect changes, so content may remain available for several days even if your request is successful.
To assess your personal information:
- Keep an eye out for news reports and accounts of other journalists having their private information published without consent. Such doxxing attacks increasingly target journalists on all beats, but awareness of new trends will help you take the right precautions.
- Research yourself to see what information about you is available to others. Enter different spellings of your name into multiple search engines – find some you don’t use frequently or that operate in a foreign language market to broaden your results. Check image and video results as well as websites in different languages. Set a reminder to do this regularly.
- Decide what personal data should not be public. This may include your location, date of birth, private contact information, and financial information. Remember that seemingly innocuous details, such as your pet’s name, might help someone impersonate you.
- Set up separate phone, email, and social media accounts for work and personal use. Doing this makes it harder for someone to access everything if one account is breached.
- Review your social media accounts regularly to see what personal data is exposed based on your privacy and security.
- Sign up for credit monitoring services that can alert you of fraudulent activity on your accounts.
To remove information from accounts and websites you control:
- Delete any personal data you have identified that should not be public.
- Ask family and friends to limit the information they publish about you, and each other.
- Review your website or any other sites you operate for sensitive, identifying information, and find ways to remove it where possible. For example, use a contact form instead of listing your email or physical address.
To remove information elsewhere:
- Contact the sites to ask that they remove information about you. Depending on the type of site, where they are located, and the laws governing the information, they may or may not comply. Check each site to understand its policies.
- Contact Google Maps to blur or remove your home or other identifying information.
- Ask search engines like Google Search to remove links from public search results.
- Sites such as people directories take personal information from public databases.
- Ask directories to remove your information, though it is likely to reappear unless you are able to remove it from the source.
- Contact the creator of the public database, normally a government body, to see if your information can be removed or made private. Laws about this differ by country.
To respond if harassment intensifies:
If you’re experiencing intensifying online harassment, it may signal that you could be targeted in more invasive ways. It may also be wise to step up precautions in advance of a high-profile byline, pressure resulting from elections, or coverage of other events.
- Set all your social media profiles to private; ask family members to do the same.
- If you haven’t already established the habit, carry out regular searches to see what kind of information about you or your family is being shared in the public domain. Increase the frequency; if necessary, ask a friend or colleague to do this for you in order to minimize your exposure to abusive content.
- Take immediate steps to remove information that exposes your location or otherwise increases your risk. Be aware that data removal takes time.
- Be aware of the possibility of fraud if private information about you has been publicized. Consider contacting your employer, bank, or utilities companies to let them know if you have been doxed.
- Document posts that attack you, threaten you, or use your information without consent and report them to the relevant social media platforms for removal, or to law enforcement if needed.
If you face serious exposure from doxing or harassment and your safety, work, or well-being is at risk, support and ongoing monitoring may be required. This can be expensive. If you can, ask your employer to hire a company for professional content monitoring and removal services. U.S.-based examples include DeleteMe or Recorded Future.
Editors’ note: This advisory was originally published on September 4, 2019. Information on assessing your personal information was updated on the publication date shown at the top.