In 1998, a column published in The New York Times recommended that people who were worried about online stalking change their email address to something that would be “hard to guess” and not submit personal information to “on-line directories.”
Twenty years later, when online services dominate digital social interaction and employment services, and email addresses have become as recognizable as our faces, targets of online stalking and harassment face a far more complex landscape.
According to the Pew Internet Center’s July 2017 report on online harassment, 18 percent of Americans have been subjected to stalking, sexual harassment, or other forms of sustained harassment. And in an 18-month study it published in November 2016, the Data & Society Research Institute found that 36 percent of Internet users may have experienced direct harassment, including offensive name-calling, physical threats, or stalking.
Thirty percent of the Data & Society Research Institute study’s respondents, “3,002 Americans, ages 15 and older,” said they experienced invasions of privacy, such as having sensitive information or images stolen and posted online. And 17 percent said they experienced denial of access, such as receiving a large number of unwanted messages, having someone misuse a platform’s reporting tools to block them from using it, and denial-of-service attacks.
And although the study found that men and women are equally likely to face harassment, its female respondents experienced a wider variety of online abuse, including more serious violations, such as revenge pornography, harassment at work, and interference with potential employers.
Even in the age of government surveillance, Russian spying, and extensive online harassment and doxing campaigns, there are steps consumers can take and techniques they can use to lock down their accounts, block their harassers, and move on with their digital lives.
Step 1: Document and report it
Experts The Parallax spoke with for this story say it’s important to document all instances of online harassment and stalking, with screenshots showing the website URL, from abusive content posted to websites or social-media accounts to evidence of unauthorized access to an account. That way, if you need to prove to a judge or a company that you’re the target of harassment, you have the proof at hand.
Documenting is the single most important, and arguably the hardest, task when facing online harassment or stalking, says Christina Gagnier, a privacy and intellectual-property lawyer and adjunct law professor at the University of California-Irvine who also sits on the board of directors at Without My Consent, an organization that fights online harassment.
“I tell victims to go immediately to law enforcement,” she says, though she acknowledges that some judges find online harassment a distant concern when they have to hear cases of physical domestic violence on a regular basis. “Take your cell phone, take your social-media handles, laptop, and screenshots of what’s happened. That will help law enforcement piece together what’s happening in the situation. And bring any information they can provide on the person who’s harassing them.”
Without My Consent’s guide recommends saving Web pages as PDFs, as well as taking screenshots that include the website URL and the device’s date and time. Print them out for archival purposes, if possible.
Download full videos, take screenshots of text messages and emails, and make sure to back up everything to a secure drive. Without My Consent offers an evidence chart to help keep track of the documentation process.
The organization also recommends that people who are considering unmasking their harassers file a Litigation Hold Request, which asks online service providers to save evidence for potential later use.
In addition to law enforcement, victims should strongly consider notifying the service provider, Shannon Morse says.
“If it is a mobile-phone carrier, for example, alerting them of the situation could add a red flag to your account, so customer service agents are more skeptical of inquiries about your account,” she says. “This could help protect against social-engineering tactics by the attacker.”
Step 2: Evaluate the situation
Is it safe to go further? People who find themselves in domestic-violence situations may want to consider whether revoking access, changing passwords, and tightening account security could put them at physical risk. If that’s the case, contact a legal advocate, a lawyer, or a law enforcement agency immediately, Gagnier recommends.
“Even if you’re not sure, it’s important to go to law enforcement and get something on the books so if the behavior becomes more persistent, there’s evidence to help the local prosecutor build a case,” she says.
There are strategies Gagnier has seen victims use to elude harassment, including creating new accounts unconnected to the old ones while leaving the old ones active. Some victims have even left old accounts open to their harassers, just with sensitive information (such as banking emails) deleted.
“This could be as simple as creating private social-media accounts that only a select few people are permitted to view,” says Shannon Morse, co-host of the popular hacker podcast Hak5. “Or it could be as specialized as creating a secondary email account that all of your most important online accounts, like banks and utilities, are tied to.”
Step 3: Revoke access
If you’re ready to move forward, most online services now allow you to see where and when someone has accessed your account—and to revoke the access.
Most often, when you navigate to the relevant Settings sections for the major accounts you use, the log-ins listed will reflect where you were. (If you use a virtual private network, however, the time and location stamps may appear different from where you actually were located.)
If one or more of the log-ins seems suspicious, however, you can revoke access for that specific log-in. On Facebook’s Security and Login settings, for example, you can see where your account was logged in and revoke access on a per-log-in basis, or log out of all sessions at the bottom of the list. Similarly, Google lets you log out of all Google accounts (such as Gmail and YouTube) on a per-device basis.
Morse also recommends revoking access for apps and other third parties on the compromised account. Even if they’re useful, like TripIt for staying on top of travel itineraries, revoking their access during a time of crisis can help you figure out who (or what) is accessing your account. You can always add them back later, she advises.
It’s a helpful trick to know, especially in light of a story detailing third-party Gmail services data-mining consumer emails.
Step 4: Tackle your passwords
Passwords are the weakest link in account security, but they’re not impossible to manage. All major modern browsers come with built-in password managers that can synchronize across devices and platforms, or you can install a third-party manager such as LastPass, 1Password, or Dashlane.
Password managers are strongly recommended because they help generate secure passwords without repetition, a common flaw in account security, and they store all of your passwords so you don’t have to memorize them.
New passwords should be unique—never repeated on any of your accounts, no matter how trivial. They should be hard for a machine to guess yet, at least for your most important accounts, easy for you to remember.
Step 5: Add two-factor authentication
Two-factor authentication, which requires a one-time passcode in addition to your password, keeps hackers at bay. The additional step of using a physical key, or entering a code sent to you via text message or email, can add a few seconds to accessing an account, but what you lose in time you make up for in peace of mind.
Our guide to adding two-factor authentication covers how to add it to the alphabet soup of major Internet services, from Amazon.com to Yahoo.
Whenever possible, experts recommend using a physical key to provide the second, one-time passcode for your account. Not all accounts support keys yet, but Google and Facebook do.
Two-factor authentication keys have kept all 85,000 of Google’s employees safe from account-hacking phishing attacks since the company mandated their use, Google told Krebs on Security. The policy change has been so successful that Google has begun manufacturing its own keys, similar to the YubiKey, and plans to sell them to consumers as the Titan Key.
No price point has been announced.
Morse, who says she has been a hacking and harassment target as a woman and someone with a public presence, considers two-factor authentication to be the gold standard in preventing account breaches.
“I do security Web shows; I’m a target. But since I started using two-factor authentication, I’m not worried about it,” she says. “Using a physical security token is best.”