 Good evening. Thank you all so much for joining us tonight. My name is Tori Bosh, and I'm the editor of Future Tense, which is a partnership of New America, Slate, and Arizona State University. There's a third one there. We explore emerging technologies and their implications for public policy and for society. For tonight's happy hour event, we're, which I like to think of as like a cybersecurity self-defense class, we're thrilled to partner with Penn America, the Freedom of the Press Foundation, and New America's Open Technology Institute. This event is also part of the Free Speech Project, a collaboration between Future Tense and the Tech Law and Security Program at American University. I think there's one or two institutions not affiliated with this event in DC, but I'm not sure what they are. All year, Future Tense will be publishing articles on Slate and hosting events about how technology challenges the way we think about speech. Tonight, our fantastic speakers are Victoria Vilk, who is the Program Director for Digital Security and Free Expression at Penn America. She leads initiatives on a range of free expression issues, including developing tools and strategies to empower writers, journalists, newsrooms, and publishers to defend against online abuse. Last year, I was lucky enough to sit in on an incredible training she did at Slate on how to protect ourselves for online abuse, which I'm still grateful for. Victoria is joined by Harlow Holmes, who is the Director of Digital Security at Freedom of the Press Foundation. Harlow is a media scholar, software programmer, and activist, and she contributes regularly to open-source mobility collective, the Guardian Project. Harlow and Victoria will speak for about 20 minutes first, and then they're going to start a hands-on portion of the event that'll go on for about an hour. We'll give you more information about that as the night goes along. A couple of quick housekeeping notes. This event is streaming online, so if you ask a question of the large group, please wait for the microphone and identify yourself. Please silence your cell phones, though we do expect them to be out tonight, unlike most events where we might want you not to. I'm going to find Kevin from the back. Yes, please do. And finally, most importantly, feel free to get up at any point to refresh your drink or grab another snack. The bar will be open the whole time because we do want this to be a fun event, even if we're talking about some challenging topics. I think wine can make that a little bit easier. So Harlow and Victoria, I'll let you take it from here, and thank you so much. Thank you. Public service announcement. Don't drink so much that you can't tell what you're doing with your passwords on your cybersecurity password, because then you'll be like, what did I do yesterday? I don't know, we don't want that. So hi, everybody. I agreed to sit for exactly two minutes. I know I'm not a sitter, I'm a standard. You can sit. So as Tori said, I'm Victoria. I work for Penn America. In case any of you are not familiar with us, we are a non-profit based in New York with an office in D.C. that celebrates and defends the written word in the U.S. and internationally, and defending press freedom has been a central part of our mission since we were founded almost 100 years ago. Do you want to just say a little bit about yourself? Sure, sure. Hello, everyone. I'm Harlow Holmes, as was said, the director of digital security at Freedom of the Press Foundation, which is a non-profit organization based in New York, San Francisco, and actually globally, where we do technology building, digital security training, curricula building, consultations and security auditing, and advocacy campaigns supporting what we like to call 21st century journalism, oftentimes working primarily with adversarial public interest journalism, whistleblowers and the like. I would like to get a sense of who we have here. So just let's do a show of hands. So who here is a journalist or an editor or works for a news organization? Raise your hand if you're a journalist editor or work for a news organization. Raise your hand if you are an activist a human rights defender. Do you work for a CSO, non-profit organization? You could raise your hand. Yeah. I know. It's okay. Raise your hand if, who else might we have in the room? If you're just concerned about your privacy and the fact that everyone's tracking you all the time and you don't know what of your information is out there online. Just raise your hand. And then it's very mutually exclusive, exactly. Who am I missing? Does someone wanna volunteer or organization to come from or what brings them here? Web development firm. So who here is a technologist or works kind of in the technology space? Quite a few people. Okay, that's great. And one thing you might notice, so rather than doing mics, which is gonna kind of be annoying and take a long time, you'll just notice that Harlow and I will paraphrase anything you say or ask so that the people on the live stream hear it and that way you don't actually have to be seen on the live stream or heard on the live stream if you're not comfortable with that. So thank you very much to Future Tense for having us to New America and Slate and thanks to all of you for joining just to give you a sense of how the evening is gonna go down. I'm gonna give you like a 15 minute, 20 minute, very basic intro on what is online abuse? What are some of the tactics that we're seeing, particularly targeting journalists and human rights defenders and activists and what impact does it have on people when they're experiencing it? And then we're gonna switch gears and we're really literally gonna take out our phones and our laptops and start plugging away and we'll offer you very, very practical, concrete things that you can do to protect your privacy and bolster your security to try to make yourself safer against online abuse and other threats to your safety online. So I think I have one caveat, which I always give is really important. I'm going to be exposing you to text and imagery and video that is deeply racist, sexist, homophobic and otherwise just appalling and gross because there's no actual way to talk about online abuse if you don't deal with it and all of its ugliness. That said, I understand that for some folks it is traumatic, it is sensitive or they just don't wanna experience it or see it. So if at any point you need to like take a break, walk out, whatever you need to do, like zone out, it's totally okay, we get it. So without further ado, I'm going to play you a very short video. It's like three minutes. Some of you may have seen it, but I think it's critical viewing for anybody. I'd like to start a petition for a ban on all links to Julie DeCarro's Twitter feed. Okay. Can we raise the volume folks? Whoever from the back, Sarah. You ready for some mean tweets? I'm ready. Sarah Spain sounds like a nagging wife on TV today. It's not even married yet. Julie DeCarro is a run of the mill mediocre beat writer. Not atrocious, not good. Just sorta there. I'm actually not a beat writer at all, but okay. Sarah Spain is just a scrub muffin. I don't even know what a scrub muffin is. I don't either. I love muffins. One of the players should beat you to death with their hockey stick like the whore you are. I'm just reading this. Okay. I mean, okay. This is why we don't hire any females unless we need, uh, unless we need our suck or our food cooked. Sarah Spain is a self-important know-it-all. Read the tweets, man. Just mean tweets. Um, this dumb. There's a lot of C word. There's a lot of C words. Yeah. Yeah. I hope your dog gets hit by a car. You. Hopefully this skank Julie DeCarro is Billy, Bill Cosby's next victim. That would be classic. I don't know what to say to that. I don't, mm-hmm. I don't think I can even say that. That video many times and it still makes my skin crawl. I don't know if you folks have any kind of got reactions to that. I don't know what kind of got reaction one could have, but utter and complete disgust. I mean, I guess, is this something that you folks are kind of, so many of us are now on social media, whether it's a professional imperative or personal kind of interest. Is this stuff that you guys are experiencing and seeing? Is it surprising or new to you? I mean, female sports journalists get hit among the hardest of anyone who does any job with this kind of abuse, but it's actually pervasive in so many industries. I've had people in finance write me and ask me what to do about online abuse. Obviously in the tech community, in the entertainment industry, definitely in media, it's a really widespread growing problem. I think for a long time we were operating under some strange delusion that the digital realm, the online world was somehow completely distinct from real life, right? Like, oh, but that's not real life. Just get a thicker skin or it'll just go away if you let it die down. And when you look at these women's faces and you see the toll that this has taken over years and years and years of putting up with this kind of junk, I'll try to use, not use foul language since I'm being live streamed, but that's how I feel about it, but you can see that this is real life. Like this is people's mental and physical health. And when you're talking about doxing, which we're gonna talk quite a lot about, and somebody posts your home address or tells someone where your children go to school, all these distinctions between real life and not real life completely break down. At Penn, when we talk about online abuse, we've actually created a definition because one of the issues with this, with online abuse as a phenomenon is that we don't yet have a shared language to describe what's happening to people, which is absolutely completely critical. And so we, you know, you've probably heard it called cyber harassment, other things. It's the repeated or severe targeting of an individual or group in an online setting through harmful behavior. And if it sounds kind of broad, it's because it's an umbrella term that encompasses a whole bunch of ever-evolving tactics, right? That are, it's like whack-a-mole. You think you've come up with a solution and something else pops up. And I wanna run you through some of the things that at least we're seeing, in particular affecting media and journalism, but I think you've probably seen in all kinds of other contexts. So hate speech, pretty self-explanatory, right? It's slurs and attacks that target someone because of their identity, whether it's their sexuality, their race, their religion, their gender, et cetera. Threats, threats of physical violence for women. It's often threats of sexual violence, which are really intended to make you feel unsafe. Dog piling are essentially coordinated attacks when it's such a large mob and you're dealing with things at such a high pace, at such high volume that it's almost impossible to navigate or keep up with. And doxing, which is publishing private sensitive information like your home address, your cell phone number, your social security number, other things. And we're gonna talk a lot of today's interactive section is gonna be about what you can do to try to protect yourself from doxing. Online impersonation is, it's a little bit different from hacking, right? Like someone can hack into your account and then kind of tweet or post as you. But online impersonation is a little bit different. It's often when somebody takes your photo and your name pretends to be you and then uses a fake account that looks like you to spread defamatory, humiliating, embarrassing information or to attack other people in a way that you would never would. Message bombing is when somebody floods your email account or your voicemail inbox with so many messages that you basically can't use it. You can't get through all the junk that's in there. Non-consensual intimate imagery. Again, this is a problem that disproportionately