NewsQ and Hacks/Hackers Guidance on safety protocols and precautions for Wikimedia-related projects
Who is This Document For
This document is for volunteers working closely with NewsQ and Hacks/Hackers on Wikimedia-related projects around information sources.
It might seem obvious to ensure reliable sources verify information on Wikipedia, but doing so involves marking or removing numerous sources as unreliable. This can provoke controversy, blowback, and even harassment.
Purpose of This Document
The goal of this document is to make clear that there are some risks involved in Wikipedia-related work on reliable sources or mis/disinformation. The aim is to make clear what types of risks exist, and how to mitigate them in advance when possible.
When threats do arise, we want to chart a clear path for:
- Getting help
- Contacting the right people for support
- Escalating the issue effectively and efficiently
Although specific strategies for repairing damage from threats are out of scope for this document, we also want to emphasize a commitment to help repair any damage that occurs.
Identifying, evaluating, and mitigating risk
Finally, this is a document about informed consent, awareness, prevention, and mitigation. When working online, risks cannot be eliminated entirely, especially when addressing controversial topics such as vaccines or misinformation. When needed, people should seek advanced help and we can suggest some potential resources.
- If you have a general question or concern about Wikipedia safety, contact firstname.lastname@example.org
- If you need to notify H/H staff, email email@example.com
- If you need help immediately, email firstname.lastname@example.org.
- If you are in physical danger, call the police line (9-1-1).
Otherwise, see the Protocols below for escalation.
How To Use This Document
All new team members should read, review, and agree to this document as part of their standard onboarding. Existing members should do the same within two weeks of its final version. Safety and security challenges should be addressed regularly in common dialogue at meetings and check-ins.
- If you need immediate help, just go directly to the protocols–that’s what to do in a bad situation.
- If you’re struggling with psychological effects of stress, the conclusion offers some holistic tips.
- If you have time to learn, the Risks and Mitigation sections act as a good primer for reducing harm and addressing threats.
- For further research, the references offer some guides from around the web’s better cybersecurity and journalism resources.
How This Document Is Structured
This is both a sequential and a scannable document.
- Reach out to Hacks/Hackers, Wikimedia Foundation, Law Enforcement, and people who can support you emotionally.
2) Safety Risks and Mitigation
- Expect pushback from critics but don’t handle it alone if it’s targeted, scary, or serious.
3) Security Risks and Mitigation
- Protect yourself from unwanted exposure of access to private information.
Framework: Risk, Safety, and Security
Risks Exist and Vary
The concept of safety
Working online to combat misinformation can attract negative attention, blowback, and retaliation. Key concepts about risk include:
- While risks can never be eliminated, they can be anticipated, mapped, mitigated, and confronted with appropriate speed and support.
- Not all risks are actual threats, not all threats pose credible danger, and not all danger is worth negating; but for each person the key is a sense of control and choice over their exposure.
- Every person’s tolerance and targets are different, so what works for one person may look different than what works for another person – and that’s ok.
‘Safety’ versus ‘Security’
The concept of safety
Safety, as in personal safety, is feeling sufficient comfort in your physical and psychological self to live day-to-day with peace of mind while effectively executing your job. Safety is being aware and able to respond to risks to your personal well-being, your mental health, your physical integrity, and your workplace environment.
The concept of security
Security, as in information security, involves the integrity of work operations and especially the private, confidential, identifying, or sensitive information collected and discussed during work operations.
Good security hygiene can enhance safety, and good safety practices reduce security risks.
Safety and security are both individual and collective. The safer each of us is, the safer we all are; the more secure we are as a group, the better we can protect each other; and when one of us has their safety compromised, or is threatened or violated, we are all implicated and damaged.
Getting Help: Protocols
When something threatens your sense of safety, flag it so someone with professional expertise and sufficient resources can examine it. Never handle a serious threat alone. You don’t need to have “thick skin” or “just ignore it.” Not every snarky comment is worth getting upset about, but we would rather you report something that turns out to be nothing than ignore something that turns out to be harmful to you or a colleague. We’re in this together.
Safety Protocol: Vaccine Reliable Sources Project
Who: Wikipedia volunteer
– Contact ‘Helpline’ for general aid
Contact for general support, advisement about specific scenarios, non-emergency
– Contact ‘Hotline’ in emergencies
Contact when there is threat of bodily harm; contacting the Hotline will result in contacting authorities
Who: Wikipedia volunteer
Action: Notify Authorities
– Telephone 9-1-1 (If in U.S. or other emergency number only if urgent or in direct danger)
Who: Wikipedia volunteer
Action: Seek Support
|Lean on Your Network|
Share your experience with:
> Spiritual Advisor
Safety Risks and Mitigation
Recap: Safety, as in personal safety, is feeling sufficient comfort in your physical and psychological self to live day-to-day with peace of mind while effectively executing your job. Safety is being aware and able to respond to risks to your personal well-being, your mental health, your physical integrity, and your workplace environment.
