shoring up the digital ramparts against hate mobs
February 25, 2015 11:44 PM   Subscribe

I'm writing about feminism and gaming on the internet. I'm a woman. I know that if I gain any reasonable amount of success, it'll probably come with death threats and hacking attempts and doxxing and the like. What should I do now, while very few people are reading me, to protect myself?

I'm doing this on my own blog, which runs Wordpress, and I'm using Jetpack along with the spam moderation that comes with that, but if people have harassment-specific technological solutions to any of this that I can put in place now, that would be great; I'm already using a registrar with privacy protection so I'm not in danger of getting doxxed from a whois. I'm also occasionally posting here and posting on Twitter. (I'm already using Block Together and subscribing to the lists that block gamergaters.)

The big special snowflake detail in my case is that my father spent most of the last couple of decades writing for the biggest newspaper in the state and has only recently quit that gig to write a book and do work for our local University; he's totally supportive, knows the extent of shit that I might end up dealing with and is ready to do anything he can to help, but I don't want to put him in any physical danger, and I know that a lot of the big feminist names that've been targeted by #gamergate and their ilk have had their families targeted as well.

I'm looking for technical solutions, personal safety solutions, backup plans, strategies for what to do in case this happens, etc. Thanks.
posted by NoraReed to Grab Bag (35 answers total) 29 users marked this as a favorite
Would it be practical and would it be satisfactory to do your writing under a false name? That wouldn't stop a determined nutter, but it would reduce the number of casual idiots that find you.
posted by Joe in Australia at 12:27 AM on February 26, 2015 [2 favorites]

Change all passwords on all your services to randomly generated 12+ character passwords automatically generated with LastPass or PasswordSafe. Remember to change all challenge questions for password recovery to nonsensical unguessable answers, e.g. "What is your mother's maiden name" should be "inglorious antelope noddy". If you are uncomfortable with password keepers, just write them down (don't save them and print them) on a piece of paper and keep it in your files. If you use Gmail, set up two-factor authentication. Set up login warnings on all services that support it, e.g. Facebook, Google. Set up fraud protection on your credit reports. Assume the attackers have access to everything you've ever written and a complicit family member. Remember to treat you cell phone service provider the same regarding passwords and challenge questions/PINs, since SMSes can be used to reset accounts. Try to get correspondents to secure at least email accounts, e.g. make sure your dad's email password isn't DaughterName1.

Ask a technical friend to run a security scan on your Wordpress site and check if it has any known vulnerabilities. Do the same for your home computer(s). Get in the habit of disconnecting or physically disabling microphones and cameras that are network attached. Disable all public location broadcasting via phone, e.g. via auto-checkins, Facebook posts, or EXIF data in picture uploads. Enable private location broadcasting to a trusted friend.

Personal safety -- get some pepper spray and training in how to use it properly. Take a women's self defence class of some sort, even if it's only a day it's better than nothing. Buy a strike plate to keep your front door from getting kicked in easily. If you don't have a landline, buy a cheap $20 cell and keep it in a known place in your house where you will have easy access to it (in case your smartphone loses charge/gets stolen/lost).
posted by benzenedream at 12:34 AM on February 26, 2015 [24 favorites]

Are you currently anonymous? Or are you writing under an easily googleable name, that has digital breadcrumbs back to your real identity?

I would suggest - if it's possible - starting from scratch, with an utterly blank online identity. If "very few people are reading (you)", then rebuilding readership shouldn't be an issue.

I also wish to express solidarity with you for this. Thank you!
posted by special agent conrad uno at 1:17 AM on February 26, 2015 [1 favorite]

It's really f'ed up that you're even asking this question. I mean, I totally get why you're asking, but it sucks that this has to be a consideration. In 2015! Christ.

I'd suggest a pen name. I'm here to tell ya that when you use a fake name long enough, it can become as real to you, and as real to people reading what you write, as your "real" name ever was. "Ursula Hitler" isn't a made-up person to me. She is me, even if that's not the name on my birth certificate.

