Reactive Practices
Reactive practices are strategies implemented during an incident, breach, attack, or other crisis. When considering reactive practices, your organization needs to have managed expectations. The goal of an incident response can’t always be to stop the attack; sometimes it’s just to survive the attack.
Evaluating the efficacy of a reactive strategy based on whether or not it ends the incident often leads to an experience of helplessness. Evaluating it based on whether or not team members feel resourced, supported, and competent throughout the experience can lead to an experience of competence and a strengthening of team bonds.
Experts suggest thinking about this like a severe weather event. A preparedness plan for a severe weather event isn’t based on strategies to make the storm stop happening, but rather strategies to meet one’s needs, minimize damage, and continue to do what one needs to do, within the emergent circumstances of the storm.
For example, if an employee or member is subject to online harassment by a large group of non-state actors, your organization’s ability to stop the harassment is minimal. In those cases, the organization’s support of its employee or member can include steps like: trying to prevent the harassment from moving from online to offline; shielding the individual from encountering the harassment while monitoring it for escalation; isolating the incident by locking down other accounts in the network; issuing a statement in support; providing support to all impacted by the harassment; and carrying on with your work.
The first step of digital crisis response should always be to care for the physical and emotional well-being of the people at the forefront of the crisis. Human bodies respond to emotional danger the same way as physical danger, so even threats that never move from online to offline activate the fight-or-flight response. Stress and sleep deprivation make us more vulnerable to mistakes, including security missteps, and even most high-stakes situations aren’t as urgent as they feel. All incident response playbooks should balance acknowledging the harm of the incident with supporting collaborative and careful responses rather than panic.
These types of targeting create a wide range of specific experiences and circumstances, ranging from the physical danger of an arrest or effective SWAT to the isolation of being cut off from digital support networks because of the flooding of antagonistic messages. All of these experiences are potentially traumatic, and an effective response first and foremost cares for the trauma of the impacted person or people.
The requirements set by OSHA for responding to workplace violence begin with the responsibility to provide “comprehensive treatment for workers who are victimized personally or may be traumatized by witnessing a workplace violence incident. Injured staff should receive prompt treatment and psychological evaluation whenever an assault takes place, regardless of its severity, free of charge.” In the absence of this care, “consequences may include: short- and long-term psychological trauma, fear of returning to work, changes in relationships with coworkers and family, feelings of incompetence, guilt, and powerlessness, fear of criticism by supervisors or managers.”
The Digital Defense Fund provides the following guiding questions to assess the level of nervous system activation faced by an individual.
How immediate is this crisis? Does this crisis require an immediate response? Do I have time to do grounding exercises or reach out for tangible and emotional support?
How am I feeling? Are my emotions fleeting or long-lasting? Am I tired, energetic, or average? Do I need to eat something or rest?
How is my breathing? Is my breathing fast or slow? Am I exhaling from my stomach or chest?
How is my focus? Am I able to concentrate or am I distracted? Am I able to focus for a short or long time?
How is my body doing? Do I have any tension or pain? Do I need to rest my body?
What resources, internal and external, do I have access to? What do I not have access to? Who can I call for support?
Is the harassment targeted at one person, or is it broadly targeted?
Is it coming from one or a handful of actors, or is there a mob?
Are there specific threats, or are they generalized?
Has the personal information of one or more members or employees been obtained? Are there internal documents or data of the organization being shared publicly?
Are there state actors involved?
How organized are the attackers?
What playbooks have we prepared to cover incidents of this nature?
Crash Override: “Doxxing is the act of publishing someone’s personal information, of which there would be a reasonable expectation of privacy and dubious value to the conversation, in an environment that implies or encourages intimidation or threat.”
Personal information published could be relatively easy to find, or requiring significant effort. It frequently includes a target’s home or work address to make the target afraid that other attackers might come there in person to escalate. The intent of doxxing tends to be to make the target feel that their personal space and physical safety have been invaded and compromised. More information about doxxing can be found here.
CSO: “Swatting is a form of harassment in which attackers try to trick police forces into sending a heavily armed strike force — often a SWAT team, which gives the technique its name — to a victim's home or business.”
SWATting goes hand-in-hand with doxxing because it requires knowing the target’s address. Attackers will call local or federal law enforcement to report a severe imminent threat, often a hostage situation, at the target's home. SWATting of individuals is not common (the most recent statistic gathered was in 2019, in which there were less than 1,000 cases ) but it can be extremely dangerous, having led to several deaths.
Once your team has gotten clear on what’s happening, the next step is to isolate the incident. Your incident response playbooks should identify the networks along which attacks can spread; for example, many attackers will dox an individual, learn the names of their family members, then move to attack those people. Coalition partners, community members, and affiliates may also be at risk as attackers try all possible avenues to damage their target.
