Digital Harassment Self-Defense
Threat Models
A good security plan starts with a threat model -- also known as a risk assessment. A threat model is personal, and it can be vague at first. As you continue to learn, plan, and take your first actions, the threat model becomes a touchstone that can help you decide which defenses are worthwhile for you.
Risk Assessment one-pager, Electronic Frontier Foundation (2019).
For background reading to help inform your threat model, see the section Understanding Harassment below.
Secure Your Accounts
Ideally, each of your accounts will have a unique, hard-to-guess password. Creation and storage of most of these passwords are best left to a password manager.
But for your most important accounts, you may want to create your own memorable, strong passwords, and keep them out of your password manager. You may also want to enable two-factor authentication for these most important accounts.
Don't forget to create a strong, memorable password for your password manager itself!
Create Strong Passwords
How to Create Strong Passwords, Electronic Freedom Foundation (2021)
Choose and Maintain a Password Manager
Why You Need a Password Manager. Yes, You., A. Cunningham (2021). Wirecutter: The New York Times
Have I Been Pwned? A safe, free tool that allows you to see if your email address(es) has been a username in any known credential hacks.
Choose a password manager, and install it on all your devices. Here are three easy-to-use options:
Bitwarden
Pros Open source. Well-designed and easy to use. Free for individuals.
Cons: Slightly less user-friendly than 1Password
Cost Free for up to 2 individuals. $40/year for families.
1Password
Pros: The absolute simplest to use, in our opinion.
Cons: No free tier
Cost: $36/yr for individuals, $60/yr for families
LastPass
Pros: Supported by Cornell while you're affiliated.
Cons: Its recent acquisition by a private equity firm raises questions. It's also the only third-party password manager known to have experienced a security breach (but only of its source code. No customer passwords were accessed.).
Cost: Free Personal plan or Family plan for Cornell affiliates.
After Cornell affiliation ends: Free for one individual and one device, $36/yr for full-featured individual plan, $48/yr for families.
Enable Multi-Factor Authentication
For your most important or most sensitive accounts, consider enabling two-factor authentication (2FA) with an authenticator app, a hardware token -- or both, which lets each act as a backup for the other.
The easiest and often default 2FA method is plain text SMS. But this is also the least secure method, as a determined adversary can spoof your phone number if they know it, and intercept plain SMS texts. That's why we recommend an authenticator app or hardware token.
Authenticator Apps
Authenticator apps are free for individual end users (like you) because their profit comes from the tech companies that pay for them to be compatible with their sites, and by enterprise customers (like Cornell).
Authenticator apps explained: There's a Better Way to Protect Yourself from Hackers and Identity Thieves, S. Morrison (2021). Vox recode.
You probably already use one authenticator app -- Duo Mobile -- to access your Cornell account. Follow these instructions to add additional third-party accounts to Duo Mobile.
Authy is another free and trustworthy authenticator app.
Some 3rd-party password managers also offer authenicator apps.
Authentication with a Hardware Token
A hardware token is the most secure form of 2FA. It's a small physical item that looks slightly like a thumb drive. Keep it with you -- on your keychain, for example -- and plug it into your device's USB or Lightning drive when you need authentication. It's particularly useful if you need 2FA access when you don't have reliable cellular service, or if you use burner phones.
Hardware tokens explained: Simplify and Secure Your Online Accounts with a Yubikey, J Colt (2018). WIRED.
The Yubikey is the most popular brand of authenticator hardware token
Data Brokers
Remove Your Details from Data Broker Storehouses
DIY: Reanna's Big List of data brokers and their opt-out links
If you decide to hire a service: DeleteMe
Plug Some Leaky Data Holes
Install tracking blocker extensions on your web browsers, like Privacy Badger or uBlock Origin.
Delete apps from your phone that you don't need.
Follow these steps for limiting location tracking on your phone. (NYTimes, Dec. 2019)
Guide: Data Detox Kit, by the Tactical Tech organization
Background Reading on Data Brokers
Public-Facing Data Brokers
I Shared My Phone Number. I Learned I Shouldn't Have. (B. Chen, NYTimes. Aug. 15, 2019.)
On the Failures of "Anonymized" Data
Where Even the Children Are Being Tracked (C. Warzel & S. Thompson, NYTimes. Dec. 21, 2019)
Phone Apps
The Loophole That Turns Your Apps Into Spies (C. Warzel, NYTimes. Sept. 24, 2019)
Who Is Policing the Location Data Industry? (A. Ng & J. Keegan,,The Markup. Feb. 24, 2022)
Control Your Purposeful Online Presence
Social Media
Identify all your accounts, including those you may have abandoned long ago. Search for old handles and email addresses. Delete accounts you no longer use. Delete old content you no longer need.
On Twitter, use the Block Party app to activate several very useful tools and strategies, such as proactive blocking of known bad actors, and quarantining of harassing messages.
Bulk delete old tweets with the tool Semiphemeral. You can also plan to delete them on an automatic schedule . See Instructions here. Many customization options. You can also save a spreadsheet of your old tweets for personal archiving, if you want.
Delete or hide old Facebook posts in bulk (Instructions from PCMag, 2021)
If you have social media accounts that you use primarily for communicating with friends and family (rather than professionally), consider making them private.
What kinds of information and images do you feel comfortable sharing going forward?
