Changes: Mitigating internet trollstorms

Being the target of mass online and offline harassment, whether because of sexism, racism, or other issues, can be overwhelming and devastating. This document intends to provide actionable guidance for people who are being attacked or who are concerned about being attacked in the future, and includes both information security, physical security, and self-care advice drawn from the experiences of the Geek Feminism community.

Security update checklist

Should you become the target of an internet trollstorm, here are some immediate steps you can take to mitigate the damage:

• If you're not already using a password manager and unique passwords, prioritize changing important passwords:
  • Email, e.g. Gmail
  • Facebook
  • Twitter
  • Tumblr
  • Your domain registrar & hosting provider
  • Amazon & eBay
  • Apple
  • Banking
• Use a unique password for each site. Write them down or use a password manager (see below for more on this)
• If you use Gmail, review the "Last account activity" details; this page can be found below your email inbox.
• Go into security settings and verify which 3rd party apps you've granted access to. Remove unnecessary 3rd party access.
• Check what email address you have as a "reset" account or backup account.
• For services which allow posting-via-email such as Tumblr and Pinboard, have them generate a new email.
• Remove expired or compromised payment methods from accounts.
• Verify your account recovery information on important accounts, and (if possible) remove any where the answer has been leaked or otherwise findable.
• Ensure that you have a PIN set for your mobile phone provider. There is often one required for voicemail, and a separate one for when you call or visit to make changes to your account. See this AT&T support page for an example of the latter.
• Advise important parties (family, close friends, hosting providers, possibly your employer) what is happening and that they should verify any unusual inquiries with you.

Security practices

Passwords and authentication

• Use a password manager such as 1Password, Dashlane, KeePass, LastPass or Password Safe.
• Use different and complex passwords for each site.  Never re-use the same password on different sites. Your password manager can generate a good password for you.
• Avoid account recovery information which provides an easier route in, such as facts which can easily be researched (like zip code when your home address is publicly listed). 
• When updating your passwords, check the email address on each account. Since attackers can send password resets to the address on file, you should be sure every site has your most up-to-date and secure email address. If you have both a personal domain address and a Gmail or Yahoo or other corporate address, consider the corporate one more secure.
• Set up two factor authentication on any service that supports it, especially Gmail if your password reset emails are sent to that address. twofactorauth.org is a comprehensive list of which services support two factor authentication.

Computer and information security

• Don’t open strange attachments or click on strange links.  If this is not feasible, do so within a virtual machine or by uploading the file to Google Drive or Microsoft OneDrive until the storm has blown over.
• Go over your browser privacy settings. Chris Palmer from the Chrome Security Team has an excellent guide on how to do this for Chrome . Similar guides exist for other browsers, but Chrome is your safest bet.
• Disable Java in your browser. In fact, unless you really need Java for a specific reason, just uninstall it.
• Adobe Flash is a common vector for attacks and compromises. Use an extension like FlashBlock (Firefox , Chrome ) to allow it on a per-site basis.
• If you use Windows, deploy EMET
• Consider making offline backups (ideally isolated on more than one drive not regularly connected to the internet, such as USB drives or an external hard drive) of your blog/passwords/photos in case of compromise (backing up your blog is generally easy).
• If you own your own domain, use domain privacy if your registrar permits it. Keep in mind that domain records are archived by various sources and existing information will persist.
• Request that your personal information be removed from "people search" sites. StopDatamining.me maintains a comprehensive list of opt-out processes for these sites, or you can have Abine do it for you for a fee.
• Consider changing your wifi password, or setting up wifi security if your network is open. (If you have devices which require an open network, some routers can create an open "guest network" for those devices, while keeping the network with the rest of your information encrypted.) 
• Make sure that your computers have full disk encryption enabled. On Windows, use Bitlocker ; on Mac, use FileVault ; on Linux there are several options; see this howto for Ubuntu for example.
• Keep your devices physically secure
  • Don't leave your laptop unattended
  • Don't plug strange USB devices into your computer (one espionage attack tactic includes seeding the parking lot of sensitive locations with trojan horse "lost" USB drives)
  • Keyboards, mice, and other "harmless" USB devices can be compromised.

Non-tech identity theft stuff

• Use a PO Box, commercial mailbox, or a work address instead of your home address when signing up for services that require a mailing address (in the United States, this often required for services that send mass email because of the CAN-SPAM Act).
• Call the credit bureaus for your country and ask them to place a fraud hold on your credit report. There are commercial "credit protection" / "ID theft insurance" services that will do this for you, or you can contact the bureaus yourself.
  • Canada
  • United States - you can place either a 90 day hold or a 7 year hold
    • Equifax
    • Experian
    • TransUnion

Physical security

Some options to tighten up your physical security include:

• Security cameras at entrances at to your house, particularly if you live in a house rather than an apartment building.
• Door chain, bar latch, or deadbolt that can't be picked or opened from outside.