You can use phone trees to follow those networks, alert potentially impacted parties to the attack, and instruct them to lock down (delete or set to private) their accounts, change all their passwords, and otherwise institute safety measures.
Refer to your Threat Model to identify what needs to be protected and who could be impacted by an incident spreading. Take into account both official social media accounts and the personal accounts of members or employees, particularly ones with a large following.
When isolating the impact of an incident, it’s also essential to anticipate the possibility of disinformation campaigns. Attackers targeting individuals often contact those individuals’ employers with fake allegations to try to get them fired; ensure the team is prepared for this and has a plan for how to respond.
Consider how to isolate the psychic impact of the incident as well, particularly in protecting more vulnerable members and employees. The more internal messaging can be crafted compassionately and delivered in an opt-in manner, the more you can contain the trauma to your team.
Mitigating an incident has the primary purpose of diminishing the impact of the incident on the targeted people. These protective steps, though they don't necessarily address the targeting behavior itself, can support the targeted people in weathering the storm.
Security Review: Take this opportunity to review the security and privacy settings on everything. All passwords should be changed and checked for data breaches; all data broker remediation practices should be redone. See the DIY guides in the resource section of this manual for tools that will walk your team through these reviews.
The most common advice for people in the potentially impacted network is simply “lock down your accounts and wait two weeks.” The vast majority of online harassment storms pass after a very intense yet time-delimited barrage, and shutting off avenues of escalation can usually be done by implementing the low barrier of basic digital security.
If the official social media accounts of the organization, or the members’ personal accounts, are being flooded or spammed with hate, there are a few options.
All abusive messages received by official organization accounts over social media, email, or any other medium should be monitored and documented. When they violate the Terms of Use of the relevant platform, they can be reported; otherwise, they can be blocked or muted. This task is often a strange combination of horrific and dull, and should be allocated strategically to minimize the overall traumatic impact of facing the volume of harassment and hate. For some teams, this means identifying a team member who is not personally impacted and feels up to the task; for others, it means rotating responsibility so that no one person has to do it for too long.
If the messages are coming through the personal email or social media accounts of individual members, the best practice is to provide a reasonable stipend to direct to someone in that individual’s personal support system to document and filter for them. This allows the organization to ensure that support is available to the team members without the team members having to provide the login credentials to their private accounts.
If the organization hosts any kind of forum, it can be made temporarily private or closed to new members, or the team can promulgate and enforce a strict code of conduct for participation.
Any person fulfilling the task of monitoring messages should save, screenshot, and document everything, and keep a careful log of the sequence of events. Public social media posts can be taken down by the person who made them, so don’t rely on the live post.
When an individual is at risk of doxing, SWATting, or otherwise has the safety of their home address compromised, they may be considering temporarily or permanently leaving that home. This is a difficult and painful decision that nobody should have to make, and that a person must make for themselves. The organizational policies about this must prioritize supported self-determination for all members and employees, including providing financial support where needed. If your organization can fund the targeted member or employee and their family to stay in a hotel for a few weeks, or can help cover moving costs, these are ways of supporting a targeted individual in taking the steps they deem necessary to secure their safety.
Some organizations respond to threats by obtaining one-on-one consultations for affected members with private security firms; some give out equipment like personal alarms; some bring in self-defense trainers; some go through safety planning checklists borrowed from DV contexts; some arrange for another worker to walk to and from the subway or parking lot with the person being targeted, and so on.
The most important thing to remember is that these risks and harms are a direct result of your people's courageous advocacy and work with your organization. Building the systems and networks to respond to them is the organization's responsibility.
Managing public messaging during an attack can be tricky. It is essential to do what you can to keep control of the narrative, especially in a climate rife with disinformation. The groups that plan these attacks have a built-in amplification tree that efficiently escalates things from private text threads to national television, and it’s an uphill battle to push a counter-narrative effectively.
Remember that public statements and counter-narratives should not be aimed at the attackers themselves, but at the community and broader public audiences, including coalition partners and funders with whom your relationship may be at risk from the disinformation. It can be tempting to say nothing for fear of escalation, but that’s rarely an effective strategy.
Public statements should be crafted carefully, with the assistance of trusted communications consultant, and in collaboration with the most impacted individuals. Prioritize standing by and supporting your people, and making sure it’s clear both to the public audience and to your people that any attempts by attackers to damage the relationship between individuals and the organization is a waste of time.