affects women, but it's the dissemination of real or in some cases totally manufactured explicit imagery without the consent of the person being featured in them. And there are contexts and regions of the world where that can actually get you killed. And swatting, which is very rare, but completely terrifying and again shows you that these distinctions between the digital world and the real world are completely arbitrary. It's when someone, it often goes along with doxing and it's when someone sends a SWAT team to your house, calls, you know, hoax account, sends a SWAT team to your house, it's incredibly dangerous, it's very rare, but it really does bring home why this stuff is real, right? I guess I'm curious, again, you're under no obligation to respond, but I'm curious, show of hands, how many of the folks in this room have either experienced something, one of these things or more of these things themselves or witnessed a colleague or someone they know being subjected to these kinds of attacks? So I will tell you, when I go to newsrooms, I've been to over a dozen newsrooms in the last year, everybody in the room raises their hand. You know, everyone from the people at the top to newbie journalists and everybody in between. It's really a pervasive problem. This is a study from 2017 from Pew. I guarantee you these numbers would be higher in 2020, but this study found that over 40% of Americans had experienced online harassment and over 60% had witnessed it targeting other people. And I think probably this will surprise no one here, but women, people of color, and members of the LGBTQ community are disproportionately targeted by more egregious kinds of abuse online. There have been some very good studies that have come out in the last several years. People have finally dug into this issue and started looking at this problem. Amnesty released a report just last year that, surprise, surprise, found that Twitter was an incredibly toxic place for women, that every 30 seconds there was a problematic or abusive tweet aimed at women on the platform. Black women were disproportionately targeted. They were 85% more likely than white women to be mentioned in abusive or problematic tweets, which is a crazy number. And it completely crossed the aisle in terms of political spectrums. People on all sides of various political divides are being targeted and attacked. It's a huge problem for journalism. This study from the Committee to Protect Journalists found that over 90% of journalists in the United States cited online harassment as the single biggest threat to their safety and security that they are dealing with. And a study from the International Women's Media Foundation found that it's on the rise, that this promise on the rise on the last five years it has gotten considerably worse across the board. And the last point I'll make, which is how we, Pan America, got involved in this issue, we are a free expression organization that is our mandate and our focus. We have over 7,500 members in every state across the United States and we started hearing from them. We started hearing from our members about the degree to which online abuse is making it more difficult for them to do their jobs. And so we did a research project and we found that over 2 thirds of the people who responded to our survey not only feared for their safety and the safety of their families, but engaged in all kinds of self-censorship. So they changed how they read about certain subjects. They stopped writing about certain subjects. Some folks temporarily closed down their social media accounts, other folks left social media entirely and a very small subset of people left the professional together and went on to do something else because they felt so unsafe. So we spent a year building this. You'll see the cards on the table. We spent a year building a toolkit specifically with the needs of writers and journalists in mind but it actually applies to anybody who needs to have a public presence online, right? There's a lot of advice that people will give you, cybersecurity advice where it's like lock everything down, make everything private, disappear off the web. But if you are a journalist or a politician or somebody else who needs to have a public presence that advice doesn't help you at all, right? Because you might use the internet to find sources or to publish your work or to get attention for what you're doing. And so we built this toolkit. It's got really good basic advice on how to prepare, respond, take care of your mental health. And it's got a lot of good advice for employers and how they can protect and support their staff. I also do training around this which is what Tori was talking about. What we're gonna do today is gonna be a pretty narrow slice. We're not gonna look at kind of the full range of things you can do when you're under attack. We're really gonna focus on cybersecurity and proactive kind of protection. Because it's much harder when you've been doxxing, your home address is floating around all over the place. It's very hard to get that information back. So trying to be proactive about it is a really good thing. And I think we're gonna play my favorite game which is no one else likes but me. I like it too. Yeah, you like it too. But that's cause you actually taught me how to do most of the stuff. I wanna know, the good news is, protecting your digital safety is not rocket science. Because we're not in Iran or Russia yet, you don't have the entire force of the intelligence service that the state directed against you unless you're a very particular journalist doing they're particularly kind of reporting in which case. And so the stuff that you need to do you probably already know what you need to do but might not be doing. It's a show of hands. How many people use passwords that are at least 16 characters long on their most sensitive accounts? Raise your hand if you're using passwords that are at least 16 characters long. Okay, this is not bad. I thought like no hands would go up. So there's a couple of hands that went up. When I first started doing this, I had 12 characters and then Harlow sat and she's like, no, it's 16 and then I tried to negotiate her down and she didn't work. Harlow, why 16 characters? Why? Well, the reason why we want to have long passwords is because they provide, like it's a computer return, it's called entropy but ultimately what it means is it's enough chaos and random that computers need in order to protect secrets as well as they possibly can. And so the longer a particular past phrase is the better chance you have to withstand someone trying all sorts of combinations in order to break that. How many of you earnestly, diligently answer security questions with the real information, like your mother's maiden name or when you were born? Harlow, why is that not good? Well, so especially in the advent of social media where so much of our lives are online, it's pretty trivial for someone to kind of do research into what these particular questions or answers to those questions may be. And ultimately all of our accounts, even if we have the best past phrase and all that stuff are really only as secure as what options get presented to you, when you've forgotten your password and need help getting back in. I would just, I guess, summarily say, safe security questions, like what's your mother's maiden name? What street did you grow up on and all that stuff? Treat those as an opportunity to use it like a past phrase would, like you would use a past phrase. Fabricate stuff. Yes, you can lie to computers, they will not get mad if you don't tell them your mother's maiden name. And if you're like, how on earth am I ever gonna keep track of all these different passwords and all these different security question answers? Consider getting a password manager. I've had one for I think seven years now. Last pass, Dashlane, one password is really good and if you're a journalist it's free for you, which a lot of journalists don't know, it's really good software. So basically a password manager will, you put a widget, like a web browser widget on your whatever web browser you use, you put the app on your phone, you have one centralized master password which you cannot forget. I have done that once, it was very bad, they don't let you change it, you just have to start over, don't do it. But once you have that in your head, it basically auto-generates secure passwords that you can adjust how long they are and how good they are, and then fills them in for you. So I strongly advise you folks, we're not gonna do that today because it's time consuming, but consider getting a password manager and centralize that stuff. If you're not totally comfortable having everything in one place, maybe you decide that there are three accounts, your email, your bank account, and some other account that you keep in your head or that you have somewhere secretly hidden in your house written down, but for everything else, all your newspaper subscriptions and all the other things that you're using, use the password manager. How many people have two-factor authentication? And I can explain in a second what that is, but how many of you have two-factor authentication on their professional email address? Keep your hand up if you also have it on your personal email address. It's not bad actually, not bad. How about social media accounts? How many of you have two, okay, we'll work on that today. Two-factor authentication, if you're wondering what is that, I think most of you know I saw a lot of hands go up, but it's essentially, actually, Harlow, can you explain it? You do this, but I'm sorry. So two-factor is based off of the idea that in order to get into any account, you have to have something that you know or something that your computer knows, which is that passphrase, but then something that you have, which is usually physical control over something that would grant you extra access by giving you a generated code that changes over time very, very quickly. And yeah, it's the best way to secure it. The basic premise is if somebody who isn't used trying to get into your account, they would have to have your passcode. And if the passcode is only on your phone, they wouldn't be able to get into your account. So it's like an extra measure of security to protect you from hacking and from people trying to get into your accounts. How many of you have heard of SIM jacking? SIM hijacking. Raise your hand if you've heard of SIM hijacking and you know what that is. Okay, so SIM hijacking is basically when somebody calls your cell phone pretends to be you and says, oh, I got a new SIM card. Can you route all this traffic to my new phone number? And then the cell phone company will do that. And then if, for example, you have two-factor authentication set up, not with an app, but with the actual, your phone number, all of your two-factor authentication goes to some other phone number that is now in somebody else's possession. Troy, you look disturbed. Oh, someone else at home. So if the best way to protect yourself against that, it's incredibly simple. All you have to do is call yourself a provider and ask someone to put a four-digit PIN on your account so that no changes can be made to the account without a four-digit PIN. And then don't make that four-digit PIN your birthday, please. Make it something a little harder and then you should be in good shape. A couple more tips. This is, is anyone else an XKCD narrator essentially? Okay, good. Oh, I'm in good company here. So one of my favorite, through 20 years of effort we've successfully trained everyone to use passwords that are hard for humans to remember but easy for computers to guess. So a password like Troubadour with some fours that's really short, not a great password, correct horse battery staple, much better password. You might actually remember it because it's so weird. Couple things. How many of you religiously update your software and