Chapter 7: Online abuse and protecting your data

Introduction

Online abuse is increasingly used by governments, individuals, and organised online groups as a way to discredit and undermine journalists and media outlets. Harassers comb the internet looking for a journalist’s personal data and use this information to threaten and intimidate them and their families. These attacks are often accompanied by other digital threats, such as hacking of accounts, phishing attacks, or doxxing. This chapter walks journalists through the best practice needed in order to better secure their data.

This chapter will cover:

  • Regional context of online attacks against journalists
  • How to carry out more advanced online searches for personal data
  • How to remove and/or hide personal data online

Training journalists for the first time?

The following can be helpful to keep in mind:

  • Journalists need to have an online presence in order to do their job. This involves negotiating and differentiating between the data about them that they are willing to share with the world, and data that they would rather keep private. Family and relationship details, living locations, and health data might all fall into the latter category.
  • Since the growth of social media, journalists have been encouraged to share a great deal of personal data online as a way to connect with their audience. Some of this data is now being used to harass and intimidate them.
  • Journalists often have very little separation online between their work and their personal life. This makes them more vulnerable to harassment and abuse because people are able to harass them using a range of online platforms as well as via phone and email.
  • Online abuse can also include a range of other digital threats, including account hacking, spear phishing, impersonation, and doxxing amongst others. Many of those threats do not need to be successful in order to have a chilling or deterring effect.
  • Women journalists and journalists from marginalized communities, for example LGBTQIA+ journalists, are disproportionately targeted by online harassment. This abuse will include misogynistic, racist and homophobic messages which often contain threats of physical violence against the journalist and his or her family.
  • Newsrooms often lack sufficient measures protect journalists from online harassment. This includes a lack of IT support for social media accounts as these do not fall under the remit of a work account even though they are being used for work purposes.
  • Online abuse is being weaponized by a range of online actors, including governments, as a way of limiting freedom of expression by discouraging journalists from pursing their reporting and trying to force them into quitting public life altogether.
  • The more journalists can do to protect their data in advance of an attack, the safer they will be.

Training digital security for the first time?

This section covers best practice that can be used when teaching the activities in this chapter. See the resources section in this chapter for further reading.

General best practice

  • There are a wide-range of people who attack journalists online these include; state actors and people working for governments who are paid to harass others online, lone harassers, online groups that are well organised and may often work across borders, supporters of a particular subject that has relevance for the country, including topics such as race, gender and women’s health.

  • Online abusers use a wide range of tactics against journalists. PEN America has a detailed guide to these tactics which you can read here. Some of the most common ones include;

    • Concern trolling
      An abuser appears to support a journalist’s work but instead uses the message to make demeaning comments
    • Doxing
      Personal data, such as home address, is circulated online often with the implication of personal harm
    • Impersonation
      Abusers create fake accounts in the name of the journalist in order to publish content that could damage their reputation.

  • A number of tactics involve other digital threats, such as account hacking and phishing. More information on how to protect against these types of attacks can be found in chapter two.

  • Get journalists to understand what data is best kept offline. This includes data that can be used to locate them, data that can be used to contact them via a means they do not want, and data that can be used to steal their identity. Examples of these types of data include a journalist’s home address, their personal email address, and their identity number. This data may already be available online. If this is the case, then the journalists should try to remove it. If that is not possible then it is important to highlight that at least they know the data is there and that it could be used to target them.

  • Online harassers often get a lot of personal data about a journalist from the social media accounts of the journalist’s family members. It’s important that journalists speak with family members about the risks and that they actively help their family to secure these accounts.

  • Journalists should set calendar reminders to regularly look themselves up online. How often this is will depend on the risk that they face. High-risk individuals may want to look themselves up every month while others may be happy only checking every six months.

  • Get journalists to set Google alerts for their name, common misspellings of their name, and other personal data, such as their date of birth. This will send the journalist any data about them that is picked up by the Google search engine.

