# Privacy Guide for Activists with Haters

In light of the Gamergate fiasco, we realized that most of the targeted individuals had their private information trivially available online. Later, several authors had more immediate experience with online harassment. This guide is meant to help people take the basic steps required to protect their online privacy, hopefully reducing the number of crazies who threaten to show up at your house.
We do not believe that leaving your information online means you deserve harassment; we simply wish to arm people who want to speak up with all the defensive tools available.

This guide is not an anti-government-surveillance document, as it only helps you make your information private and does not remove it. Fighting back against surveillance is a very different problem, and there is a separate guide for that.
## Hiding Your Whois Data

This one should be easy, but it is the number one privacy failure we found when checking the information of individuals who have previously been harassed.

When you register a domain, you fill out contact information which by default is public. You can trivially check what information is public from any Linux/OS X terminal with the `whois` command.

If you're not on a machine which supports the whois command, you can use one of the many online tools to check the whois records.
If your personal information is available, we advise you to take one of the following actions:
- Purchase WhoisGuard for your domain from your registrar
- Purchase a domain by proxy plan and have them handle your domains
- Migrate to a registrar which provides free domain name privacy (Namecheap gives it free for your first year)

Whois data isn't generally publicly cached, so once you fix this you should be good to go! Technically it can sometimes be stored by certain services that keep historical records behind a paywall.

### Advanced Whois Chaos

If your information is in your whois record but out of date, put some of it through [reverse whois tools](http://www.expertusability.com/reverse-whois-search/). A matching phone number or email address can be used to find other domains registered with that information, and those records might be current.
## Removing location data

While most activists are very good about this, no guide would be complete without it!

- Disable web location and remove your old location data on Twitter
- Disable mobile location on mobile devices
- Disable location services on iOS
- Unfortunately, due to the way Android phones are made, the camera app is normally different for each manufacturer, so you will have to look up directions specific to your phone's make.
### Removing EXIF data

EXIF data is metadata that the device capturing your photo stores inside the image file and uploads along with it. If this device contains a GPS chip (as almost all cellphones do), the location where the photo was taken can be determined from it. [The EFF has a longer explanation](https://www.eff.org/deeplinks/2012/04/picture-worth-thousand-words-including-your-location) if you're curious.
- Twitter, Facebook and Tumblr remove sensitive photo EXIF data by default, but not all services do.
- If you'd like to see what EXIF information a site shows, take the URL of an image uploaded there and put it in this website.
- Flickr permits you to upload photos with their EXIF data intact. Consider disabling this when you post from sensitive locations.
- If you have an anonymous persona, strip all EXIF data from all photos you upload. A device ID can link your public and private personas.
- Imgur automatically strips all sensitive information, so when in doubt, they are safe and awesome!
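To make the EXIF point concrete, here is an added example (not code from the original guide) in pure Python: it walks the segments of a JPEG byte stream, drops every APP1 Exif segment, and reports whether that segment's IFD0 pointed at a GPS sub-IFD. The JPEG sample is constructed inline and is not a real photo; the parser is deliberately minimal and assumes a well-formed file.

```python
import struct
SOS, APP1 = 0xFFDA, 0xFFE1          # start-of-scan, APP1 (where Exif lives)
GPS_IFD_TAG = 0x8825                 # IFD0 entry pointing at the GPS sub-IFD

def exif_has_gps(payload: bytes) -> bool:
    """Scan IFD0 of the TIFF block inside an APP1 payload for the GPSInfo tag."""
    tiff = payload[6:]                            # skip the "Exif\0\0" header
    if tiff[:2] not in (b"II", b"MM"):            # little- or big-endian TIFF
        return False
    end = "<" if tiff[:2] == b"II" else ">"
    (ifd0,) = struct.unpack_from(end + "I", tiff, 4)
    (count,) = struct.unpack_from(end + "H", tiff, ifd0)
    for i in range(count):                        # 12-byte entries, tag first
        (tag,) = struct.unpack_from(end + "H", tiff, ifd0 + 2 + 12 * i)
        if tag == GPS_IFD_TAG:
            return True
    return False

def strip_exif(jpeg: bytes):
    """Return (cleaned_jpeg, had_gps): every APP1 Exif segment before SOS is dropped."""
    if jpeg[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG")
    out, pos, had_gps = bytearray(jpeg[:2]), 2, False
    while pos + 4 <= len(jpeg):
        marker, length = struct.unpack_from(">HH", jpeg, pos)
        if marker == SOS:                 # entropy-coded data follows; copy it verbatim
            return bytes(out + jpeg[pos:]), had_gps
        seg = jpeg[pos:pos + 2 + length]
        if marker == APP1 and seg[4:].startswith(b"Exif\x00\x00"):
            had_gps = had_gps or exif_has_gps(seg[4:])   # drop it, note GPS presence
        else:
            out += seg                    # keep JFIF, ICC, quantization tables, etc.
        pos += 2 + length
    raise ValueError("truncated JPEG")

def make_segment(marker: int, payload: bytes) -> bytes:
    return struct.pack(">HH", marker, len(payload) + 2) + payload

def build_sample(with_gps: bool) -> bytes:
    """Constructed minimal JPEG with an Exif block whose IFD0 has one entry."""
    tag = GPS_IFD_TAG if with_gps else 0x010F             # 0x010F = Make
    ifd0 = struct.pack("<HHHII", 1, tag, 4, 1, 0) + struct.pack("<I", 0)
    tiff = b"II*\x00" + struct.pack("<I", 8) + ifd0       # IFD0 at offset 8
    jfif = make_segment(0xFFE0, b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00")
    sos = make_segment(SOS, b"\x01\x01\x00\x00\x3f\x00")
    return b"\xff\xd8" + make_segment(APP1, b"Exif\x00\x00" + tiff) + jfif + sos + b"\x12\x34\xff\xd9"

if __name__ == "__main__":
    cleaned, gps = strip_exif(build_sample(True))
    print(f"had GPS tag: {gps}, Exif still present: {b'Exif' in cleaned}")
```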
## Searching by Images

If you recycle the same profile images over and over, you may be surprised what shows up if you [search by your profile image](http://www.google.com/insidesearch/features/images/searchbyimage.html).

## Miscellaneous

* Don't hotlink images directly from Facebook unless you're OK with everybody knowing your Facebook profile.
* If you discuss your partner(s) or housemates publicly, remember to make sure they follow this guide too.

## Make your accounts harder to steal!

### 2 Factor Authentication

We're sure you've been lectured on password security, and while your habits are probably terrible, we're going to focus today on 2-factor auth instead. 2-factor auth requires somebody to know your password **and** have your phone or another physical device (or at least control over it).
You're encouraged to enable 2-factor authentication on everything, but prioritize accounts where password resets are sent.
### Update where password resets go

Check through your old accounts. Do you still own the old @hotmail.com address where you registered your Twitter handle 7 years ago? If you don't, somebody can register that name and take your password reset! Make sure your account recovery options go to a safe location.

You can read as many postmortem security reports as you need to get the picture: **this is the most common way somebody gets control of your online persona.** First they take over the account that your main account (probably your Gmail) sends its password resets to, they reset that password, then they log in to your main account and go to town. **Even if you don't put a 2-factor setup anywhere else, put it on the primary email where all your password resets go.** If your password resets go all over the place, pick one account, send all the password resets there, and turn on 2-factor there.

### Proper unique passwords

Remember how you thought your terrible habits would never come back to bite you? If you're reading this, you are obviously reconsidering that stance.
Convincing you to be an adult overnight is probably a lost cause, so install a password manager. KeePass is the choice of open-source hippies (like me), while LastPass and 1Password are commercial options.
Whenever possible, set up and use SSH keys instead of passwords.

## Disaster Response

So you now have the internet's full attention. What precautions can you take to minimize damage? These measures are not for daily use, as they are rather inconvenient, but are more of a disaster response plan for when, for example, your haters get out of hand enough to merit national television reports.

### Switch to a physical 2FA device

Since your phone can be hacked, you may want to consider a physical 2FA device. We don't endorse any particular one, but check that it is compatible with the services you plan to use it with.

### Freeze your credit

You can place a freeze on your credit, thereby preventing people from taking out new debts or credit cards in your name. You will need to freeze your credit with each of the 3 major credit bureaus: [Experian](http://www.experian.com/consumer/security_freeze.html), [TransUnion](http://www.transunion.com/securityfreeze) and [Equifax](https://www.freeze.equifax.com/Freeze/jsp/SFF_PersonalIDInfo.jsp).

Please note: this is a pretty dramatic step. You should read about what it means to freeze your credit and consider the ramifications before doing it. You will also inconvenience yourself significantly if you'd like to take out any new loans or credit cards, because you can't do that while your credit is frozen.

### Get rid of all debit cards

If your debit card information is stolen, an attacker can clean out your entire account and the onus is on you to get things back to how they were. Credit cards are required by law to follow far stricter rules, and you have a lot more options to control the situation. Ask your bank to give you ATM-only cards and credit-only cards. Sometimes this requires going to the bank in person and speaking to humans, but it is pretty easy to do. Warning: you now need either an Amex card or cash to go to Costco.
### Disable all remote wipe settings

Your phone, tablets, and computers generally have settings to remove all of your data using only an internet connection. You normally enable these things because you believe your possessions are more likely to be stolen than the internet is to come hunting for you. When that calculation changes, it is time to disable any settings which permit remote wipes. [Apple products are notoriously sensitive to this issue.](http://www.emptyage.com/post/28679875595/yes-i-was-hacked-hard)

### Remove Dropbox and any other systems which can read or write to your hard drive

We all love the conveniences of remote cloud backups which appear as folders in our system, but if these systems are compromised, an attacker has [full access to everything on your computer](http://www.polygon.com/2014/8/22/6057317/fez-developer-polytron-hacked-harassment) and the capacity to delete it.
### Opt out of 3rd party data retention

If you find that you are removing your data online, particularly whois, you may want to consider opting out of the people-search services which store that data online for purchase. Some of them require you to pay them to do this or to provide very personal information. That is bad behavior and they should feel bad. There is also an entire 3rd party market of paid services that remove your data. Reddit has compiled [a list](https://www.reddit.com/r/technology/comments/j1mit/how_to_remove_yourself_from_all_background_check/) of major companies and how to opt out, though we don't have experience working with these companies, some seem shady, and some of the info seems out of date.

### Get on the Do Not Call List

Many harassers don't make the calls themselves but instead sign you up as an interested customer for various services, and then have those services disrupt you. Getting on the [Do Not Call List](https://www.donotcall.gov/) will severely diminish the number of calls that get through.

### Traditional identity theft

While rare for those facing online abuse, this absolutely is possible if enough information about you becomes public. [/r/personalfinance has an excellent guide on their wiki](https://np.reddit.com/r/personalfinance/wiki/identity_theft). Thankfully, many of the steps are things you are probably already doing because of this guide.
## The Bad News

* If you own property, your address is a matter of public record. Sometimes you have to go to the office or call them to get it, but it can be legally obtained.
* If you are registered to vote, your contact information can be accessed by any Super-PAC in most states. Becoming one costs about $300 and the records cost $15 to obtain.
* Utility bills in your name, while they are not supposed to be something you can trace, often can be traced.
* Your cell phone may well be a weak point in your 2FA plan, especially via text. Some providers have sub-par security and permit you to read your texts online. To mitigate this, you can get a new text number from one of many online services and simply not give it out to anybody. Google Voice does not work with all 2FA systems.
* You currently need to begin Apple's 2FA process super early because they have a waiting period.

## What you can do

* Use a fake last name

### Ways to help even if you are not experiencing online harassment

* Petition your government to make citizen privacy a priority
* Petition sites you love to enable 2FA
* Petition Apple to remove their waiting period. Katy wrote [a letter](https://medium.com/p/apple-please-update-your-2fa-and-support-policies-to-protect-those-experiencing-online-harassment-f95c4265a966) for you to send if you like.
This work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License, though we'd prefer that you just submit patches to this gist. If you want to give us money for this public service, give it to the EFF instead.