This thread could be useful.
posted by Ursula Hitler at 1:28 AM on February 26, 2015 [2 favorites]

Best answer: Zoe Quinn's What To Expect When You’re Expecting (the internet to ruin your life) has advice both on protecting yourself and coping if the mob turns on you.
posted by escapepod at 1:28 AM on February 26, 2015 [10 favorites]

Response by poster: I'm really not interested in using a pseudonym, for the record. Even though not a lot of people are reading the stuff I'm writing on feminism yet, I do have some people who follow my work from other places, and I have a lot of people who read me on Twitter. Plus, since my dad and I talk to and about each other (we are very charming) on public-facing social networking sites all the time, I'd have to stop doing that. (I do only write under half of my real name, though-- I have a very long and very German surname; Nora Reed is my first and middle names, so I'm a little harder to track down that way.)
posted by NoraReed at 1:35 AM on February 26, 2015 [5 favorites]

If you're using your first and middle names and you and your father reference each other on social media, it wouldn't take a genius to work out what your surname is, surely? So I guess make sure that you're not in the telephone book, because whois isn't the only way that someone is going to find out your name and contact details.
posted by kinddieserzeit at 2:23 AM on February 26, 2015

I've mentioned this before, but here we go. I used a pseudonym online, I had no photos of myself, and I gave no clues as to my location except that I lived in a major European city. My stalker was able to show up on my doorstep because he checked out my whois info; because I had an unusual name, he was able to access my financial records through his job, so he could find out where I did my grocery shopping; because he knew where I bought milk, he could trawl the surrounding streets until he found a doorbell with my unusual surname; because he seemed charming, he got personal details about me from my neighbours. So, he knew what I looked like, that I was living alone, what I did for a living, where/when I'd go out to buy groceries, and so forth.

Bottomline: you can never be sure you are safe. Using some permutation of your real name will only make it easier for determined people to find you. Even posting this online using your username (that may be similiar to your handle elsewhere) will be enough to connect dots. Using a pseudonym will make it harder, but not impossible to find you.

Your can either choose to own your identity (like I did - pictures are now everywhere and I use my real name online) or attempt to throw off the scent for some time. Whatever you choose to do, just make sure you understand the implications and have back-up plans in case of a crisis (my solution was the police, then to move countries).
posted by kariebookish at 3:07 AM on February 26, 2015 [9 favorites]

I recently looked into the subject of sites such as Spokeo, which Zoe Quinn's article mentions, out of curiosity and was shocked by just how many of them there are. When it comes to sites that could potentially sell your information to anyone for a nominal fee, they are just the tip of the iceberg. I honestly don't know if it would even be possible to make sure you've removed yourself from them all. I think this is definitely an area worthy of further research to understand just what's available. While I was looking into this I saw that there is an industry of companies who will take your money to keep you out of as many as possible, but I don't know if it's worthwhile. Basically just search "background check" to dive down this sordid rabbit hole.
posted by feloniousmonk at 3:07 AM on February 26, 2015

Best answer: I'm a guy, and all I did was tweet and retweet some support for the women involved in #gamergate, and my personal website was under attack that same day. I installed iThemes Security Pro and battened down the hatches.
posted by John Kennedy Toole Box at 3:25 AM on February 26, 2015 [2 favorites]

Nora Reed is my first and middle names, so I'm a little harder to track down that way.

No, your Google footprint is large enough that five two minutes of googling will give your full name from multiple sources, as well as some employment and university info. At this point there is no way to separate the online persona "Nora Reed" from your physical life. If you want that, you have to start over with a new pseudonym.
posted by ryanrs at 4:16 AM on February 26, 2015 [11 favorites]

Best answer: Here's an article on how to protect your information if you're concerned about being doxxed.
posted by fox problems at 5:14 AM on February 26, 2015 [4 favorites]

Yep, your full name shows up as result no. 5 on my quick google search. From there it takes me to your hometown and several photos of you. I got hits on your LinkedIn profile which gave me a tonne of your employment details and your list of contacts. All in less than two minutes.

If you are really concerned about safety, switch to a completely random pseudonym but prepared for the web to untangle at any stage.
posted by kariebookish at 5:14 AM on February 26, 2015 [5 favorites]

In addition to what ryansr and kariebookish has noted, you should realize that metafilter and all of the things you've said here aren't somehow insulated from the rest of the internet for someone who wants to take the time to research.

Your mefi profile is already a wealth of publicly available information, completed with location and photo, then combined with statements like " (I do only write under half of my real name, though-- I have a very long and very German surname; Nora Reed is my first and middle names, so I'm a little harder to track down that way.) only serves to confirm what appears to be your facebook profile and full name, which pops up very quickly on google under a basic search for Norareed.

In addition to scrubbing all of your social media profiles and changing your facebook name away from your real name (mefi included), I second writing under a pseudonym, but also taking pains to never cross promote the pseudonym with any of your "real name" social media.

All it takes it one connection to make the connection.
posted by Karaage at 5:58 AM on February 26, 2015 [3 favorites]

I'm already using a registrar with privacy protection so I'm not in danger of getting doxxed from a whois.