Searching for personal data online

  • Use Boolean search techniques, also known as Google Dorking, to get more accurate results. You can read more about that here. Some useful ones to discuss include:
    • # to search for hashtags
    • Site: to search for a specific site
    • Cache: to search for cached results
    • PDF: to search for PDFs.
  • Check video and photo content as well as websites. You can carry out an advanced image search to look for a particular photo and its location on the internet.
  • Use all search engines, not just Google. Different search engines throw up different results so it’s important to check them all. If applicable, journalists should check Yandex and Baidu, Russian and Chinese search engines.
  • Review personal social media accounts to see what information is available to view publicly. Most major platforms now have a privacy guide which users can follow. Review privacy settings for [Facebook] (https://www.facebook.com/help/443357099140264), Instagram, Twitter, TikTok.

Removing or limiting access to data from the internet

  • Once personal data is put on the internet and then deleted it is impossible to guarantee that it has been completely removed from the web. This is because the information is likely to be stored in different places, including the accounts of others, public databases, captured by others using screenshots, and archived in online archive services, such as the Wayback Machine. Despite this, it is still important to delete content where possible because it will make it more difficult for online attackers to obtain the information.
  • If the journalist is in control of the site that the content is on, for example their personal Facebook page, then they can go in and back up the content and then delete or hide it. The information will disappear from the site but won’t disappear immediately from a search engine result.
  • Common best practice for protecting data on social media accounts includes:
    • Choosing to use the social media account for either exclusively work or personal use
    • Making non-work related personal media accounts private
    • Using a non-descript photo, such as a plant or animal, as the photo for their social media account
    • Reviewing who follows or who is friends with the account holder and removing people who are unknown or they no longer communicate with
    • Hiding friends or followers from being viewed publicly
    • Deleting old messages and posts or restricting who can view them
    • Some social media sites give the option to remove the site and their name from showing up in search engine results.
    • Controlling who can see, tag, and download photos and videos
  • Journalists should speak with family and friends about removing or hiding their personal data from their social media accounts.
  • Data is likely to be stored on third-party platforms over which the journalists have no control. Examples of third-party platforms include government databases, a website run by someone they don’t know, and websites run by companies. They may or may not take down personal data depending on laws, terms and conditions of the site, and whether they want to take it down or not. Each site will have their own steps for requesting the removal of data.
  • Journalists should review internet archive services to see if their personal data is available and request to have it removed.
  • Journalists may wish to blur out their house on Google Maps and Apple Maps. This will stop online abusers being able to use the internet to see what the outside of a journalist’s house looks like.

Completing the risk assessment

When speaking about the risk assessment and personal security plan it may be helpful to touch upon the following:

  • Help journalists think through what groups may target them online and the strategies that these groups use. To do this, the journalist may want to speak to other journalists in their network to see whether they are also experiencing similar attacks. They can also carry out online searches using the name of the adversary and key words such as online attack, online abuse, doxxing amongst others.
  • Journalists should know what data is fine to share online and what data is best kept private.
  • Journalists should speak to family about what data they are happy to share online and what data they would like to keep private. They should work with their family to secure their family members’ account and be aware that if an abuser cannot locate the journalist online they may well target their family.

Common questions asked

Below are some questions that journalists ask about safer communications. It can be helpful to have answers prepared for these in advance. More detailed guidance is available in the section named Training digital security for the first time?

I have so much information online. Where is a good place to start when it comes to removing it?

Journalists have a lot of public-facing data on the internet and they often need to do so for their career. Explain that becoming safer does not mean removing everything; instead, they should focus on removing data that can be used to locate them, such as their home address, information that can be used to contact them via a means they do not want, such as a personal email address, and data that can be used to steal their identity, including their date of birth and their national ID number. They should also take steps to remove details about their family, including photos. Ideally, the only information they should have online is professional contact details, professional photos, and their journalistic work.

How can I remove my data online?

Recommend that they set aside a chunk of time each week to review what data is available about them and remove it. They should follow the best practice for searching online for their personal information and removing it. This guidance can be found in the section Teaching digital security for the first time?, found at the beginning of this chapter.

