How to Deter Doxxing

Image for How to Deter Doxxing
Last November, Anna Merlan got an unexpected e-mail from Domino’s Pizza. The pizzas she ordered were ready, and she could pay for them in cash when they were delivered. The problem was, she hadn’t ordered pizza, and she no longer lived at the address listed in the e-mail. Merlan shrugged it off, but a few minutes later she started receiving weird tweets.

“Hey do you like pizza?” an egg-avatared user asked. “Are you vegetarian/vegan?”

Merlan looked at the Domino’s e-mail again: two large pies, one with triple cheese, triple sausage, triple salami, triple barbecue, hot sauce, half onions and half pineapple, and one with no cheese but triple sausage. Eventually, it clicked. Merlan was being doxxed, the practice of publicly posting private information (home addresses, phone numbers, credit card and Social Security details) which can be used to threaten or otherwise harass an individual.

The harassment that follows doxxing, a term derived from “doc,” as in “documents,” is like a human distributed denial of service attack—every channel for digital communication is flooded to the point where it becomes unusable. Your phone is full of vile text messages and rings continuously. Your e-mail is full of threatening messages and photographs of dead bodies. Twitter and Facebook—and other ways you might communicate with friends and family not physically present—are clogged with threats. All coordinated by often-anonymous harassers who have taken offense at something you’ve written.

Though doxxing has yet to be formally studied and many incidents are not reported, it does appear to be on the rise, particularly the doxxing of journalists. Melissa Bell, vice president of growth and analytics at Vox Media, where several staffers have been targeted, says that the online harassment has “become a noticeably worse problem in the last year.” Two New York Times reporters who included details about the daily life of Darren Wilson, the Ferguson, Missouri police officer who shot and killed unarmed black teenager Michael Brown, in a story were doxxed. Cybersecurity journalist Brian Krebs was “swatted”—a tactic in which harassers make false 911 calls claiming a dangerous situation at the address in the hopes that a SWAT team shows up—after writing about a site that purports to sell Social Security numbers and credit reports. Amanda Hess, a journalist at Slate, has written publicly about the harassment she’s faced.

Journalists think a lot about protecting their sources, building security tools and secure methods of communication. But when it comes to their own safety, reporters are often stuck with a strange dilemma. They have to have open channels of communication to speak with sources and get information, but that can also put them at risk for harassment. As doxxing continues, newsrooms are starting to re-examine their security systems and the support networks in place for reporters. Though many newsrooms still struggle with how to respond to harassers, there are a few strategies media companies can employ to deter doxxing.

Merlan responded by chronicling her harassment in a post on Jezebel, where she is a reporter, and where, earlier on the day she was doxxed, she had written a post about a Time magazine poll asking readers which words they would like to see banned. A set of users on the forum 4chan had banded together to flood the poll with votes for the word “feminist.” In her post on the ballot stuffing, Merlan called 4chan "the Internet's home for barely potty-trained trolls." Users of the site did not take kindly to the characterization, so they posted her address (or, what they thought was her address) and plotted to send her everything from pizza and vacuum cleaners to potential rapists and a SWAT team.

4chan has become ground zero for many coordinated harassment campaigns, in defiance of an official policy against doxxing. Doxxers obtain personal information from public records, data collection services, and security breaches or through hacking into e-mails and other personal accounts. Doxxing is almost always followed by a call to action, often in the form of coordinated harassment that ranges from threatening phone calls and unwanted food deliveries to more dangerous things like swatting or posting a claim on Craigslist that the resident has rape fantasies and encouraging men to visit.

4chan describes itself as “a simple image-based bulletin board where anyone can post comments and share images.” The forum was founded in 2003 by then-teenager Christopher Poole as a place to discuss anime and manga. Poole stepped down from running the site in January of this year. Since 2003, the site has grown into a hub for discussion and image sharing that ranges from cute kittens to vulgar threats and coordinated harassment. Anyone can post anything without attaching any identifying information of their own. Critics point out that this makes it too easy for users to threaten and harass victims without any fear of retribution. The site has been in the news recently in connection with GamerGate, in which some female video game journalists and developers have been harassed, and was home base for last year’s hacked celebrity nude photographs.

But while 4chan gets a lot of the attention, it's not the only platform dealing with harassment issues. Twitter, Facebook, 8chan, Voat and Reddit (whose CEO Ellen Pao resigned earlier this month amid dissatisfaction with the site's efforts to curb online harassment by its users) have each seen their own brands of targeted harassment campaigns.

