Press Freedom and Digital Safety

Tuesday, February 13, 2024

Communities Reporter, Seattle Times

Digital Security Advisor, International Women's Media Foundation

Introductory Remarks

Vice President for National Program and Outreach, Council on Foreign Relations


Senior Fellow, Council on Foreign Relations

Ela Stapley, digital security advisor at the International Women's Media Foundation, discusses strategies for the safety of journalists as they report on the 2024 election cycle. Tat Bellamy-Walker, communities reporter at the Seattle Times, discusses their experiences with online harassment and best practices for journalists on digital safety. The host of the webinar is Carla Anne Robbins, senior fellow at CFR and former deputy editorial page editor at the New York Times. A question-and-answer session follows their conversation.


FASKIANOS: Welcome to the Council on Foreign Relations Local Journalists Webinar. I’m Irina Faskianos, vice president for the National Program and Outreach here at CFR.

CFR is an independent and nonpartisan membership organization, think tank, and publisher focused on U.S. foreign policy. CFR is also the publisher of Foreign Affairs magazine. As always, CFR takes no institutional positions on matters of policy.

This webinar is part of CFR’s Local Journalists Initiative, created to help you draw connections between the local issues you cover and national and international dynamics. Our programming puts you in touch with CFR resources and expertise on international issues and provides a forum for sharing best practices.

We are delighted to have over forty journalists from twenty-six states and U.S. territories with us today for this discussion on “Press Freedom and Digital Safety.”

The webinar is on the record. The video and transcript will be posted on our website after the fact at CFR.org/localjournalists, and we will circulate it as well.

We are pleased to have Ela Stapley, Tat Bellamy-Walker, and host Carla Anne Robbins with us for this discussion. I have shared their bios, but I’ll give you a few highlights.

Ela Stapley is a digital security advisor working with the International Women’s Media Foundation. She is the coordinator of the course “Online Harassment: Strategies for Journalists’ Defense.” Ms. Stapley trains journalists around the world on digital security issues and provides one-on-one support for media workers in need of emergency assistance.

Tat Bellamy-Walker is a communities reporter at the Seattle Times. Their work focuses on social justice, race, economics, and LGBTQIA+ issues in the Pacific Northwest. Tat also serves on the National Association of Hispanic Journalists LGBTQIA+ Task Force, as a member of the Seattle Times Committee on Diversity, Equity, and Inclusion.

And Carla Anne Robbins is a senior fellow at CFR and co-host of the CFR podcast “The World Next Week.” She also serves as the faculty director of the Master of International Affairs Program and clinical professor of national security studies at Baruch College’s Marxe School of Public and International Affairs. And previously, she was deputy editorial page editor at the New York Times and chief diplomatic correspondent at the Wall Street Journal.

Welcome, Ela, Tat, and Carla. Thank you very much for being with us today. And let me turn the conversation now over to Carla.

ROBBINS: Irina, thank you so much. And, Ela and Tat, thank you so much for doing this. And thank you, everybody who’s here today.

We’re going to chat among us just for about twenty, twenty-five minutes, and then questions. You’re all journalists; I’m sure you’re going to have a lot of questions.

So, Ela, can we start with you by talking about the threat environment, as we national security people refer to it? The IWMF announcement on your safety training—and I want to talk about that—referred to, quote, a “spike in physical and digital violence” directed against U.S. newsrooms in particular. And it said, “This year alone, thirty journalists have been assaulted and eight have been arrested in the U.S., all following a surge of anti-media rhetoric.” And you also said that the U.S. currently ranks forty-fifth on the World Press Freedom Index, down from thirty-two just a decade ago; and also that this abuse disproportionately affects women and diverse journalists, who are often reluctant to speak out for fear of jeopardizing their careers. Can you talk a little bit about the threat environment here in the U.S., what’s driving it, and the different forms it’s taking—it’s taking?

STAPLEY: Yeah, sure. So I’m Ela Stapley. I’m a digital security advisor. So when I look at the threat environment, I’m looking at it from a digital safety standpoint. What we do see in the U.S., and we have seen now for a number of years, is a massive uptick in online abuse—or online violence, as it’s now called, in order to get across the seriousness of the situation. So when we’re talking about online abuse/online violence, what we’re really saying there is attacks on journalists that are now so serious that it’s really limiting their ability to do their work. And it’s really having—I don’t say this lightly—an impact on democratic conversation.

So one of the biggest issues that you see in the U.S. is this, along with common tactics that are used with online harassment and online violence. And that includes the publishing of journalists’ personal information online, known as doxing. This includes the home address or personal contact, such as a personal email or personal phone number for example, with an intent to do them some kind of harm. And we do see that being used against journalists in the U.S., especially if they’re covering particular beats. That includes so—kind of far-right or alt-right groups, for example, who—one of their tactics is doxing journalists online or people who talk about them in a way that they don’t agree with.

So that is one of the biggest threats we’re seeing. And we’re in an election year. I do think we did see this during the last election. There will be an increase in online abuse and harassment during that time, and all the other threats that come with it, which include doxing but also things such as phishing attacks, for example; malware attacks; and possible hacking attacks of accounts, for example, could also be something that we see an uptick in.

Other threats that journalists are facing. If they’re going out and they’re covering the election—so some of these rallies or places where they’re going—the chance of a physical confrontation might be quite high. So you’re seeing there kind of damaged equipment, which it sounds like a physical safety issue but is actually a digital security issue as well. So journalists quite often carrying their personal devices instead of work devices, that’s very common, especially for freelancers. And you know, if you haven’t backed those devices up, the content on them; or if you’re detained and those devices are searched, for example; what about the content that you have on them? How safe is that content? Not very. And do you have sensitive contacts on there or content that could put you or your sources at risk is something I’ll say that journalists, you know, need to be thinking about, I would say. And we do see that across the U.S. Obviously, some areas, some states may be more complicated than others.

