If the #MeToo movement had caught on in 1997, the many people coming forward would still have had to worry about getting sued, in addition to the myriad other consequences of challenging their harassers. But because it caught on in 2017, they also have to worry about getting hacked and being subject to mass online attacks, trolling, and other forms of harassment that can unfortunately be the cost of speaking out.
I’m a technologist with the ACLU’s Speech, Privacy, and Technology team, but outside of my day job, I’ve been working for the better part of a decade with people — mostly, but not all, women — who have been targeted online. I’ve also been a sexual-misconduct whistleblower myself, so I know the personal cost of speaking out. People often feel powerless in the face of unknown threats from the internet, but there’s a lot that whistleblowers can do to stay safe while coming forward.
The digital defense tips below are for individuals. They address threats against specific people, not the systemic problem of harassment. There’s an important conversation happening about how institutions — from universities to software platforms to law enforcement — handle online threats. In the meantime, though, these are some concrete things that individuals can do to feel a little safer about speaking out and confronting power.
Secure your accounts and devices
Start by using unique passwords everywhere. This is the most important advice I can give anyone. Let’s be real, most people reuse the same password everywhere. This is dangerous, because if any one of the places you’ve used that password gets hacked, that password could potentially be reused to break into your other accounts. We’ve seen that happen on a widespread level in what are called “credential stuffing” attacks, but it’s also a common way to target individuals who speak out.
Unique passwords are a pain to keep track of in your head, so use a password manager like LastPass (which has free-of-cost or premium options), 1Password (which is a bit more expensive), or one of the many free and open source apps. Lock the password manager with a strong password that’s long and generated with some kind of randomness, like picking words out of a book. (Here’s a simple guide for picking a strong, random password.)
Be alert for phishing. If your name has been in the news and someone decides to target you, “phishing” — sending an email made to look like it’s from Facebook, Google, or one of your friends — is a common way to try steal your passwords in order to break into your accounts. Using a password manager offers some protection from phishing because your password won’t autofill if you click on a link that sneakily points you to “trustmeiamdefinitelygoogle.com.” But that email request from your aunt to remind her of your birthday, first pet’s name, and other detailed private information? Maybe give her a call back to be sure it was really her.
Take it up a notch with two-factor authentication. Two-factor authentication protects you even if your password gets stolen. By requiring you to type in a code from an app or text message, or tap a notification or a hardware token, adding a second “factor” to log in makes sure it’s really you entering your password. It’s especially important to set this up for your email address, whether it’s Gmail, Outlook, or Yahoo, because control over your email account allows an attacker to reset many other passwords. Other key accounts to lock down include your Twitter, Facebook, and iCloud accounts. The best two-factor setup is a hardware key (e.g. Yubikey), then a time-based one-time password app like Google Authenticator. Getting your code via text message is the least secure way to do this, as dedicated attackers have been known to steal phone numbers out from under people in targeted attacks.
Stay patched. Install those pesky security updates for your operating system and apps — especially your browser. If you’re buying a new phone, iPhones and Google-branded Android phones are the most secure because they get consistent software updates; other Android phones get less frequent or no security updates.
Scrub your public information
“Doxing” is the non-consensual spreading of personal information such as addresses and phone numbers in order to intimidate and direct violence at someone. It’s a frequently-used tool in the arsenal of those who don’t like it when people speak out about abuse.
In some cases, like if you own a home, there isn’t much you can do to get your information completely out of the public eye. But it’s still worth spending some time to opt out of the services of “data brokers” who will happily hand over your personal data in bulk to the denizens of the internet for a few dollars. Check out stopdatamining.me and the Privacy Rights Clearinghouse for lists of brokers and instructions for opting out of each. You might want to start a spreadsheet to track which one’s you’ve checked out, which ones you’ve opted out of, and which ones have successfully purged your data. It can be a bit of a project, and there are commercial services like Abine’s DeleteMe that will do some of the work for you.
In addition to the data brokers, search Google and Bing for your phone number plus your first name, and your phone number plus your last name. Do the same thing for your street address and your first or last names. These might show up in all kinds of places — a flyer for a theatre project you worked on, a Scout troop newsletter, a friend’s old tweet. Sometimes you’ll be able to get them removed if someone you know was the one who posted it or the site has an opt-out process. Sometimes you won’t — but at least you’ll know how difficult or not it will be to track down that information.
If your information is or has been public, one specific threat to know about is “swatting.” While rare and usually related to video games rather than sexual harassment, this type of attack has in at least one case resulted in a death. An attacker calls 911 with a fake report of a hostage situation, bomb, or other critical incident at the target’s address, resulting in an overly militarized team being sent to confront the target or their family. If you are concerned about this kind of attack, call your local police’s nonemergency number and alert them to the likelihood of false reports about your address. Here is a verbal script to explain swatting and request that extra precautions be taken by first responders if a report is received about your address.
These are just some of the basics. If you’re interested in diving into more detail, I’ve written a longer guide that includes mental health resources and detailed notes on interacting with the media. For example, what does “off the record” mean as opposed to “on background”? How do you decide which journalists to talk to? Other useful resources include Crash Override’s resources and Feminist Frequency’s online safety guide.
And remember: You don’t need to handle this all on your own. Enlist a team to help you monitor social media and triage email. And make sure you remember to eat. Remember that progress is a choir, not a solo number. You don’t have to answer every media request. You don’t have to engage with every troll, even when they are infuriatingly wrong. You’ve done a brave and powerful thing by speaking up — you get to pick your battles from here on out.