[pq full]mouse cursor“Why would anyone bother to do something like that?” one police officer asked after a female journalist reported an online rape threat[/pq]

Nathan Mattise’s story is a lot like Merlan’s. At 4 a.m. on January 5th he got a hard push from his girlfriend. His phone kept buzzing, and when he looked at it, it was full of missed calls and text messages. Three hours earlier, someone on the site 8chan (founded in 2013 by a 4chan user who felt the site had become too “authoritarian”) had begun posting information about Mattise, including his phone number and home address. Over the next 14 hours, he was inundated with e-mails and calls as well as pizzas, Chick-Fil-A food, and 50 copies of the Koran. In a story for Ars Technica, where Mattise is an editor, he had used the name 8chan to refer to a subset of 8chan users. 8chan users protested.

The first thing Mattise did was contact his editors. “I wasn’t the first person on Ars who was doxxed. I won’t be the last,” he says. His editors urged him to contact the police. “The NOLA PD was really willing to listen to me and file a report.”

That’s not the experience many people have. In a Pacific Standard article, Amanda Hess recounts several stories of women who’ve been met with unhelpful, even skeptical, responses from police. “Why would anyone bother to do something like that?” one officer asked her after she reported an online rape threat.

This is one area where newsrooms can help employees. Merlan praises the Gawker lawyer who walked her to the police station to report the threats. She and her lawyer explained to the police what was going on, but even with a lawyer in tow the precinct wasn’t exactly helpful. Without information on the physical location of the perpetrators, the police said they would wind up closing the case right away.

Arielle Duhaime-Ross, a reporter at The Verge who was targeted last year, says having understanding editors is really important. “My managing editor and editor in chief took me aside and asked me about how I was doing and what they could do,” she says. “They reminded me of what Vox Media offered: You can see a therapist easily once or twice through our system; there were numbers I could call. It was really helpful knowing that this system was in place.” Her editors encouraged her to take time off and offered to re-route her e-mail address to the general tips e-mails for The Verge. Her e-mail stayed re-routed for weeks.

At some companies where harassment has been constant or pervasive, there are specific channels through which employees can support one another. Vox, for example, has a Slack chat room called “Vox Media No Haters” where people can report harassment and work together to support one another. “Those are some of the techniques that we’ve used to say, ‘We’re here with you. You’re not alone. This isn’t something you need to experience as an individual,’” says Bell. “That’s how we try to tackle it as a company.” Gawker has a similar setup. “Even having a chat room where you can share a gross comment and laugh at it together is really helpful,” says Jezebel editor in chief Emma Carmichael.

At many publications, though, support for harassed reporters stops there. “What we really need,” argues Merlan, “is employers who are thinking proactively about our safety.”

In January of this year, someone at Gawker leaked the company’s seating chart as a media in-joke. To the writers at Jezebel, who receive threats on a daily basis, that wasn’t very funny. And it highlighted the importance of understanding how social media is used. “A lot of our writers were like, ‘Oh, great, a seating chart for a crazed person to come find me,’” says Carmichael. “Jezebel had to explain why [the leak] felt like a threat, and I had a lot of productive conversations out of that with people from other sites and our executive editor.”

Having newsroom staff understand possible threats is crucial. Staff should know what 4chan and 8chan are, understand basic digital security, and take threats and harassment seriously. For Mattise, a more widespread newsroom understanding of 8chan might have helped him come up with a less provocative headline. “If I had kicked that to someone else they might have noticed that 8chan users get really particular about this,” he says. “That might have been something someone caught in advance. If editors are familiar with these sites and topics that seem to be intermingled with doxxing, that knowledge will help.”

At Vox, Bell says, new employees are offered information on how to keep their identities safe. Trainings that walk reporters through basic digital security measures—how to mask their IP addresses, how to set up password management services, and how to remove their information from data collection sites and domain registries—make it a little harder for would-be harassers to find personal data. Newsrooms can, and should, set up educational sessions for their editors and reporters, not just on the nitty gritty of digital privacy, but on the harassment policies of social media sites and the best ways to support reporters who might be targeted.

Vox has also made changes to its sites to deter doxxers. Vox’s pre-written tweets used to include the author’s Twitter handle, which gave potential harassers immediate access to Twitter feeds. Now, the Twitter button simply directs to the general Vox account. “We wanted to keep a little bit of a wall between the vitriolic users,” Bell says. “A small product change like that, it’s not going to stop harassment, but it’s a little thing we can do.” Bell also says Vox is collaborating with Twitter and Facebook about how to make the platforms less toxic.

[pq full]mouse cursorFreelancers may be regarded as easier targets, and in many ways they are. They have no HR department, no lawyers to help them with the police, no editors to read their e-mails and tweets for them[/pq]

If all of this feels insufficient to tackle the level of harassment reporters face, it is. Reporters and editors are frustrated by how helpless they feel about keeping their reporters safe. I know that frustration firsthand because I've been doxxed.