your apps as soon as you're told you have to update the security feature? Okay, there's like four or five of you. That's better than nothing. Why, why is that important? Well, it's annoying. Why is it important? Yeah, it can be annoying. However, the computers that we have, the phones in our pockets, all of these things are only as good at protecting you as they can be if they are currently, I guess, protected against vulnerabilities that are floating out there. So for instance, we were talking about that password manager, we were talking about getting an app with two factor authentication. If the phone that you're using for some reason gets malware on it, then all of those protections actually go away and it makes you feel not as empowered as you should in taking your security into your own hands. So when developers release patches or other updates to the software and to the operating system on those computers, take that into account and apply those updates because what they want to signal is that there are problems out there that need to be fixed and that's your only chance of fixing that. How many of you have done that thing? You know when you sign up for some new software or some new account? And it's like, you can just sign in as Google or you can sign in directly through your Facebook and how many of you click that button? Cause it's just so convenient, raise your hand. Yeah, also not good. Why is it not good? I also used to do that until someone told me I wasn't supposed to do that. Well, I mean, there are some cases where that actually might make sense and be really, really handy. However, we just want you to make those choices consciously and be selective about applications that you allow to also do things like post to your Facebook wall on your behalf or add and remove friends on your behalf or even read the contents of your entire Gmail account. Bad actors that are masquerading as good, helpful actors exist and so it always is worth taking the time to just go over these choices and make the right decision. And it's actually not just that, there are some actors who are not bad actors or just sloppy actors. Like there are apps that are just built poorly, don't have very good security and if you give them a backdoor to your most precious accounts, your most sensitive accounts, you're actually making yourself vulnerable. So it's probably in most cases not worth the convenience. Just make a new username and password. Could I tell my favorite story real quick? You can do whatever you want. Okay, so. You're the co-bot here. My favorite, this actually happened to me a while ago. I joined Facebook a very long time ago and I remember maybe about a decade ago, there was this app that Burger King created and it was like if you let this Burger King app drop 10 friends of yours from your Facebook account, they would send you a coupon for a free whopper. So I got the free whopper a decade ago but then like maybe a year ago I was looking at my Facebook settings and I still was letting Burger King have access to my friends and so that freaked me out because who knows who developed that at 10 years ago and where they are now and what's happened to this app that I just like gave total control on my Facebook account. That was very kind of me to share that because Harlow is truly one of the leading cybersecurity experts out there. So if Harlow has done it for you. But I love whoppers. All right, on that note, last two, well last question really, let's get the last one. How many of you have like a dummy phone number? Like a Google voice number or some kind of phone number? That's not actually your main phone number. Some people. That is a very good idea and I will tell you why and I'll tell you how. Why is because if your actual SIM based phone number gets doxxed and it makes it really difficult to use your phone, you're basically cut off from one of your primary means of communication to your friends and family. Like it used to be that we had land lines and we had office lines. Now everybody just has their cell phone. If you get a virtual phone number like Google voice. So it's basically an app. You don't exactly pick your number but you can pick the zip code. It works just like the app on your phone that's like built in, the built in calling, right? But it's just on a different number and you can use it anywhere where you have to publicly list your cell phone. Use your Google voice number, right? So anywhere on the web, if you are someone who you need people to be able to get in touch with you, I get it, right? Journalists often will list their cell phones. Just don't list your actual SIM card based cell phone. Use that just for friends and family, for people you trust, people you know and for everybody else, get the dummy number. I also, somebody told me recently that Verizon, at least Verizon and possibly one of the other cell phone companies have a service that you can pay, I think, $10 a month and get another phone number, so it's all built in. I've used Google voice for a long time. It works for me. So just a thought. All right, I think we are going to now, I will make one more point because it's really important. Buzzfeed, some of you may know about Buzzfeed. Buzzfeed's reporters have been on the front lines of getting hammered by online abuse for a long time. And so they've actually developed sort of guidelines for their staff where they try to encourage their staff to start putting up boundaries between their personal and professional self online. And I know that sounds cumbersome and annoying. A lot of the tech companies sort of didn't really want us to do that. They tried to funnel us into something where we're putting all of our information out there all the time and kind of fusing everything together. A practical way to, I don't expect anyone to have like two Twitter accounts and two Facebook accounts and two of everything because it would drive you insane, right, it's enough to try to keep track of one. But what you can do, and we're gonna talk a lot about this over the course of the evening, is to be strategic about which account you use for which purpose. So let's say your Facebook profile that has more personal information on it is just for friends and family and then you can go into the settings and we'll show you how today and make sure that that's set to friends, to friends only, to really tighten the privacy settings. Maybe you're somebody who uses your Twitter almost entirely for professional purposes, in which case you can have those settings set less private, but then don't put your home address or imply where you live or talk about your kids or other things that are kind of sensitive and private on your Twitter profile. And then make sure that you have two email accounts at least, you have one professional email where you maybe use it publicly and you have a personal email. And I also encourage people to have like a junk email which is like the stuff where you sign up for crap, you know, and ideally two cell phones. And without further ado, we are now going to teach you the art of how to dox yourself. And I'm gonna, but not actually literally, so let's just make that clear. And I'm gonna hand over to Harlow who's gonna be doing the legwork here. Yes, we also have plenty of folks in here who will be like circulating around. Who are the folks who are gonna be circulating around? We can have our volunteers. Thank you volunteers for coming here to help us. Basically, as Harlow tells you stuff that you can do, take out your phones, take out your laptops as the time. And if you get stuck, just hold your hand up in the air and I or one of the folks in the back will come over. And help walk you through whatever you're stuck on. All right, so first off, actually, Victoria gave a really, really excellent definition and several examples of what doxing is and why it impacts people. But what we're gonna do right now is we're going to do a little bit of a role play and step into the mindset of people who do do this, understand their rationale behind why they do it, understand the tools they have at their disposal to do so, and also understand exactly how that impacts someone who's being targeted. So one of the reasons why we emphasize protecting our personal information so much is because obviously there's so much information about ourselves that's associated to our names to our personas that circulates widely across the web. Go ahead and Google yourself. You can, yeah, let's start with Google, okay? Has anybody done that before? Yeah. Do you like? People think that Googling yourself is vanity project. It's not, it's really important to know what of your information lives on the web. What you look like to the rest of the world. So there's a couple of things. One, people who have, let's say, unique names like mine, for instance. Actually- Victoria with a K and a Y. Yeah, like Victoria, we have a little bit of trouble being able to hide amongst the search results. They're really, you know, like you don't- John Smith is okay. If you're John Smith, you might be in good shape. Yeah, exactly. John Smith might fare very well. Another thing actually has to do with the fact that, or with how these search engines work. So you'll notice in this screenshot we have, we actually can kind of infer that Victoria is logged in here. So the search results that you're going to get from your logged in Google account are probably going to be more like tailored to you, tailored to that vanity project. So what I encourage you to do is not only like, you know, start Googling wherever you are, but also perhaps open up an incognito window and see if the results differ. You can try it now, if you- Yeah. Prepare to be afraid now. Does anyone have any questions about the incognito window? No, okay. Okay. No. So the incognito window for those of you who aren't familiar with it is another mode that you can enable in most of your web browsers that does one thing really well, which is make sure that like your browsing history or any cookies that you might encounter when you're on that window will be removed from your computer as soon as you close the window. However, it doesn't change who you are. A lot of websites that you visit have very sophisticated ways of telling that it is you regardless of whether you're using the incognito mode or not. So if you do need to do some research that requires increased anonymity, which is beyond the scope of today, just understand that the incognito window isn't going to do you much help. And I should actually just point out that if you have questions that you think are of general interest to the group, please feel free, raise your hand, ask questions, we'll paraphrase to make sure that people on live stream can hear. If you have questions that are very specific to getting stuck on a particular task, then just raise your hand and we'll come over and help you. Did you, I saw some questions, no, okay. Onwards. All right. So that's the first step. So we've started Googling ourselves, cool. Now, here is a little bit of an advanced technique when people are researching other people. This is what's called Google dorking. Yeah, it's a funny term that refers to, you know, different, what we like to call operative words, that you can apply to any search query in order to get even more detailed results back. So, let's, this is my friend Rose. And if I were totally stalking Rose in order to dox her, I might do things like one, use quotation marks. So instead of getting, you know, a rose by any other name may smell as sweet or something like that in my search results, I actually am going to use those quotation marks in order to be absolutely sure that the entire name is used there. We also, you know, recommend that in addition to those names, you might wanna search, use quotation marks to search in addition to including a username of yours, perhaps. That might even like make sure that, you know, the search results that you're getting actually