Some data is also being collected and re-sold by data brokers. There also exist some services which contact data brokers on your behalf and ask them to delete information about you. While many of those services are effective, they are also expensive. It’s also possible to contact data brokers and do this type of work manually; for a quick guide on how to do so, check out this page by Yael Grauer.

Once my data has been taken down is it really gone?

Explain that once data has been put on the internet it is impossible to guarantee that it has been removed. This is because information is stored in the accounts of others, including family members, held in public databases, and captured via screenshots. Online data is also archived by online archive services, such as the Wayback Machine. It is still important to take down any potentially harmful data to avoid it falling easily into the hands of harassers.

How long is this going to take, I’m really busy and don’t have a lot of time?!

How long it takes to remove data will depend on how much personal information the journalist has online. Explain that at the beginning it always takes more time because the journalist will not know what data is available about them and that the process for taking data down can be lengthy. Once they know what content is available about them online and feel happy with that it is just a case of setting calendar reminders to themselves to review data periodically and removing anything new that appears.

Learning outcomes

At the end of the session journalists:

  • Understand the context of online abuse in their region and are able to identify who may be attacking them and the tactics that they are using.
  • Feel confident looking up data about themselves online using tried and tested techniques
  • Know how to remove their data where possible and/or hide it

Templates and tools

The following templates and tools can be useful for teaching this session:

Resources

The following resources may be helpful for teaching this chapter:

The Chilling: A global study of online violence against women by UNESCO and the International Centre for Journalists

What is online abuse? by PEN America’s Online Harassment Field Manual

Refine web searches by Google

How to dox yourself on the internet by the NYT Open team

Removing personal data from the internet by the Committee to Protect Journalists

Protecting against targeted online attacks by the Committee to Protect Journalists

Big Ass Data Broker Opt-Out List by Yael Grauer

Activities

The activities below are designed to accompany this training session on online abuse. Trainers should feel free to use their own activities as well as to adapt the materials in this guide to best suit the needs of the journalists they are training. The number and type of activities selected will depend on the level of knowledge of the trainer as well as the amount of time the trainer has to spend with the participants. For those new to training in digital safety, don’t forget to review the Training digital security for the first time? section for best practice guidance.

Getting started

Who is harassing you online?

Learning outcomes Time Difficulty level Resources
Journalists discuss experiences of online abuse against journalists in their region and the groups that target them online.
Participants are able to see that others have similar experiences to them
Journalists learn some of the techniques that online abusers use		 60 minutes Medium Whiteboard or flipchart, Board pens, local case studies of online attacks against journalists, an understanding of the different strategies that harassers use in the region

Trainer note: the idea of this session is not to get journalists to speak about their own personal cases which may be traumatic for them and others in the room, instead get them to focus on cases of others.

Best practice for this activity can be found in the section, Training digital security for the first time?, located at the beginning of this chapter. Trainers may also want to consult chapter two on account security for best practices to protect against hacking and phishing which are common tactics used by online abusers.

Step one

  • Show the journalists some case studies of online abuse against journalists in the region and ask them whether they are familiar with them.
  • Put the journalists into small groups and ask them to discuss other cases that they might know of. It may help to get them thinking about the following questions; Are there any similarities between the cases in the way the journalists are attacked? What reasons are there for the attack? Are they able to identify who may be behind the attacks?
  • Facilitate a group feedback session on the questions above.

Step two

  • Tell the journalists they are now going to look at some of the techniques that online abusers use. Knowing how online harassers attack can help journalists better defend against it.

  • Introduce journalists to the most common attacks in their region using pre-prepared case studies. You can read more about these types of attacks in the section Training digital security for the first time? Located at the beginning of this chapter. You may want to cover the following:

    • Concern trolling
    • Cyber-mob attack
    • Doxing
    • Hacking
    • Online impersonation
    • Threats

Ask the journalists whether they are familiar with any of these tactics. Ask the following questions; Have you seen these types of attacks within your newsroom or against others? Are there any other ways that online abusers attack online? Which attack concerns you the most?

Step three

  • Close the session by asking the group the following questions;
    • What are they currently doing to protect themselves?
    • What is their media outlet doing to protect itself and them?
    • What do they feel they need to secure their data and themselves?
  • Explain that the follow up activities during the session will help them to better secure their data.

