1
Security: Outfitting Yourself Online
I spent my formative years on the internet. For most of high school, my mother limited my computer usage to a half an hour a day, but that didnât stop me from publishing blogs on whatever the platform of the moment was. When Facebook opened to high school students, I was an early adopter. I posted photos from behind the scenes of musicals I was doing, and when I got to college, would complain about assignments, summer jobs, and the weather in my status updates and Facebook âNotes.â I uploaded a regular stream of photos with what I considered witty captions from my on-campus escapades without much of a thought to them living in perpetuity on the internet or on anyoneâs hard drive who cared to download them. Relative strangers tagged me in photos when my band performed around the country.
I donât regret any of it. I had a great college experience, and compared with most American young adultsâ experiences at school, my time on campus was extraordinarily tame. There is no photographic or video evidence of me drinking heavily or using drugs because I never did. There are, however, a lot of less-than-flattering photos of me in my early college attire (sweatpants, t-shirt, and a messy bun), or acting like the enormous nerd that I was and am, singing with my college a cappella group, studying abroad in Russia, and playing concerts with my Harry Potter-themed band.
In 2020, a troll ran an ill-conceived smear campaign featuring videos of some of those escapades. He shared them on Twitter from an alternate account after I discussed disinformation in the presidential election. He tried to shame me into silence, but I wasnât ashamed. However, I was worried. This man had dug deep enough into my Google search results to find these videos. He selected the ones that made me look the least serious and professional, and went through the trouble of downloading, editing, and sharing them through an alternate account. If he found those, what else did he find? My phone number? My address? My motherâs address? Would he ever deploy them if I debunked another one of his claims? Would I encounter him or one of his acolytes next time I walked the dog?
The night those videos were sharedâthe culmination of a week-long trolling campaign against meâmy nerves and emotions were frayed. I felt unsafe and alone. I signed myself and my husband up for an anti-doxing service, which scrubs online white pages and other public records of your personal information for a fee. I had already been in the public eye for a few years, and so I took care with my physical and technical security, but that evening was a turning point in my online engagement. The days of posting my every fleeting thought or photographic evidence of the mundane occurrences in my life were already long gone, but now it was time for a new level of curation and caution.
* * *
Cindy Otis is one of the many women Iâve relied on to help me weather online attacks. Sheâs a former CIA officer and fellow disinformation expert. Lest we forget that social media can be a positive place where friendships are formed, Cindy and I met on Twitter when we were both preparing to release our debut books. Since then, weâve kept in touch through a steady stream of messages, celebrating our successes, lamenting days that could have gone better, and supporting each other through the worst the internet has to offer.
Just before the 2020 election, we were both called on to testify before the U.S. House of Representatives Permanent Select Committee on Intelligence, chaired by Representative Adam Schiff of California. The topicââMisinformation, Conspiracy Theories, and âInfodemicsâ: Stopping the Spread Onlineââcouldnât have been more timely or more likely to attract the criticism of the very people who spread the malign information we were discussing.
The day before the hearing, âQ,â the anonymous leader of the QAnon conspiracy cult, posted a message on 8kun about the proceedings. âShall We show them, Anon..?â [sic] it began, before listing the names of the all-woman witness panel and closing with the phrase âForewarned is Forearmedâ and a salute to the âQ Team.â The next day, Q adherents spent the two-hour hearing criticizing our appearances, making anti-Semitic slurs, and alleging we were all CIA plants. âDo we see a pattern here?â one poster asked, including a picture of the four women witnesses. âLook at the nose on that broad,â a commenter wrote of me. Another implored, âshow us your boobs!â Cindy, who is a wheelchair user and proud disability advocate, was grotesquely ridiculed. The discussion wasnât void of violent threats, either. One user wrote
Find their feathers
Light them up with truth!
They have exposed themselves.
Attack!
This is a digital battlefield and we will not go silently.
