ANTI-DOXING GUIDE FOR ACTIVISTS FACING ATTACKS

We’re Equality Labs: a feminist digital security, technology, political organizing startup dedicated to progressive power-building. We provide practical tools for communities to make new interventions in longstanding systems of oppression and advocate for themselves. You can learn more about us by visiting our website.

We have created an urgent anti-doxing guide to support activists who are getting slammed by right wing forces around the world for resisting white supremacy, Islamophobia, casteism, and all strains of authoritarianism.

This guide has been created to deal with the current issues we are seeing and should be incorporated into your regular digital security practices. We know that the escalated activity of the white supremacists and Hindu nationalists is scary, but the best defense now is one rooted in information, compassion and self-care for ourselves and each other, and a commitment to collective resilience.

Here are some videos that walk you through the process of securing your iPhone, Android and Network Access:

1. How To Secure Your iPhone
2. How To Secure Your Android
3. How To Secure Your Network Access

If you have any questions, use our rapid response form, or contact us on Instagram, Twitter or Facebook.

BACKGROUND

Doxing is the violent internet-based practice of researching and broadcasting private or identifiable information about an individual or organization in order to harass and traumatize activists from organizing activity. Additionally, such attacks can also be accompanied by physical violence and disinformation about and individual and/or a movement, which has real life implications for our livelihoods and safety.

We believe that many of the alt-right and Hindu nationalist attackers are using their full social media ecosystem to both attack and spread disinformation. Hostile agents can get this information by searching publicly available databases and social media websites like Facebook, as well as through hacking, and social engineering.

Here is our check-list for protecting your identity:

✔ CREATE A SELF-CARE PLAN. Recruit friends and family to support you. Let them know whats going on, because trolling and doxing can be traumatic and you must prioritize your mental and physical health so that you can work through these attacks.

For us, we take our lead from our collaborators at Stop LAPD Spying Coalition who talk about adopting a vision of security culture that centers collective security practices as a form of expressing love and solidarity. We all have a sense of how important communities centered in compassion can be, coming from our experiences of marginalization and being targeted activists. It’s about harnessing those good instincts with knowledge and practice.

This is why it is important, even when you are under attack, to give space to your feelings of anxiety and dread, but do not succumb to them. Release them and return to your agency. Because in these situations we can practice a culture of mutual-aid and support around digital security. We can build power instead of paranoia and meet people where they’re at. From there, we can have a community of practice that normalizes our multiple ways of knowing, and creates new patterns of behavior.

✔ CREATE AN INCIDENT LOG. This is crucial to establish patterns of your attacks and can be useful to compare with other organizers to identify larger patterns within the ecosystem to identify opponents and their organizations.

A sample log could look like this:

The most important thing is that you keep notes throughout your attack and share with a security professional, and members of your team when you can. If you like this one, you can make a copy of this document as an example.

Please note: we recommend that you keep incident logs in an encrypted word processing platform like Etherpad on Riseup or Cryptpad.

✔ CHANGE ALL OF YOUR EXISTING PASSWORDS. Trolls will be trying their best to get into all of your accounts. You can find out if your e-mail is part of any recent hacks at this website. This will let you know what level of risk you are at for penetration of your accounts.

After that quick assessment, make a list of all of your crucial accounts and change the passwords immediately so you have fresh passwords for each. You can test the strength of your passwords here.

If you have time, we strongly recommend incorporating a password manager to generate and store all of your new passwords. This will allow you greater capability to create complex passwords for all of your accounts while limiting you to only remember one. We recommend 1Password, KeepassX, and Lastpass.

✔ TURN ON 2-FACTOR AUTHENTICATION (2FA) for all your accounts. This means you are adding another verification method when you sign into your accounts. This helps when you have trolls trying to break into your account. If they only have your password, they will be stopped at the second point of verification.

When thinking about which accounts you want to add 2FA, you have to think like a troll. Which accounts do you have that would cause the most damage if it was compromised? By taking over your e-mail, they can release and interfere with your communication, by taking over you bank account they wreak havoc with your finances, etc. We recommend you lock them all down.