ROBBINS: So I want to get to Tat and talk about your experiences and that of your colleagues, and then want to talk to both of you, because it seems like there’s this intrinsic tension here because—I mean, I’m going to really date myself—back in the day, when I started in the business, the idea that we would want to not share our emails or not share our phone numbers with people who we would want to be reaching out with us, we wouldn’t want to hide from potential—people who could be potential sources. So I understand there has to be, you know, a separation between the public and the private because the private can really be a vulnerability, but it's certainly a very different world from the world in which—when I started. And I will add I started writing with a typewriter back in the—Tat, there used to be typewriters. For you young’uns. OK. So, Tat, can you talk about your experience and that of your colleagues, in Seattle but also the people that you deal with in the groups that you work with?

BELLAMY-WALKER: Yeah. So I’ll talk a little bit about, like, my, like, personal experience. So last year I was covering, like, the local response to, like, the national, like, uptick in anti-drag legislation, and I interviewed, like, several, like, trans drag performers about, you know, how that had an impact on them. Like, it severely, like, limited their, you know—in terms of, like, violence, they were experiencing violence, and it was, like, difficult for them to navigate this, like, increasingly, like, hostile climate where, like, anti-drag, like, legislation was just going through the U.S.

So from me, like, writing that story, I started to get, like, a lot of, like, transphobic emails targeting me and my sources. And then from, you know, the, you know, transphobic emails and messages, later on, there ended up being, like, at this conservative Facebook page that also seen, like, the stories that I cover. And I’ve been covering, like, LGBTQ issues for a very long time including writing, you know, personal essays about my experiences as, like, a trans person. And they—like, they wrote this whole—this whole Facebook post about, you know, like calling me, like, a girl, like—it was, like, this whole thing. And they included, like, you know, that I work at the—at the Seattle Times. Like, it was, like, this very intense situation. And it ended up escalating even more to the Blaze writing a story about me.

And it just—like, it just escalated from me. You know, I wrote the story. Then, you know, there was the conservative Facebook page. And then, you know. You know, it ended up in a story being written about me. And so, like, things like that are very—are very serious, and really do you have, like, a negative impact on how, like, trans journalists, like, do our work. And for me, like, at that time, it did make me feel pretty, like, traumatized to see, like, how, you know, my story was, like, taken—like, it was—it just—it felt like it was just being used as this—like, this negative force, when I was trying to write about, like, why these drag performers were pushing for their craft, and why they—you know, be felt so intensely to push for their craft, at a time of such hostility targeting drag performers.

So for me, at that time, what was most important was to, like, assess, like, my online presence, and see how far was this going. Like, how far was this harassment going? So I made sure to, like, lock down my accounts. You know, that was very important for me to do. Also, having a friend document the abusive language that was coming up under the different post was very helpful. And just kind of like logging what was happening to me on, like, a day-to-day basis. Yeah, so that's essentially what I experienced. And it made me want to—I guess, in some way it made me want to make sure that I'm very careful about the information that I put out there about myself. So I have since, like, removed, like, my email address, you know, from the Seattle Times website. I try to be pretty careful about what I put online about myself. Yeah, so that—I would say those—that is how that had, like, an impact on me and my role in journalism.

ROBBINS: So before you wrote that story—because, of course, you were writing about people being harassed because of what they did—did you think about the fact that you were going to be harassed for what you did in writing about them?

BELLAMY-WALKER: At that time, I did not—I did not think about that, about how, like, writing about this story would have an impact on me. At that time, I did not think about that. But now, like, in hindsight, I know that it's important to be prepared for those, like, online attacks. And, like, vitriol and in everything. But yeah, it just—like, I didn't realize, like, how far it would go. Because at that time I was also pretty vocal about, you know, the lack of diversity of trans journalists in—just in journalism and the industry in general. So that also caught fire online with folks, you know, targeting me for that as well. So, I feel like all of those situations started to make me, like, a very big target for—you know, for these for these folks. But I know now in the future that it's important for me to prepare for these online attacks and everything.

ROBBINS: So you're talking about you preparing. Ela, I want to go back to the training that IWMF does, and this handbook, that we're going to share with everybody, that you all have developed. Which has really, I think, absolutely fabulous worksheets. This is one which I have here, which is an online violence risk assessment, which talks about things like have you previously been targeted. You know, questions that you want to ask yourself, that newsrooms want to ask themselves before the work starts.

Can you talk about the training that you all have done, and some of the—some of the things that take place in that training, that that makes—preemptively, as well as once things have happened? Some of them are big changes—raising awareness in the newsroom—and some of them are actually technical changes. Like some of the things Tat’s talking about, training people about how to even reel back their information. When I read this I thought to myself, God, there’s so much information out there. Is it even possible to pull that back?

STAPLEY: Yeah, so, unfortunately, Tat’s story is pretty familiar to me. It’s a story I’ve heard many times. And what we used to see—so I’ll talk a little bit about how online harassment kind of came to be and where it is now, just very briefly. So it used to be in the newsroom, online violence or harassment was seen as, you know, something that happened to normally women journalists, so nobody really paid that much attention, if I’m honest with you. It’s only in the last few years that newsrooms have started more seriously to pay attention to online violence as an issue in terms of protecting their journalists.