I'm afraid there may be some kind of disconnect here. Did you really say that you're blogging under your real first+middle name (the same as your user name here)? If so, as others have pointed out, doxxing isn't an issue. You've already doxxed yourself. You don't need to worry about protecting your identity (it's already exposed), and can move directly on to the other steps you asked about.
posted by alms at 6:49 AM on February 26, 2015 [1 favorite]

Yah, it's too late for you and anonymity. The best you can do is delete everything and wait for Google to slowly bury it all, which it never will. You'll just slow people down by five minutes. Delete your Metafilter profile. Delete your tweets, delete your Tumblrs, delete your registered domains. Then move your home and start over. :)

I can understand the wisdom of writing under a fake name, and why people are asking you to do it, but I would encourage you to stick with your gut and not. It's not only that it's too late, it's also bad for journalism, bad for America, and bad for freedom. (I'm being sarcastic, yes—but on some basic level I really do believe that. Sometimes we take heat for standing up for what we believe. Sometimes it SUCKS. Also journalists die on the job with regularity.)

benzenedream's starter kit there is pretty fantastic. I would add that you should ALWAYS keep WordPress up to date; each update usually contains a security-related change.

You'll find that different things circulate differently. Things with pictures of yourself, particularly videos, will attract more threats than text.

I would also encourage you to look at the actual tactics you might face. So far we have a lot of people being inundated with total horror, but almost entirely by digital means. (I mean, bad enough! And it's a gross awful experience! And yes, I 100% believe that someone will get stabbed this year, don't get me wrong!) But so far SWATing, for instance, is mostly directed at gamers on streaming channels. It's important to neither underestimate nor over-dramatize; an impossible line.

I would also encourage you to make a plan about how you will interact and react with digital threats. There are different schools of thought about how we should deal with these things. Some people feel it's important to point them out, to make threats visible. Some people feel that pointing threats out inflames threat-makers and creates more threats. So I would encourage you to make a plan about how you will behave and respond online that is coherent to you and stick with it (for as long as it makes sense to you, of course).

I also benefited from being licensed to carry teargas in my state and legally carrying a stun gun and knowing what to do with them both. When the first time came to use them because two guys carrying wrenches jumped me on the street, I was prepared—and it was gratifying. (Yup, there were literal male tears.)
posted by RJ Reynolds at 6:55 AM on February 26, 2015 [6 favorites]

It is super-easy to find you now. The single best thing you can do to achieve your stated goal is to use a different handle and follow your current approach re: anonymous whois. Keeping your writing under your "known" handle and remaining anonymous are not intersecting goals with the search footprint you currently have.
posted by ersatzkat at 6:59 AM on February 26, 2015

Probably the best thing to do is start from the presumption that someone will want to physically hurt you and/or your dad and work backwards from there. That sucks, but it's realistic.

Take self defense classes. Have your dad do the same. Decide what, if any weapons you want to carry for self defense. Have an action plan for when an attack does occur, i.e. these are the people you're going to call for support, these other people are going to go your home and collect important stuff for you/make sure things are safe there, etc etc. Set up places you can stay if things happen. Have a "to stay" bag at those places with toliteries and other personal items to make the stay less emotionally taxing (favorites slippers, stuff like that). Invest in heavy duty locks and a alarm system. Let your employers know what you write about, so they won't be surprised when assholes start calling/emailing them about your activities.

Learn/ask about how to keep your computer secure. Have a backup device or two for when your main device get's stolen, smashed or compromised. Look into Wordpress security plugins. Consider using a more secure CMS package.

Overall, make plans for when everything is compromised, instead of trying to totally protect your digital stuff, 'cause it'll get compromised. So instead "oh my site was hacked, now what do I do?" it's more "Oh my site was hacked, switching to plan B, while prepping plan C".

Sorry you have to deal with this, best of luck.
posted by Brandon Blatcher at 8:04 AM on February 26, 2015

Best answer: I wanted to follow up on benzenedream's suggestion of setting up fraud alerts. If you are in the US, and depending on what state you live in, you can also freeze your credit reports. It doesn't affect any credit accounts you currently have (cards, mortgages, etc.), and it won't prevent fraudulent charges on cards you currently own. But it does prevent anyone from running a credit check on you, so they can't open credit cards, loans,etc. in your name. (We knew someone who had their identity stolen and a mortgage taken out in her name, although you'd like to think that lenders are sharper these days) You would have to unfreeze your accounts down the road if you wanted to do something that requires a credit check, but freezeing/unfreezing is not that big a deal. (We've had ours frozen for years and have bought a house, refi-ed, etc.)
posted by snowymorninblues at 9:01 AM on February 26, 2015 [3 favorites]

Also note that it's not that hard to identify a person by their writing if they have written a reasonable corpus online. All it takes is a few phrases that are rare to connect the dots between an anonymous account and a less anonymous one (e.g. metafilter).

