Online Harassment Toolkit

Steps to Take If You’re Facing Online Harassment

• Make your social media accounts private. Here’s how to do that for Twitter, Facebook, Instagram, LinkedIn, and TikTok.
• Disable location tracking on all social media accounts and other apps. This overview for iPhone and Android can help.
• Report online harassment to social media platforms. PEN America has a resource with links to each major platform’s reporting page.
• Document your online harassment. PEN America has a guide on what to record and how.
• You can also set up a Google Alert for your name and common misspellings to keep track of future harassment.
• If you’re being threatened or harassed online, use Google’s Removal Request tool to hide personal information, such as social security numbers, bank account numbers, credit card numbers, addresses, phone numbers, and email addresses, from search results. Read more about this resource in a Google blog post explaining the company’s policies.
• Not feeling like you can handle documenting this information yourself? Consider asking a trusted friend or family member to do this work for you.
• Self care (and community care) is an important part of responding to online harassment. If you need help figuring out how to discuss your online harassment with friends and family, check out this guide by the Crash Override Network, an online abuse resource center.
• Make sure your passwords are secure. Use a password manager (and its suggested strong passwords) and turn on 2FA. Here are some options.
  • Bitwarden (free/ Open Source)
  • LastPass (free on one device, otherwise paid)
  • 1Password (paid, but free for journalists)
  • LogMeOnce (free and paid versions)
  • Dashlane (free and paid versions)
• Make sure your phone and computer software is up to date, installing all recommended security patches.
• Assess your password security by visiting HaveIBeenPwned.com to see which of your online accounts were associated with a data breach. Take steps to secure the compromised accounts by updating the account passwords and turning on 2FA, as suggested above.
• Remove your data from the web: The World Privacy Forum has suggestions for several ways to do this. Intel Techniques, a privacy training site, has a list of data brokers and how to remove your information from their databases here. Yael Grauer also has a list of data brokers you can opt out from.
• Ask Google to blur your home address on Google Maps. 
• You can also ask Google to remove doxxing information from search results, as suggested by the Committee to Protect Journalists.
• Consider setting up a Google Voice number as your primary contact number, which can also be used as your number when signing up for encrypted messaging apps (only you and the recipient see the message but no one in between without a key can) like Signal. Avoid using your personal phone number to sign up for social media apps. Here’s more on Signal, and how to use it. While Facebook offers encrypted messaging, DMs are not expected to be encrypted by default until 2023. Telegram is also not encrypted by default. Whatsapp messages are encrypted, but some business users share your data with Facebook.
• Know your legal rights: HeartMob by Hollaback, which works to end harassment, has information on your legal rights as well as what to consider as you think about approaching the police or a lawyer. PEN America also has several resources related to legal rights when it comes to online harassment.

What newsrooms can do

It shouldn’t only be up to individual journalists facing harassment to combat it. Newsrooms have a responsibility to help protect their staff.

• Monitor press mentions with tools like Muckrack. Within those tools you can usually isolate a group of sites that may drive online harassment to keep a closer eye on repeat offenders.
• Alert social media teams that a team member has been doxxed so they can inform others should they see trolls tagging the site as well as the journalist, and potentially notify social media platforms of the harassment.
• Empower the PR Team, or some other designated team, to reach out to social media platforms to report heavy abuse to take that burden off the individual journalist. The designated support team can search for the journalist’s handle on social media sites and screenshot harassment to share with platforms.
• Alert team members tasked with watching online responses when a particularly controversial piece may run. Being proactive can help catch harassment early.
• Managers should offer time off to the affected staff member and suggest they make their accounts private if they haven’t already done so.
• If you have a commenting section on your site, make sure you have a community manager in charge of monitoring the messages.
• Consider hiring an online safety editor.
• Consider paying a content monitoring service to protect the attacked journalist. The Committee to Protect Journalists suggests DeleteMe or Recorded Future as options.
• The International Press Institute has a step-by-step guide for creating an online harassment protocol for your newsroom.
• The IPI partnered with the Dart Center, which provides resources around trauma, to create online tutorials about coping with online harassment.
• The Technology and Social Change project, led by a Harvard researcher, recommends newsrooms build a culture of support to respond to online harassment, provide an annual digital security checkup to every journalist and have a digital security specialist on call.

What to do before you get doxxed

• Make sure your passwords are secure
• Use Have I Been Pwned? to check if your information has been part of a data breach. Change passwords to all affected accounts.
• Delete accounts you no longer use. Take inventory of your accounts by searching your email account for terms like “welcome” or “sign up” to create a list of accounts that need to be scrubbed.  
• Remove your data from the web. The World Privacy Forum has suggestions for several ways to do this. Yael Grauer also has a list of data brokers you can opt out from.
• Check to see if your resume is online with your address and number. You can search for this by googling “‘[First Name] [Last Name]’ filetype:pdf.” Work to remove those resumes by reaching out to website owners. The Coalition Against Online Violence recommends replacing your online resume with one that doesn’t have private info.
• Set up a Google Alert for your name and common misspellings to monitor what people are saying about you online.
• Consider using a service like PimEyes to search for all images of yourself on the internet and work to remove images you’ve forgotten are on Facebook or other public-facing platforms. PimEyes is a paid service and you have to provide a photo of yourself to start the search, so make sure to use an already public-facing image, such as your LinkedIn photo. Yandex offers a similar service.
• Disable location tracking on phone apps, especially social media apps like Instagram and Facebook, which can post your location whenever you upload a photo. Teaching Privacy, a project by UC Berkeley and the Computer Science Institute, has instructions on how to disable location tracking on iPhones and Androids in English and Spanish.

More resources

• NYT Open: Clean Up Your Online Footprint Before You Get Doxxed
• How to Report Safely: Strategies for Women Journalists & Their Allies (a Knight Center Free Self-Directed Course)
• Coalition Against Online Violence (Includes step-by-step guides for reporters and newsroom managers dealing with active emergencies.)
• Dart Center’s Overview of Journalism and Online Harassment
• Dart Center’s Self Defense Guide for Online Abuse
• Access Now’s Digital Security Helpline: A free 24/7 helpline
• Electronic Frontier Foundation’s Surveillance Self Defense 
• A Culture of Safety Alliance: Resources for freelance journalists
• Totem’s Digital Security Training
• Journalist Trauma Support Network (Mental health resources from the Dart Center)
• Crash Override Network
• Online SOS
• Consumer Reports Security Planner
• Feminist Frequency