do bring you to social media properties, social media being a huge target for somebody who's doxing someone else. Cool? We do have like, you know, pre-synced explanations, so I'm just gonna go over any of the highlights and if anyone has any questions about any of these techniques, this is a perfect time to ask them and we can have that conversation. But my favorite ones are the ones that actually include what are called file types. So if you Google, you know, your name or your email address or, you know, your social media handle or whatever and then add file type colon, let's say in this example, PDF, does anyone have an idea what that does? Anybody? Yeah, what does it do? It can bring up public records, sure. What else could it do? Back in the day when everyone was putting their CVs or like, you know, their curriculum vitae, their resumes online on, you know, LinkedIn and things like that or publishing it on their website, that stuff is probably still up there in PDF form. And it probably has your home address and your cell phone. Oh yeah. A bunch of other information you forgot that you ever put in a PDF to float around the web. Yep. Another thing that you might do is to include a site. So this operator site colon, let's say for instance reddit.com or, you know, slate.com or stackoverflow.com or whatever site you choose, this actually will instruct your search results to include or to weigh those sites more prominently in your search results. And so if you had a question about whether or not people were talking about you behind your back on Reddit, that's actually a really, really effective way to guide your search results towards the answer. Any questions? All right, so let's play around with that. Go ahead and do some Google dorking. I'll give you, in like a minute, I think folks have been quietly Google dorking in the background. It's... Yeah. Yeah, it's a really good thing to do. Yes, for file type you can use PDF. You can also look up Excel spreadsheets. Usually for doxing oneself, I don't think that spreadsheets are especially illustrative, but if you were doing an investigation, let's say on a financial firm, that actually might come in handy. Sure. This is why it's important to do. Okay, how many people are finding stuff that they had no idea was online about themselves? Raise your hand if you're finding stuff where you're like, how did that end up over there? Yeah. All right, should we take people to Spokane? Mm-hmm. Oh, well that's a good point actually. I added this. Yes, do you want to? Yeah, so folks, another thing you might want to try, I know that Google has become synonymous, literally synonymous with searching, but there are other search engines and they might pull up different things. And depending on the line of work you're in or the things you need to think about, you might also consider searching for yourself on something like DuckDuckGo, which, DuckDuckGo is more like a privacy oriented, right? Yes, DuckDuckGo is personally my favorite search engine. It's a great alternative to Google because it has your privacy in mind. So there's no ad profile that is attributed to you as you're doing your searches. And the cool thing about that working within this context is if you want more neutral search results that are not necessarily tied to you searching for yourself on the internet, this actually gives you a greater perspective. And you can also try something like Baidu, which is for those, some of you may know that China has entirely its own social media and searching ecosystem. They have their own websites, the social media companies for searching, et cetera. So consider searching for yourself on Baidu and seeing what's out there. Yep, I highly recommend getting comfortable with a variety of search engines because they all have different qualities. So another thing that you might want to do is to, this is another vanity project, is to set up Google Alerts. Who here has ever done that? Who's worked with Google Alerts before? Okay, so we're familiar with it. Okay, so ultimately what it does is it allows you to get emailed whenever Google, as a search engine, indexes something that contains that content. So you can add one for your own name. I highly recommend the full name. And you can- You could also add your cell phone or your home address if you're concerned about those popping up online all of a sudden. If you wanted to, yeah. Yeah, a variety of personal information is great for having a Google Alert on. You can also easily add and remove them. So if you just published a story, you might want to set up a Google Alert associating your name to certain keywords within that story. So that way, if you were concerned about retaliation for having printed something, that might give you a better indication of where people are conversing about that behind your back. So Victoria mentioned using Google Alerts to keep tabs on certain personal information like addresses, telephone numbers and things like that. There are certain limitations to what a Google Alert can do. So Google as a search engine has immense reach in indexing all of the content of the internet. However, it's not going to go into the scary dark web or whatever and look at really, really dangerous places on the internet for this information. So while it can, you might find yourself in a situation where, I don't know, an address of yours is published in the open internet and is indexed by Google. You might also, you don't fool yourself in thinking that this is a complete look at what the internet is talking about regarding that information. But it is a good place to start. I really, I will emphasize that. It's a really good thing to know if someone has started putting your information up online because you may have no way of knowing until somebody notices. But if you have a Google Alert, that will be a start. Oh, one thing that actually didn't mention. Another thing that you might want to look for a site for deeper information is something like Pastebin, which is a site where people tend to just like randomly throw up dossiers of information that can be used in a doxin campaign. All right, so we talked about Googling, we talked about search engines. Now we're gonna talk about data breaches. Has anyone ever gotten an email saying? From, let's say, Equifax or something or Dropbox or LinkedIn or I could keep going. It's just like, we're real sorry we lost all your everything. That's unfortunate and it happens. It happens increasingly as the internet is a thing and we live in a society. But there's a really, really cool site that actually aggregates all of the information from. So I recommend you go on right now. Yeah, definitely. HaveIBeenPoned.com aggregates information from data breaches and allows you to search to see if a particular email address of yours has been included in whatever data breach it has knowledge of and it shows you where. You can also sign up for them to send you email alerts so you don't actually have to do the work of visiting the site. So yeah, go ahead and type in that email address and let's see if you've been phoned. HaveIBeenPoned.com, haveIBeenPoned, that's the website. And you can put your various email accounts that you use to sign up for whatever it is you sign up for on the web, right? And so I have, so if you have been phoned, it's okay because this is not your fault. This is not your fault ever. Most of this isn't your fault, actually. Just to clarify, data breaches are going to happen to just about every company and really like the best we can ask is that they respond to them responsibly, but they are gonna happen. So this is actually my personal tones. Since 2013, 2000, even earlier than that, I think I had a breach at any rate. All of these services that I entrusted with my user names, my passwords, my addresses, phone numbers, all of my personal information had been taken from them. And what happens when a data breach happens is that the content of the data breach, usually in a database that contains all that information, goes up on a variety of sites where hackers tend to congregate and hackers will do the following. What they will do usually is actually well covered in the first part when Victoria was telling us about how to use a password manager. The reason why is because your typical hacker does not care that they can get into my Bitly account, right? They don't wanna impersonate me on Bitly. What they want to do actually is they want to see if the same password I use on my Bitly account will unlock my bank account or will unlock my Gmail account. For those of us who use the same password for most of our accounts. And this is why the password managers are the best because they encourage the habit of generating unique passphrases and keeping them stored in a safe place for you. So I can't underscore that enough. But in the context of doxing, hackers who know of the existence of these repositories of people's personal identifying information online, stolen information, they will go to those sites and they will look for stuff on you specifically. And that's when you see someone perhaps finding something that they found in a breach and trying to get into your accounts in order to embarrass you by pulling all of your emails for a decade and posting them online or to be able to impersonate you in a social media context or something like that. So what you do if you discover that, you know, you did the have I been phoned and you get it, the screen turns red and you have all these accounts, you wanna go to your, whatever your username and password is on your Adobe account or your Bitly account, you wanna just change the password there to something very long and very complicated and do it as soon as possible. Unless you happen to know that you've done that recently on that account, if you haven't go in there and do it and make sure that you're not using that password in 10 other places and if you are, change those too. Because I mean, someone out there probably knows that password now. Are there any questions about this? Yeah, come on. Straight forward. Okay. Yes. What if you've been phoned? What if you've been phoned by a site you've never heard of? That was the question. We actually, we are going to talk about this. And so yes, if in your results you find out that you've been enrolled in a service that you've never heard of, there are a number of reasons why that may happen and we are gonna get to that in a moment. So, hold on to that thought. All right, so next we're gonna talk about image searching. Has anyone ever done that or reverse image search? Cool. Yeah, it's fun. It's a really, really excellent way to see where a particular photo of you or your likeness exists elsewhere on the internet. A lot of the search engines, well Google does pretty efficient reverse image searching. Can we talk through the easy Google way to do it first before we talk about the harder way to do it? Sure, sure, sure. So basically you can, if you, you could do it right now. If you Google your full name, you can put in quotes. And then you know at the top you get the tabs that are like search and then image, click on image. Any image that pops up of you, you can right click it and do a reverse image search and see if that image is floating around anywhere else. So you could, those of you who are interested, you could try that now. And then Harlow will show you more kind of involved or complex but nuanced ways to do reverse image search. So Google has great reverse image search capabilities. I personally like Bing the best. I don't like Bing for anything except for reverse. This is a live stream Harlow, but that's fine. Oh, I'm sorry, Bing is awesome. No, it's great. Why do you love Bing for a lot of times? So actually why I love Bing for a reverse image search is that you can actually crop regions within the image itself in order to search on that region. And I find that really, really interesting from an investigative standpoint, like if there is