If you have two blogs with large articles assume they will be linked eventually unless you use text scramblers but then your writing style is trashed.
posted by benzenedream at 9:06 AM on February 26, 2015

Best answer: In terms of WordPress, there are two plugins that leap to my mind to consider:

Bad Behavior. In this context the name is slightly misleading, it's more about spam than dealing with harassment. But it may prove worthwhile.

Limit Login Attempts is clearly named and will provide some measure of security.

There may be others. I have not had a need for it yet, but I wonder if there are any two-factor authentication plugins that are worthwhile for WordPress. Perusing WordPress Stack Exchange and searching for two-factor doesn't show much. But it's an important area.

Given your anticipated audience I think you need to know about Crash Override Network:
Crash Override is a support network and assistance group for victims and targets of unique forms of online harassment, composed entirely of experienced survivors. Our network includes experts in information security, white hat hacking, PR, law enforcement, legal, threat monitoring, and counselling. Most, if not all, of our agents are former clients. Prior to formal launch, our trial runs had great success in helping victims lock down their information, prevent SWATing attempts, and feel like they were back in control of their online life.
Here's their tumblr & twitter.

I wish you the best!
posted by artlung at 9:08 AM on February 26, 2015 [3 favorites]

You can make it a tad harder to find you by hiding your Facebook profile from Google searches, and making sure everything in your timeline is set to friends only

The cat may be out of the bag at this point, but that doesn’t mean you have to make it easy for the buggers.
posted by pharm at 9:44 AM on February 26, 2015

Response by poster: I realize people are going to find my real name; I know I'm easy to track down. I'd like to avoid people finding my address and phone number(s). I am not going to use a pseudonym.
posted by NoraReed at 12:46 PM on February 26, 2015

I just used "a popular genealogy website" to find your full name. If I clicked on the link I got, I could even order your birth certificate. This took like a minute. If people know your name it is trivially easy to learn your current address and phone number though the other services mentioned above.
posted by Joe in Australia at 2:36 PM on February 26, 2015

Response by poster: Seriously? My birth certificate? That's shady as hell, how is that legal? I mean, I know it's gonna be easy to find my hometown, because I literally talk about being here on the internet all the time, but I haven't found sites where it's easy to track down my current home address or phone number; I'm not even listed on Spokeo, for example.

I'll look into freezing my credit report and those wordpress plugins and make sure that my internet-facing family members do the same thing.
posted by NoraReed at 3:34 PM on February 26, 2015

I'm not defending this; I find it pretty creepy too. I don't think it would be legal in Australia, and it may not be legal in every state of the USA, but it appears to be legal for $US_STATE, where you were born. And, they don't have links to your address and phone number, but they often have links to phone and address listings as well. Perhaps they only show ones that are more than ten years old? Lots of people keep the same address and phone number for more than ten years, of course.

Anyway, that's just a genealogy website. I bet there is more and better information on websites that are actually meant to track living people down. Or someone could use social engineering to track people down via their school's alumnus program or something.
posted by Joe in Australia at 3:58 PM on February 26, 2015

I could even order your birth certificate.

Doubtful. Most states restrict birth certificate availability. Nobody can order my birth certificate but me, my parents (or legal guardians, but that doesn't apply to me), the legal representative of one of the three of us, or someone with a court order. That's it.

I'd worry about the lower-hanging fruit before I worry about your birth certificate. Someone would need a photo ID that says they're you in order to get your birth certificate, and if they have that, you have way bigger problems.
posted by one more dead town's last parade at 3:59 PM on February 26, 2015

Response by poster: I didn't think you were defending it, and I appreciate you using your google-fu to track this shit down, thank you!
posted by NoraReed at 4:17 PM on February 26, 2015 [1 favorite]

I do check these things, you know. I clicked through almost to the end of the ordering process.

If I wanted an "authorized, certified copy" I would have to submit "a Sworn Statement and notarized Certificate of Identity" that I was one of a long list of people entitled to receive one, including "a domestic partner" or "A party entitled to receive the record as a result of a court order, or an attorney or a licensed adoption agency seeking the birth record."

