Dear Computrix, I’m a video game developer for a small company. We’re about to release our latest title – written and developed by a primarily female team. This is our first release. A review of the game is scheduled for next week. After hearing about #Gamergate and how women often get harassed online generally my fellow developers and I are concerned that we are going to be assailed not only online, but for real, at home. The stories are frightening: many women are told they will be raped or killed and then their personal phone numbers and addresses are published online through social media. I was reading through Facebook today and saw a story about journalists at a non-profit news agency, ProPublica, who had to have their work email turned off from a scam email subscription bombing attack. Our company only has one IT person and we don’t have the resources to withstand the sort of assault that ProPublica got. Up to this point no one who doesn’t already know us hasn’t paid much attention to us online. How do we keep safe, both online and at our homes? Signed, My cat won’t handle a bomb threat well.
Dear Cat,
Congratulations on your upcoming title release! I hope that your video game is well received and your justifiable fears do not come to fruition. When angry people online decide to take it to the physical world and publish personal details about their target – details not only involving phone numbers and home addresses, but also birthdates and Social Security numbers – it is called doxxing (you might see it spelled with only one x – standard spelling and grammar aren’t concerns of the Internet). The name derives from “documents” – someone who has been doxxed has had their documents released and it is a form of information warfare. To make matters worse, the doxxing is usually accompanied by threats of violence and bodily harm. You have every right to be concerned. In the ProPublica case they had to give up their well-known work addresses and get new ones – and their organization suffered inconvenience and dread - but they luckily were not threatened in the physical realm. In the #GamerGate situation the women targeted had to leave their homes out of fear. Men get doxxed, too, but it’s more likely to happen to women. Once someone’s personal contact information is released onto the Internet it cannot be taken back. You can change phone numbers, yes, but you cannot easily move – and changing your birthdate and Social Security number is not going to happen.
One solution to avoid being doxxed is to never do anything that draws the attention of the Internet, but that isn’t a realistic course of action for anyone who has a technology-related job. There are less drastic measures you and your colleagues can take, but they should be taken before you draw any attention from the Internet. (Yes, this is horrible that I have to give this advice, but that is the world we live in now.)
First, you need to think like a doxxer: if you wanted to discover someone’s private information, how would you go about it? Google-stalk yourself and see what comes up. (This will be a depressing exercise, by the way, so make sure your cat is handy for emotional support.) I will be honest: nearly all of the private information that someone can find online cannot be erased permanently. You can make requests to some of the data brokers to remove your information but unless you find the source of their data and rip it out, it will just keep coming back to them to aggregate. If someone owns a house the property tax records are a matter of public record and therefore the physical address is available to anyone who knows the homeowner’s name and city. It is a good idea to have a friend or family member you can stay with if you start to receive threats and you feel your safety (and that of your cat) is threatened. It’s even better if you don’t mention this friend or family member on social media. Of course, if you are seriously threatened, notify local law enforcement. Keep a log of whatever sort of harassment you receive – that could help them if it comes down to legal action.
Next, even though the physical threat is a possibility, prepare for an online threat, too. If you aren’t already using multi-factor authentication – where an account makes you enter another code before you can login, start using it. Change your passwords and have different passwords for every account. If you were using those security questions that ask “what grade school did you attend?” go through and change the answers to something random and false – but keep a record of your mis-information in case you need to get into your accounts! This is especially important for any public social media accounts. You might want to consider changing your social media audience to private, so only your friends and business acquaintances have access to your posts and information. If you need to speak out publicly about something controversial on the Internet think about using a pseudonym that could never be traced back to you. Last, it doesn’t hurt to call your utility companies and financial institutions and ask them to set a password on the account.
As far as your work email and avoiding the ProPublica email subscription bombing attack, before your game releases and any reviews are published maybe change any known work email addresses and make sure your current contacts have the new one. Then, use a single email address for developer contact purposes; if that email address is attacked it is easy to turn it off to avoid blocking the entire system. Those who need to contact you legitimately can still do so through your new and improved and relatively secret email address. These are not perfect solutions, but if the worst case happens it can protect your company’s resources better than nothing.
Wired magazine published “The Wired Guide to Digital Security” last December. You and your fellow developers might want to check their advice for journalists, which is probably the best category for your situation. You can find the guide online here, https://www.wired.com/2017/12/digital-security-guide/ And while your video game doesn’t fall into the category of activism, you might find Equality Labs’ Anti-doxing guide valuable, as well: https://medium.com/@EqualityLabs/anti-doxing-guide-for-activists-facing-attacks-from-the-alt-right-ec6c290f543c
Stay safe out there!
- The Computrix
Sources
Angwin, J. (2017). Cheap tricks: the low cost of Internet harassment. ProPublica and Wired. Retrieved from https://www.propublica.org/article/cheap-tricks-the-low-cost-of-internet-harassment
Equality Labs. (2017). Anti-doxing guide for activists facing attacks from the Alt-Right. Medium. Retrieved from https://medium.com/@EqualityLabs/anti-doxing-guide-for-activists-facing-attacks-from-the-alt-right-ec6c290f543c
Kain, E. (2014). GamerGate: a closer look at the controversy sweeping video games. Forbes. Retrieved from https://www.forbes.com/sites/erikkain/2014/09/04/gamergate-a-closer-look-at-the-controversy-sweeping-video-games/#532844a934f8
Matisse, N. (2015). Anti-doxing strategy – or how to avoid 50 Qurans and $287 of Chick-Fil-A. Ars Technica. Retrieved from https://arstechnica.com/information-technology/2015/03/anti-doxing-strategy-or-how-to-avoid-50-qurans-and-287-of-chick-fil-a/3/
Newman, L. (2017). What to do if you’re being doxed. Wired. Retrieved from https://www.wired.com/story/what-do-to-if-you-are-being-doxed/
Vaas, L. (2014).
Another game developer flees her home following Gamergate death threats.
Sophos. Retrieved from https://nakedsecurity.sophos.com/2014/10/14/another-game-developer-flees-her-home-following-gamergate-death-threats/