Online harassment: tactics and the tools for fighting back

#blogpost #cybersecurity #feminisms #gender violence

By Gem Barrett | Boletim Antivigilância n.14

It has been nearly two years since Eron Gjoni, the ex-boyfriend of American game developer Zoë Quinn, wrote the blog post that sparked the now-infamous GamerGate harassment campaign. In that time, the harassment has spread across the internet, forcing the tech and gaming communities to take a good look at themselves in the mirror and assess their role in such a vile bigoted crusade. Of course, online harassment pre-dates GamerGate, but it was this movement that spread the furthest — most recently targeting Ghostbusters star Leslie Jones — and therefore garnered the most attention. As a result, harassers have found Twitter to be an ideal place for evolving their tactics into new, more creative ways to turn platforms for free expression into vehicles for abuse, threats and, ultimately, the silencing of diverse voices. Although the tactics I’ll describe occur across platforms, including comment sections and various social media platforms, I’ll be focusing on Twitter as that’s where the most public attacks have occurred and therefore where most of the solutions have been implemented.

Sock puppetry is a strategy that doesn’t just pre-date platforms like Twitter; it predates the internet itself. In the early 20th century, Portuguese poet Fernando Pessoa coined the term ‘heteronym’ to describe the 70 distinct characters he created — each with their own writing style and biographies — to discuss both his, and each other’s, work. Nowadays, the less romantic term of ‘sock puppet’ exists to describe the notion of a fake online persona created with the sole intention of either praising, or attacking, a target. In the case of GamerGate, the attacks involved abusive messages and threats directed at Zoë Quinn and anyone publicly supporting her. Such accounts were particularly popular on Twitter as, at the peak of GamerGate, it was easy to set up multiple accounts with a throwaway email address. Twitter recently attempted to address this by requiring a phone number for new accounts and improving their reporting system. However, harassment by sock puppet accounts is still a huge problem, not least because it’s as easy to set up fake phone numbers online as it is to create new email addresses. Few platforms seem to have noticed that such measures are rendered useless when loopholes in their systems are so simple to find.

So what can you do when you’re faced with a deluge of Twitter sock puppets shouting over each other to tell you you’re worthless and threatening your person with various horrors? One solution is Block Together. The most basic setting works on the premise that, unlike the detailed backstories and relationships between Pessoa’s heteronyms, Twitter sock puppets are simple personas that have limited relationships with other accounts. They’re also likely set up as a response to being suspended, so they tend to have short lifespans. As a result, the first thing this web app offers is a mass block on all accounts mentioning you who have fewer than 15 followers, and/or those who have been active for fewer than 7 days. This automatic mass block saves you the trouble of playing Whac-A-Mole trying to block individual harassers.

Those Twitter accounts which manage to slip through the Block Together net, either because they’re well-maintained sock puppets or because they’re actually real people, is where the main power of harassment campaigns becomes clear. At the core of online attacks is the tactic of ‘dog piling’ — when multiple accounts bombard their target with messages to such an extent as to render the platform unusable until the attack is over. While the sock puppets are annoying, and can be scary to face, their mass is small and tackling them is akin to swatting flies. In comparison, dog piling is much more like being attacked by a pack of dogs. The reason this tactic is so effective is down to its ability to drown out any messages countering it. Even “positive” dog piling with supportive messages results in a platform like Twitter becoming too noisy to be usable. Turning off mobile notifications and restricting the content shown in your Mentions tab can help a little but, although it shields you from the attacks, it doesn’t stop them from happening.

At the height of GamerGate, several supporters of Zoë Quinn were singled out for particular attention by harassers. One of these women was engineer Randi Harper who, after incurring the wrath of “GamerGaters”, experienced a severe campaign of dog piling equal only to that of Zoë Quinn herself — despite having done nothing but voice support for her. Being an engineer, she set about tackling the problem by building a tool for preemptively blocking potential or known harassers. Building upon Block Together’s success in anti-harassment measures, the GGAutoBlocker tool works by identifying relationships between Twitter accounts and, most importantly, their relationships to the ringleaders of the GamerGate movement. Those accounts are then added to a block list, which any user can then subscribe to through Block Together. Using this tool hides you from the accounts on that list, and hides them from you, resulting in a reduced chance of well-known harassers targeting you. The tool isn’t perfect. Early iterations resulted in accounts like KFC being blocked (this was sorted out quickly!) and those who are on the list need to go through an appeals process, which can take time. For the majority of users, however, GGAutoBlocker is really the only current option for tackling dog piling on Twitter.