So online harassers were also seen as kind of just a guy in a hoodie in their basement attacking a person over and over. And that stereotype still exists. That person still exists. But now there’s a whole other layer, there’s a whole array of other actors involved, including state-sponsored actors, particular groups online who are hacking groups, but also other groups who feel very passionately about particular topics on the internet. And I use the word “passionate” there not in—not in a positive sense but also negative. So they have strong opinions about it. And they will target journalists that publish on these issues.

And I think before we could predict who those journalists would be. So if you were covering particular beats you were more likely to get harassment. But now we’re seeing it as just a general attack against journalists, regardless of the beat. So if you’re a sports journalist, you’re likely to get attacked by sports fans equal if you’re covering—you know, the journalists who are covering LGBTQ+ issues, anything to do with women, anything to do with race—disproportionately likely to face attacks. And if they are from that community themselves, even more so. There’s a lot of academic research that’s been done on this. So Tat’s situation, unfortunately, for me in my position, I would see Tat, I would think: This is a story that Tat’s covering. The likelihood of Tat getting abuse is incredibly high.

Now, from our work with newsrooms, what we began to see is that newsrooms started to think about how they could better protect their staff. In some newsrooms, you know, that conversation needed to be had. But some newsrooms were reaching out to us proactively. And I have to say, the Seattle Times was one of those. And I have to give a big shoutout to the Seattle Times for their interest in the safety and security of their journalists. And we’ve worked very closely with the Seattle Times on this guide, actually. So part of the pre-emptive support is not only raising awareness with upper management, because if upper management are not on board it’s very difficult to implement changes, but also putting good practices in place. So the more you can do in advance of an online attack, the better it is for you. Because it’s very difficult to be putting best practices in place when you’re in the middle of a firestorm.

So the more pre-emptive steps you can take, the better it is for you, as a newsroom but also as an individual journalist within that newsroom, especially if you fit into one of those categories that are more high risk. So we, at the IWMF, we've been working very closely with journalists. We started training journalists and newsrooms in data protection. So how to best protect your data online? This is the kind of information Tat was talking about—your email address, your cellphone, your home address. But what we realized was the training wasn't enough, because after the training the journalist would go, well, now what? And the newsrooms would be, like, well, we don't have anything. So what we needed was policy. We needed best practices that journalists could access easily and, ideally, roll out fairly easily to staff.

Now, I will say that a lot of content for this does exist. There are other organizations that have been working on this topic also for an equally long number of times, and they do amazing work. But what we were hearing from journalists was: There's a lot of information and we need short, simple one-pagers that will really help us protect ourselves. And also. editors were saying: We need it to help protect our staff. So they didn't want to read a fifty-page document. What they wanted was a one-page checklist, for example. So the guide that we created came out of a pilot that we ran with ten newsrooms in the U.S. and internationally, where we worked with—and the Seattle Times was one of those—we worked with the newsroom very closely, with a particular person in that newsroom. to think: What do they need and how could we implement that for them?

In some cases, in the Seattle Times, they created their online—their own guide for online harassment. In some cases, it was newsrooms that they only could really manage to have a checklist that would help them protect staff data as quickly as possible. So it really depends. Different newsrooms have different needs. There's no really one-size-fits-all when it comes to protecting staff. I can't say to this newsroom, you need to do this. I can say, what is your capacity? Because a lot of newsrooms are overstretched, both financially but also in terms of people. And how many cooks in the kitchen? Generally, the bigger the newsroom, the more difficult it is to roll out change quickly because you need more buy-in from different areas within the newsroom.

And the most successful pre-emptive support we see is from newsrooms where there is, what we call, a newsroom—a champion in the newsroom. Someone who pushes for this. Someone who maintains that momentum and is also able to communicate with HR, for example. Because some support needs to come from HR. What do you do if you've got a journalist who needs time off, for example because they've been getting death threats? Support from IT departments. Traditionally, IT departments in newsrooms are responsible for the website, for making sure your email is running. They're not generally resourced and trained in how to deal with a journalist who's receiving thousands of death threats via their Twitter feed.

So getting newsrooms to think about that, and also getting newsrooms to think about you have journalists who are using their personal social media for work-related content. And you request them to do this. But you are not responsible for protecting those accounts. And that’s a real gray area that leaves a lot of journalists very vulnerable. So their work email may have all the digital security measures in place and helped along by their IT team, but their personal Instagram account or their Facebook account has no security measures on it at all. And that is where they will be most vulnerable. Because online attackers, they don’t just look at the journalist in the newsroom. They look at the journalists, the whole picture. So your data that you have on the internet is really your calling card to the world. So when people Google you, what they see is how you are to them. So they make no distinction there. There’s no distinction for them in terms of work and personal.

So at the IWMF what we’ve been doing is really working with newsrooms to help them roll out these best practices, best as possible, to put them together, to help them write them, and then to sit with them and try and figure out how they can roll it out. And some do it quicker than others, but there’s been a lot of interest. Especially now, during the election.

ROBBINS: So, Tat, can you—what’s changed since your experience? What do you do differently now?

BELLAMY-WALKER: Yeah. I would say maybe like one of the main things that I—that I do differently is, like, trying to prepare ahead of these potential attacks. So that includes like, doxing myself and removing personal info about myself, like, online. So like signing up for, like, Delete Me, sending takedown requests to data broker sites, submitting info removal requests to Google. Sometimes that works. Sometimes it doesn’t. But trying to, like, take away that, like, personal information about myself.

I would also say, locking down my accounts and using more two-factor authentication. For, like, my passwords in the past, I have just used very simple, easy-to-remember passwords. But I have learned, like, since the training that it’s really important to have a password that’s way more secure. Even for me on the go, I just want something that’s easy to remember. So using, like, a password manager, like one password. So that has also been helpful for me. And also paying attention to my privacy settings. You know, on, like, Facebook or Twitter. You know, making sure that it’s only me that can look up, like, my phone or my personal, like. email address. So that is helpful.