2FA is available for G-mail, Facebook, Twitter, Instagram, Amazon and more. When possible, avoid using Text/SMS as your method of verification. This is because texts can be intercepted, making it not secure. We recommend using the Google Authenticator app or an application like Authy. These can generate codes on your phone and can be revoked remotely in the chance that your phone is confiscated, stolen, or lost.

You can find tutorials for all 2FA instructions for most of your accounts here and here.

✔ FIND OUT WHAT INFORMATION TROLLS CAN FIND OUT ABOUT YOU. Search for yourself on DuckDuckGo and try doing this search in incognito mode. This will give you a sense of how much data exists about you online to people who are not in your network. After that initial search, you can go on to looking at all of the data brokers sites that trade in our personal lives.

Privacy Duck shares how-to opt-out videos on their YouTube with detailed, step-by-step instructions. Check your data leaks and opt out here:

• BeenVerified
• CheckPeople
• Instant Checkmate
• Intelius
• PeekYou
• PeopleFinders
• PeopleSmart
• Pipl
• PrivateEye
• PublicRecords360
• Radaris
• Spokeo
• USA People Search
• TruthFinder.com
• Nuwber
• OneRep
• FamilyTreeNow

While it is difficult to get all of the content off, every little bit helps. Ultimately though, the challenge to get your personal data off these sites is an uphill battle, because there are hundreds of these sites and most organizers have very little time to do this work. In case of an urgent case of doxing and if you are simply over capacity in terms of your rapid response then consider using a service like Privacy Duck. They are incredible and have been working with activists around the country to scrub their data.

✔ CALL YOUR CREDIT CARDS, CELL PHONE PROVIDER, UTILITIES, AND BANK TO LET THEM KNOW YOU ARE A TARGET. Many times, trolls will escalate online attacks into the physical world by trying to go after your credit cards, utilities, and bank accounts. They can access these to try to drain your accounts, or worse. In the case of raised stakes, call them to let them you are target and they will add an additional layer of security that can help protect you during this time.

✔ INSTALL A VIRTUAL PRIVATE NETWORK (VPN) on your phone to protect your network access. This helps to privatize your network traffic and bypass filtering happening at your internet service provider. It also makes sure that trolls can’t find you by using your IP address. We recommend Private Internet Access and Vypr VPN, but whatever VPN you use. Be sure to always read the privacy policy to make sure your service does not sell, store, or share your data, and that they will protect it if engaged by the state. If you are in the United States, the government now has permission to collect your browsing data without a warrant. It’s important for you to take the extra step to protect your IP address.

✔ USE THE TOR BROWSER. A VPN is great because it can offer privacy, but only the TOR Browser offers real anonymity. This is because rather than going through a VPN server, your internet traffic is channeled through three computers who store none of the data while it is in transit.

This option is free and provides real anonymity, but does not always load multimedia heavy sites. We recommend using TOR at least once a day so it becomes part of your daily usage, and it won’t be unusual if you have to use it for an urgent situation.

✔ INSTALL SIGNAL. This secure messaging and voice app can take the place of text, phone, and e-mail when installed on your phone and computer. You must first install it on your phone, and make sure you verify all the users. You can find it for iPhone and Android devices. Additionally, make sure you add it to your chrome browser so you can add the Signal Messenger to your desktop.

✔ WEAN YOURSELF OFF G-MAIL AND BEGIN USING ENCRYPTED E-MAIL. Unfortunately, G-mail collaborates with the government on many surveillance programs including the PRISM project. So while Google’s extensive protection will help you from individual hackers, there is still the inherent threat that all of your data in your account can be searched and stored onto National Surveillance Agency servers with no consent on your part. We recommend if you are using G-mail, use a form of encryption like GPG Encryption. These are the safest, but the set up of your own GPG can be daunting. In that case use encrypted e-mail services like Tuanota or Proton Mail. Personally, we like Tuanota because they are open source and Proton Mail because of its use and scalability. Both services embed your encryption key as part of your service and its interface is similar to G-mail.

✔ FOR SECURE GROUP CONVERSATIONS USE TALKY.IO OR JITSI. All other applications are not secure. This includes FreeConferenceCall, Skype, Zoom, Google hangouts, and Facetime. Talky.io is free but can be wonky while Jitsi cannot host as many people on a call. If you are using Zoom make sure you go to the settings and turn on encryption.

