Updated March 20, 2023
Journalists have long faced threats in reprisal for their work, and in the internet era, attackers are leveraging information published on social media and professional websites to hack, abuse, shame, or defame their target.
Online abuse is becoming increasingly sophisticated, with coordinated smear campaigns being used against both individual journalists and media outlets as a way to discredit their work. These attacks are carried out by well-organized online groups, including state-sponsored actors.
Attackers may steal information to impersonate a journalist, manipulate it without consent, or they may dox journalists—and potentially their colleagues or family members—by researching and publishing their home address or other private details. Journalists should be aware of what information about them is in the public domain, consider what it reveals about them, and take steps to remove it where possible.
Be aware that it is very difficult to remove data from the internet completely. Information could be stored in internet archive machines, or a screenshot could have been taken and shared with others. Whether sites comply with requests to remove your personal information may depend on whether it is connected with an account you control, or owned by a third party.
Search engine algorithms also take time to reflect changes, so content may remain available for several days even if your request is successful.
Initial steps to protect your personal information:
Taking preventative measures is key to protecting yourself against online harassment. The more steps you take to protect your data before an attack happens, the safer your information is likely to be. Ideally, if someone were to look you up online they would only find professional information about you.
- Find out who could be interested in targeting you and their capacity to cause you harm both online and offline.
- Keep an eye out for news reports and accounts of other journalists having their private information published without consent. Such doxxing attacks increasingly target journalists on all beats, but awareness of new trends will help you take the right precautions.
- Sign up for credit monitoring services that can alert you of fraudulent activity on your financial accounts.
- Have separate accounts for your work and for your personal life. For example, create a work-only email account instead of having one email for everything. Choose whether your social media accounts are professional or personal. Mixing professional content and personal information in your online accounts, including your social media accounts, makes you more vulnerable. If an attacker accesses your account they will obtain data on both your personal and professional life.
- Review your social media accounts regularly to see what personal data is exposed based on your privacy and security settings. Check old content to see whether you have posted anything that you would not want others to see, for example a photo of your child, a photo that gives away your location or home address, or an old post that could be misconstrued. Backup and delete your personal messages.
- Understand what data is best kept private and offline. This includes information that can be used to identify you, such as your date of birth, data on your location–including your home address–and your contact information, such as personal email address or phone number.
- Set up Google alerts for your name and address and other information, such as your date of birth. Include alerts for any common misspellings of your name.
- Know what information is available about you on the internet. Do the following:
–Look yourself up online using all search engines. Use incognito mode or the private window function in your browser to do this, as this will give you all search results instead of your most commonly searched results
–If applicable, check Yandex and Baidu, the Russian and Chinese search engines
–Check photos and videos, as well as comments under news pieces that you have published
–Note down content you want to try and remove
–Look up close family members online to see what data is available about them, including their relationship to you
–Set regular calendar reminders for yourself to review your online profile - Journalists based in the United States should sign up to have their personal data and the data of family members removed from data broker sites. Examples of professional content monitoring and removal services include DeleteMe or Recorded Future.
To remove information from accounts and websites you or your family control:
- Log into your accounts and delete any personal data you have identified that should not be public.
- Review your website or any other sites you operate for sensitive, identifying information, and find ways to remove it where possible. For example, use a contact form instead of listing your email or physical address.
- Speak with family and friends about the information they publish about you and each other. Explain what data you are happy to share and what data you would like kept private. Talk to them about limiting what posts they tag you in.
- Be prepared to help family members check their security settings and take down content from their social media accounts.
To remove information elsewhere:
- Contact the sites to ask that they remove information about you. Depending on the type of site, where they are located, and the laws governing the information, they may or may not comply. Check each site to understand its policies. Don’t forget to check internet archive sites, such as the Wayback Machine, and request that they remove your data.
- Contact Google Maps, Apple Maps, and other companies to blur or remove your home or other identifying information.
- Ask Google Search to remove links from public search results. This now includes links detailing your personal data, such as your home address. Be aware that this will only remove information from Google’s search engine, not other search engines.
- Sites such as people directories take personal information from public databases.
- Ask directories to remove your information, though it is likely to reappear unless you are able to remove it from the source.
- Contact the creator of the public database, normally a government body, to see if your information can be removed or made private. Laws about this differ by country.
For more information on how to secure your online profile, consult CPJ’s safety notes on protecting against online harassment and protecting against targeted online attacks. For wellbeing support, read our guide on online harassment and how to protect your mental health. For more information on how to better protect against online abuse, take a look at our guide to other organizations and resources offering support.
The Committee to Protect Journalists is a member of the Coalition Against Online Violence, a collection of global organizations working to find better solutions for women journalists facing online abuse, harassment, and other forms of digital attack.
Editors’ note: This advisory was originally published on September 4, 2019. Information on assessing your personal information was updated on the publication date shown at the top.