a picture, but then you notice like a reflection in it and you're like, well, where's that reflection from? And then, you know, zoom in and enhance and then all of a sudden you can find out the location of where something has been taken. I remember we're thinking like a doxer right now. This is not something Harlow would normally care about. Yeah, for the most part. So to actually kind of build off of the workflow that Victoria was proposing, whether you're doing it in Google or if you're doing it in Bing, what you wanna start out doing is either by taking a photo that you already have of yourself on your own machine and then just like dragging and dropping it into the search field or going to a place where you have images of yourself online that you are aware of and then throwing that into the image search as the URL, okay? Does that make sense? So you especially wanna do that with your Facebook photo or Twitter photo, any of your social media kind of profile photos that you use because one of the things that has happened to a lot of women journalists is that some bad word that I won't say jerk, let's just say jerk will take their profile photo, doctor it, paste it onto somebody doing something, naked or something else and then circulate that online. And sometimes people are pretty good at Photoshop. And so it's really useful to see if your images have started floating around in ways that you don't understand and have nothing to do with. Yeah. Another thing that I like about reverse image searching is that it does show, it gives you visibility into where these images are circulating. And so some of them, I'm like, all right, yeah, open news. That makes sense that my image is up there. But then there might be, I don't know who Vision Times is. I mean, maybe they're great, I don't know. But it definitely does indicate that there was one point in my life where I lost control of my image. And so this is a really, really helpful tool for people to just get a handle on that and also understand how that works from an attacker's point of view. Cool. Sorry, image searching. How are we feeling? Let's do a quick gut check. Are we feeling, is this helpful? Or are we like, yes, keep going? Yes, does anyone freaked out? Yeah, okay. Good. No, not good. But you can be proactive once you know, right? It's better to know than not know. Onwards, now you're really gonna get freaked out. Okay. And so to come back to the question, why is my personal information where it is? I have absolutely no idea who gave these people my data. And where did that data even come from? Victoria? Oh, my favorite. Yeah. There are these things called people finders. They're also called data brokers. For reasons I still don't understand, it is totally legal right now in the United States for these companies to comb the web, amass your personal information, bundle it, and sell it for literally 95 cents to anybody. At any time. And so I actually recommend, even though it will make you quite unhappy, unless you're John Smith, in which case you're fine, probably fine, to go to a site like Spokeo. There's dozens of these sites. Intelius, Spokeo, White Pages, but I recommend go to a place like Spokeo and put your name in, or your email. And if you have the misfortune of having even a slightly quirky name, or really just any non-extremely common name, you will see things about yourself like your mother's maiden name and everywhere you've ever lived and where you went to high school, which is why using those things in your security questions and in your passwords is bad, right? Because I am not a hacker or a techie person and I could find your mother's maiden name probably in two seconds, which is not a good sign. So I strongly recommend while you're sitting here to go and see which of these people finders has some of your information. The first time I did this, I actually got physically ill. Yeah. But I've since done a lot of work to clean it up and now when you Google me, you see a lot less of my information than you used to, which is why even though it's not fun to be freaked out, it is useful to know how to be proactive and fix some of this stuff. How do you get your name off these things? Like with all things in life, there is a free, extremely labor intensive way to do it and a expensive way where someone else does it for you. And we will show you both. Yep. So the good news and there's good news. The good news is that every single one of these data sites does have a process where you may opt out. And they have to take your information down, eventually, if you hassle them enough. Some of them are more cumbersome than others. Is it permanent? Is it permanent? Nope. That is it permanent. So yes. Which we'll talk about. That's the bad news. I was going to do the good news first. Start with the bad news next time. But no. So these data brokers individually might have different requirements. They might simply, like you click on something or you send an email to this address. Or you have to send even a picture of your government issued ID in order for them to do that. If you ever need to do that, block out the any core information that I ID. Block out your number, et cetera. You don't want to send them your actual driver's license number. I had to do that earlier today. Like just put tape or post it or whatever over all the pieces of your ID. You don't want them to see. But at least when they see your name in a photo, they will then proceed to take some of your information out. Our friend, Yael Grower. Les Hercil. Made this amazing, amazing resource that shows you the most prominent data brokers. It's a pretty exhaustive list. And shows you exactly what is required for you to opt out to these individually. The bad news is, yes, you do have to do it one by one. And also, it is a game of whack-a-mole, as you mentioned. Every year, you might find yourself in a situation again where you have to go through the same process. But once you figure out the process, it should actually like you would hope that it will be easier the next time because you know exactly like where to look and what might be required of you. A lot of folks basically treat this like journalists who are really dealing with this problem intensely, treat it like spring cleaning once a year. They will sit down and they will plow through a bunch of these sites to make sure either information hasn't come back and if it has, how to get it taken down. I mean, you know, to write to get it taken down. Again, there is a paid way to do this to have someone else do it for you, which is what I did a year ago. And it was really worth it, but also it cost money. Yes, so the two services that we recommend that will do all of this for you. So you pay people money. Unfortunately, security and like privacy is a cottage industry right now. So super messed up, actually, if you think about it. But the ones that we recommend are DeleteMe by a group called Abine, or A-Bine, I guess. And also PrivacyDuck. PrivacyDuck is a little bit more expensive. DeleteMe will cost you around $130? $130, $140 a year. I often recommend that people do a family account. Again, I'm not like a shill for DeleteMe or PrivacyDuck. It's just that some people don't have the time to do this manually, or they're lucky enough to be able to afford to pay someone to do it for them. But if you are someone who is very concerned about getting docs because of the nature of the work that you do, it's often a good idea to put your family on that account. Because unfortunately, what really determined docsters will do is if they can't find any information about you, they'll come after your spouse or your parents or your kids. Assuming that those folks probably are less tight about their cybersecurity, and that's often the case. Or you can sit down with your family, which is what I did with my parents two weekends ago, which they didn't very much enjoy, but we did it. And look through just core information of theirs, what's out there online, and help them tighten it up. Question, yes? Yeah, so the question was, do these companies cover the long, long list? Yes, they have various services like anything else. There's a basic service, then they have services for people where they do incident response and they help you walk through a really tricky situation where you're being bombarded by trolls and whatever. But they have various things that they offer, but they will go through, and you can even email them and say, look, I found my information on the site, can you get it taken down, and they will do so. So I think I started using Deletion a year and a half ago, or a year ago, and it's dramatically different when you Google me now than when you used to Google me, even though I was actually quite careful about my cybersecurity, but it does cost money. I will say that I and others have controlled several of these companies to offer discounts to journalists and to other folks who belong in various ways to vulnerable communities, so you should ask for a discount. And if you want to, come find me, and I may or may not be able to give you a code, but anyway, so that at least helps, but it is real that not everyone can afford this stuff, and so we want to make sure you had options for how to do it manually if you decide that that's the route that you need to go. This is kind of, they send your report, actually, on a quarterly basis, detailing your progress as your information is removed online, and so this is an example of what one of those reports currently looks like from Deletion, where they definitely do detail exactly what they've seen and what the status is of your pending removal. It's very important to make one point, though, that I always forget to make. If you are concerned that next week you could get doxxed, this stuff doesn't help so much. You have to do this week's out. Sometimes it takes up to six weeks, even for these services to get your information taken down, so it's really something you need to do proactively and not wait until you're kind of, like the day before you're about to publish something or about to do something, and that is not at all to imply that any of this stuff is your fault. It sucks, it's not your fault, but we're just trying to help you be more proactive and empowered to protect yourself. Yeah. Onward, Tal. One last thing about this type of information. Honestly, this is the type of information that you definitely don't want available to anyone with a connection to the internet from a computer of any kind, right? That said, the most determined adversary might go a little bit further because there are tools that are available by private investigators, other law enforcement groups and things like that, that does not obfuscate this information, so. And I will say, look, honestly, I hate to say it, there's no silver bullets for this stuff. The goal is to make it harder for people because many, many trolls are quite lazy. And so the harder that you make it, the less likely that it is and that someone's gonna dig into your personal information, but Harlow's right that at a certain point, there's really only so much you can do, but if you can make it harder, that's a good idea. And I saw a question over there, yeah? Yes. So the question was about archival services like the Wayback Machine that would preserve states of any particular website historically. So to answer your question, the internet archive and the Wayback Machine and things like that will most likely not be able to be used in that regard. But that said, there are other ways of preserving this types of information. So for instance, let's say a place where you might find people's personally identifying information like a government site, like the unclaimed funds records, which is public information. And actually if you are owed money, the government will just publish your address right out on the internet. And what people will do is take advantage of that in order to scrub that data instantaneously and