In November of last year, something I tweeted became the center of a news story about gender representation in science. Members of 4chan found and posted my home address, e-mail address and phone number. I got pizza, magazine subscriptions, and 200 empty boxes delivered to my home. I was told that men would be coming to rape and kill me. A 4chan user told me they had seen someone post photographs taken of the outside of my apartment building, but the thread was deleted before I could confirm it. Since I am a freelancer, no support systems, no lawyers on call and no Slack chat rooms were available to me.

Freelancers may be regarded as easier targets, and in many ways they are. They have no HR department, no lawyers to help them with the police, no editors to read their e-mails and tweets for them. Their home address is their work address. Many freelancers send tax documents over unencrypted e-mail and, if they get a P.O. box or pay for other forms of digital security, it all comes out of their pocket. Many freelance contracts have clauses about what happens should a journalist get a publication into trouble, but very few say anything about what should happen if a story gets a journalist into trouble. Often freelancers balk at indemnification clauses for fear of being hung out to dry during a libel suit, but there are other reasons they might want the help of their employer’s lawyers, things like filing police reports or getting a restraining order against a harasser. “A freelancer could certainly propose including a clause that might give them access to the media organization’s in-house counsel or lawyers or some form of guidance in these circumstances but it’s not standard yet,” says John D. Mason, a copyright lawyer who has represented journalists in cases of harassment. “If this trend continues, it may become easier and, sadly, it may become commonplace.”

In the meantime, where can freelance journalists turn? In my case, I was lucky enough to be part of a Slack network of freelancers who were a lifeline. A handful of freelancers in my neighborhood met me at coffee shops to work by my side when I was afraid of working at home alone. I no longer send tax documents via unsecure e-mail, which often means teaching editors how to use encryption. And I urge fellow freelancers to secure their personal information, sending nearly everyone I know the link to Crash Override Network—a site developed by people who were targeted by Gamergate—where anyone can work through a threat model. Having a safety net in place before doxxing happens can be incredibly helpful, whether that’s a dedicated separate Skype number for friends and family, or a private Slack space for friends.

While proactive measures to keep reporters safe and support systems for them when they’re harassed are key, social media companies should do more to prevent harassment. Twitter’s then-CEO Dick Costolo admitted earlier this year that the service had serious issues with harassment. “We suck at dealing with abuse and trolls on the platform and we've sucked at it for years,” he wrote in an internal memo. Facebook hosts many pages and photos dedicated to promoting sexist violence. Some of those who report it have been told that the images or pages don’t violate Facebook’s terms of service. Both services are struggling to keep up with the torrent of abuse reports, and neither seem to be prioritizing the safety of their users.

If I learned one thing from my ordeal it’s that doxxing can happen to anyone, at any time, for nearly any reason. But awareness of the risks—and effective strategies to mitigate them—too often come from bad experiences rather than preparation. When I was doxxed, the person who understood the most about what happened was the Domino’s delivery guy. As soon as Twitter was mentioned, he knew exactly what I was experiencing. Now it’s time for reporters and editors to know just as much.

[sidebar head="What To Do about Doxxing" deck="Some things journalists can do to support colleagues and protect themselves against doxxing" byline="Rose Eveleth" style="full" id="whattodo"]Before it happens
New hires should have digital security training—how to keep personal information private, which sites and groups target reporters, how to send and receive encrypted files—as part of the on-boarding process, and this training should be updated as the harassment ecosystem changes.

Editors should get training on what harassment looks like and the people and sites that might target employees or freelancers. Finance departments should be comfortable using encrypted documents for things like invoices and tax forms.

Reporters should be offered an official e-mail address and phone number that is separate from their personal points of contact. Packages and letters should always be sent to the office, rather than to private homes.

Freelancers should consider using P.O. boxes instead of their home addresses and Skype or Google Voice phone numbers in place of personal cells or landlines. Do not send sensitive data like Social Security numbers and home addresses via unencrypted e-mail.

Those concerned about harassment should set up personal support networks like Slack chat rooms or private Facebook groups.

If it happens
If you choose to report the harassment to the police, bring a lawyer who understands the issues and examples of the threats. If you know any identifying information about the harassers, share that as well.

Colleagues can support doxxed reporters by diverting or monitoring official work e-mails and voicemails, keeping an eye on the target’s Twitter mentions to document the harassment, and reporting the abusers.

Doxxed colleagues will probably appreciate your support, but don’t be offended if they don’t respond. Most of the channels you might use to reach them—phone, e-mail, and social media accounts—are likely flooded with messages from harassers. They may be ignoring those streams or unable to see your support amidst the deluge.[/sidebar]