Safety risks vary by location and type, intention, and execution. Some safety risks exist solely online, some cross-over to fully offline, and some bridge between the two. Some speech targets your reputation while other speech seeks to bully or intimidate you into silence or cause psychological harm. Offline threats can target your residence, workplace, or regular hangouts and in extreme cases could involve a physical attack on you or those close to you or your property.
Remember: the goal of threats to your safety is to silence you, to stop you from doing important work, to punish you for your actions, and to discourage others from joining or following you.
Common safety threats
Below are some common safety threats you might face and some basic advice for mitigating those threats.
- Verbal harassment includes unwanted or aggressive behavior like name-calling, mocking, shaming, or insulting. Avoid engaging with the person who is harassing you. If possible, block them on social media or other platforms. Notify your team.
- Threats of harm indicate someone intends to cause physical or emotional damage to another person. These threats can be made in person, over the phone, or online. Take any threats seriously and report them to your team immediately. Contact police if threats are credible, direct, imminent, or dangerous. Seek support from friends, family, or a counselor if the threats continue.
- Online stalking involves repeatedly watching, following, or harassing another person on the internet. This can include monitoring social media accounts, sending unwanted messages, or tracking online activity. Limit the amount of personal information you share online and be cautious about friending or following people you don’t know. Use privacy settings to control who can see your posts.
- Brigading happens when a large number of people coordinate to attack or harass someone or a group of people on social media or online forums. Avoid sharing personal information online and be cautious of who you interact with on the internet. Use privacy settings on social media to control who can see your posts and information. If you are being targeted by brigading, report it to the platform and seek immediate help if necessary. Feel free to just log off until you feel safe.
- Doxxing is researching and broadcasting personally identifiable information (PII) about a person without their consent, with the intent to harass or intimidate. Be cautious about sharing personal information online and use privacy settings to control who can see it. Be prepared to document any harassment or threats you receive.
- Swatting is making a false report to law enforcement with the intent of getting a SWAT team or other heavily armed police response to someone’s home or workplace. Avoid sharing your home address or other personal information that could be used to locate you. If you receive a threatening call or other warning that you may be targeted for swatting, contact law enforcement immediately.
- Offline stalking is physically following and/or harassing an individual in person. If you are being stalked, take the threat seriously. Tell friends, family, and coworkers about the situation and ask for their support. and seek help from law enforcement or legal protection.
- Physical violence is any act inflicted on a person to harm or kill them. If you are in immediate danger, call 911 or the local emergency number. Otherwise, consider contacting law enforcement and a lawyer for help. If possible, try to remove yourself from the situation and seek safety. Tell friends, family, and coworkers about the situation and ask for their support. Consider seeking counseling or therapy to help you cope.
Security Risks and Mitigation
Recap: Security, as in information security, involves the integrity of work operations and especially the private, confidential, identifying, or sensitive information collected and discussed during work operations. Risks to security involve exposure of sensitive information and access to private accounts.
Basic security hygiene can mitigate many of these risks.
- In general, anything important, from devices to documents, should be password protected with two-factor authentication, shared with as few people as necessary, and containing as little PII (personally identifiable information) as possible. Update passwords after breaches.
- You should never reuse passwords between accounts or services, you should use unique strong passwords that are sufficiently long and complex, and you should use a secure password manager to keep track of your multiple unique, strong passwords
- To create strong passwords, avoid using easily guessable information such as your name, birthdate, or favorite sports team. Instead, use a mix of upper and lowercase letters, numbers, and special characters.
- To protect yourself from phishing attacks, be wary of emails or messages from unknown senders, especially if they contain links or attachments. Don’t click on links or download attachments from untrusted sources. If you receive an email claiming to be from a financial institution or other organization that you do work with, do not click on any links in the email. Instead, go directly to the organization’s website and log in to your account from there to verify if the message is legitimate.
- To protect yourself from hacking, keep your software and security programs up to date. This includes your operating system, web browser, antivirus and firewall software, and any other programs you use regularly.
- Avoid using public WiFi networks for sensitive activities such as online banking or shopping, and consider using a virtual private network (VPN) to encrypt your internet traffic. Finally, be cautious about sharing personal information online, especially on social media, and use privacy settings to control who can see your posts and information.
Conclusion: Staying Sane While Staying Safe
When you’re feeling stressed, it’s important to take care of yourself physically and emotionally. Practicing self-care and prioritizing your well-being is essential, even when work is chaotic – especially when work is chaotic. There are many healthy ways to cope with stress and anxiety.