then put it on another website that's owned in a jurisdiction where we might not have much control. So for instance, I had seen copies of New York City's, sorry, New York State's unclaimed funds repository hosted on a site in Palau that was never going to get taken down. So yeah, it's totally a possibility. Also keep in mind that there are things like public records. So if you're a homeowner. I think we don't want to give people too many ideas or they can go looking for some business. Well, I think that's a good to be informed. Yeah, it's good to be informed. All right, well, I've said too much. There are certain public records that are always going to be available to anybody who's researching into something, criminals, and you know. Which is why there's no silver bullet. Good citizens alike. But someone has to be very motivated to start digging around in some of those places. They can for the websites? You mean the Wayback Machine? No, so the actual, the question was what's the difference between scrubbing that data and like, or sorry, scraping that data and keeping it somewhere else and what the Wayback Machine does. And it is a matter of how these sites are constructed. So ultimately what a bad faith adversary like the people in Palau that I mentioned will do is that they will visit that site with the intent of grabbing all that data, which is alive, and then storing it elsewhere. So they're ultimately recreating a database from what they see at the time of their visit. However, the Wayback Machine is not constructed to do that, or to work in that way. It's just kind of a technical difference. But ultimately the effect is the same in that data's going to always live somewhere. I think we should probably, I think we need to keep going and make sure we get through some of the media stuff. Yes, because. Because this is the really fun and important stuff. Okay, so now we're gonna talk about just locking down some of our social media accounts. We wanted to start with Twitter, because that one's my favorite. So the cool thing about Twitter is that in addition to allowing you to enable two factor authentication, you can do it in a variety of ways. You can do it by using a text message, which we said was not really the best option. It's not a gold standard. Yeah, but you can also use even better. You can use the authentication app by using something like Google Authenticator or Authy, which are great examples of that. And the third thing that you can do is you can use what's called a security key, which is an actual physical kind of like key chain looking thing, that you can use in the same way. And Twitter is cool in that once you, let's say, set up your Authenticator app or whatever, you can then remove your tech, you can remove your phone number from Twitter as your two factor authentication method. So that way, if anything ever happens to your phone number, like a SIM jacking, that phone number is no longer linked to that Twitter account in a way that an attacker can abuse. Here's my question, raise your hand if you want us to walk you through setting up two factor authentication on your Twitter account. Because if we want to do what's actually useful to the people in the room, so how many folks would like to set up two factor authentication on their Twitter account now, and we can show you how to get an Authenticator app? Raise your hand. Raise your hand high, so that I can see how many people we're looking at. We're looking at four-ish people. Everyone else is like either I already have it or I don't want to. Okay, what do we think? Should we, yeah? Yes, yes, which is great. I wasn't sure what's the best solution. Can you use a, I think you guys can give me a key for this book as well? Yes, you can. Okay, so the question was like multiple accounts. I might have you clarify that question again, but once again, there are certain instances where we have multiple accounts that we are managing across things like Facebook and Twitter, and whether we can be creative about getting the most security, but also, you know, like having... Practical. Yeah, yeah, practically being able to use it. So when I mentioned the hardware token, it depends on the service. Twitter allows you just one hardware token per account. However, they're going to be like, for instance, Google allows you to have multiple hardware tokens per account if you wanted to. As far as the phone number stuff is concerned, that might not be a problem on Twitter, but I have not, I mean, I trust you when you say that you've had that problem on Facebook and that you're not able to have two Facebook accounts that are linked to the same phone number. Is that correct? Yes, I think so then. Yes. Which may be an authenticator, that might be a better bet for you. And also... And it's generally a better bet. Yeah, so one of the reasons why Facebook is also really great now is that when you do enable two-factor authentication, you have to use your phone number. There may be privacy implications to that, but that said, it's still better to have two-factor authentication than not. But Facebook also allows you, after you've enabled two-factor, to remove the phone number in the same way that we discussed with Twitter. So you can conceivably use your authenticator app across multiple accounts, even though you only have one phone number to share with Facebook. So I have an idea, because we've got four or five people who want to set up two FA, but not the rest of the room. What if the folks who would like to set up two FA go to the back where the folks from OTI, the Open Technology Institute, bless you all, can walk the folks in the back through it and we're gonna keep going, but we'll go kinda slow so that you can kinda multitask the folks who want to try to do both at the same time. Does that sound fair? So go to the back with the folks who are standing in the green sweater. They will help you do two-factor authentication. I'm sorry, I don't know your name. Tell me your name. And then the rest of us are gonna keep moving along, but we'll kinda keep a slow pace so you can keep up. One other thing about two-factor authentication whenever you enable it, is that you are offered the ability to save what are called backup codes. This is important. Everyone, this is very important. Go on, Harlow. And backup codes are super-duper-duper important for two reasons. One is that if you ever get locked out of an account that has two-factor authentication enabled, it's going to take so much to get back into that account. So two-factor means business, right? That's why it actually protects you well. Yeah, exactly. And so once you enable two-factor authentication, the very, very first thing that I recommend people do is having a look at those backup codes and saving it someplace safe. Like in your password manager. Like you could put it in your password manager, sure. Or on a USB stick, or just someplace that's only for you that you can get to in the event that you get locked out of your account. Cool. Hey, all right. So now we're gonna start getting into our settings. And I just wanna point out, a lot of this stuff is gonna have to be your call, right? What one person is comfortable with in terms of their privacy and security is not gonna work for someone else because of the nature of the work that they do or their public profile or whatever. So we are not going to be prescriptive. We're gonna give you recommendations, but ultimately it's your call, how you're gonna navigate some of this stuff. Because we don't know what's gonna work for you. But if you head into Twitter, into your privacy settings, does anyone, does everyone know where to go for that? Yes? Well, first of all, just check your profile real quick to make sure that you have not put your city that you live in or your birthday or any other things in your profile that are maybe like too sensitive or private to have on a public facing Twitter account. And if you have done that, it's very easy to fix. Just hit edit, take that information out, put something else instead. Probably solved. Make sure that your birthday is set to only you or leave it blank. For some reason, Twitter asks you for your birthday. You don't really need to tell Twitter your birthday. You definitely don't need to make it public. You can totally lie to computers about your birthday. I do that all the time. It's none of their business. And so also in terms of your privacy settings, this is similar to what we were talking about with accidentally letting an app post on your wall or whatever. Make sure that you are not giving apps permission to abuse your Twitter account. Sometimes you might want to, but just make sure that every single app in there you recognize and are happy using. This is how Parlo found the hamburgers. Yeah. So you go to settings and privacy. You go to account. You go to apps and sessions. And then you will see that you have the option to revoke unauthorized applications that are linked to your account. So if you see applications in there and you're like, Burger King, I don't understand how that happened. You can undo that. And you can also see, where are you logged in? So if you're suddenly logged in in some country that you have never been to and don't understand why you're logged in, you can boot that out. Again, if you get stuck or you can't find something, just put your hand up in the air and someone will come over and help you. It's not only just like unrecognized sessions, but also it's a really, really good opportunity to clean up. So like maybe you got a new phone, but for some reason your old phone is still logged in. If you don't need that old phone still logged into your Twitter account, perfect opportunity to just tidy up. Right, should we keep going? How are people doing? Okay. Not if you wanna, if you've done whatever we just showed you and you're ready to keep going. All right. So here's some more advanced privacy settings. The capability to protect your tweets means that no new followers can see your posts. And that's why some friends of yours might see like a little lock icon. And then maybe you're looking at like a thread in Twitter and for some reason this tweet is unavailable or whatever. It's because those participants are Twitter users whose accounts have been protected. And it's not, it's always reversible if for some reason, like you find yourself in an incredibly vulnerable position where you're being attacked online over Twitter, that might be the perfect opportunity to protect your tweets so as to avoid other people going through your entire Twitter account and using that as a reason to attack you. Just to be clear, so you understand how this works. So you go to settings and privacy, then you go to privacy and safety and we've done our best to kind of follow the order in which the stuff actually appears to make it a little bit easier for you. We might be a little bit off because if you're on your computer or your phone it's a little bit different. But, and I will say look, protect my tweets is not for everyone and it's not for all the time, right? If you have, if you really wanna use Twitter very publicly, you're using it professionally that might not always work for you. But Harlow is right that if you're in a situation where you're concerned about something that might happen when you publish something or you do something online, it can be something you toggle on and then toggle back off later. Yeah, photo tagging, I mean, we're just gonna call your attention to why it's there. I personally don't like being tagged in photos simply because you might, what you are tagged in might not always be a photo of you. And so if- Or it might not be flattering. Yeah, or it might not be flattering, exactly. But giving people the opportunity to attach something visually offensive to your Twitter handle is a pretty effective abuse tactic and so be very, very mindful about the power that you might give people on the internet in order to tag you in photos. You