Cindy had already locked down her Twitter account. âI didnât need the stress of dealing with prep for [the hearing], executing that, and then coming back to disaster mentionsâ on Twitter, she tells me in a later conversation.1 Itâs not a decision she takes lightly. âI know for a fact that that has caused me to [lose] opportunities to expand my reach and ⊠increase my credibility,â she says. âWhen I lock down, nobody can share my content, nobody can follow me. There are those moments where you have that opportunity. I know Iâm limiting my professional progress each time I scale back on social media. Itâs the calculation I make each time to prioritize my physical safety, my mental health.â
As an open-source analyst and investigator who has uncovered disinformation networks that have made the pages of The Washington Post and other notable publications, Cindy is an expert on the digital breadcrumbs that can be used to target us. âEvery social media user needs to make choices about how authentically themselves theyâre willing to be online,â she underlines. The tidbits of our lives that make us more humanâour family issues, health issues, and personal storiesââthose can all be used to target you in the future, either by trolling or through attempted recruitment by intelligence services,â Cindy warns. âThe calculation might be that thatâs a vulnerability youâre willing to put out there, [but] you want to think carefully about the personal details youâre sharing that might put yourself in a more compromising position.â
But itâs not just the personal details that can get you in trouble; basic cyber hygiene is the foundation to any online security practice. No, it is not the most exciting part of protecting yourself online, but it is the part most connected to your physical safety. From password managers and two-factor authentication to being savvy about the seemingly innocuous tidbits you share on social media, you can build a moat around your public profile, adding an extra layer of security and peace-of-mind as you do your work and make yourself heard.
Basic Cyber Hygiene
Best practices to keep your data, profiles, and devices safe
In June 2021, Representative Mo Brooks, a Republican of Alabama, tweeted a picture of his computer monitor. What was displayed on the screen is unimportant compared to what was stuck to it: in the bottom corner, a sticky note appeared to show Rep. Brooksâs email password and a PIN number. The tweet remained online for 20 hours before it was replaced with a version with the sticky note cropped out.2
Women in the public eye do not have the luxury to be so careless, nor could we possibly expect 20 hours of safety in such a scenario. If Cindy or I had made a similar mistake around our testimonies, for example, itâs likely the QAnon cultists who dug through our online profiles would have attempted to gain access to our accounts. They wouldnât have been successful, because we follow the basic, easy practices Iâm about to outline for you that keep our personal information safe from anyone who might try to harm us.
Itâs time to banish the sticky notes and scribbles at the back of your notebooks and proactively strengthen your online security.
Password managers
In todayâs digital world, we all maintain hundreds of passwords that are the first line of defense for our personal information. It is tiresome to try to read a news article or make an online purchase to be prompted for your username and password and guess blindly as to what they might be until you finally scrounge around in your desk drawer for the paper scrap that might hold the answer. Worse yet, perhaps youâre in a rush, trying to buy a ticket to a popular concert, and are prompted to create a new account. Uninspired, you decide to make this password an ode to your dog. âILoveFluffy,â you type. The pet-less among us might go for a significant otherâs name, or worse yet, âpassword1234.â And then, of course, there are the days you donât want to create a new password at all, and repeat your email or bank password, which you know by heart.
Weâve all been there, but this behavior needlessly exposes us to potential security breaches. If the concert ticket website is compromised, criminals now have access to the other accounts where you used the same password. This is entirely avoidable. It is extremely easy to set up a password manager, a service that will generate, store, and even input every password, username, and security question you have.
Hereâs how they work: after signing up for a password manager service (I use LastPass; other services include 1Password, BitWarden, and Dashlane), you create a single password that will log you into your password manager service. This is the only password youâll ever have to remember so long as youâre using the service. From there, most password managers offer a browser plugin and mobile app that will store all the usernames and passwords for sites and services you use. You wonât have to copy and paste them from site to site, and if you ever update your passwords, the service will log the change automatically. Most of these services will also identify weak or potentially breached passwords affected by large-scale hacks or leaks. A good password manager will also offer two-factor authentication to keep your accounts even more secure (more on this below) and ensure that if someone did crack your complex login information to your password manager, they would not be able to gain access to your account. (You should absolutely turn this on if itâs available on the service you choose.) Best of all, when you create an account on a new site the first time, these services will generate a complex password, full of letters, numbers, and symbols, fitting the requirements of every site or service you use, and youâll never have to think of or remember one again.
Most web browsers and operating systems offer some version of a password manager (such as Apple Keychain or Googleâs Password Manager). Though they are aggressive, incessantly asking âWould you like to save your password?â, convenient (pre-installed with your browser) and cost-effective (most of the best services on the market require a subscription fee of around $30 per year for full operability) they do not always offer the same features that an external service focused only on password management would.3
You may also be tempted to use single sign-on, employing your Google, Facebook, or Amazon account to log in to other websites rather than create new accounts. There are two reasons you should avoid this at all costs. First, the web titans providing those umbrella accounts are likely to harvest data about your behavior on third party services when you log in using the credentials from their site. More importantly, however, if your password for your Google, Facebook, or Amazon account were ever compromised, criminals could then access all your information on sites where you used them to log in. Yikes.
It is likely that you have been the victim of a password breach in the past...