And just generally, like, using the resources from IWMF’s online violence response hub. That has been very helpful as well, and making sure that I have a good self-care practice. And having, like, a team of folks that I can process these different challenges with, because unfortunately, like, you know, this won’t probably be, like, you know, the last time that I experience threats like this, given the nature of my reporting. So it’s really important for me to also have, like, a self-care practice in place.

ROBBINS: So maybe, Ela, you want to go through some of that a little bit more deeply, although Tat sounds like Tat’s really on top of it. So these online data brokers, can you just—do you have to pay them to delete yourself? Or are they legally—you know, do they have to respond to a request like that?

STAPLEY: OK. So let me start by saying that the U.S. has some of the worst data privacy laws I’ve ever seen.

ROBBINS: We’ve noticed that before.

STAPLEY: So it’s very difficult for a journalist to protect their personal information, just because so much information in the U.S. has to exist in a public-facing database, which, for me, is quite astounding really. If you buy a house—I don’t know if this is statewide or if it’s just in certain states—

ROBBINS: Let me just say, as journalists, we are ambivalent about this, OK? On a certain level, we want to protect ourselves. But on another level, that’s really useful if a corrupt person is buying that house, OK? So we’re—you know, we’re not really crazy about the ability to erase yourself that exists in Europe. So we’re ambivalent about this. But please, go on.

STAPLEY: Yeah, but I think from a personal safety standpoint it makes you very vulnerable. And the reason for this is that journalists are public-facing. So but you don't have any of the protection that is normally offered to kind of public-facing people. If you work in government, for example, if you're incredibly famous and have a lot of money, for example, you can hire people. So a lot of journalists don't have that. So it makes them very vulnerable. And they're also reporting on things people have strong opinions about, or they don't want to hear. And they're also very—they're very visible. So and they give—this gives people something to focus on. And when they start digging, they start to find more and more information.

So and when I talk about journalists having information on the internet, I’m not saying that they shouldn’t have anything. Because a journalist has to exist on the internet in some form, otherwise they don’t exist and they can’t get work, right? So it’s more about the type of information that they have on the internet. So ideally, if I were to look a journalist up online, I would only find professional information about them, their professional work email, where they work, probably the town they live in. But I shouldn’t be finding, ideally, pictures of their family. I shouldn’t be finding pictures of their dog in their home. I shouldn’t be finding photos of them on holiday last year, ideally.

So it’s more about controlling the information and feeling that the journalists themselves is in control of that information that they have on the internet, rather than people putting information on the internet about you. So data brokers sites, you’re very familiar with them. As journalists, you use them to look up sources, I’m sure. But people are also using them to look up you. If I was a citizen, never mind just a journalist, in the United States, I would be signing up to a service. There are a number of them available. One of them is called Delete Me. And they will remove you from these data aggregate sites.

Now you can remove yourself from these data aggregate sites, but they are basically scraping public data. So they just keep repopulating with the information. So it’s basically a constant wheel, basically, of you requesting the information to be taken down, and them taking it down, but six months later putting it back up. So companies will do this for you. And there’s a whole industry now in the U.S. around that.

Now the information that they contain also is very personal. So it includes your home address, your phone number, your email. But also, people you live with, and family members, et cetera. And what we do see is people who harass online, if they can't find data on you they may well go after family members. I've had journalists where this has happened to them before. They've gone after parents, siblings. And so it was a bit about educating your family on what you're happy and not happy sharing online, especially if you live or have experienced already harassment. So that's a little bit about data broker sites. We don't really see this in any other country. It's very unique to the United States. With all the good and bad that they bring. But in terms of privacy for data for journalists' protection, they're not great.

Other preemptive things that journalists can do is just Google yourself, and other search engines. Look yourself up regularly and just know what the internet says about you—whether it’s negative, whether it’s positive. Just have a reading of what the internet is saying about you. I would sign up to get Google Alerts for your name, and that will alert you if anything comes up—on Google only—about you. And when you look yourself up online, just map if there’s anything there that you’re slightly uncomfortable with. And that varies depending on the journalist. It could be that some are happier with certain information being out there and some are less happy. But that’s really a personal decision that the journalist makes themselves. And it really depends on, what we call in the industry, their risk profile.

So what do I mean by that? That’s a little bit what I was talking about earlier, when I was talking about Tat’s case. The kind of beat you cover, whether you’ve experienced harassment previously, or any other digital threats previously, who those attackers may be. So it’s very different the far right or alt-right, to a government, to, you know, a group on the internet of Taylor Swift fans, for example. So knowing who the threat is can be helpful because it helps you gauge how more or less the harassment will be and also other digital threats. Do they do hacking? Are they going to commit identity theft in your name? So getting a read on that is very important. Identity theft, a lot of groups like to attack in that way, take out credit cards in your name. So it’s quite good to do a credit check on yourself and put a block on your credit if you are at high risk for that. And you don’t need to have this all the time. It could just be during periods of high levels of harassment. For example, during an election period where we see often a spike in online harassment.

Once you have seen information about yourself online, you want to take it down. If you are the owner of that information, it’s on your social media, et cetera, you take it down. The internet pulls through, it removes it. Please bear in mind that once you have something on the internet it’s very difficult to guarantee it’s completely gone. The reason for that is people take screenshots and there are also services such as the Internet Archive, services like the Wayback Machine. These types of services are very good at taking down data, actually, if you request. You have to go and request that they remove your personal data. So you may have deleted information from Google or from your own personal Facebook, but maybe a copy of it exists in the Wayback Machine. And quite often, attackers will go there and search for that information and put it online.