Recordkeeping and troll-tracking

• Set up a Google Doc or other shared file with your trusted readers/collaborators
• Collect IP addresses and screen names of trolls/harassers
• Include these records in your offline backups
• Collectively block those people from your social media accounts
  • Programs or websites might be available to automatically perform some of the blocking for you. On Twitter, consider @TheBlockBot or @blocktogether which can help you to block people who have already been blocked by others
• Note dangerous or particularly egregious harassers and potentially identify and out them
• Liz Henry has a great article on how to do this

Working with law enforcement

Reporting threats to law enforcement

You may wish to report threats of violence to law enforcement. While there have been some cases where harassers have faced judicial consequences, this is unfortunately rare. Despite the lack of effort most harassers put into their own operational security, getting law enforcement to do things like subpoenaing for IP addresses can be like pulling teeth. This is where record-keeping becomes extremely important - both of the harassment and of the interactions you have with the police; even if they don't take things seriously at first, having records of long-term harassment can be helpful if things escalate.

Here are some strategies to make this more effective:

• Bring a friend with you for interactions with the authorities- this is important both for moral support and for having a second person there to witness the interactions. If you're calling the police, put them on a speakerphone or if possible record the call.
• Provide detailed records - screenshots with timestamps and URLs, emails with full headers. Offer to provide printouts or a USB key if they would like a physical copy.

Swatting

There have been several instances recently of harassment escalating into Swatting, which is where a harasser calls law enforcement and reports a false claim of a hostage or other violent situation. If you're experiencing large-scale online harassment, you may wish to call local law enforcement and ask them to call first in case of reports made about your address. Here is a script you can over the phone or in person to your local law enforcement officials:

[First ask if they are familiar with SWATting, if not explain:] My personal information, including address/phone number/social security number [as appropriate] were recently posted on the internet by someone who is harassing [or stalking, as appropriate] me. There is a chance that someone may call in a fake bomb or hostage threat at my address as part of the harassment, so I wanted to reach out and let you know that this could happen. If you receive a threat like this for my address, I need you to call my cell number before sending emergency responders.

Mental health and self-care

• If someone makes a request of you that makes you feel uncomfortable, especially if that person has treated you poorly in the past, you don't have to do them that favor. You don't owe them an explanation for why not. You are allowed to just say no. 
• Ask someone you trust (but possibly not someone SUPER close to you, think friend-of-a-friend who isn’t in your industry) to take over moderation duties on your Twitter/FB/blog for a certain number of days/weeks. They’ll send you whatever comments or replies require a response, everything else gets trashed (or saved in a separate file) without you having to see it. (This is a great opportunity for them to block people who only aim to cause you grief, so you won't run into them later.) Consider setting your Twitter notifications to "People you follow." Friends can monitor the replies you receive from strangers by searching for [to:your_screen_name].
• Set up a "safe list" of important personal contacts whose communications you'll want to see.
• If the volume of interactions becomes too much, ask your friends or followers to avoid mentioning you when they engage with abusive people, so that you are not included on those conversations
• Remind yourself that progress is a choir, not a solo ; you don’t have to pay attention to all jerkfaces and answer all questions all the time forever and ever. Let other people sing, get some sleep.
• No really, get some sleep. Also don’t stop showering (even if you work from home, even if it seems really difficult). Same with food -- your brain needs food so it can feel better.
• Seek out media that can comfort you in a tough time -- favorite shows, books, movies, music.
• Ask your friends on the net and locally for emotional and practical support. Have someone come over, go to a friend’s house, do something outdoors non-internet related.
• Talk to someone else who has experienced the same kind of harassment.
• In extreme cases it might be a good idea to just go on vacation and not look, if possible.
• If you're seeing a therapist or considering finding a new one, see our page on Resources for therapists for information you can print out or email to your therapist for background information on sexism in geek culture.

Resources for friends and family of people facing online harassment

• Ashe Dryden's "Trolling, threats, and abuse: how you can help me "
• Leigh Alexander's "But WHAT CAN BE DONE: Dos and Don’ts To Combat Online Sexism "
• "Helping Her Get Free: A Guide for Families and Friends of Abused Women" by Susan Brewster

Further reading

• Ashe Dryden's "You Asked: How do I deal with online harassment? How do I help the targets of online harassment? "
• Our general list of Abuse and trauma resources - the book "The Gift of Fear" is particularly relevant to harassment, but note that the chapter on domestic violence tends towards victim-blaming.
• Our Streets, Our Selves: Tips for Post-Harassment Self-Care