You are doing important work and your efforts make a difference: remember why you do the work you do. If possible, don’t let criticism or negativity discourage you. Even when it’s hard, try to find gratitude and focus on the positive aspects of your work and your life. Keep a sense of perspective and try not to take things personally.
Look for activities that you enjoy that help you relax and recharge. Set boundaries around when you look at and engage in work – turn off the screen or the feed. Take breaks and give yourself time to recharge and refocus. If you’re overwhelmed, mindfulness can help you stay present in the moment.
Remember: you are not alone and that others have faced similar challenges. Seek out and surround yourself with supportive people. Find role models and mentors who can guide you through a difficult time.
Tips for Managing Safety and Security on Wikipedia
On-wiki version: https://en.wikipedia.org/wiki/Wikipedia:SAFE
Account, Registration, and Access
- Register an account. When you edit logged-in, your i.p. address is hidden
- Choose your username to minimize identifiable information, real name, or online handles
- Create a strong password that you do not use elsewhere.
- Create a dedicated email account to be used for Wikipedia, not your everyday email account.
- Always login: Any time you forget to login, your edit shows your i.p. Address
- Some people onwiki qualify for 2-factor authentication during login: you can request it.
- Some people on wiki qualify for a VPN/TOR exemption and you can request it.
Publicity and Disclosure
- Every page is public: There are no secret, sacred spaces to work, except offline
- Your pages are public too: userpage, talk pages, sandbox pages are visible to everyone
- You can’t unpublish content: In extremes it can be hidden, but once it’s seen it’s seen
- Be careful what you reveal early on: You never know when disclosure will become a risk
- People can follow your contributions: Watching others is a feature but also a challenge
- People can investigate you from what you edit: towns, politicians, sports teams, schools…
- As a Wikipedian, you become a ‘public person’ in a way: some outside scrutiny is to be expected.
Email, Files, and Exposure
- If someone emails you, and you email back then they see your real email address.
- Set your preferences to send password reset emails only when both email & username are given.
- Files uploaded might have sensitive information such as GPS or author name.
- Photographs might have identifiable features that might show location.
Networks and Media
- Beware connected social media profiles and posts that reveal date of birth, friends, and employer.
- Real life events (meetups, editathons, wikimania) expose you to unknown actors
- Journalists might reveal your identity if you tell them how long you’ve edited, favorite topics, etc.
- If you encounter harassing behavior onwiki, contact an administrator privately, via email.
- You can also privately reach out to the Arbitration Committee
- Some staff offwiki can help defend you: Trust and Safety (email@example.com)
- Some staff offwiki can call police for you: Trust & Safety (firstname.lastname@example.org)
References and Resources
Internet Safety Tips & Internet Safety Rules
Safety Tips for Managing Online Risks – ConnectSafely
21 Top Cyber Security Threats: Everything you Need to Know
20 internet safety tips and checklist to help families stay safer online | Norton
8 remote access security risks and how to prevent them | TechTarget
10 Absolute Best Ways to Mitigate Security Risk | Liquid Web
10 Ways to Reduce Cybersecurity Risk for Your Organization | UpGuard
12 Tips for Mitigating Cyber Risk | JPMorgan Chase
How to Dox Yourself on the Internet | by The NYT Open Team | NYT Open
What do you need to protect?
Guides & Training
Industry Standard for Safety Training | ACOS Alliance
Basic preparedness: Risk assessment – Committee to Protect Journalists
Safety Management | ACOS Alliance
Digital safety: Using online platforms safely as a journalist – Committee to Protect Journalists
Digital Safety: Protecting against online smear campaigns – Committee to Protect Journalists
Digital safety: Adversarial or confrontational sources – Committee to Protect Journalists
Editors’ checklist: Protecting staff and freelancers against online abuse https://cpj.org/2022/07/editors-checklist-protecting-staff-and-freelancers-against-online-abuse/
Digital Safety: Protecting against targeted online attacks – Committee to Protect Journalists
Journalist Safety and Emergencies – Committee to Protect Journalists
Digital safety – Committee to Protect Journalists
Digital Safety: Working from home – Committee to Protect Journalists
Online Harassment Field Manual – PEN America
13 security tips for journalists covering communities of hate online
Online Harassment Field Manual – PEN America
The Journalist Survival Guide
28 Decisive Pros & Cons Of Online Activism – E&C
Psychological safety: Online harassment and how to protect your mental health
Psychological safety – Committee to Protect Journalists
NICAR2019_Self-care for Journalists – Google Slides
Last edited on May 22, 2023