So if somebody has put information about you on what we call a third-party platform—they’ve written a horrible blog about you, or it exists in a public database—then it’s very difficult to get that data taken down. It will depend on laws and legislation, and that varies from state to state in the U.S., and can be quite complicated. I’ve had journalists who’ve been quite successful in kind of copyright. So if people are using their image, they’ve—instead of pursuing it through—there are very few laws in place to protect journalists from this, which is something else that that’s an issue. If you do receive online harassment, who do you go to legally? Or maybe even it’s the authorities themselves that harassing you, in certain states. So maybe you don’t want to go to the authorities. But there’s very little legal protection really there for you to get that data taken down and protected.

So once you’ve done kind of knowing what the internet says about you, then you just need to make sure you have good account security. What do I mean by that? That means having something called two-factor authentication turned on. Most people are familiar with this these days. They weren’t when I was doing this five years ago. Nobody had heard of it. Most people are using it now. Most people are familiar with this through internet banking, where you log into your account and a text message comes to your phone or an email with a code. Most online services offer this now. Please, please turn on two-factor authentication. There are different types. Most people use SMS. If you are covering anything to do with alt-right, far right, anything where—or hacking groups, or particular—if you’re covering foreign news, I don’t know if there’s here, and you’re covering countries that like to hack a lot, you want to be looking at something a bit more secure, such as an app or a security key.

And then making sure yeah, and Tat mentioned a password manager. The most important thing about passwords is that they're long. They should be at least fifteen, one-five, characters. And they should be different for each account. Sorry, everyone. And the reason for that is if you are using the same password on many accounts, and one of those services that you have signed up for gets hacked, they've been keeping your password in an Excel sheet on their server instead of an encrypted form, then everyone will have your password for your Gmail account, your Instagram account, et cetera. That's why it's really important to have different passwords for different accounts.

How you can do that? Using a password manager or, it is statistically safer to write them down and keep them safe in your home. If you feel safe in your home, if you're not at risk of arrest and detention and you don't cross borders, statistically it's much safer to write them down. Don't obviously stick them to your computer, but you can keep them somewhere safe in your home. Much safer than having passwords that are very short or reusing the same password on many accounts. Or, on any other account. That will prevent hacking, basically. Which online abusers do like to do? So that's kind of a little bit of a very quick walkthrough on that. And we do have resources that we can send out which will guide you through that.

ROBBINS: So I want to turn it over to the group. I’m sure you guys have questions. You’re journalists. So if you could raise your hands or put it in the Q&A, please. I’m sure you have many questions for our experts here. While you’re doing that, I’m just looking at the participant list. If not, I’m going to start calling on people. It’s something I do all the time. It’s the professor side of me that does that.

Well, while people decide what they’re going to ask, Tat, so since I said Ela said that your newsroom is actually one that’s been trained in, and that’s actually quite good, how much support they give you? And what sort of support? I mean, if something costs money, did they pay for it, for example? You know, have they—you know, have they given—paid for password manager? Have they given you, you know? And what’s the—what’s the support they gave you, and what do you wish they gave you?

BELLAMY-WALKER: That’s a really good question. Well, I would say, maybe the first thing that they had—like, you know, they sent over the different, like, resources, and, you know, for, like, online harassment. And also, they recommended that I take out my, like, email address from the bio online. Since so many of my—since so many of the messages were coming to my email. But in terms of, like, money towards, you know, getting, like, a password manager or, you know, trying to delete some of these, you know, information about me from the internet, I was not provided, like, support with that.

And I think just, like, in the future, I—you know, at the time of these stories I was very new to my position. And I think it’s, like, you know, it would be great if, like, news organizations, like, give more trainings on online, like, risk. I think that would be very, like, helpful. Like, alongside having a guide, like a training as well, for, like, new employees. I think that would be very helpful.

ROBBINS: So sort of basic onboarding? I mean, this should be a required—a required part of—a required part of it. Ela, are there newsrooms that are doing that now? They've just sort of included this as part of the onboarding process.

STAPLEY: Well, ideally, it would be included in the onboarding process. A lot of newsrooms we’ve worked with have included it within the onboarding manual. But obviously, training is money. Newsrooms are short on money these days. So it can be quite difficult. And also, if there’s a high staff turnover, one of the issues we’ve noticed is you can create the best practice, you can train journalists, but journalists leave. New journalists come. Who’s staying on top of that and managing that? And that’s why it’s important to get HR involved from the beginning because maybe HR—in some newsrooms, HR is the editor and also the IT person. So it really depends on the size of the newsroom and how much support they can offer, in terms of financially as well, how much support they can offer.

Delete Me is expensive if you add it up for many journalists within your newsroom, or other data broker removal services. One Password actually does free accounts for journalists. So I would recommend that you have a look at that. They have One Password for journalism. And you can—and you can sign up for that. But obviously, it costs money. You know, and there are bigger issues newsrooms need to think about as well. So one of the things we encourage them to think about is how much support can you offer, and also to be honest about that support. So what you don’t want is a journalist who’s been doxed, their home addresses all over the internet, they’ve had to move out, but they find out their newsroom can’t pay for that. So where did they go? Do they still have to work during that period, for example? So getting newsrooms to think through these issues in advance is really helpful for the newsroom because then they can say, look, if this happens we are able to provide this for this amount of time, and after that, you know, we can do this, this, and this.

