Media workers learn how to prevent, deal with attacks from doxxers

More than three dozen unionized media workers logged in to an online workshop recently to learn how to protect themselves against the scourge of doxxing and what to do if they become a target.

Several members of CWA Canada were among those who responded to an invite by the NewsGuild of New York to join the two-hour Defense Against the Doxx Arts webinar led by Harlo Holmes, the Director of Newsroom Digital Security at the Freedom of the Press Foundation. (Doxxing — also called doxing or d0xing — derives from the word docs or documents.)

According to the Guild, “Countless journalists have been victim to doxxing, which is when someone publishes private and/or identifying information about specific individuals on publicly accessible websites, with malicious intent. With the aid of social media, doxxing outlets have become sinister tools often used to intimidate, harass, and invade people’s privacy. Media professionals are especially at risk: Your work is public, your name is recognizable, and someone may choose to target you simply because they disagree with what you say or because of your employer.”

Topics covered in the workshop included:

• Locking down social media
• Protecting your phone
• OSINT (open source intelligence) and how doxxing actually works
• Fighting data brokers
• Protecting your personal life on the web

Holmes said the first step one must take is to assess the nature and magnitude of the threat. Consider what assets (phone numbers, addresses, contacts) you have to protect and from what adversaries (haters, trolls, hackers, corporations, government agencies).

Calculating the resources (skill, time, money) of potential adversaries and the likelihood of being a target will help determine how far a person has to go, in terms of time, skill and money, to protect assets.

The objective is to make it extremely difficult for personal information to be found on the internet; this will deter a majority of would-be doxxers.

The first thing journalists have to do is use the same techniques they employ when working on a story: they have to research themselves to determine how much they are exposed. (A useful guide was developed by the New York Times Information Security team: How to Dox Yourself on the Internet.)

Start with a variety of search engines such as Google, Duckduckgo, Baidu or Yandex and use boolean functions to mine for as much information as possible. Using image search (Bing, Tineye, Google) could reveal where on the indexed web that your photo might have gotten out of your control.

Regulated open source intelligence (OSINT) is information in the public domain, such as government records, and can be found using services like Datasploit and Whois.

Unregulated OSINT such as Spokeo, AnyWho, Intelius and White Pages will monetize your data. You can reclaim your privacy via the Big Ass Data Broker Opt-Out List, but it has to be done manually. Companies that will do it for you include Delete Me, Privacy Duck and Reputation Defender.

Safeguarding online accounts is critical and having two-factor authentication (2fa) is highly recommended as it is a layer of protection over and above a password. The second factor is usually an object such as a phone or USB dongle that you have control over; this is the most effective way of thwarting targeted attacks that aim to take over your accounts.

Now that Twitter has become an essential form of communication for journalists, it’s important to protect that account by establishing a backup code. For safekeeping, use a USB key and encrypt that backup code, along with all your passwords, email login credentials and 2fa data and keep it somewhere secure.

Holmes also covered phone security, especially in regards to confidential communications with sources; using a Virtual Private Network (VPN) to cloak an IP address, which is a digital proxy for a physical location; and using consciously curated backgrounds when using Zoom to keep prying eyes from gleaning any data about your home.

If you get doxxed, document each incident, take back control of your digital assets and seek out support and resources. Set up email filters to immediately trash potentially harmful messages, change passwords for compromised accounts (check for this using HaveIBeenPwnd.com), notify contacts who might have received fake messages from you, and use Unroll.me to unsubscribe from mailing lists.

This workshop was part of the New York Guild’s Digital Security Series. Members of CWA Canada can sign up here to receive notification of future workshops.

(This article is based upon files supplied by Lorraine Murphy, a member of the Canadian Freelance Guild, who sat in on the webinar.)

 

Reading | Resources

Poynter.org: The Dangers of Journalism Include Getting Doxxed. Here’s What You Can Do About It.
NYT Open: How to Dox Yourself on the Internet
Troll-busters.com: “Online Pest Control for Journalists”
Freedom of the Press Foundation: choosing a VPN
ArsTechnica.com: a list of reliable VPNs (2016)
TheWirecutter.com: best VPN service – reviews
iHeartmob.org: social media safety guides
CrashOverrideNetwork.com: resources for pre- and post-incident
PEN America: Online Harassment Field Manual
International Women’s Media Foundation: programs – online harassment