can choose, yeah, you can turn it off altogether so people can't tag you or you can only choose only people who follow you which makes a certain sense, right? Then you have at least some idea who those people are. Consider disabling the receiving messages from anyone. You don't necessarily want to invite random people from the internet to slide into your DMs. Maybe you do want that, I don't know. But if that is not desirable, that is exactly where you toggle it off. In terms of the discoverability, I highly recommend unchecking the ability to let people find you by your email or phone number. There have been a number of campaigns that literally leverage scraping up a bunch of email addresses, feeding them into Twitter's discovery tools and creating like very, very targeted list of people who's wanted to maintain their anonymity over the platform or like relative anonymity. It's also a really fun thing to do. No one needs to know the exact location you are on Earth when you are tweeting something or even this also comes to play in Instagram as well. So I highly recommend removing, disabling locations to automatically be filled in with your tweets. That is definitely to protect your physical safety as you walk about this Earth, making comments about coffee or whatever. This can also be deleted historically. And just because you definitely do like, or sorry, I would recommend turning off like data personalization because this actually protects you a little bit more from Twitter's aggressive ad profiling of their users. Personalization, basically it means that you won't get ads that are specific to the thing that you tweeted or searched like two days ago or an hour ago. If you're someone who really likes to have customized content shoved right in front of your face, do what you need to do. But for the rest of us, I do recommend just turn it off. You don't need to have all that stuff. They'll still bombard you with ads but at least it won't be related to what you're Googling or tweeting or et cetera. Yeah. Okay. What's our video here? This is just a video basically to show you where you're going in case anyone was lost. But setting some privacy, privacy and safety and then you can scroll your way through some of the stuff that we were just showing you. Yes. No, but, but I have two resources I can give you which are actually as good if not better. And I'm going to toot my own horn here a little, but I just published an article with Slate on how to dox yourself. And the New York Times bless them. The New York Times trains its own journalists to dox themselves much like we're doing for you now. And they've offered totally open source, totally free for everyone. They've created a bunch of Google Docs that any of you can access. If you Google how to dox yourself, New York Times, it is incredibly detailed. It's amazing. So there's nothing here that you won't find there if you want to go home and check on some of this stuff yourself, or you can look up my article. You can do both. They're a little bit different, so. Thank you. Yay. Tori and I worked on it together, so. Let's talk a little bit about Facebook. So similar to Twitter and actually I'm going to kind of breeze through this in the interest of time, but we have two factor authentication in the exact same way. You do have to give them your phone number first, but once you've done that, start using the app, so your Google Authenticator or Authy, and then at that point you can remove your phone number from it entirely. And yeah, double thumbs up if you haven't used it. Let's do this again. Raise your hand if you want to set up two factor authentication on Facebook right now. If you do, head to the back just for a little bit that you can come back for the folks in the back who will show you how to do that so that everyone else can kind of move forward. So the folks in the back over there are the experts and will show you how. Or actually maybe someone can come to you if you raise your hand high, proud, someone can come to you and show you how to do it. Don't be shy guys, it's gonna be paying attention to what you're doing. Similar, Facebook also gives you excellent tools to review where you are logged in and revoke any device that you no longer use or you do not recognize. And also you can totally see if you have the Burger King app. Getting, I really highly recommend getting alerts, emails to you. Let's just make sure people know where to go. So you're going to Settings and Privacy in Facebook, right? You're going to Settings and Privacy, Settings, Security, and then Security and Login. We show you, you can see the animation showing you how to do that. So if you're on your phones, if you just follow that path, it'll get you to all the stuff that we're telling you right now that might be useful to check or uncheck or look at. And again, if you get stuck, just put your hand in there. Sorry, Harlow, continue. No, that's great, that's great. Get alerts about unrecognized logins. Did you mention that? Yes, yeah, yeah. Highly recommend getting Facebook to email you if ever you're logged into a new device. If that actually does give you like a little bit of heads up time, if in the event your account had been taken over, you can actually use that as like a jumping off point to contact with Facebook support and it gives you all the information that you need to have in order to gain control of your account again. And one of the cool things that I like is that you can actually, in the event of getting logged out of your Facebook account, choose three to five friends who can be enlisted to work together in order to get your access to your account restored. If you are gonna go this route, highly recommend it. Choose three to five friends who are, who you trust not to be easily fooled, not to be easily fooled by something like this and also similar to like our mother's maiden name and other like personally identifying stuff, you don't necessarily want that those three to five people to be so obvious people in your life, right? So then if you go to apps and websites, so if you're still, you follow the same path settings and privacy, settings, security, and then you go to apps and websites. This is that thing that Harlow was telling you, a Burger King thing where again in Facebook, you can see if you long ago signed up for some quiz that's still for some reason is accessing your Facebook account or something else and boot it out. All right. So as far as like, who should have access to your content from your personal Facebook account? Consider the following. And let's start in the video. And again settings and privacy, settings, privacy, privacy settings. It's like, some of this stuff is kind of funny because they kind of bury it under all these words that sound almost exactly the same and you're like, I don't know, go. That's why we spell it out for you. Settings and privacy, settings, privacy, privacy, settings. And then Harlow will continue. Kind of absurd, but whatever. So obviously friends or friends of friends should be able to see your post. You don't necessarily want that to be public for the entire world. Same thing with the people, pages and lists that you're taking part of. In terms of like who should see your friends, I actually highly recommend keeping that, your information about like your social graph as close to you as possible. They're actually, it's a really effective tactic for somebody to have, to look at your social graph to see who your cousins are and things like that in order to further harass you, target you, attempt to impersonate you. By going after your friends and family. Absolutely. Who might be a little more lax about their cybersecurity than you are. Not only that, but also they can be impersonated to fool you. So before I did make these recommended tweaks to my account, I started to notice that someone that I was like make friends with but like knew from like a decade ago or whatever would have their profile picture pulled and used in an impersonation account in order to get me to be friends with them in order to see my personal photos and things like that. So you do want to employ tactics that keep that information that allow you to be easier fishing fodder. Fist, fist. Is there a fist? Yeah, exactly out of the public view. And so the same thing goes with like, making sure that your profile is not part of search engine search engine results because that definitely does open you up to the same thing. And again, if you're using an account entirely professionally, entirely publicly, you've made sure you've gone into that account and you don't have a bunch of personal stuff. You may need to have your Facebook or your Twitter pop up when in search engines and people Google you. But for everybody else, you don't need it, right? And you might as well uncheck it and then you don't have to worry about people finding your Facebook page if they are ill-intentioned and want to do something to harm you. Okay. Again, let's walk people through them. Do you want to? Yes. I feel like Vanna White, but much more boring. Settings and privacy. Settings, privacy, timeline and tagging. So you want to end up in this section called timeline and tagging. And again, we're showing you what that looks like on the screen to the right. Mm-hmm. Yeah, the same as we were discussing in Twitter. Tagging can be used to abuse people. And so you definitely do want to limit the people who can tag you because hopefully limiting that to people that you trust will keep you from being vulnerable to people you may not trust. We have started to see a certain, well actually, Victoria mentioned this in the intro. A really, really effective online harassment tactic actually does have to do with like, going through people's social media, pulling out stuff that is potentially incendiary and recontextualizing it in such a way. You may have completely forgotten you said when you were 15, for example. Absolutely. In order to pressure, let's say, an employer to fire you or to pressure something of yours being taken down. And the easiest way to do that is, or sorry, the easiest way to prevent that is to limit exactly who can historically go back to every utterance you've ever posted on your wall on Facebook. So, yes. Do we want to pause for a minute? This part's a little trickier. So does anybody have questions, concerns? Does anyone, raise your hand if you need a minute to do some of this stuff? We're actually good on time. I think we're gonna get to everything we wanted to share with you. We've got 15 minutes left. So if you need a little, you're all very quiet. I don't know how to register what's happening here. You all terrified? I'm sorry. I thought we're empowering you, terrifying you, but then empowering you. Is that the general temperature of the room? Are we in a state of fear? Do we need to like, okay. Yeah, get another beer, you'll be fine. That does help. All right, okay. Last point, settings and privacy. And then you're gonna go to location services. This one's really important. So if you have a phone, this one you should definitely do right now. Yep. So this is really, really excellent settings that you can control in order to limit how much Facebook is tracking you across the globe, which is limiting their reach into your phone and leveraging location services. Location services, not only do you have location services not only in Facebook, but also on our iPhones and androids and things like that are incredibly contentious because they tend to keep a very detailed history of not only where you go, but also given that these are fundamentally ad companies, like they are using that to infer very, very, very intimate details about your personal lives. And while there's only very unique possibilities for an attacker, like a troll on the internet, someone who's angry at you for existing to abuse these services, you also want to, it's important to limit, like, you know, ad technologies reach into your personal lives