Some newsrooms can't afford to pay for journalists to move out of their home because their budget is too small, but maybe they can offer time off, for example, paid time off, or mental health support through insurance. Maybe they can start to build community networks in the newsroom. This is increasingly more important, as newsrooms—we were speaking about this earlier—are more remote. So people aren't coming into the office so much. So you're not connected to people as much. There's no kind of chatting to people around the water cooler like they used to. So, you know, this kind of self—almost kind of exchanging information between journalists around, like, how to protect against issues or which issues are causing more conflict or—could be tricky.

It may not be being picked up, on especially for younger journalists coming into the newsroom because, you know, they're just starting out on their journalism career. They don't have years of experience behind them. And they can often be vulnerable to attacks and, you know, I, on several occasions, spoke to editors at newsrooms, small local newsrooms, who had sent out, you know, like, a young reporter or just a reporter—junior reporter to cover a protest, which was actually a far-right, or alt-right march. And then that journalists would be doxed.

And the journalists were completely unprepared for that. The newsroom was completely unprepared for that. Because they hadn’t assessed the risk. They hadn’t seen what the risk, and they wouldn’t have known that doxing was a very common tactic used by these groups. So planning for that in advance is really important. That’s why risk assessment can be really great—a great tool. Getting newsrooms to think through risk assessment processes.

ROBBINS: So we have two questions. One from someone named Theo. I’m not sure, I don’t have a list in front of me. Do you recommend any apps for password managers? This person says: I went to a seminar that suggested LastPass, and then LastPass had its data stolen a few months later. This has always made me actually nervous about password managers. I sort of wondered how secure they are. It seems to me every time I get my snail mail I’m getting another warning that, like, something else of mine has been hacked. And we’re going to give you a year of, you know, protection. Are there any of these apps—are they actually secure?

STAPLEY: So, one of the things about digital security and safety that journalists really hate is that it’s a changing environment. So, something that was safe, you know, yesterday, isn’t safe today. And the reason for this is, is that tech changes, vulnerabilities become open. Hackers attack. Governments and other groups are always looking for ways to attack and find access. And people in my industry are always looking for ways to protect. So it’s always in a kind of constant change, which is frustrating for journalists because they just want to say use this tool, it’ll work forever, and it’ll be fine. And I’m afraid digital safety is not like that. So nothing you use that is connected to the internet in any shape or form is 100 percent safe, or any device. And the reason for that is, is there is always a possibility that there is a vulnerability that in some area that could be leveraged.

So what you’re looking for is really for journalists to stay up to date with the latest tech information. And you’re all journalists. So this, you know, it’s just research. So it should be pretty OK for you to do. The best way to do it is just to sign up to the tech section of a big newspaper, national newspaper, and just get it coming into your inbox. And you’ll just stay up on, like, who’s buying who, what data breaches have there been, who’s been hacked, what hacking groups are out there. You don’t have to investigate in depth. You just have to have a general read of what’s happening in the global sphere around this issue.

I think Elon Musk's buyout of Twitter, for example, is a very good example of, you know, what happens when a tech tool that we all depend on changes hands, right? I know journalists who built their entire careers on Twitter and are now just really floundering because it's so difficult to access audiences and get the information. So in order to answer your question, no, nothing is 100 percent safe. But if you're looking to use something, there are certain things that you should look for. Like, who owns this tool? What are they doing with your data? And how are they storing that data? So in terms of password managers, for example, password managers are currently the industry best practice for passwords for the majority of people. There are certain groups within that who may be advised not to use them, most of them are the more high-risk ones.

So they—password managers are keeping your passwords in encrypted form on their servers. What does that mean? If someone hacks a password manager, they can't gain access to those passwords. In terms of LastPass, what we saw was security breaches but no actual passwords being accessed. But the fact that they'd have several security breaches made people very unsettled. And, you know, people have been migrating off LastPass, basically. It means their general security ethos may not be as secure as people want. So, you know, you have to move elsewhere. And that is for any tech tool that you use. So now maybe people aren't using Twitter; they’re moving over to LinkedIn. You may be using iMessage one day but may have to migrate over to WhatsApp another. So having many options in play is always—is always good as well. So don’t just rely on one thing and expect it to work forever in the world of tech. Generally, it doesn’t.

ROBBINS: We are we have—so, Theo, I’m just going to answer your question really quickly, because that’s one that I actually know something about. This is—Theo asked whether there’s any suggestions—and Theo, I believe, is Theo Greenly, senior reporter at KUCB. Suggestions when finding/choosing a fixer on a reporting trip, especially abroad? Questions to ask or things to look for when initially assessing risk before a trip. I would just say, for finding a fixer, find somebody who’s worked in that country already and ask their advice. That’s the only way you can do it. It’s just—the same way if you’re going down a road and whether or not you think there are mines on that road, ask people who know.

There’s, like, no—you just have to rely on the kindness of people who’ve already worked in that environment. And it’s just—that’s what I did for years and years and years working abroad, is that I always relied on people who knew more. I can tell you the first trip I had was in Haiti. The overthrow of Baby Doc. Yes, I’m that old. And I was flipping out. And I called my husband, a very experienced foreign correspondent. And he said to me, find Alfonso Chardy from the Miami Herald, and do everything that he’s already doing. He was completely right. And that’s how I learned how to do it. So that’s—you know, there’s no secret here. It’s just find more experienced reporters. And they’re usually really kind, and they’re really, really helpful.

So there’s a question from—is it Steve Doyle? StDoyle. What suggestions do you have for journalists facing physical threats? How should journalists be prepared for that? Ela, Tat? I don’t know if you—this is focused on digital, but do you guys—have you heard of any training? I know that when my reporters at the Journal went overseas, they had a lot of training on security, particularly the ones who went to Afghanistan and Iraq. And we had to pay for it. We went to security companies that trained them. Have you heard anything about people being trained for physical protection in the United States?

