Geek Feminism Wiki

Revision as of 23:08, 29 August 2014

Being the target of mass online and offline harassment, whether because of sexism, racism, or other issues, can be overwhelming and devastating. This document intends to provide actionable guidance for people who are being attacked or who are concerned about being attacked in the future, and includes information security, physical security, and self-care advice drawn from the experiences of the Geek Feminism community.

Security update checklist

Should you become the target of an internet trollstorm, here are some immediate steps you can take to mitigate the damage:

  • Change important passwords, using a unique one for each site. Write them down or use a password manager (see below for more on this)
    • Email, e.g. Gmail
    • Facebook
    • Twitter
    • Tumblr
    • Your domain registrar & hosting provider
    • Amazon & eBay
    • Apple
    • Banking
  • If you use Gmail, review the "Last account activity" details; this page can be found below your email inbox.
  • Go into security settings and verify which 3rd party apps you've granted access to. Remove unnecessary 3rd party access.
  • Check what email address you have as a "reset" account or backup account.
  • For services which allow posting-via-email such as Tumblr and Pinboard, have them generate a new email.
  • Remove expired or compromised payment methods from accounts.
  • Verify your account recovery information on important accounts, and (if possible) remove any where the answer has been leaked or otherwise findable.
  • Ensure that you have a PIN set for your mobile phone provider. There is often one required for voicemail, and a separate one for when you call or visit to make changes to your account. See this AT&T support page (http://www.att.com/esupport/article.jsp?sid=KB116259&cv=820#fbid=VMJS9UfY5xw) for an example of the latter.
  • Advise important parties (family, close friends, hosting providers, possibly your employer) what is happening and that they should verify any unusual inquiries with you.

Security practices

Passwords and authentication

  • Use a password manager such as 1Password, KeePass, LastPass or Password Safe.
  • Use a different, complex password for each site. Never re-use the same password on different sites. Your password manager can generate a good password for you.
  • When updating your passwords, check the email address on each account. Since attackers can send password resets to the address on file, you should be sure every site has your most up-to-date and secure email address. If you have both a personal domain address and a Gmail, Yahoo or other corporate address, consider the corporate one more secure.
  • Set up two-factor authentication on any service that supports it, especially Gmail if your password reset emails are sent to that address. twofactorauth.org (http://twofactorauth.org/) is a comprehensive list of which services support two-factor authentication.
  • Consider sending password reset emails to a Gmail address even if you have your own domain, because personal domain name registrations can be hijacked, giving an attacker access to your email.

Computer and information security

  • Don’t open strange attachments or click on strange links. If this is not feasible, do so within a virtual machine or using Google Docs Viewer (https://docs.google.com/viewer) until the storm has blown over.
  • Go over your browser privacy settings. Chris Palmer from the Chrome Security Team has an excellent guide on how to do this for Chrome (http://noncombatant.org/2014/03/11/privacy-and-security-settings-in-chrome/). [someone add guides for Firefox, Safari, and IE please?]
  • Disable Java in your browser (http://java.com/en/download/help/disable_browser.xml); you should do this anyway. If you don't know how to do this, just uninstall it.
  • Adobe Flash is a common vector for attacks and compromises. Use an extension like FlashBlock, available for Firefox (https://addons.mozilla.org/en-US/firefox/addon/flashblock/) and Chrome (https://chrome.google.com/webstore/detail/flashblock/gofhjkjmkpinhpoiabjplobcaignabnl?hl=en), to allow it on a per-site basis.
  • Consider making offline backups of your blog/passwords/photos in case of compromise (backing up your blog is generally easy)
  • If you own your own domain, use domain privacy if your registrar permits it. Keep in mind that domain records are archived by various sources and existing information will persist.
  • Use a PO Box or business address instead of your home address when signing up for services that require a mailing address (often required for services that send mass email because of the CAN-SPAM Act).
  • Request that your personal information be removed from "people search" sites. You can often find these by googling for variations on your name and keywords like "address" or "phone number."
  • Consider changing your wifi password.
  • If you use Windows, deploy EMET (http://microsoft.com/emet).
  • Make sure that your computers have full disk encryption enabled. On Windows, use BitLocker (http://www.pcworld.com/article/2308725/a-beginners-guide-to-bitlocker-windows-built-in-encryption-tool.html); on Mac, use FileVault (http://osxdaily.com/2013/05/22/filevault-disk-encryption-mac/); on Linux there are several options; see this howto for Ubuntu (https://help.ubuntu.com/community/FullDiskEncryptionHowto) for example.

Physical security

Some options to tighten up your physical security include:

  • Security cameras at entrances to your house, particularly if you live in a house rather than an apartment building.
  • Door chain, bar latch, or deadbolt that can't be picked or opened from outside.

Recordkeeping and troll-tracking

  • Set up a Google Doc or other shared file with your trusted readers/collaborators
  • Collect IP addresses and screen names of trolls/harassers
  • Collectively block those people from your social media accounts
  • Note dangerous or particularly egregious harassers and potentially identify and out them
  • Liz Henry has a great article on how to do this (http://modelviewculture.com/pieces/investigation-online-gathering-information-to-assess-risk).

Working with law enforcement

You may wish to report threats of violence to law enforcement. While there have been some cases where harassers have faced judicial consequences, this is unfortunately rare. Despite the lack of effort most harassers put into their own operational security, getting law enforcement to do things like subpoenaing for IP addresses can be like pulling teeth. This is where record-keeping becomes extremely important - both of the harassment and of the interactions you have with the police; even if they don't take things seriously at first, having records of long-term harassment can be helpful if things escalate.

Here are some strategies to make this more effective:

  • Bring a friend with you for interactions with the authorities; this is important both for moral support and for having a second person there to witness the interactions. If you're calling the police, put them on speakerphone or, if possible, record the call.
  • Provide detailed records - screenshots with timestamps and URLs, emails with full headers. Offer to provide printouts or a USB key if they would like a physical copy.
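The two record-keeping points above ("Collect IP addresses and screen names of trolls/harassers" and "emails with full headers") come together in the following added example, which is not from the wiki page. It parses one raw email with its full headers into an evidence record: a SHA-256 of the exact bytes kept, so a copy handed over later can be shown to be unaltered; the identifying headers; and the chain of `Received` hops with one IP each. The sample message, its host names, addresses, IDs and IP addresses (from the reserved documentation ranges) are all constructed for this example.

```python
import email
import hashlib
import json
import re
from datetime import timezone
from email.message import Message
from email.utils import parsedate_to_datetime

# Constructed sample message with full headers. Every host name, address, IP
# (documentation ranges 203.0.113.0/24 and 198.51.100.0/24) and ID is invented.
RAW_MESSAGE = """\
Received: from mx.example.net (mx.example.net [203.0.113.7])
\tby mail.recipient.example (Postfix) with ESMTPS id ABC123
\tfor <target@recipient.example>; Fri, 29 Aug 2014 22:05:11 +0000 (UTC)
Received: from [198.51.100.23] (unknown [198.51.100.23])
\tby mx.example.net with ESMTPA id XYZ789;
\tFri, 29 Aug 2014 22:05:09 +0000 (UTC)
Message-ID: <constructed-0001@example.net>
Date: Fri, 29 Aug 2014 22:05:08 +0000
From: "troll_handle" <troll@example.net>
To: target@recipient.example
Subject: constructed sample

This is the body of a constructed sample message.
"""

IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def received_ips(msg: Message) -> list:
    """One IP per Received header, in header order. The first entry was written
    by your own mail provider and is the only hop you can vouch for; lower
    entries were written by other servers and can be forged by the sender."""
    ips = []
    for hop in msg.get_all("Received") or []:
        match = IPV4.search(" ".join(hop.split()))  # collapse folded header lines
        if match:
            ips.append(match.group(0))
    return ips


def build_record(raw: str) -> dict:
    """Turn one raw message into an evidence record. Keep the original .eml file
    alongside this summary; the hash ties the two together."""
    msg = email.message_from_string(raw)
    sent = parsedate_to_datetime(msg["Date"]).astimezone(timezone.utc)
    ips = received_ips(msg)
    return {
        "sha256": hashlib.sha256(raw.encode("utf-8")).hexdigest(),
        "message_id": msg["Message-ID"],
        "date_utc": sent.isoformat(),
        "from": msg["From"],
        "subject": msg["Subject"],
        "received_ips": ips,
        # Claimed origin is the last hop; treat it as a lead, not proof (see above).
        "claimed_origin_ip": ips[-1] if ips else None,
    }


if __name__ == "__main__":
    print(json.dumps(build_record(RAW_MESSAGE), indent=2))
```

The record deliberately separates the hop your own provider logged from the hops the sender's side reported, since only the former is trustworthy; when you hand records to law enforcement, give them the raw message file and the hash rather than a screenshot alone, because the headers are what a subpoena to a provider is matched against.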

Mental health and self-care

  • Ask someone you trust (but possibly not someone SUPER close to you, think friend-of-a-friend who isn’t in your industry) to take over mod duties on your Twitter/FB/blog for n days/weeks. They’ll send you whatever comments or @s require a response; everything else gets trashed (or saved in a separate file) without you having to see it. Consider setting your Twitter notifications to "People you follow." Friends can monitor the @s you receive from strangers by searching for [to:your_screen_name].
  • Set up a "safe list" of important personal contacts whose communications you'll want to see.
  • Remind yourself that progress is a choir, not a solo; you don’t have to pay attention to all jerkfaces and answer all questions all the time forever and ever. Let other people sing, get some sleep.
  • No really, get some sleep. Also don’t stop showering (even if you work from home, even if it seems really difficult). Same with food -- your brain needs food so it can feel better.
  • Seek out media that can comfort you in a tough time -- favorite shows, books, movies, music.
  • Ask your friends on the net and locally for emotional and practical support. Have someone come over, go to a friend’s house, do something outdoors non-internet related.
  • Talk to someone else who has experienced the same kind of harassment.
  • In extreme cases it might be a good idea to just go on vacation and not look.

Resources for friends and family of people facing online harassment

  • Ashe Dryden's "Trolling, threats, and abuse: how you can help me" (http://www.ashedryden.com/trolling-threats-and-abuse-how-you-can-help-me)
  • Leigh Alexander's "But WHAT CAN BE DONE: Dos and Don’ts To Combat Online Sexism" (http://leighalexander.net/but-what-can-be-done-dos-and-donts-to-combat-online-sexism/)
  • "Helping Her Get Free: A Guide for Families and Friends of Abused Women" by Susan Brewster (http://openlibrary.org/works/OL2663201W/Helping_Her_Get_Free)

Further reading

  • Ashe Dryden's "You Asked: How do I deal with online harassment? How do I help the targets of online harassment?" (http://www.ashedryden.com/blog/you-asked-how-do-i-deal-with-online-harassment-how-do-i-help-the-targets-of-online-harassment)
  • Our general list of Abuse and trauma resources - the book "The Gift of Fear" is particularly relevant to harassment, but note that the chapter on domestic violence tends towards victim-blaming.