✔ CHANGE YOUR PRIVACY SETTINGS ON YOUR SOCIAL NETWORKS. Visit your privacy settings for Facebook, Twitter, Snapchat, and Instagram to private, and block all trolls who already follow you.

For LinkedIn, note that professional connections can be at particular risk if they are found to be engaging in political activities. To disable public visibility of your profile, go here and on the right hand side you will see “Your profile’s public visibility.” Switch this setting to “off”. Further information can be found here.

For Facebook, of your Facebook privacy settings can be found here.

1. Change your settings so that only your friends can see your current posts. When you want to post something work related as public, set those individual posts as public. Protect past timeline posts by watching this how to video.
2. If you can, review your friends lists. Unfriend all those people who follow you or who are your friends but you can’t remember who they are or maybe vaguely remember some awkward interaction with them. Double check that each of your friends is unique and no one has created accounts with similar names and photos of a real friend in order to access your private friend only communications.
3. Go through your profile information and make sure your phone number and email are set to be viewed by “only you.” Remove featured photos and/or any information in your “About” section in your profile that you would not want to see appear on doxing sites. A common tactic trolls will do, is to take your album photos and spread them across the internet. They will do this to either create a fake profile for you, or to make harassing memes or messages about you.
4. Remove your Facebook public photo, and replace it with a generic photo that doesn’t have your actual picture and remove your full birthday (or replace it with inaccurate information).

For Twitter, take the following actions:

1. In your account settings, make sure you have 2FA, and verify all login requests so you can flag anyone trying to get into your account.
2. In your Privacy and Safety Settings, make sure you turn off your location settings. This prevents you leaking your location through your Twitter statuses.
3. Turn off photo tagging, so that random troll accounts can’t tag you on harassing content or statuses.
4. Turn off discoverability by e-mail or phone.
5. If you are concerned about being followed by fake Antifa or Hindu nationalist accounts, consider installing an application like Block Together. Through block together you can follow trusted collaborators or accounts who begin blocking antifa and other hostile sites. This is a good practice to build within your own network as you will be able to start to see fake accounts through a pattern of similar messages, bad grammar, or even copy and paste texts. Blocking them collectively ensures you can operate with a greater peace of mind because their goals are to harass and spread disinformation. Once you have installed Block Together, you can subscribe to other users lists to spread community resilience. You can also use services like Troll Busters to attack a troll swarm with affirmative messages that can help drown out the abuse.

✔ KILL ALL UNUSED ACCOUNTS. Remember trolls are going to use whatever information they have to get into as many accounts you have. Accounts you have not used in a long time can make you vulnerable because if they are using an older password, they can try that accounts technical support to get more data about you that they can try to use for other accounts. Be on the safe side and shut them down. You can get a list of accounts that you may have forgotten you signed up for by going here.

✔ USE ALIASES WHEN SIGNING PETITIONS OR SIGN-IN SHEETS FOR MEETINGS. One of the number one ways people are getting their names on doxing lists for the white supremacists is through petition websites and sign on sheets. Our recommendation is to absolutely not use real names, phone numbers or e-mails for these kinds of activities. When possible, compartmentalize. Use an e-mail address that is only used for these activities, that cannot be tied back to your real life details. Additionally, for phone consider using Google voice or a burner app like Hushed to not divulge your personal information. An alias for these sign up purposes can be your best protection because if they don’t know your name, how can they find you?

✔ SECURE AND BACK UP YOUR HARDWARE. The final step is to get an encrypted external hard drive, and secure cloud services to store all your personal data and hardware.

If you have any questions, use our rapid response form, or contact us on Instagram, Twitter or Facebook.

Additional Resources:

1. Palante Tech: Zoombombing Digital Community Security in the Age of Coronavirus
2. Palante Tech: Zoombombing Self Defense: Technical Guide
3. ACRE Public Share: Resources Against Zoombombing
4. TechSoup: Keeping Your Nonprofit’s System Secure During COVID19
5. Frontline Defenders: Digital Security Resources

We know that this is a lot! Keep in mind digital security is a system that you are creating and implementing as part of your core skills as an organizer. There is no silver bullet to digital security: it is an awareness and a practice that gets better with reiteration and with a community committed to stay safe. The best defense is a collective one and we are all in it together.