STAPLEY: Yeah, the IWMF is currently actually on their U.S. safety tour. So they’re visiting states and training them in physical and digital safety. So you can go to the website and check that out. So they do do also the HEFAT training as well. I’m not a physical security expert, so I can’t really speak to that. But, yes, there are organizations that offer this. But there’s a lot more that are obviously paid for than are actually free. But, yes, there are organizations out there that do offer this type of training, press freedom organizations.

ROBBINS: Tat, have you done any training on physical security? Because you’re out and about in the community all the time.

BELLAMY-WALKER: Hmm. Yeah. So I would also echo the IWMF’s HEFAT training. During the training, like, we learned how to, like, you know, if we’re in a protest and it gets extremely, like, hostile, we learned how to navigate ourselves, like, out of that situation. We learned how to navigate—if there’s a mass shooting, like, what to do. If—you know, if we’re, you know, getting kidnapped or something, we learned how to navigate that situation. So I would definitely recommend IWMF’s HEFAT training has something for folks to use to learn how to navigate these different physical threats that can come up in the field.

ROBBINS: Great. Well, we will share a link to that as well when we send out our follow up—our follow-up emails. That's great to know, that that's available. Also never go in the center of a crowd. Hug the buildings. You don't want to get trampled. It's another thing my husband taught me in the early days. These are all really useful things.

Question: For a reporter who covers a remote minority community in a news desert, she must be visible on social media for sources to reach her. At the same time, she’s getting harassed/doxed. We provided Delete Me, but she still needs to be findable. Best practices? That was—I mean, it seems to me, sort of that’s the great paradox here. You know, how can you be visible so people can find you, but at the same time you don’t want to get people—the wrong people finding you? How do we balance that?

STAPLEY: Yeah. And, like I said, it’s different for each journalist. Depends on the degree of harassment, and how comfortable, and who’s harassing you as well. So generally, if the people who live close to you are harassing you, the physical threat level is higher. So that’s something to be mindful of. So, you know, if you’re—some of the most challenging cases are journalists who report on the communities that they are living in, and those communities are hostile to them in some form. And it can be very, very difficult for them to stay safe, because they also know where you live. Because, you know, they know your aunt or whoever, like they live three doors down.

But I think really it's then about putting best practices in place. So having a plan for what if this happens, what will we do as a newsroom to support this journalist? And maybe seeing—asking the journalist what they feel that they need. So when it comes to harassment on social media, I'm afraid—a lot of responsibility for managing that harassment should come from the platforms, but it doesn't. And there are very few practices now in place, especially, you know, what we've seen with X, or what was previously Twitter. You know, the security there is not as efficient as it once was. I think I could say that. So you can be reporting things, but nothing's happening. Or they say that it adheres to their community guidelines. Often we hear that from Facebook, for example, or Instagram.

One thing you should know, if you’re reporting harassment, is you should read the community guidelines and see how that harassment—you need—you need to parrot the same language back to them. So you need to show them how the harassment is violating their community standards, and just use the same words in your—in your report. And document it. So keep a spreadsheet of who—what platform it happened on, take a screenshot of the abuse. Don’t just have the URL, because people delete it. So make sure you have the handle name, the date, the time, et cetera. And the harassment, the platform it happened on, whether you reported it, who you reported it to, have you heard back from them.

Why would you document it? Well, it really depends. Maybe, you know, it’s just personal, so you can track it. Maybe it’s for you to show editors. Maybe it’s to take to the authorities. But that’s not always appropriate for everybody. You may or may not want to document—and you can’t document everything. So you’re just looking for threat to life there, I would say. And it can be helpful to get—I know Tat mentioned this—to have, like, a community of people who can help you with that. So in the case of this journalist, like, what’s their external support network like? Are there other journalists that journalists can be in contact with? What can you offer that journalist in terms of support? So does that journalist need time every week to kind of document this during work hours so she doesn’t—or, he—doesn’t have to spend their time doing it on the weekend? Do they need access to mental health provision?

Do they need an IT team? So it sounds like it's a small outlet, you probably don't have—maybe have an IT team? Or, you know, the owner's probably the IT person. That's normally how that works. So what can you do there to make sure their accounts are secure, and make sure they know that they don't always have to be online? So one of the most important things for journalists is for people to contact them. But if you're on a device all the time, and that device is just blowing up with hatred, it can be quite useful to have a different device, a different phone number that you use for personal use. And that, you know, maybe you don't work on the weekend, you switch your work phone off so you don't have to be reading all this abuse.

I know switching the phone off for a journalist is like never going to happen, but in some cases it could be useful. If you’re in the middle of a sustained, like, vicious attack, you know, just having your phone explode with calls, messages, emails, all just coming at you 24/7, is really not great. And it really impedes your ability to do work as well. So, you know, putting a bit of separation there, and helping that journalist—letting that journalist know that you support that journalist doing that is really helpful. That’s a really good, important step for a newsroom to do, kind of giving them that support.

ROBBINS: So one of the things that Ela said, and, Tat, I want to ask you about it. Ela said something about knowing something about who your attacker is, because then you might know more about whether they just—they’re just going to dox you—I don’t mean “just”—but if they’re going to focus on doxing, versus they maybe want to hack your personal accounts, or they want to go after your aunt, or they may actually come to your newsroom and physically threaten you. That people have patterns of their attacks. When you were getting attacked over the story you were doing about drag laws, did you have a sense—did you know who was attacking you? Did you research it?