Guide: A Guide to Twitter and Social Media Safety for Academics (And Everyone Else) by historian Paula R. Curtis (2022)
Note: Since Twitter ownership changed in later October 2022, a significant portion of the company's Trust and Safety team, including is leader, have left, and the company does not currently employ a data protection officer. Observers are raising concerns about basic data security and privacy, as well as the potential for moderation and other harassment policies to change without warning. The situation is still developing, but some information in the above guide may become outdated.
University Websites & Personal Websites
Do you want a photo on your department website? Do you want your campus address posted on university or personal websites?
If you maintain a personal website, use a contact form rather than publishing your personal email address.
If you have a personal website, be sure to keep security patches updated. Or, build your site using a static site generator; static sites are more resistant to denial-of-service attacks and other attempts to cause harm. Talk to Digital CoLab staff for help with building a static site.
Your Academic Work
Be aware that your email correspondence with colleagues at state universities may be obtained and published via public records requests.
If you maintain a profile on a third-party host of preprints/postprints, be cautious with commercial surveillance sites such as Academia and ResearchGate. Instead, consider repositories and networks built, owned, and maintained by scholarly communities, such as OrcID, ArXiv, Humanities Commons, eCommons, or others in your field.
When a library database vendor pushes you to create an account while using it, avoid doing so, unless you have a specific reason for wanting to do so.
Consider adding a copyright statement to your syllabus that prohibits students' posting course materials publicly. This Faculty Senate page offers suggested language. If you find your work posted on third party sites, you can request removal. Cornell Library Copyright Services offers a guide for finding re-posted course material and requesting its removal.
Early Warning System
Set up a Google alert for your name, so that you will have a heads-up if you become a target.
Proactively request colleagues and family not share your contact information, schedule, or other personal details with cold callers or e-mailers. Speak with:
- Departmental faculty and staff
- Anyone who is connected with your name in your academic work
- Anyone (usually family members or roommates) who you find linked to you in data-broker records
Plan in Advance:
How To Respond in the Event of an Attack
Is there a friend you would trust to screen your email for you, so that you don't have to read the messages in the moment? Talk to them in advance.
Who in your personal or professional networks could you tap to report social media abuse? Threatening posts have a better chance of being taken down if reported by someone other than the target.
Will you want to save abusive materials in order to have documentation later?
Consider starting a conversation with colleagues in your unit or department about the collective harm of targeted and network harassment. As a group, consider how you might respond collectively, or not, to cases of sustained and severe harassment.
Consider contacting Cornell Health's Victim Advocacy Program for mental health and other support.
Collective Harms & Collective Responses
It's important to remember that, while the largest burden of targeted or networked harassment is borne by individuals, the goal of such harassment is to discredit and delegitimize higher education, the academy, the research process, academic freedom, and academic institutions collectively.
Therefore, the problem can never be solved by individual responses alone. Here are some resources to consider if you are planning collective defenses with your department, professional organization, or other group.
The American Association of University Professors (AAUP), informed by years of research and practice, recommends clear and forceful condemnations of harassment and intimidation from institutions, boards, and faculties, individually and collectively.
How Should Administrators Respond to a Campus Reform Story? I. Kamola, Faculty First Responders Project
"Academic Outrage: When the Culture Wars Go Digital" [blog post], T. MacMillan Cottom, 2017.
A Model Public Message in Support of Targeted Faculty Member , Syracuse University, Sept. 2021
Against the Common Sense: Academic Freedom as a Collective Right E. Cherniavsky, Journal of Academic Freedom. 2021
Understanding Harassment
A collection of essays, research, and journalism.
First-person Accounts by Targeted Academics
Confronting Anti-Asian Racism: A Statement on (In)visibility and Online Targeted Harassment, R. Esmail (2021), Up//root.
A Statement Concerning My Public Talks This Week, K. Taylor, posted on Facebook by Haymarket Books, 2017.
"Are You Willing to Die For This Work?" Public Targeted Online Harassment in Higher Education: SWS [Sociologists for Women in Society] Presidential Address, A. L. Ferber (2018), Gender & Society 32(3).
US-based Far-right
Data Snapshot: Whom Does Campus Reform Target and What Are the Effects? H. Tiede, et.al., American Association of University Professors Reports & Publications. Spring 2021
The Conservative Dark-Money Groups Infiltrating Campus Politics P. Vogel, Media Matters for America, 2017
Sensationalized Surveillance: Campus Reform and the Targeted Harassment of Faculty S. McCarthy & I. Kamola, New Political Science. Nov. 2021
A Billionaire-Funded Website with Ties to the Far-Right Is Trying to "Cancel" University Professors A. Speri, The Intercept. April 2021
Guide: Faculty First Responders: Understand Right Wing Attacks on Faculty, from political scientist Isaac Karmola
Science-denialism
In the Line of Fire C. O'Grady, Science, March 2022
On the networked harassment of scientists, particularly those working on COVID-19 research.
Foreign Affairs
Under Fire from Hindu Nationalist Groups, U.S.-based Scholars of South Asia Worry About Academic Freedom N. Masih, The Washington Post, Oct. 3, 2021
"They Don't Understand the Fear We Have": How China's Long Reach of Repression Undermines Academic Freedom at Australia's Universities Human Rights Watch, June 30, 2021
Guide: Hindutva Harassment Field Manual, from the South Asia Scholar Activist Collective
Get Help
Have questions about any of the above? We're here to collaborate as you plan, implement, and troubleshoot. Email us anytime: DigitalCoLab at cornell.edu