The most extreme and dangerous of tactics used in online harassment is doxing. Employed by the more serious attackers when they feel they’re not having enough impact, this tactic involves publishing your private information online. Phone numbers, addresses, family members’ information, medical details, government ID numbers, bank information, photos — all have been used to invade the privacy and damage the security of a target. Those who have had this tactic employed against them have been subject to blackmail and identity fraud, while others have lost their jobs or even had to leave their homes due to the threats against them and those close to them. Doxing is also closely related to the tactic of ‘swating’, which is particularly prominent in the US gaming community, as it requires the target’s address in order to deceive the police into sending a heavily-armed response to them.

Doxing, and all its resultant tactics, is not an easy problem to solve once it is happening — prevention is the main solution here. Ensuring that you control any information about you online is crucial. Of course, some doxing information will come about as a result of hacking — secure passwords and setting up two-factor authentication wherever possible will help with this. But thanks to the broadcasting culture we have online, and overwhelming privacy settings on social media, it’s no surprised that a lot of doxing information can be found just from a few minutes of searching. Because of that, the best way to determine your vulnerability is to “self-dox” — essentially, searching for yourself online. I recommend using incognito mode and/or DuckDuckGo in order to protect your privacy. Try thinking like a doxer and keep in mind that, with only 2–3 pieces of information about a person you can find out a surprising amount. Searching for your family and friends can also be a help to ensure they haven’t inadvertently left you exposed online. Aside from searching for doxing information, you should also be careful of information that could give away access to your accounts. For instance, you could have an email address you keep private and purely for social media logins. It’s also a good idea to watch out for exposing details like your mother’s maiden name, important dates and any pets’ names.

If it looks like you’re about to be doxed, or you already have been, there are things you can do. It can be difficult to get companies to remove private information, but there are organisations available who can lend weight to your request (and can sometimes contact platforms like Facebook and Twitter directly). Crash Override is one of those organisations. Created by Zoë Quinn with the express intention of helping the targets of harassment campaigns, Crash Override provides confidential, one-to-one assistance free of charge to those experiencing tactics like revenge porn, stalking and impersonation, as well as the tactics described in this article.

As you can see, there’s a lot of room for innovation in the space of anti-harassment tools. The technology world says it loves to “disrupt” industries, and yet very few have made any sort of move towards tackling this real, and very serious problem that is currently growing unchallenged. Making a real, tangible impact in this field is fraught with difficulties — most notably because it requires significant input from those who have been the target of harassment campaigns. It’s no wonder then that the two most prominent victims of GamerGate have been the two main success stories in the world of anti-harassment measures.

It’s not that others haven’t tried. In April, the Social Autopsy project by Candace Owens came to prominence when it attempted to raise $75,000 on Kickstarter. Its aim is to create a public, searchable database of harassment, including the harasser’s employment details and other identifying information. The dangerous potential for doxing that is provided by such a concept caused such controversy that Kickstarter soon shut the project down. Ignoring all warnings, the project still plans to launch, presumably being funded some other way.

Another project that had a bumpy start, but took on board criticism and learned from its mistakes, is HeartMob. Launched at the start of the year, the project aimed to connect those being harassed with those who wanted to offer support. Featuring a stringent vetting process, supporters would flood the harassed person with positive messages in order to counter the negative attacks. Unfortunately it was discovered early on that a security flaw meant anyone with an account could view any case (public or private) simply by changing the URL. That problem was fixed rapidly and the project has continued without issue. There remains the question over whether their project constitutes “positive dogpiling” and actually makes things worse, but it seems to be assisting those who have approached it so far.

Creating an anti-harassment tool is similar to the process for protecting yourself online: think like a harasser. Ask yourself where the vulnerabilities are, how they could be exploited and the impact it will have when such information is exposed. Having such a risk assessment approach is paramount when considering online harassment. Whether it’s protecting yourself, or helping others, there is so much at stake. Freedom of expression, financial security, physical safety — all are put at risk due to online harassment campaigns. Considering your privacy and security during online interactions should be as much a part of your daily life as updating your Facebook status.

Gem is a digital rights technologist focusing on information security, internet freedom and anti-harassment tools. She is a Making All Voices Count fellow with the Digital Rights Foundation, a Rapid Response Coordinator with ASL19 and an MSc Computing student. She also enjoys a good cup of tea and taking down zombies.

Originally published in portuguese and spanish at Boletim Antivigilância n.14 — violência online vs privacidade e anonimato?, on September 2016.