BELLAMY-WALKER: Yeah, I did. At first, it just seemed like it was just, like, random folks, you know, from, you know, the internet. But I started to see that there was definitely this, like, conservative Facebook page. Like, everyone from that conservative Facebook page. They were all definitely emailing me. You know, I’m definitely maybe not 100 percent sure about that, but it seemed like the Facebook page took the harassment to a whole different level, especially because they included, like, where I work. They, you know, had spoke about like a tweet that I had wrote about, like, the journalism industry in general, in terms of diversity. So many of the attacks started to heighten from the Facebook page, and then the article that was written about me.

And so for me, it’s really important for me to, you know, check, you know, what is being, you know, written about me through either Google searches or I will search Facebook, and that’s how I came across this, you know, conservative Facebook page. I think they were called, like, the Whiskey Cowboys, or something like that. Yeah, yeah. So that’s how I look at—that’s how I came across them. It was after I had done, like, a search of my name in Facebook. And if I had not done that search of my name, I would not have realized, like, why it was becoming so intense. Because before then, I did—you know, definitely I get some emails here and there, but never something as targeted as it was. I’m like, whoa, like, these are getting, like, really, really personal. And then with the Facebook page, it was very, very personal attacks on me.

ROBBINS: So, Ela, I think my final question to you is, sometimes a Facebook page isn’t necessarily who we think it is. I mean, it could be the Iranians. It could be somebody in New Jersey. It’s not—I mean, there’s Donald Trump, it’s some 300-pound guy in a basement in Newark, New Jersey. OK, well, that’s a story for another day. Do you guys or does someone else have—you know, has done more forensic research so that if we’re getting—we’re getting attacked we can say: That looks like X group, and we know that they tend to mainly focus on doxing, or you probably should be more aware that they’re going to go after your financial resources? Is there some sort of a guide for particular groups in the way they do their work?

STAPLEY: Not a guide, as such. But, yes, there are journalists who’ve researched the people who have harassed them. And it also makes very good stories—I know journalists who have written good stories about that. And, obviously, there are tech professionals, IT professionals, who can also look into that. They can study things like IP addresses and things. And it helps build up a picture of who the attackers are.

But I think here, the important thing is if you are writing on a particular story—on a particular topic or on a particular region of the world, knowing who’s active online with regards to that topic and regards to that region of the world, and what they can do in terms of their tech capacity, is important. Ideally, before anything happens, so that you can put steps in place.

ROBBINS: But how would I, if I work at a medium-sized or small newspaper—you know, where would I turn for help for that sort of risk assessment, as I’m launching into that? You know, how would I know that if I’m going to go down this road that I might draw the ire of X, Y, or Z that has this capacity? Where would I look for that?

STAPLEY: Yeah, speaking to other reporters who cover the same beat is very helpful, whether in your state or just, like, if you have reporters in other areas of the country or in other countries. You know, if you’re covering international news, like, speaking to them and finding out if they—what digital threats they’ve faced is a really useful step. So connecting to that network, like we talked about fixers in different countries. Like, getting a feel for it.

But ideally, this should come from the newsroom themselves. So, you know, ideally, newsrooms should be proactive about doing risk assessments. And ideally, they should train managers. They should train editors on this. So a lot of responsibility does kind of fall to the editor, but a lot of them haven’t been trained in how to, like, roll out a risk assessment appropriately. And so getting newsrooms to really be proactive about this, training their editors, and being—you know, looking at the risk assessments, putting them in front of people, and getting them to—and asking them to fill them out. Because the risk assessment really is about mitigating risk. It’s getting you thinking, what are the risks? How can you reduce them in a way that makes it safer for you to go about your daily life, but also to continue reporting? Which at the end of the day, is what all journalists want to do.

ROBBINS: Has anybody—like Pew or anybody else—brought together sort of a compendium of, you know, significant online attacks that journalists have suffered, sort of organized by topic or something? That would be really useful.

STAPLEY: Yeah, there’s a number of organizations that have published on this. There’s been a lot of academic research done. The ICFJ and UNESCO did one, The Chilling it’s called. That was a global look, against women journalists, and involved a lot of case studies. We have our online violence response hub—which Tat mentioned earlier, which I’m very pleased to know that Tat was using—which is a one-stop shop for all things online harassment-related. And there you will find the latest research. So you can go there and search for academic research, but it also has, like, digital safety guides, guidance for newsrooms, as well as for journalists and for those who want to support journalists to better protect themselves.

ROBBINS: That’s great. Ela, Tat, thank you both for this. I’m going to turn it back to Irina. We’re going to push out these resources. And this has just been—I’m fascinated. This has been a great conversation. Thank you so much, both of you.

STAPLEY: Thank you.

FASKIANOS: Yes. And I echo that. Ela Stapley and Tat Bellamy-Walker, and, of course, Carla Anne Robbins, thank you very much for this conversation. We will send out the resources and the link to this webinar and transcript. As always, we encourage you to visit CFR.org, ForeignAffairs.com, and ThinkGlobalHealth.org for the latest developments and analysis on international trends and how they are affecting the United States. And of course, you can email us to share suggestions for future webinars by sending an email to [email protected].

So thank you for being with us today. And thanks to all of you for your time. We appreciate it.

ROBBINS: Ela and Tat, thank you for the work you do. Thanks, Irina.


Top Stories on CFR



The closely watched elections on July 28 will determine whether incumbent President Nicolás Maduro wins a third term or allows a democratic transition.

International Law

The high court’s decision could allow future U.S. presidents to commit grave abuses of power with impunity, with serious implications for U.S. foreign policy and national security.