Personal Safety Online
Personal Safety Online is part of a larger resource for members of the writing community on personal and event safety concerns, both in-person and online. To see all the resources available, visit our Safety homepage. Personal Safety Online includes a general safety checklist plus information on doxing, harassment campaigns, effective record-keeping, and managing data you collect on other people: general safety considerations for maintaining an online presence, dealing with online harassment and doxing, and how to manage the privacy of others when you handle their personal information.
General Safety Considerations
Authors can find themselves in a challenging situation when it comes to expressing their various “selves” online.
An author will typically have had a personal life online that existed before they started publishing, followed by a “public” self related to their work, and even a “marketing” self that attempts to broaden awareness of their work.
With the rise of “parasocial” relationships online, where many people can feel they have a relationship with a single person, there are pressures on all sides to give up more information or access than the author may ultimately be comfortable with. If an audience feels they are “owed” something, and the author feels pressure to maintain their livelihood, it can be difficult to enforce boundaries that weren’t established from the beginning.
These levels of comfort can also change over time. In a social media age where users are pushed to share more content to increase engagement for the platform, it’s important for authors to be aware of how the platform might be leveraging their information (i.e., trying to grow a network beyond what the author wanted, which brings attention they aren’t prepared for). This can especially happen in situations where something an author does goes viral that doesn’t involve their work.
Authors have a very difficult task in building communities around their work by being available, sharing of themselves, and moderating their audiences. Getting help with these tasks from someone you trust can help you maintain your boundaries and the space needed to keep doing the things you love, like writing. As your audience grows, it’s almost inevitable that you will get a negative response online or at public events, and a group of trusted friends can help deal with the negativity.
Using a pen name is often a marketing decision, and authors often use pen names to work with multiple publishers or develop separate audiences. Authors who wish to separate their writing career from other work often use pen names to maintain boundaries.
For safety reasons, a pen name can be used to protect your identity. Most modern sales platforms, like Amazon, separate pen names from the account owner, and multiple pen names can be used for books uploaded to a single account. Some considerations:
- Initials vs full name. Depending on genre expectations, a change as simple as using initials rather than a full name can work to separate audiences. Some readers appreciate the slight difference to help them differentiate between a single author’s different series.
- Author photos for pen names. Authors who don’t want to use their actual photo may use book covers, character art, or other graphics. Reader expectations will vary based on genre. A book cover works for most audiences and doubles as book information on social media.
- Social Media for pen names. Depending on genre, some authors have the interest and time to maintain social media for their pen names and see benefits from additional marketing channels. Others maintain a single channel and are open about their pen names. This will vary depending on your audience expectations and how much privacy you want to maintain. Some authors have assistants handle these separate channels.
Be aware that most social networks will attempt to connect your networks. If complete anonymity is your goal, explore using a Virtual Private Network (VPN) when connecting as your pen name or having an assistant manage those profiles.
An email address is an identifier. If you’ve used an address for your personal activity online, be aware that it can often be searched for, as well as unique usernames or forum handles.
- Consider creating a new email address for your professional author activity. These can be forwarded to your personal account. You don’t have to use a name. A short professional phrase or place name works well.
- Don’t use the same email address or username that you use for online banking or other personal accounts.
Securing Your Author Website
It’s usually easier to secure a website than social media, since your website isn’t trying to link you to other people or share data you didn’t purposefully add, but there are still some things to consider.
- Enable 2-factor authentication on your website and set up approval for comments (where that is possible).
- Keep any software (such as WordPress) updated.
- Your bio does not have to list family and places that could be used to link other identity markers (like mother’s maiden name, birthplace, birthday, etc.). Be careful when publicly discussing employers or organizations where someone might find your full identity.
- Secure your WHOIS information with your webhost.
- Most newsletter services require a mailing address. This requirement can be fulfilled more safely by using a mail forwarding service or P.O. Box. Check that your newsletter service hasn’t auto-filled this info from your account.
- Photos can share information about your location, family, work, etc. Pay attention to the background of any photos you place on your site or social media.
- Phone forwarding/screening services like Google Voice can be used to secure phone numbers if you want to share that info on your site or need to enter a phone number to make an account. Don’t allow apps such as Facebook or LinkedIn access to your phone’s contacts.
Social Media continues to evolve and your engagement online is a personal decision. Your engagement can change over time and you’re allowed to distance yourself from social media whenever you want. Establishing strong boundaries from the beginning can make it easier to withdraw when needed.
Platforms each have their own culture, and before you engage with a platform you don’t know, it’s a good idea to study it and its users to see if you want to be part of that community, what purpose that engagement will serve for you, and the best way to secure your account there.
- Levels of Personal Engagement
- Do you want to share personal information? Is your family comfortable being included in your social media? If you don’t want to share pictures of children or other family, other options include pets or personal hobbies and interests.
- How often do you share/post?
- What are your values, community or causes you support?
- Details. Be aware of backgrounds, places, times and people in photos you share. These can provide additional personal information that you did not intend to share.
- Network Effect. Sites and apps like Facebook use IP addresses (where you logged into their services), facial recognition and metadata from photos to link users in their system.
- Securing Professional Name. As new services come into being, it can be a good practice to secure your professional name on that service to prevent impersonation or identity theft.
- Securing friends lists, audience lists, and Patreon Supporter Lists, etc. Members of your audience and professional network as an author become ways to reach you. In a way this is inevitable as audiences grow, but consider the security of these lists if you want to maintain certain privacy, like your employer or personal address. Most sites have settings to make these lists private.
- Communication and Community. Finding community, sharing information with them, and raising any concerns about your online safety and security is one of the best ways to stay up to date and to get help when needed. Your friends want to help you, and you aren’t wasting their time asking for help.
- Two-Factor Authentication. Two-factor authentication means a user provides two methods of verification for their account, usually a password and then a text or app-based security code. If someone has your password, they still need access to your phone.
- P.O. Box. Using a P.O. Box for all business correspondence will help secure your home address.
- Family and Friends Understand Information Security. Let family and friends know your feelings about sharing your personal information. They may think they’re helping by posting about you, but could be sharing personal data that can be linked to other parts of your profile.
- Data breaches are inevitable. Use strong passwords generated by a password manager like KeePass or those built into Firefox and Chrome, and change them regularly. Don’t use the same password or username for all your important sites and services.
Dealing with Online Harassment and Doxing
If you think you are in immediate physical danger, consider calling your local emergency number. Our Reporting Incidents to Authorities section may help.
Your first step should always be to document what has happened via screenshots or other recordkeeping. This is crucial reference material for escalating the matter to the websites where doxing or harassment is occurring, as well as creating records for possible legal action in the future.
This doesn’t mean you have to leave harmful messages or personal information posted, if you have the ability to have it taken down. Many websites have procedures in place to remove harmful information when they are contacted about it. Twitter, for example, has made doxing a violation of their terms of service, and accounts can be reported and the posts removed.
What is Doxing?
Doxing is the act of searching for and publishing someone’s private or personally identifying information, usually on the internet, typically with malicious intent. This may include posting someone’s real name, address, phone number, workplace, or other information that makes direct harassment easier. The result may be anything from threatening phone calls and mail deliveries to death threats or SWAT calls.
Unfortunately, the best way to deal with doxing is to prevent it in the first place.
- Use secure passwords and two-factor authentication on accounts wherever possible, especially for websites which retain financial or shipping information.
- Keep personal information private (for example, answers to common memes often match website security questions: childhood pet, hometown, maiden name, etc.).
- Avoid clicking unverified links or email attachments.
- Keep computer antivirus software updated (many operating systems come with native software, such as Microsoft Defender or Apple’s XProtect).
- Cover or unplug your device’s camera when not in use.
- Do not use social media location check-ins; do not share photos that show street views around your home or the exterior of your home.
- Disable location metadata on digital photos. This option is sometimes located in a phone’s general Settings, and sometimes in the Camera app’s settings; if it is not readily apparent, try a web search for your phone model + how to disable location metadata or geotagging.
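An added example (not part of the SFWA guide) of the check behind that last item: a standard-library Python script that tells you whether a JPEG still carries an EXIF GPS geotag before you post it. The sample JPEGs are constructed inline; point the script at real files to check them.

```python
"""Constructed example: detect an EXIF GPS geotag in a JPEG before it is posted.

Standard library only. A JPEG is a sequence of marker segments; the APP1 segment
carries an Exif block, which is a TIFF structure whose first directory (IFD0) may
contain tag 0x8825, the pointer to the GPSInfo sub-IFD that holds the coordinates.
"""
import struct

EXIF_GPS_IFD_POINTER = 0x8825  # IFD0 tag that points to the GPS sub-IFD


def _iter_jpeg_segments(data: bytes):
    """Yield (marker, payload) for each segment before the entropy-coded scan data."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG (missing SOI marker)")
    pos = 2
    while pos + 4 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected a marker at offset {pos}")
        marker = data[pos + 1]
        if marker == 0xD9 or marker == 0xDA:  # EOI or SOS: no more metadata segments
            return
        if marker == 0x01 or 0xD0 <= marker <= 0xD7:  # stand-alone markers carry no length
            pos += 2
            continue
        length = struct.unpack(">H", data[pos + 2 : pos + 4])[0]  # length includes itself
        yield marker, data[pos + 4 : pos + 2 + length]
        pos += 2 + length


def has_gps_geotag(data: bytes) -> bool:
    """Return True if the JPEG's Exif IFD0 contains a GPSInfo IFD pointer."""
    for marker, payload in _iter_jpeg_segments(data):
        if marker != 0xE1 or not payload.startswith(b"Exif\x00\x00"):
            continue  # only APP1/Exif segments matter here
        tiff = payload[6:]
        if tiff[:2] == b"II":
            endian = "<"  # Intel byte order (little-endian)
        elif tiff[:2] == b"MM":
            endian = ">"  # Motorola byte order (big-endian)
        else:
            continue  # malformed TIFF header: nothing parsable
        (ifd0,) = struct.unpack(endian + "I", tiff[4:8])
        (count,) = struct.unpack(endian + "H", tiff[ifd0 : ifd0 + 2])
        for i in range(count):
            entry = ifd0 + 2 + 12 * i  # each entry is 12 bytes: tag, type, count, value
            (tag,) = struct.unpack(endian + "H", tiff[entry : entry + 2])
            if tag == EXIF_GPS_IFD_POINTER:
                return True
    return False


def build_sample_jpeg(tags: list[int]) -> bytes:
    """Constructed test input: SOI, one little-endian Exif APP1 segment holding the given
    IFD0 tags (dummy LONG values), then EOI. Not a displayable image."""
    ifd = struct.pack("<H", len(tags))
    for tag in tags:
        ifd += struct.pack("<HHII", tag, 4, 1, 0)  # type 4 = LONG, count 1, value 0
    ifd += struct.pack("<I", 0)  # no further IFDs
    tiff = b"II" + struct.pack("<HI", 0x2A, 8) + ifd  # IFD0 starts right after the header
    payload = b"Exif\x00\x00" + tiff
    app1 = b"\xff\xe1" + struct.pack(">H", len(payload) + 2) + payload
    return b"\xff\xd8" + app1 + b"\xff\xd9"


GEOTAGGED_SAMPLE = build_sample_jpeg([0x010F, 0x8825, 0x8769])  # Make, GPSInfo, Exif IFD
CLEAN_SAMPLE = build_sample_jpeg([0x010F, 0x8769])  # same tags with the GPS pointer absent

if __name__ == "__main__":
    import sys

    for path in sys.argv[1:]:  # usage: python geotag_check.py photo1.jpg photo2.jpg
        with open(path, "rb") as fh:
            verdict = "HAS GPS GEOTAG" if has_gps_geotag(fh.read()) else "no GPS geotag"
        print(f"{path}: {verdict}")
```

A positive result means the file still needs the geotag stripped (or the camera setting above needs changing) before it goes online.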
Additional Security Tips
- Regularly check “people finder” websites. These are databases which combine social media information and public records and make them available to anyone to search. You can request that your information be removed from these websites, but future updates may reupload freshly collected data, so it is worth checking every few months.
- Examples include: spokeo.com, anywho.com, intelius.com, whitepages.com, truthfinder.com, peoplefinders.com, beenverified.com. There are dozens, and more being launched on a regular basis.
- If you have the means to do so, you can hire a paid service to remove your information from these sites and then monitor them to ensure it remains erased. One example is DeleteMe, which also has free DIY guides to manually removing one’s information from many data broker sites (note: this is an example and not an endorsement).
- Consider paying for private web domain registration. ICANN (the Internet Corporation for Assigned Names and Numbers) requires the mailing address, phone number, and e-mail address of all website domain name owners and administrators to be posted publicly in the “WHOIS” directory. Many domain name registrars provide privacy protection services, which will keep your information out of public searches. (Example: see more about enabling privacy protection on WordPress.com here.)
- Safely complying with newsletter footer requirements. The FTC’s CAN-SPAM Act requires a physical address be attached to email campaigns such as newsletters, marketing and promotions. One acceptable alternative is to pay for a small P.O. Box and use that address in the footer of your newsletters or other mass mailings. If you have a literary agent, you can also ask whether it is all right to use the agency’s address.
Consider sharing this guide with any family members you are publicly connected with (whether through public knowledge, links on social media, etc.), as harassers may search family members in order to find you.
Some Types of Leaked Information
- Phone number. In the case of prolonged harassment, the only recourse may be to change phone numbers. However, law enforcement may have an easier time investigating harassment by phone than by the internet, so be sure to document everything that has happened.
- Home address. One’s home address being made public may result in threats by mail, invasion of property, pranks such as fake food orders, or false law enforcement calls.
- Compromised credit card numbers, banking information. Notify your relevant financial institutions and change account information as appropriate. If your doxed information includes common answers to security questions, such as mother’s maiden name, update these as well.
- Hijacked accounts. May be used to impersonate you, to yield additional personal information such as shipping addresses, or to gain access to additional linked accounts. If you suspect one or more of your accounts has been compromised, quickly attempt to change your passwords, log out of all other sessions, and notify anyone else who may have been contacted from it. Enable two-factor authentication wherever possible and do not repeat passwords across platforms. Consider using a password manager such as KeePass or those built into Firefox and Chrome.
- Workplace Info. If your workplace has been made public, you may experience attempts to harass you at work, embarrass you, or get you fired. Consider talking to your supervisor(s) or coworkers as appropriate to get ahead of the situation.
- Email address. Your email address may be used to send hate mail, sign you up for spam mail, or register you for embarrassing forums and services. Services such as Unroll.Me and Mailstrom can help you quickly unsubscribe from junk mail. Look carefully through your inbox and spam folders, in case the flood of junk mail is meant to push down notifications of account sign-ins and security breaches on other websites.
Ways to Respond
The primary ways to respond to doxing or other forms of online harassment are:
- to ignore them;
- to block or mute instigators on specific social media platforms;
- to expose your harassers or publicly confront them;
- or to delegate tasks to allies, such as asking a friend to moderate your accounts until the situation is resolved.
Each of these options is easier said than done. SFWA does not recommend exposing or publicly confronting your harassers as this may only increase harassment. You can find more comprehensive advice in iHeartMob’s “Basic Protocol on How to Respond to Online Harassment” including further links.
If you are the subject of a prolonged harassment or stalking campaign, and you are a resident of the United States, you may be eligible for a confidential address program (most effective immediately following a move). These vary by state. A list of these programs and their eligibility requirements can be found here.
- Guide to Talking to Family & Police (from Crash Override Network)
- Digital Safety How-To Guide (from iHeartMob)
- Security-in-a-Box (digital security tools and tactics)
- Online Privacy and Safety Tips (from techsafety.org)
- Digital Hygiene Course (from Trollbusters)
Managing the Privacy of Others
Any time you are handling the personal information of other individuals, you need to be aware of several things: compliance with applicable laws such as GDPR and CAN-SPAM; safe storage of the data; and the general consideration not to make anyone’s information public without explicit permission.
Circumstances in which you may be handling the personal information of other individuals include, but aren’t limited to:
- Collecting information for mailing lists;
- Collecting names and addresses for giveaways;
- Managing contact information and preferences via subscription services, such as newsletters or Patreon accounts;
- Receiving submissions for magazines, contests, or awards reading;
- Making contact information public for con staff, magazine/project personnel, or awards judges.
Even in situations where spam laws do not apply, it is a general best practice to consider the privacy of anyone whose personal information you are handling, to be clear about the ways you will be using or sharing that information, and to obtain explicit consent to do so. Only collect information strictly needed for a specific purpose, and consider carefully what you share with others, even within the same organization.
Here are some examples of ways you can protect the privacy of others:
Patreon: Consider making your patron list private, rather than publicly visible on your page.
Magazines/Anthologies/Contests: Only request strictly necessary identifying information on initial submissions. If you need legal names and mailing addresses at the acceptance stage, consider only requesting that information upon acceptance, rather than having this information visible to all members of the organization throughout the submission process.
Award Judges: For juried awards in which authors and publications can submit work directly to the judges, ensure that your judges are aware of exactly how their contact information may be shared. Do not share or post online (or allow other venues to publicly post) anyone’s personal email or home address without explicit permission. This consideration should also be extended to volunteers in other situations: convention staff, editors and first readers at publications, and so on.
These are only a few examples of situations in which you may be managing the privacy of others, and you should apply similar consideration to any other platform on which you are collecting information. The following sections include more specifics about your legal obligations. This is not a comprehensive list.
The General Data Protection Regulation (GDPR) is a privacy and security law passed by the European Union (EU) that went into effect in 2018. It applies to any organization that collects data related to people in the EU, regardless of the location of the organization itself, with violations punishable by hefty fines.
If you process data, you have to do so according to seven protection and accountability principles outlined in Article 5.1-2:
- Lawfulness, fairness and transparency — Processing must be lawful, fair, and transparent to the data subject.
- Purpose limitation — You must process data for the legitimate purposes specified explicitly to the data subject when you collected it.
- Data minimization — You should collect and process only as much data as absolutely necessary for the purposes specified.
- Accuracy — You must keep personal data accurate and up to date.
- Storage limitation — You may only store personally identifying data for as long as necessary for the specified purpose.
- Integrity and confidentiality — Processing must be done in such a way as to ensure appropriate security, integrity, and confidentiality (e.g. by using encryption).
- Accountability — The data controller is responsible for being able to demonstrate GDPR compliance with all of these principles.
There are six “lawful bases” for you to “process” (collect, store, use, etc.) people’s data. These are listed in Article 6. The first is consent, which must be obtained unambiguously and after a full explanation of what you plan to do with the data. Specifically:
- Consent must be “freely given, specific, informed and unambiguous.”
- Requests for consent must be “clearly distinguishable from the other matters” and presented in “clear and plain language.”
- Data subjects can withdraw previously given consent whenever they want, and you have to honor their decision. You can’t simply change the legal basis of the processing to one of the other justifications.
- Children under 13 can only give consent with permission from their parent.
- You need to keep documentary evidence of consent.
For the average author collecting information for a mailing list, this means getting clear consent to collect only the necessary information for a specific purpose (one example: a clearly labeled newsletter sign up form with a double opt-in*). It also means providing an easy means to unsubscribe at any time and discarding data when it is no longer needed (for example, deleting physical addresses after mailing giveaways and only retaining contact information for a mailing list if the individuals who signed up for the giveaway gave explicit consent to also be added to your list).
Some additional considerations for managing visitors to a website include acquiring consent before using any cookies other than strictly necessary cookies, posting a privacy notice, and removing personal information when requested, including deleting blog comments.
A popular solution is to outsource data management to a third-party service that is GDPR-compliant (say, a newsletter service with clear opt-ins and automated unsubscribe links, or website builders with GDPR-compliant settings), but be aware that you are ultimately responsible for the data you manage, so you should review all of these settings carefully.
Many third-party services have already written pages to walk you through their GDPR settings and ways for you to ensure compliance. Some examples:
More Information: There is an informational site about navigating the GDPR here. It is co-funded by Project REP-791727-1 of the Horizon 2020 Framework Programme of the European Union, but it is not an official EU Commission site and does not replace legal advice. The website includes compliance checklists (a general one here and a U.S.-specific one here), as well as articles on email encryption, the full text of the regulation, and more.
* A double opt-in occurs when a user signs up for an email list, and an email is then sent to the user with a link to click and confirm the subscription. The user is not officially added to the email list until the confirmation click is completed. This two-step process ensures that the user did not sign up in error, and that a third party cannot sign someone up without their cooperation.
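An added example, not from the guide or from any newsletter service, of the double opt-in flow just described together with the consent record-keeping and immediate unsubscribe handling from the GDPR list above. The confirmation token is an HMAC over the address and issue time; the key, addresses, clock and 48-hour expiry are constructed for the demonstration.

```python
"""Constructed example: mailing list with double opt-in, consent records and a one-step
unsubscribe. Standard library only; key, addresses and clock are made up for the demo."""
import hashlib
import hmac
from dataclasses import dataclass, field

TOKEN_TTL_SECONDS = 48 * 3600  # assumed policy: confirmation links expire after 48 hours


@dataclass
class Subscriber:
    email: str
    status: str  # "pending" (not on the list yet), "subscribed" or "unsubscribed"
    consent_log: list = field(default_factory=list)  # (timestamp, event, detail) records


class MailingList:
    def __init__(self, secret: bytes, now):
        self._secret = secret  # HMAC key for tokens; load from a secret store in production
        self._now = now  # injectable clock (callable returning epoch seconds)
        self._subscribers: dict[str, Subscriber] = {}

    def _sign(self, email: str, issued_at: int) -> str:
        return hmac.new(self._secret, f"{email}|{issued_at}".encode(), hashlib.sha256).hexdigest()

    def signup(self, email: str, form_text: str) -> str:
        """Step 1: record a pending signup; return the token for the confirmation link."""
        email = email.strip().lower()
        sub = self._subscribers.setdefault(email, Subscriber(email, "pending"))
        if sub.status == "subscribed":
            return ""  # already confirmed; nothing to re-confirm
        sub.status = "pending"  # a re-signup after unsubscribing starts over
        issued_at = int(self._now())
        sub.consent_log.append((issued_at, "signup_form", form_text))  # what they agreed to
        return f"{email}|{issued_at}|{self._sign(email, issued_at)}"

    def confirm(self, token: str) -> bool:
        """Step 2: only a correctly signed, unexpired token for a pending address subscribes it."""
        try:
            email, issued_str, sig = token.split("|")
            issued_at = int(issued_str)
        except ValueError:
            return False  # malformed link
        if not hmac.compare_digest(sig, self._sign(email, issued_at)):
            return False  # forged or tampered link
        now = int(self._now())
        if now - issued_at > TOKEN_TTL_SECONDS:
            return False  # stale link: the signup must be repeated
        sub = self._subscribers.get(email)
        if sub is None or sub.status != "pending":
            return False
        sub.status = "subscribed"
        sub.consent_log.append((now, "confirmed", "double opt-in link clicked"))
        return True

    def unsubscribe(self, email: str) -> bool:  # single-step opt-out, honoured immediately
        sub = self._subscribers.get(email.strip().lower())
        if sub is None or sub.status == "unsubscribed":
            return False
        sub.status = "unsubscribed"
        sub.consent_log.append((int(self._now()), "unsubscribed", "opt-out request honoured"))
        return True

    def recipients(self) -> list[str]:  # only confirmed addresses ever receive a mailing
        return sorted(e for e, s in self._subscribers.items() if s.status == "subscribed")

    def consent_evidence(self, email: str) -> list:  # the documentary evidence of consent
        sub = self._subscribers.get(email.strip().lower())
        return list(sub.consent_log) if sub else []


def demo(clock_start: int = 1_700_000_000) -> dict:
    """Walk through the flow on a constructed clock and return the observable outcomes."""
    clock = [clock_start]
    ml = MailingList(secret=b"constructed-demo-key-not-for-real-use", now=lambda: clock[0])
    token = ml.signup("Reader@Example.org", "Monthly newsletter: new releases and events")
    before = ml.recipients()  # []: a pending address is not on the list
    tampered = ml.confirm(token.replace("reader", "victim"))  # False: signature mismatch
    confirmed = ml.confirm(token)  # True
    after = ml.recipients()  # ["reader@example.org"]
    stale = ml.signup("late@example.org", "same form")
    clock[0] += TOKEN_TTL_SECONDS + 1  # link sits unopened past the expiry window
    expired = ml.confirm(stale)  # False
    unsubscribed = ml.unsubscribe("reader@example.org")  # True
    return {"before": before, "tampered": tampered, "confirmed": confirmed, "after": after,
            "expired": expired, "unsubscribed": unsubscribed, "final": ml.recipients(),
            "evidence": ml.consent_evidence("reader@example.org")}
```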
The CAN-SPAM Act is a law that was passed in the United States in 2003, setting national standards for the sending of commercial email, with financial penalties enforced by the Federal Trade Commission (FTC).
You can find the FTC’s compliance guide for businesses here. There is a large overlap with GDPR compliance, in that you must be clear about what you are sending and provide recipients an easy option to unsubscribe. The main requirements are as follows:
- Don’t use false or misleading header information. Your “From,” “To,” “Reply-To,” and routing information – including the originating domain name and email address – must be accurate and identify the person or business who initiated the message.
- Don’t use deceptive subject lines. The subject line must accurately reflect the content of the message.
- Identify the message as an ad. The law gives you a lot of leeway in how to do this, but you must disclose clearly and conspicuously that your message is an advertisement.
- Tell recipients where you’re located. Your message must include your valid physical postal address. This can be your current street address, a post office box you’ve registered with the U.S. Postal Service, or a private mailbox you’ve registered with a commercial mail receiving agency established under Postal Service regulations.
- Tell recipients how to opt out of receiving future email from you. Your message must include a clear and conspicuous explanation of how the recipient can opt out of getting email from you in the future. Craft the notice in a way that’s easy for an ordinary person to recognize, read, and understand. Creative use of type size, color, and location can improve clarity. Give a return email address or another easy Internet-based way to allow people to communicate their choice to you. You may create a menu to allow a recipient to opt out of certain types of messages, but you must include the option to stop all commercial messages from you. Make sure your spam filter doesn’t block these opt-out requests.
- Honor opt-out requests promptly. Any opt-out mechanism you offer must be able to process opt-out requests for at least 30 days after you send your message. You must honor a recipient’s opt-out request within 10 business days. You can’t charge a fee, require the recipient to give you any personally identifying information beyond an email address, or make the recipient take any step other than sending a reply email or visiting a single page on an Internet website as a condition for honoring an opt-out request. Once people have told you they don’t want to receive more messages from you, you can’t sell or transfer their email addresses, even in the form of a mailing list. The only exception is that you may transfer the addresses to a company you’ve hired to help you comply with the CAN-SPAM Act.
- Monitor what others are doing on your behalf. The law makes clear that even if you hire another company to handle your email marketing, you can’t contract away your legal responsibility to comply with the law. Both the company whose product is promoted in the message and the company that actually sends the message may be held legally responsible.
On a personal information security note: pay special attention to Item #4: tell recipients where you are located. Whether you are managing your own mailing list manually, or using a third-party newsletter service, your emails must contain a physical mailing address, most commonly placed in the footer. If you are agented, you can ask your literary agency if they will let you use their address as your official place of business.
If this is not an option, and you do not have another business address available to you, you should consider setting up a P.O. Box for business purposes rather than put your home address on all of your email.
Additional Spam Laws
The GDPR and the CAN-SPAM Act are not the only laws guiding the use of email marketing. Additional laws include, but aren’t limited to:
The CASL laws in Canada: These laws also require meaningful consent when collecting email addresses, prompt response to unsubscribe requests, and maintaining do-not-call lists. You can find more information from the Canadian Radio-television and Telecommunications Commission here, including FAQs and compliance tips.
The Privacy and Electronic Communications Regulations of 2003 in the UK: The short version: “You must not send marketing emails or texts to individuals without specific consent. There is a limited exception for your own previous customers, often called the ‘soft opt-in’.” You can find more information from the Information Commissioner’s Office here, including regulations regarding other forms of marketing.
The common thread running through all of these laws is clarity of use, consent to collect data, and an easy way to opt out, but it is always worth researching the laws in your own country to ensure you aren’t missing the finer points of spam law compliance.
Safe Data Storage
Use two-factor authentication wherever possible, especially on services where you will be managing other people’s data (Patreon, newsletter services, your email account, your website, etc.). This will significantly reduce the chances of someone gaining access to your accounts, and therefore your customer/visitor/marketing data.
Consider moving your website to HTTPS, which encrypts communications between your website and a user’s browser.