Knowledge building

I Mapping your online data

Learning outcomes Time Difficulty level Resources
Journalists find out what data is available about then online and where it is located 60 minutes Medium Whiteboard or flipchart, Board pens, internet connection, participants will need their personal devices to conduct online searches

Trainer note: this session requires journalists to look themselves up online and share some details about what they find. Let the journalists know that they do not have to share information if they do not feel comfortable doing so.

Best practice for this activity can be found in the Training digital security for the first time? section located at the beginning of this chapter.

Step one

  • Ask the journalists how often they look themselves up online and whether they feel comfortable with the data that they find. Facilitate a brief discussion around this.
  • Tell them that carrying out frequent online searches for their data is a good way to better protect themselves and that today they are going to learn how to do that more accurately.

Step two

  • Get the journalists to Google themselves and make a note of what data appears. Facilitate a brief discussion on this if journalists are happy to do so.

Step three

  • Walk the journalists through some best practice for doing more advanced searches. Trainers new to this subject can consult the Training digital security for the first time? section located at the beginning of this chapter. The trainer may want to touch on the following:
    • Using boolean search terms to refine results
    • Using advanced image searches to find a particular image
    • Reviewing internet archive sites
    • Reviewing their own social media sites
    • Reviewing the sites of family members and friends

Step four

  • Ask the journalists to now carry out a more advanced search using the techniques described above and using different search engines. Tell them that they will not be able to search for everything today so this should be seen as a more general search that they can use as a starting point for a deeper search later on at home.
  • Ask the journalists to note down any information they would like to remove.
  • Hold a brief discussion with the journalists around any content they found and would like to take down.

II Protecting online data

Learning outcomes Time Difficulty level Resources
Journalists learn steps they can take to better protect their online data, including removing and hiding it 60 minutes Medium Whiteboard or flipchart, Board pens, PPT created by the trainer, examples of

Trainer note: best practice for this activity can be found in the section, Training digital security for the first time?, located at the beginning of this chapter.

Step one

  • Explain to the journalists that data is stored on their accounts, the accounts of family and friends, and on other sites over which they have no control. Let them know that this session will guide them through removing that data.

Step two

  • Walk the journalists through best practice for removing data. Best practice guidance is available at the beginning of the chapter named Training digital security for the first time? The trainer might want to mention:
    • The difference between data stored on a platform they have control over vs a third-party platform
    • How to request the removal of data from a third-party platform
    • Common techniques for removing or hiding content from social media sites
    • The importance of speaking to family and friends about personal data and removing information.

Step three

Trainer note: you will need to use scenario II for the following exercise.

  • Put the journalists into small groups and tell them that they are going to read a scenario
  • Ask the journalists to work together to answer the question in the scenario and to plan out how best to protect the journalist.
  • Run a class discussion on the scenario and ask the journalist what steps they have taken to protect the journalist.

Personal security plan

Completing the risk assessment

Learning outcomes Time Resources
Journalists think through their individual risk and the risk associated with a particular story when carrying out online research.
Journalists are able to think through mitigation for those risks.		 20 - 30 minutes Risk assessment template

This section should help journalists better understand the risks that they face and get them thinking about concrete steps for mitigating that risk.

Step one

  • Tell the journalists they are going to work alone to complete their section of the risk assessment titled online abuse and protecting personal data.
  • Journalists should work on answering the questions and providing concrete steps for mitigating risk.
  • Support should be provided should they have questions, doubts, or look like they need additional help.

Step two

  • Help journalists reflect on the process by asking the following questions:
    • What information have you learned in today’s session that has helped you make more informed decisions around online abuse and protecting data.
    • What else do you think you need to learn?

Case studies

This case study accompanies the course material and provides journalists with real-life examples of digital threats against media workers. The case studies can be used to promote discussion around different types of risks as well as serve as a way to teach journalists steps to better protect themselves and others.

Our writeup: Case study on online abuse and protecting your data

CPJ’s writeup: Kyrgyz on the online ‘fake farms’ that threaten to kill them