So I guess people can't get an "authorized, certified copy" unless they're willing to lie. But an "informational copy" (which is no cheaper than an "authorized, certified copy", and that tells you that they know what sort of people are requesting it) costs $28 with a $6 processing fee, and a note says
"Informational Copies - Anyone can order informational copies of [US County] birth certificates. No documentation is required."
[my emphasis]
posted by Joe in Australia at 4:24 PM on February 26, 2015

I'd like to avoid people finding my address and phone number(s). I am not going to use a pseudonym.

For what it's worth, it took me about 10 minutes to find your father's address and phonenumber. (culprit: whois)
posted by BungaDunga at 4:58 PM on February 26, 2015 [1 favorite]

Response by poster: Yeah, he's fixing that.
posted by NoraReed at 5:57 PM on February 26, 2015

I have a lot of people who read me on Twitter. Plus, since my dad and I talk to and about each other (we are very charming) on public-facing social networking sites all the time, I'd have to stop doing that.

A half-way solution may be to start a fresh site under a pseudonym, and keep your crowd by have your non-pseudonym sites point to the new site and get people to move over and follow you there - but put this information in messages that can be later deleted from your sites (and won't be archived by eg wayback machine). Keep the new site neutral for a while so as not to attract attack while people are transitioning. If you later delete those pointers before the new site has attracted hostile attention, it will be difficult for an attacker to find the link, because it never existed on the site they know about, and searching for removed material is easier when they know where to look, and if they knew where to look, they don't need the info anyway.

This is obviously not as secure as starting blank and fresh, but I thought it worth pointing out a middle way where a carefully managed transition of your followers to a fresh slate is safer than nothing while also less destructive of readership than going all-out on security.
posted by anonymisc at 6:15 PM on February 26, 2015

Response by poster: Nope, still not using a pseudonym. I'm shoring up my password security. I really appreciate the wordpress plugin + password management suggestions, I'll probably freeze my credit reports as well, and I'm getting my dad to lock down his domain + info on Spokeo and the like. But I'm not going to let fear of these fuckers steal my name and the credibility I've built up under it over the years. ~700 Twitter followers might not seem like a lot, but it's better from starting from zero, and I'm not going to stop writing charming posts about my family and my favorite local restaurants because I'm not gonna let misogyny steal that from me. (I'm also in the process of warning people who might be connected to me to do the same, especially on the whois stuff, since I don't want to avoid getting stalked myself and end up with them on my sweetheart's doorstep.)
posted by NoraReed at 10:50 PM on February 26, 2015 [2 favorites]

In that case, maybe the best defense is a good offense. Perhaps next week's question could be how to set up your sites with a few promising leads (and red herrings) that honeypot the nosey into having as much identifying information logged about them as possible, so if they escalate you'll be able to give a good legal-consequences scare and/or tell their mothers what they've been doing.
posted by anonymisc at 12:23 AM on February 27, 2015 [1 favorite]

Hi, I just found a login thing that is two factor, but is actually not really a pain to use (like the time I tried Google two factor lock your stuff up app) this just feels sort of magic. It is called 'clef'
(demo video)
I use a c-panel interface and application installer for web hosting, and I guess the clef plugin was preinstalled with the wordpress app installatron, and then for several weeks I saw it there, but I put off trying it out, because it says it "takes setup". This post led me to try to get it working.
It is truly really easy to set up. Once set up (you dl the app for ios/android, you make an account within the app [maybe here use a different email from your main one for extra-layers of keep away], create a pin code, do the "email confirmation" thing, install the plugin on your wordpress dashboard, then log out and then when you go to your /wp-admin... there is this waveform going by... you open the app on phone (works on wifi, so even without cell service as SMS based ones are [type your pin, or touch id swipe]) point camera at the screen, and you are logged in, and it could only be done by you with your phone and pin. I spent the past 10 minutes just logging in and out of things.

"Clef is free for unlimited users and logins. For extra features like advanced fraud metrics you’ll still pay less than any other two-factor authentication."
-so I don't know for sure what that means precisely. Free seems to be working so far. The prices for "paying users" are... vast.

A link to the plugins which make it work with a few of the more popular CMS/frameworks (Joomla, Wordpress, drupal, plesk [or just search it in the wordpress plugin installer).
Hopefully ways can be found to make the internet (and then... the world...) just a less hostile place for women to be. It is impoverishing us all to have so many missing voices from the conversations that are going to shape the next century. The measures that are required as protection as seen in that Zoe Quin link above form huge barriers to entry on what need to really be basic conversations about identity, and rights, and freedoms and the way that the zeit' is going to get 'geisted. Best wishes.
posted by infinite intimation at 9:15 PM on March 21, 2015 [2 favorites]

« Older Great resources on make-up & feminism   |   What programming language/technology should I... Newer »
This thread is closed to new comments.