Information Security: With Former CPJ Internet Advocacy Coordinator Danny O’Brien

In the course of reporting, you use technical tools all the time—a laptop on which to write articles and do online research; mobile devices to make calls and send email; cameras for photography; and recorders for interviews. These may be combined into one device which does many tasks. These devices contain a wealth of information necessary to your reporting.

This section is about secure use of these tools. This means protecting your information: ensuring you do not lose materials crucial to a story, and keeping confidential information private. It also means ensuring that these tools work when you need them—even if someone is trying to interrupt their use.

If you are working in the field, digital files might be the most precious items you carry. Losing notes or materials like photos and videos can derail a story. Letting your contacts list or itinerary fall into the wrong hands can put you or a source at risk. Allowing your tools to be confiscated, destroyed, or interrupted can prevent you from pursuing a story at all.

Digital attacks on journalists continue to increase in both quantity and sophistication. In China, foreign correspondents have seen their personal computers infected with surveillance software that was concealed as attachments to carefully fabricated emails. Authorities in countries from Ethiopia to Colombia have accessed reporters’ telephone, email, and text conversations. Government players are not the only ones who use digital surveillance and sabotage; large criminal organizations increasingly exploit high-tech opportunities. Opportunistic or “patriotic” computer criminals also target journalists working with valuable or controversial data.

In the end, good information security is rarely about fending off sophisticated attacks and Hollywood-style hackers. It’s about understanding what you have to protect and the motives and capabilities of those who might want to disrupt your work, then developing consistent habits based on those assessments.

Planning for safety

What to protect

Technology affects so many aspects of our work that maintaining comprehensive tech safety can be a substantial ongoing job. This section offers detailed information about the risks you may face, how to assess them, and how to defend yourself. For a quick set of personalized recommendations based on the tools you currently use, Citizen Lab’s Security Planner is an excellent resource to use as you begin the vital work of protecting yourself.

There are usually three risks you might think about:

  1. Loss. When your hard drive dies, your phone gets smashed, or you lose your camera's data card.
  2. Disclosure. Someone learns something that you would prefer to keep private.
  3. Interruption. Your network connection stops working, you can't send an email, or your phone doesn't have a signal.

When considering what you want to protect, imagine what's important to you to get your job done or to an adversary who wishes to disrupt your work. This may not be obvious, so it's worth careful reflection. Even if your work is largely transparent, there are still tools you rely on and material that should remain private.

Consider whether the information that sources have given you could put them in danger if disclosed. Some things may seem innocuous in one context, but present a danger in another. Access to your Israeli contact information when covering a story in an Arab country (or vice versa) can cause problems for all concerned. Even personal and travel-related information you've previously shared online could trip you up in another context.

Some assets are clear. You probably don't want to lose or disclose the files on your computer and mobile devices, and temporary interruptions would disrupt your work. Some assets are more ephemeral. You (and your sources) would probably prefer that your current location and location history not be disclosed. Likewise regarding a list of the people you communicate with and when, or a list of the sites you visit online while researching a story.

You also rely on technical resources to work effectively. How much would your work be disrupted by interruption to your email or to your ability to make phone calls or research on the Web, or even interruption of your network access entirely? It's worth making note of online services you rely on. Do you work on your notes, email, documents, and so on in a Web browser; how disruptive would an interruption of your access to those services be?

If you find it hard to keep track of all the tools, data, and resources you rely on, it may be useful to keep a journal of what you use over the course of a week.

Understanding the Threat

Now that you know what you might want to keep safe, it is worth putting a name or face to the ominous “they” who might want to compromise these assets.

Some threats are benign or environmental. Laptop hard drives sometimes die; without regular backup, that data is lost. Some threats come from a malicious actor—a government agent who copies your hard drive at the border, or a private detective who follows you around. It's important to consider both types of threats, but the effects are the same: the actor threatens the integrity of one of your assets.

When trying to enumerate malicious actors, it's important to consider their motivations. Who might want to disrupt your reporting or identify your source? Perhaps they wish to view non-public information you possess. Perhaps a threat isn't interested in you specifically. If a country censors the local Internet connection, that may interrupt your ability to communicate and research while you're there.

It's easy to think of an Orwellian surveillance state analyzing every digital breadcrumb. However, this is not the only threat you may face. Other actors may present much more urgent threats. You may be at greater risk from a specific part of an administration or a specific person such as a local police chief or corrupt government official. Do they have access to sophisticated surveillance equipment or are they more likely to have someone kick down your door and steal your laptop?

Also consider the possibility of attack by supporters or sympathizers of those who dislike your reporting. In many cases documented by CPJ, attacks are not directly perpetrated by governments or political parties, but by unconnected, “patriotic” troublemakers who perceive opposition or foreign media as legitimate targets.

Making a Plan

Technology security has some distinct foibles. It can be very hard to know when someone has rifled through your data. If someone steals your wallet or ransacks your hotel room, you are likely to notice. If someone makes a copy of your laptop's hard drive while you are out of your hotel room having dinner, you may never notice. The harm can be impossible to undo. Once your data has been lost, or someone has learned a secret, you can't get it back.

This is exacerbated by the fact that technology systems are complex, made up of many different parts that are always changing. Not even the smartest and most meticulous technologists can know the workings of every program on their computers, let alone how they interact with other software on the network and where those interactions could be exploited. Even if you’re not an expert on bulletproof vests, you can understand basically what they do and how. Computer security is much harder to comprehend intuitively. Real-world analogies rarely paint a full picture.

This means that your emphasis should be on simplicity. A small number of easy-to-use tools, techniques, and habits are always safest. Complex systems are hard to understand; involved procedures can fall by the wayside when tasks are urgent. Sometimes, effort spent fortifying one activity is unnecessary when there's a simple weak link elsewhere.

Focus on the people who are most likely to wish to interrupt your work, the lengths they may go to do so, and how proficient and effective they are likely to be. Use that knowledge to plan how to protect your work.

Once you have thought about who might wish to disrupt your work, what they might do, and how well they might do it, you can start planning the technical measures you will use to confound their plans. The rest of these suggestions are broad guidance about information security. Detailed technical advice can become out of date quickly, especially if a new vulnerability is discovered in a piece of technology.

Accounts

Your various online accounts likely contain a wealth of information that you would like to keep private including notes to sources and unpublished work. Access to your accounts allows someone to dig through your digital dirty laundry, as well as impersonate you or the publications with which you work.

Passwords

Most accounts are protected with a password or passphrase. This is unfortunate because memorizing a lot of good passwords is a real strain on the human brain, but guessing them is very easy for computers.

If a password is based on personal information then someone who knows you well — or looks you up online — may be able to guess it. A passphrase used on multiple sites is even more dangerous. If someone gains access to the password via one site, they can use that to access all your other accounts. Sites regularly suffer security breaches that effectively give attackers access to the list of usernames and passwords for that site. They can then use those same usernames and passwords to access other sites.

Attackers might also be able to compromise your email account, giving them access to a list of sites where you have accounts. They can then use the forgotten-password links that are available on most sites to take over control of those accounts.

Password managers

The best defense against online attacks is to minimize reliance on human memory. If you have a machine memorizing your passphrases, they can all be different, long, random, incomprehensible strings of letters, numbers, and symbols. That is what a passphrase manager does.

There are many password managers available, and each is slightly different. CPJ doesn’t endorse any particular applications. The important thing is that you pick a password manager that you like and then use it for all your accounts and passwords. Security experts tell CPJ that these are some of the most common:

Password managers are also good places to store other important website information.

Password recovery questions can provide a potential attacker an easy way to use public records to get around your strong passphrase. Never answer these questions truthfully. Instead create other random passphrases and store the questions and answers in your password manager.

Your password manager can also help keep track of what information you have shared with particular sites. If you lose your credit card or there is a data breach at a website you use, it can be useful to know which websites have your address, phone number, credit card info, or date of birth.

Passphrase creation & memorization

Not every password can be saved in a password manager. You will still need to remember the codes you use to unlock your computer and phone as well as the password to your password manager.

While it is impossible to memorize as many good passwords as you have online accounts, it is quite possible to memorize a few strong passwords or passphrases.

Secure memorable passwords can be made by randomly picking words from the EFF’s wordlist. Print the list, then roll a six-sided die five times and look up the corresponding word. Repeat until you have a ten-word passphrase. Write the passphrase on a piece of paper and keep that with you until you are confident that your new passphrase is lodged in your memory. Do not try to memorize the new passphrase instantly and make sure you have to type it a few times a day.

If you’re worried about losing the passphrase, it is okay to write out a copy and leave it in a secure part of your home or office. In a month, your fingers should be able to enter your passphrase without you even having to think of the words.

This process works because it creates passphrases that are impractical to guess, even if your adversary knows that you’re using this approach. Do not rely on other techniques, especially ones that seem easier or rely on words or phrases that you come up with yourself.
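The dice procedure above, worked through as an added example (not CPJ's or the EFF's code): it checks that a word list really offers all 7,776 choices, turns physical rolls into words, and computes how hard the result is to guess. The placeholder list is constructed with the same rolls-then-word layout as the EFF list, and the guess rate used for the estimate is an assumption.

```python
import itertools
import math
import secrets

DICE_PER_WORD = 5                 # five rolls of a six-sided die pick one word
LIST_SIZE = 6 ** DICE_PER_WORD    # 7776 possible roll sequences
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def constructed_wordlist():
    """Constructed stand-in for the real list: 'rolls<TAB>word' lines, placeholder words."""
    keys = ("".join(p) for p in itertools.product("123456", repeat=DICE_PER_WORD))
    return "\n".join(f"{k}\tword{k}" for k in keys)


def parse_wordlist(text):
    """Parse 'rolls word' lines and refuse any list that does not give 7776 distinct words."""
    table = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = line.split()
        if len(fields) != 2:
            raise ValueError(f"unexpected line: {line!r}")
        key, word = fields
        if len(key) != DICE_PER_WORD or any(c not in "123456" for c in key):
            raise ValueError(f"bad dice key: {key!r}")
        if key in table:
            raise ValueError(f"duplicate dice key: {key!r}")
        table[key] = word
    # A short or repetitive list silently shrinks the number of possible passphrases.
    if len(table) != LIST_SIZE or len(set(table.values())) != LIST_SIZE:
        raise ValueError("word list is incomplete or contains repeated words")
    return table


def words_from_rolls(rolls, table):
    """Look up words for a flat sequence of physical die rolls (integers 1 to 6)."""
    if not rolls or len(rolls) % DICE_PER_WORD:
        raise ValueError("need a multiple of five rolls")
    if any(r not in (1, 2, 3, 4, 5, 6) for r in rolls):
        raise ValueError("each roll must be between 1 and 6")
    keys = ("".join(str(r) for r in rolls[i:i + DICE_PER_WORD])
            for i in range(0, len(rolls), DICE_PER_WORD))
    return [table[k] for k in keys]


def entropy_bits(word_count):
    """Bits of entropy when every word is chosen uniformly at random from the list."""
    return word_count * math.log2(LIST_SIZE)


def years_to_search_half(word_count, guesses_per_second):
    """Expected years to hit the passphrase by trying candidates in order (half the space)."""
    return LIST_SIZE ** word_count / 2 / guesses_per_second / SECONDS_PER_YEAR


if __name__ == "__main__":
    table = parse_wordlist(constructed_wordlist())
    # Software dice stand in for physical ones here; the guide's procedure uses real dice.
    rolls = [secrets.randbelow(6) + 1 for _ in range(DICE_PER_WORD * 10)]
    print(" ".join(words_from_rolls(rolls, table)))
    print(f"10 words: {entropy_bits(10):.1f} bits")
    # Assumed attacker speed: one trillion guesses per second.
    print(f"years to search half the space: {years_to_search_half(10, 1e12):.2e}")
```

The estimate depends only on the list size and the number of words, not on which words came up, which is why the method holds even when the adversary knows it was used.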

Changing Passphrases

There is no need to change your passphrases unless you have reason to believe that someone else may have learned them. Security experts suggest using the service Have I Been Pwned, which can automatically notify you when your email address appears in data breaches or the like.

Two-factor authentication

Two-factor authentication (also called two-step verification, 2FA, or 2SV) is one of the most important measures you can take to secure your account. It can protect you against some of the most common methods of taking over accounts, like phishing and passphrase-compromise. 2FA comes in a variety of forms. They are all improvements over just a passphrase, but some methods are more useful than others.

Text Message

The simplest and most common form of 2FA is receiving a unique code via text message to use when you attempt to log in.

However, this 2FA method has the most drawbacks. Your cellphone must be online, so this approach might not work when you are travelling. Text messages are also relatively easy to intercept. A dedicated attacker might also attempt to hijack your phone number directly by calling your carrier and pretending to be you.

Many services won’t let you turn on better forms of 2FA until you’ve enabled the SMS 2FA first. After you’ve enabled a safer form of 2FA, see if you can turn off text messages. Some services will not let you, some will always allow text messages as a fallback even if you think you’ve turned them off, and some services turn off 2FA completely when you turn off text messages, forcing you to start over. Make sure to note the details of your 2FA setup in your passphrase manager, including the phone number you used, and which modes it supports.

Code Generator

A code generator app is a step above a text message and works on mobile devices. The app generates a new code approximately every 30 seconds. When you need to log in, you open the app, and enter the code. As with 2FA text messages, you need to have your phone with you. Unlike the text messages method, your phone doesn’t need to be online.

There are many code generator apps and they are, generally, mutually compatible. As with password managers, CPJ does not endorse any app. The most important thing is not which one you use, but that you use one. Here is a list of options suggested by security advisors to get you started.

  • Google Authenticator
  • Authy
  • FreeOTP
  • LastPass Authenticator
  • 1Password
  • Duo Mobile
  • Toopher

Security Key

The crucial limitation of text messages and code generators is that they rely on you to type a secret code into your browser. Anything that you can type into your computer can be phished; you can be tricked into typing something into an impostor site.

Security keys are typically USB devices and they communicate cryptographically with a website in a way that cannot be phished. Since the keys need to physically be in your possession for them to work, they are the most powerful tool available to secure an online account. Whenever you can protect an account with a security key, you should. This will ensure that the account will be locked down as tightly as possible.

A basic security key costs about $20 in the US. There are more advanced models that can fit unobtrusively in a laptop’s USB port so you don’t need to carry them separately. You only need to have one key; it is fine to use the same security key for multiple sites. It is also a good idea to have a backup key or two— perhaps one that you keep at home and one at the office.

If you use a security key for a website, try to disable all other forms of 2FA for that website— especially text messages.

Recovery codes

Recovery codes will give you a backdoor into your account even if you lose your phone, security keys, and everything else. As long as you still have the recovery codes from when you set up 2FA, you can use one in lieu of any of the other forms of 2FA when logging in (and then presumably change your 2FA settings to use your new phone/app/security key).

Google Advanced Protection

Google accounts can be locked down even further by enabling a mode called Advanced Protection. With this setting enabled, you can only access your account with a security key, the safest 2FA method. Advanced Protection also prevents outside apps from getting access to the full contents of your email inbox or Google Drive. This both blocks third-party tools like Thunderbird or Apple Mail, and protects against malicious or compromised apps. This is the safest that an account can possibly be, though it requires you to compromise some convenience. If you turn on Advanced Protection, it’s a good idea to keep backup security keys because that’s the only way to get into your account.

Phishing

“Phishing” is a catchall term for attackers trying to trick you into giving someone else access to your accounts.

When the attacker tries to tailor the hook to you personally (ostensibly sending the message from a friend or colleague, talking about issues or events you’re likely to be working on, etc.), that’s called spear-phishing, and it’s very easy to be deceived by it.

Phishing takes all sorts of forms, but there are some similarities. Typically, you will receive some sort of message: an email, a text, a Facebook message. The message either includes a link or a file. If it’s a file, it may attempt to exploit a vulnerability in the software that you use to open and view the file — like your PDF reader application or office software — and use it to install malware and take over your computer. A link may take you to the malware directly, and attempt to use any weakness in your web browser to take over your computer. We discuss how to respond to a malware attack later in this guide.

But if there isn’t malware involved, the link will probably send you to a login page, where the attacker wants you to enter your real username and passphrase on their fake site. Sometimes, the attacker is sloppy and the fake website doesn’t look quite right. But a successful phish will probably have a perfect fake, with no visible differences. While the web address will never be exactly right, when the attacker uses lookalike international characters, it can look almost exactly the same as the real address.

Your best chance to avoid this sort of attack is to maximize the number of opportunities you have to notice that something is wrong before you give your credentials to a fake site. If you use a password manager, it will not autofill your credentials on a fake address. Even if the web address looks exactly right to you, your password manager will know if one of the letters appears to look the same but is not. If you use 2FA and the site prompts you for the wrong type of authentication— a text message when you usually use an app, or a code when you usually use a security key— it might be a second chance to notice that something is wrong.
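Why a password manager is not fooled by a lookalike address, as an added example (a simplified model, not the code of any real password manager): it compares the hostname as the computer sees it, and separately flags labels that mix alphabets. The URLs are constructed on the reserved example.com domain, and exact-hostname matching over HTTPS is an assumption about the autofill rule.

```python
import unicodedata
from urllib.parse import urlsplit

# Constructed sample URLs. The second hostname swaps the Latin "a" in "example"
# for the Cyrillic letter U+0430, which most fonts draw identically.
SAVED_URL = "https://accounts.example.com/login"
LOOKALIKE_URL = "https://accounts.ex\u0430mple.com/login"


def ascii_host(url):
    """Hostname in the ASCII (punycode) form that is actually used for DNS lookups."""
    host = urlsplit(url).hostname or ""
    return host.encode("idna").decode("ascii")


def letter_scripts(label):
    """Alphabets used by the letters of one hostname label, read from Unicode names."""
    return {unicodedata.name(ch).split()[0] for ch in label if ch.isalpha()}


def mixed_script_labels(url):
    """Labels that combine letters from more than one alphabet, a common lookalike trait."""
    host = urlsplit(url).hostname or ""
    return [label for label in host.split(".") if len(letter_scripts(label)) > 1]


def should_autofill(saved_url, visited_url):
    """Fill credentials only on HTTPS and only when the hostnames are byte-for-byte equal."""
    saved, visited = urlsplit(saved_url), urlsplit(visited_url)
    return (
        saved.scheme == "https"
        and visited.scheme == "https"
        and ascii_host(saved_url) == ascii_host(visited_url)
    )


def assess(saved_url, visited_url):
    """Return (verdict, detail) describing how the visited address relates to the saved one."""
    if should_autofill(saved_url, visited_url):
        return ("match", ascii_host(visited_url))
    mixed = mixed_script_labels(visited_url)
    if mixed:
        # A hostname written entirely in another alphabet is not flagged here,
        # but it still fails the exact comparison above and gets no autofill.
        return ("lookalike", f"mixed alphabets in {mixed!r}, real name {ascii_host(visited_url)}")
    return ("different", ascii_host(visited_url))


if __name__ == "__main__":
    for url in (SAVED_URL, LOOKALIKE_URL, "https://example.org/login"):
        print(url, "->", assess(SAVED_URL, url))
```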

Periodic review

It’s a good idea to check on your accounts every month or two to make sure that no sneaky devices or apps have access to your info. Set a reminder to review your account security settings, and bookmark the account info pages for your most important accounts.

Your recovery details like email addresses and phone numbers can also be a way for someone to take over your account. Make sure that this contact info stays current and that you continue to have exclusive access to them.

Here are the account-management links for a few popular services.

Device safety

If someone else has control of the devices you use, no other protection is useful. Whoever controls the device can see everything you see, change what you think you see, impersonate you, and generally do whatever they want. Ensure that your devices are well protected so that they answer only to you, and nobody else can obtain access online or in person.

Never use internet cafés, hotel business centers, or other shared machines. These devices are universally rife with malware and any account you log into with one of these is almost guaranteed to be compromised.

All WiFi access points are suspect, whether it is a trustworthy hotel or an obscure coffee shop. The best safeguard is a trustworthy VPN. Unfortunately, there are a lot of unscrupulous VPN providers out there and in particular any VPN that’s free or very cheap is probably selling your data. CPJ doesn’t recommend any specific VPN providers, but TunnelBear is the only commercial VPN that has undergone a public security audit to test its baseline technical proficiency and commitment to transparency. Security experts told CPJ that you are even safer if you are also using a Chromebook or an iOS device.

Physical access control

If someone steals your device, or confiscates it at a checkpoint, a border crossing, or during an arrest, you need to make sure that they can’t obtain access to the information on your device.

Encrypting your device ensures that information physically stored on it is scrambled and that the information cannot be unscrambled without the passphrase. All devices support this feature one way or another. On PCs, the technology is called BitLocker. On Macs, it’s called FileVault. On Linux, LUKS is normally set up when installing. All iOS devices are encrypted by default. Because of the variation in Android devices, there are several different names for the same feature, but it’s typically called device encryption and can be accessed in the security area of settings. Some Android devices are encrypted by default. If you are encrypting an Android device be aware that it can take a few hours and should probably be run overnight to minimize inconvenience.

Encryption passphrases should generally be the ten-word random passphrases discussed above. On iOS, a twelve-digit numerical code is sufficient because of the defensive design of the encryption system.

Biometric access is not as safe as an unlock code. Someone arresting you can easily force your finger onto the biometric sensor. There are various accessible approaches to fool the fingerprint sensor of any device. If you do use biometric unlock— no matter on what device— make sure to disable that feature before you go into higher-risk situations, like airports, protests, etc. iOS (version 11 or later) has an extra feature called Emergency SOS which lets you turn off the biometric unlock by pushing the power button rapidly five times. This can be great if you find yourself in a surprise pickle.

For laptops and Android devices, simply having the device powered on leaves it vulnerable to attack from someone with physical access to the device. The safest way to cross a border with any device is to have it fully powered off rather than in sleep or suspend mode.

Make sure that all your devices lock when not in use. Mobile devices should automatically lock after one to three minutes and laptops after two to 10 minutes.

Software safety

Every piece of software on your computer represents a potential source of vulnerability. It only takes a small mistake in the design of one piece of software on your computer to allow malware to take control.

It is imperative to install software updates as soon as they are available. Many devices can download and install software updates automatically, which is the best option if it is available. Otherwise, whenever your device informs you that an update is available, let it install and do not put it off. From the moment an update is available (sometimes even before) attackers are beginning to target vulnerable machines. Every moment you delay updating increases the risk of your devices being compromised.

Chrome

You will need a web browser on all of your devices. Security experts recommend that you use Chrome. It is the safest browser. It’s well-designed, resists attacks better than any other browser, and has an extensive security team that is constantly improving its systems.

As with software on your laptop, every extension that you install in Chrome presents an additional safety risk. This doesn’t mean that you should not install Chrome extensions, but be cautious and conservative about the ones you pick.

Experts tell CPJ that there are a few extensions, in addition to your password-manager, that are good choices for security.

HTTPS-Everywhere from the EFF automatically upgrades connections from the insecure HTTP protocol to the safer HTTPS (the ‘S’ stands for “secure”) protocol when a site supports it.

Privacy Badger, also from the EFF, heuristically disrupts trackers. Privacy Badger can cause some sites to render poorly or work less well. When that happens, you can temporarily or permanently disable it for that site.

uBlock Origin blocks one of the most common sources of drive-by malware online: advertising. It’s unfortunate that advertising is such a common source of malware, because many sites rely on advertising to function. But the reality is that sites have little to no control over the ads they show, and thus no way to prevent malware.

Minimize Software

Any device should have the absolute minimum amount of software necessary to get the job done, because every piece of software presents a risk. Do not install games on a machine where you view and write documents. Do not install office software on a device that you use to relax.

Some pieces of software present greater risks than others. Any unlicensed or pirate software presents a huge security risk. It does not benefit from the usual update channels, and can come pre-packaged with malware. PDF viewer applications are universally risky. As long as you have a PDF reader installed, you are one double-click on an infected PDF away from disaster. Remove the viewer applications from your computer and open all PDFs in Chrome instead.

Office software is another common source of vulnerabilities and infections. Digital security experts tell CPJ that using Google Docs and removing desktop office software will completely protect you from the risks of office files laced with malware.

The provenance of a file doesn’t make much difference when it comes to determining its safety. A friend or colleague who sends you a file might be perfectly trustworthy, but their computer may already be compromised with infectious malware. After a few documents are sent around from a compromised device, every computer could get infected. Defend yourself by using Google Docs instead.

Antivirus and firewalls

Antivirus software is not a useful defense against malware. In fact it actually increases the number of ways that your machine can be compromised, especially by a sophisticated attacker.

Interactive firewalls are very useful, not just at protecting you from malware, but also for protecting you against the less-than-scrupulous acts of the legitimate software you use. The built-in Windows Firewall works fine for much of this. Little Snitch does the same sort of thing on a Mac, and provides much more control.

Safest devices

Security experts tell CPJ that the safest devices you can use are iOS mobile devices and Chromebook laptops. A Chromebook is nearly impossible to infect with malware. Additionally, powering a Chromebook down and then turning it back on again ensures that you start over with a fresh slate, every time.

iOS devices are the safest phones and tablets. Security experts say that they are not quite as difficult to exploit as a Chromebook, but they are much better than almost all Android devices.

Communicating safely

There is no such thing as a completely secure way to communicate. While some methods or tools can protect aspects of your communication, nothing can protect it all. It is important to keep in mind the two basic categories of information that are at risk: the content (what you’re saying) and the activity records (who you’re communicating with, when, for how long, and how frequently).

End-to-end encryption

End-to-end encryption protects the content of communications. When a message or a call is end-to-end encrypted, your device scrambles it, making it completely impossible to decipher without a specific key. The only place that key exists is at the other end of the call on the other person’s device. No one else has the key, so no one else can access the content. Only the ends of the communication have the ability to unscramble it.

If an app promises a new approach to encryption, a proprietary algorithm, a secret method, or anything “military grade” or “NSA-proof”, you should be skeptical. Inventing new crypto is very difficult; it’s easy to get wrong and almost impossible to work out what mistakes you have made. Moreover, cryptographers don’t think of new encryption setups as secure until they have been published and other cryptographers have had the chance to spend years attacking and trying to break them. Any app or service offering new or secret crypto is, therefore, irresponsible.

Another red flag is the term “military-grade,” which refers to an old and obsolete way that cryptographic tools were regulated, and is now completely irrelevant. If you see this phrase, it probably means that the service provider is trying to bamboozle you.

Activity records

Knowing who you talk to can reveal as much as knowing what you say. For a source, the mere fact that they have spoken with you can be enough to get them in serious trouble, whether or not anyone knows what he or she said. Moreover, it is frequently possible to infer the subject of a conversation just by seeing the sequence and recipient of calls, as these examples show.

Unfortunately, protecting activity records is very difficult. The more frequently you communicate with the same people, the more records there are, and the easier it is to draw conclusions. This is mostly a problem if you are worried about actors who wield substantial power and could, for example, monitor all network connections in your area or force service providers to disclose information.

In terms of activity records, the best security you can get is to use a service provider that stores the minimum possible amount of information and refuses to give it out without a literal or legal gun to their head. It’s no guarantee, especially if you’re being watched, for example by the NSA, but it’s the best you can do.

The only exception to this rule is SecureDrop, a tool built on top of the Tor network that comprehensively scrambles information about who is talking to whom. SecureDrop is nothing like a chat app. It requires a fair bit of infrastructure to be deployed by you or your newsroom, and it’s not easy to have a consistent back-and-forth with sources. But SecureDrop does offer a reliably anonymous way for sources to get in touch, and a (somewhat awkward) communication channel that can be used to set up a more convenient (but still safe) way to talk.

Specific tools

Although this is not a comprehensive list, here’s a summary of what is revealed when you use certain popular communication tools.

Phone calls. Content is unencrypted and subject to wiretap. Calls made from mobile phones can be intercepted wirelessly. Calls made from landlines can be intercepted either with a court order or by those with either access to telecommunications companies’ equipment or physical access to your phone line. Activity records are produced meticulously for the purpose of billing and retained for extended periods.

Postal mail. Content is only encrypted if the material is an encrypted hard drive or other storage medium. Some postal services photograph the outside of envelopes or packages and retain these or other routing records. If used without a return address, postal mail can be a relatively anonymous way to receive materials.

Email. Messages are stored by providers in a format they can read. Messages may or may not be encrypted when sent between providers. Activity records are easy to falsify, but are generally retained by providers for extended periods.

SMS text messages. Content is not encrypted and can be viewed by telecommunications companies or intercepted wirelessly. Content may be stored for extended periods. Activity records are produced meticulously for the purpose of billing and retained for extended periods.

Signal. Content rigorously encrypted. Activity records not retained by service provider. App offers auto-deletion of messages after hours to days (optional). The app attempts to resist forensic analysis of devices. One of the safest ways to communicate via text messages, voice & video calls, or to send files. Because of the tool’s reputation for security, using it may raise suspicions.

WhatsApp. Content rigorously encrypted. Unencrypted copies of conversations typically available in device backups (unless feature disabled). Activity records potentially retained by Facebook. A decent option second only to Signal. A popular tool whose use is unlikely to stand out to authorities.

Facebook Messenger. Secret conversations offer rigorously encrypted messages; regular conversations do not. App offers auto-deletion of messages in seconds to a day (optional). Activity records retained by Facebook. Facebook’s ubiquity makes use unsuspicious.

Slack. A team conversation tool. Messages are not end-to-end encrypted, but are encrypted en-route to Slack. Slack retains copies of all messages subject to retention policy. A popular team conversation tool with a robust security team, but a security breach could be catastrophic.

Wickr Pro. A team conversation tool. Messages rigorously encrypted and automatically deleted after a short period (which can be configured). Lacks Slack’s risk of centralized failure, but more expensive.

Semaphore. A team conversation tool. Messages rigorously encrypted. Activity records somewhat obscured. Some rough edges, but lacking Slack’s risk of centralized failure.

Social Attacks

The most common forms of attack online are not technical; they are harassment and abuse. Anyone who publishes news with a byline or credit can expect to see some level of negative response. The total quantity of abuse you experience depends greatly on your personal identity, the things you report on, and the people who follow your work. Women, people of color, and members of the LGBT community typically experience substantially more trolling and harassment. Angering specific well-organized political or social groups can lead to substantial surges in abuse.

It can be hard to predict when you are going to see a particular upswing in this sort of attack, though sometimes you can be aware that the story you are working on may agitate those who are likely to make your life difficult.

The best mitigation is preparation: taking steps in advance to limit the more extreme impact that can come out of focused online abuse, and making plans for what to do if a situation escalates.

Psychological impact

Irrespective of other impact, all online abuse takes a psychological toll. Access to support and self-care along with supervisors and colleagues who understand and accommodate you will be your best assets in managing this health risk. Blocking, muting, or otherwise silencing repeat harassers can be effective at limiting impact, but some dedicated harassment communities create new accounts quickly enough to render this strategy impractical.

If you experience a sudden spike in harassment, it might make sense to have someone else temporarily screen your messages. It’s somewhat less stressful to read threats and abuse directed at someone else, so the impact on your screener may be less than the toll reading these messages would take on you. Having someone else review messages rather than simply ignoring them also allows your screener to notice specific threats, such as those specifying your address, place of work, or family members’ identities.

In the case of escalating online harassment, the psychological toll can be substantial. Any measures normally appropriate for psychological stress may be helpful. If harassment and abuse are an unavoidable part of your work, having a strong support system including a professional therapist or counsellor is a good idea.

Escalation to attack

Harassment can escalate from simple online abuse to physical attacks. Online accounts are a common first target. Good use of a password manager and random answers to security questions should protect you from a lot of these attacks. If you see an escalation in online harassment, that’s a great time to change passwords, turn on 2FA, and otherwise lock down your accounts.

Doxxing is the practice of searching for private and personal information (‘dox’, from ‘documents’) and sharing it online in order to embarrass or enable other, more ambitious attacks. Doxxing can be hard to prevent because you don’t always have direct control over the people and places that store your personal information. No password-management practice can protect you from a dedicated attacker who manages to trick the receptionist at your doctor’s office into forwarding them your medical records.

You can make some information about yourself harder to locate. Use a nearby mailbox service (especially one not run by the United States Postal Service) rather than your physical home address to reduce the number of places that know where you live.

Make your voter registration information private through national, state or municipal processes and make a security notation on other public records about you. Use a public forwarding phone number to conceal your actual cellphone or landline number.

You can also notify companies that you are worried about doxxing or identity theft.

Ask the companies if you can set a PIN to access your account over the phone. See if it’s possible to set a fraud risk notation or other security flag on your account to make customer service representatives more suspicious of unknown callers seeking access to your accounts.

Pay particular attention to providers of critical services, like power, water, gas, garbage, internet, mobile phone service, or other utilities. After making these sorts of changes to your accounts, call back and act like an attacker trying to break in. Make a note of what sort of information is needed to get into each account and what other accounts can provide that sort of information about you. Is there an escalation path from hacking a minor account to being able to turn off your power or water at home?
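The escalation-path question above can be worked through on paper or, as in this added example (not part of the original guide), as a small self-audit script. The account names, the facts each one asks for, and the `escalation_paths` and `with_pin` helpers are all constructed for illustration; replace the inventory with the notes from your own callbacks.

```python
import copy

# Constructed sample inventory (not real accounts). "needs" is what a phone
# agent asks for before granting access; "reveals" is what you can read once in.
ACCOUNTS = {
    "food_delivery":  {"needs": {"phone"}, "reveals": {"home_address"}},
    "mobile_carrier": {"needs": {"phone", "home_address"},
                       "reveals": {"card_last4", "email"}},
    "internet":       {"needs": {"home_address", "card_last4"},
                       "reveals": {"account_number"}},
    "power":          {"needs": {"home_address", "account_number"},
                       "reveals": set()},
    "water":          {"needs": {"water_pin"}, "reveals": set()},
}

def escalation_paths(accounts, known):
    """Map each account an outsider can open to the round in which it falls."""
    known, opened, step = set(known), {}, 0
    while True:
        step += 1
        # Accounts whose every required fact was known at the start of this round.
        newly = [name for name, acct in accounts.items()
                 if name not in opened and acct["needs"] <= known]
        if not newly:
            return opened
        for name in newly:
            opened[name] = step
            known |= accounts[name]["reveals"]  # facts learned feed later rounds

def with_pin(accounts, name):
    """Copy of the inventory where `name` also demands a PIN only you know."""
    hardened = copy.deepcopy(accounts)
    hardened[name]["needs"].add(name + "_pin")
    return hardened

if __name__ == "__main__":
    start = {"phone"}  # assumption: your phone number is already public
    for label, inv in (("before", ACCOUNTS),
                       ("carrier PIN set", with_pin(ACCOUNTS, "mobile_carrier"))):
        reached = escalation_paths(inv, start)
        print(label, sorted(reached.items(), key=lambda kv: kv[1]))
```

In the sample data a public phone number leads to the power account in four steps, and a PIN on the mobile carrier account cuts the chain after the first.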

If personal information like your phone number, address, or social security number is publicly released, you may see more significant attacks. Abuse of your address could be as simple as ordering a hundred pizzas to your house to inconvenience you. It could be as dangerous as calling in a phony hostage situation to your local police department in the hopes that they’ll overreact, break into your house, and arrest or kill you (a tactic called “swatting”).

Plan for what you can do if particular pieces of information are leaked. If your address is leaked you might want to contact your police and warn them about the swatting risk, if it seems safe to do so.

Any time someone makes a specific threat against you, take that threat seriously. The more specific the threat and the more detailed the description, the more credit you should give it.

If someone makes a specific threat about coming to your home and knows your address, do you have a safe place to stay for a while? If your financial information is revealed, do you know where to call to place fraud alerts and disable credit accounts? Do you know how to obtain a new social security number?

Planning for these situations can be stressful. But it’s much less stressful to plan ahead than to try to take these steps in a hurry when things have already gone wrong.