because that helps you better contextualize what's a real credible threat and what's just Facebook being nosy and following you around. So, I want to point out, we've just shown you Twitter and Facebook and we showed you all the Googling. You can do the same thing with your Instagram. You should definitely do this with your LinkedIn. A lot of people forget that a lot of their information is on LinkedIn and maybe when they put their LinkedIn account up they forgot that, you know, or they didn't know at the time and they forgot all the things they put into LinkedIn and all the things that they have defaulted automatically to public to be seen by everyone. That New York Times kit that I told you about will walk you through all the settings on LinkedIn to Titan and all the settings on Instagram to Titan, so I do recommend that you sit down. It'll take you like an hour or less. I mean, we've been at this for less than a full hour. The actual interactive part. So, it's not that much time and it'll make you feel safer and more secure. You also probably want to do it for Google. Like, if you have Gmail or you have, you know, Google accounts of any kind, it's quite useful and it's not, it's quite easy to find, going into the back end of Google and just making sure that your privacy settings there are tight and you can turn off all of the ad tracking, the personalized ad stuff. Most of us don't need it. You know, you don't really use the little ads that pop up on the sides to get products anyway and it just means that you're getting trackless. Does anybody have general questions, thoughts, other platforms they're concerned about? Yes. The question is what do you want? Google Authenticator or? For an Authenticator app. As opposed to using your cell phone to do two-factor authentication, we recommend you use an Authenticator app and the question was Authenticator. Authy, there are others. Carlo, I mean, I have a thought. Yeah, we both have ideas. They're probably different. My ideas are usually, Carlo's are usually the ones to follow. But I personally find Google Authenticator more convenient because I use a lot of Gmail products and it's smoother, but I think Authy is actually the one that is better recommend, is that right? I mean, they're both lovely products. The difference between Google Authenticator and Authy is that Google Authenticator lives on your device only and so you can't sync it across different devices. Authy actually gives you, like it's an account that you have and so it's going to store your two-factor stuff in such a way that if you get a new phone or you wanna put it on several phones or whatever, then you're always going to have that across devices. So this is where I reiterate, like you always need to save those backup codes someplace safe because if you're using Google Authenticator and you can't back up, what happens if you drop your phone in the toilet and the rice trick doesn't work? You're going to get locked out of your two-factor authenticated protected account. It's very specific, Carlo. I mean, it's not like I'm speaking from experience or anything. Any other questions, thoughts, accounts you're worried about? Yeah. Go for it. We never said that. Yes, that's a big part of my job is to travel the country to newsrooms and sit down with senior leadership and have those conversations where I will often explain or I'll bring people in who are in the newsroom experiencing these things to explain. So the question was, there's a lot of pressure not just actually for journalists, but in other fields to be online and to put all your information and you have to be a real human who has a life and you shine, you know, all that stuff, right? Plus there's freelancers who are trying to build a brand and get, you know, get business. And so there are different things you can do. If, you know, we can talk privately, but it may be that I or someone else can come and, you know, do a training in your newsroom and talk to your senior leadership, but there are other things you can do. One of the things I actually recommend is that people take a bunch of screenshots of abuse that they're getting and internally talk to their other colleagues who are getting abuse, put together a whole bunch of screenshots and then sit down with management and be like, just so you can see physically, this is some of the stuff that we're dealing with. And so maybe we need to have an internal conversation about what the boundaries are between our public and our professional selves because there actually are ways to have a public persona online but not give away all of your personal and private information online. And there are also sometimes moments when particular journalists, because they are targeted more than everyone else, need to take breaks from social media, right? Maybe they deactivate their account for a few days or whatever, they don't deactivate, you can pause it. Maybe someone on the social media team actually helps manage that account for a few days. There are all kinds of things that employers could do and some employers are starting to do to offer more support to staff because it's actually not fair when the onus is always on the people on the receiving end of abuse to find their way out of it. Does that sort of help? Yeah, okay. Different newsrooms are gonna have different tactics. I have definitely seen certain newsrooms who emphasize compartmentalization where they do say like, okay, you have to have a Twitter account but you're like Josh on your score CNN, you know. And that needs to be coupled with a commitment from editors and managers and other higher ups that individuals are going to have to set boundaries. Maybe that means that like, no, I will not log into this account on my phone because that's not where I want to take work with me in that regard. And so conversations that establish those ground rules is kind of the best we can do. I will say, and I mean this earnestly, I've spent a lot of time in closed door meetings with editors and chiefs of newspapers and news organizations. And they have often said to me, we're not, the pressure is less real than it's perceived to be. Like, we know that there are certain people in our newsroom who are dealing with disproportionate amounts of abuse and we are totally okay with those people having less of a profile or having putting up more boundaries for those people. And some of it is just conversations that, like perception and conversations that happen happen. And some of it actually has to be pressure that staff band together and put on the folks who are managing them, yes. This question is, have we spoken to platforms themselves? Yeah, so I think probably a lot of us in this room have the experience of reporting abuse that is so clearly a violation of the terms of service of the platform and then you get this little message that's like, this is not actually a violation of our terms of service and you tear out all your hair. I don't have easy answers to that question, especially on live stream. We can turn it off and I can share some more thoughts. But I will say, but honestly, I will say that the platforms are getting better very slowly because they keep being embarrassed publicly about how poorly they've done in terms of content moderation. They are trying, they are building better mechanisms and they are hiring more content moderators, but they still do not have enough human content moderators who are paid a living wage and not like locked in basements watching horrifying images that then damage their mental health. I will say tips to help. Having a bunch of people report with you and for you can make a huge difference in making content surface in the kind of algorithms. So there are a lot of people who are very, very good at leveraging their cyber community to jump in and help them report because anybody can report on most of the platforms. Well, the rest, when we turn that off, I can offer some other tips. But I would say find a human at a tech company, especially if you work at an institution. Sometimes that helps. Harlow's thoughts. I don't have too much good to say about the platforms and I will say that on the live stream. I, so the tactic has usually always been, you have to know someone at Twitter or Facebook, which does not scale, especially given the size of this threat and how easily weaponized it is against our population. And yeah, and they're only going to be a handful of organizations who even have the ear of someone at Twitter. And so that further like minimizes the amount of good you can actually do using that tactic. I agree with Victoria that, they don't want to do this industry a disservice. They do want to do it well. But in addition to content moderation, which also doesn't scale, there's a huge sexy problem of how to solve this with algorithms, how to solve this with machine learning and things like that, which I fear cloudies, like how effective they are ultimately going to be in servicing the people that they need to service. I mean, I guess part of the reason, it's not that I'm afraid to complain about tech companies on live stream, but I will say that there are the tech companies which are megaliths, right? There are these huge beasts. But then there are individuals within the tech companies who care and are actually trying to solve the problem from within. And so I think our organization and Harlow's organization, we do have relationships and we do talk to people and we know that the platforms are actually getting marginally and slowly better because there are people in them trying to make it better. But at scale, it's still an enormous problem and the response has been pretty abysmally limited, is the truth. And I guess finally, I would say that, or maybe not finally. We have many thoughts on that. Which are trying to, to climatically phrase. The good people on the inside who we've had so much success with talking to, and yeah, ultimate respect for, they still also have to kind of jockey for position within the organization with other interests, which includes engagement, which is actually like the opposite of harm reduction. Like going after engagement for age and sake because advertisements and whatever, and clicks and likes that runs counter to what these other people are trying to do. I do want to offer two thoughts. So when I do trainings on dealing with online abuse, they look quite different. We talk about a lot of things. We talk about mental health care and self care and all these other things. But I will say two things. One, the more people publicly write about this, talk about this, put up screenshots of some of what they're experiencing and generally just like have an open conversation about it. The more pressure it puts on the companies, especially if you have a profile or you know people who have a profile to do better. And I cannot emphasize enough that the goal of most abusers is to make you isolate yourself, right? And that is true in digital world and physical world and everything in between. They want you to isolate yourself. So if you are under attack, to the extent that you feel safe and comfortable, find people you can talk to about what's happening to you, maybe they're friends and family, maybe they're colleagues, maybe if you're lucky enough to have a good relationship with your manager, it's your manager. But talk about it, right? You might not feel comfortable talking about it in some public setting, but find people to talk to about it because it does wear people down over time when they hold it in. Other questions, thoughts, yeah? Oh, we have five minutes left. Oh, we're out of time. Yes. So rather than, so we're out of time. So what, we can have a one on one and chat and give you an update. But yeah. But if you folks, we're gonna kind of start wrapping up and there's snacks and stuff. But if you have any other questions that are really pressing, come find one of us or the folks from OTI in the back and we can help. Thank you so much.