Most digital platforms have a built-in mechanism for responding to abusive behavior, but these mechanisms are unreliable and often enforced in ways consistent with existing axes of oppression. While reporting attacks to the platforms on which they occur, where available, is valuable, it is rarely effective to stem the tide of them, even when the platform’s purported anti-harassment systems are functioning as intended. A large or powerful organization may be able to escalate concerns to a platform’s content moderation team or existing direct company contacts, but expectations around this strategy’s efficacy should be limited.
Bringing an attack to the press can be beneficial in limiting the attack's broader impact, but this strategy can also be trigger escalation by the attackers. Decisions around whether and when to do this should be made carefully and in collaboration with the most impacted team members to ensure it doesn’t damage their safety planning.
The question of whether and when to involve law enforcement is among the most difficult to answer in this manual. There are many intersecting concerns to consider when considering the complex set of legal options available.
When making this decision, your team may encounter a variety of experiences, needs, and boundaries around law enforcement. This range often stems from differing life and community experiences, and is a common source of strife within LGBTQ+ communities. Some team members may believe involving law enforcement can accrue no possible benefit, or that it would put them in more danger. Other team members may feel that the purpose and effect of involving law enforcement would be to protect them from malicious actors in a frightening world. In making these difficult decisions, it’s crucial to take into account the differing needs and backgrounds of a diverse team, enter into discussion with mutual compassion, and prioritize the needs, boundaries, and risk assessment of the most impacted team members.
Legal strategies often aim to change a defendant's behavior; with a nebulous and often anonymous group of defendants, that may be less possible. For this reason, most of the strategies in this manual are not aimed at changing an individual’s behavior, but rather at minimizing the impact on the target.
It’s often painful and difficult to integrate the possibility that no legal relief may be available, accessible, or worth pursuing when you’re unequivocally being harmed. When the trauma of the attack is compounded by the trauma of learning that the state may not offer any remedy for the attack, team members will rely on the organization's culture and community to validate and provide support and comfort for their experiences.
Civil legal strategies involve lawsuits brought by one person or entity against another, as compared to criminal legal strategies, which involve a case brought by the state. There are a few civil legal strategies that have been tried in cases of online or online-to-offline harassment and abuse, but few have been very effective to date.
Some plaintiffs have tried to bring civil suit against social media platforms, but §230 of the Federal Telecommunications Act protects platforms from being treated as the “publisher” of any content posted by a user, so they cannot be held legally responsible for the actions of users.
Some plaintiffs have also tried bringing civil suit against individual harassers, but this has also tended to be ineffective as no individual can effectively be held responsible for most harassment campaigns, and if one is deterred, more appear. Further, individual harassers are often “judgment proof,” which means they don’t have enough assets for a meaningful judgment to be brought against them.
While there are some open questions in terms of legal doctrine and strategy that may come out differently as the legal landscape slowly moves to catch up with quickly evolving threats, the civil court system is not likely to be the first place to look for solutions.
There are a few specific types of harassment that, depending on your state, may be able to be specifically addressed by criminal law. Some states have laws addressing cyberstalking, the nonconsensual publication of intimate imagery, and credible threats of physical violence. If any of these are in play, consult a lawyer in your state to see whether a protective order may be possible.
However, a protective order needs an individual named defendant. In most instances of online harassment, there are many actors involved, who are loosely if at all affiliated with each other, and in most cases, very difficult to identify. This renders a protective order an impractical first line of defense; even if this were not the case, many police departments are uninformed about online harassment and uninterested in doing anything about it.
If your organization is receiving bomb threats, or other threats of imminent harm, it may be necessary to involve law enforcement to reduce the risk that the threats will result in harm. If this becomes necessary, bring all team members into the decision-making and safety planning to prevent additional harm from that involvement.
When your team is responding to threats by state actors, or to threats by non-state actors in connection with their work in a field of criminalized advocacy, it adds another layer of complexity to the decision-making process. In the world of LGBTQ+ advocacy in 2023, some of us are operating in states that are currently, or will soon be, criminalizing our work.
In the limited circumstances where your team determines that involving law enforcement is necessary, it needs to be treated as an extremely high-risk situation. Information should be carefully compartmentalized to ensure that you are not putting any clients, patients, or coalition partners at risk. Get legal advice as part of the process to understand your own rights as complaining witnesses.
In certain specific circumstances, affirmatively contacting law enforcement may be a useful strategic step. If an individual or organization has already been doxxed, or by necessity already has a public address, and is concerned about the threat of SWATting, it can be helpful to call the local law enforcement’s non-emergency line and inform them of the risk. In some cases, having this information will mean that if an emergency call comes in about your address, they’ll know to reach out to you before sending an armed team. This step does not require significant interaction with police and could significantly reduce the risk of specific harm.
Some protective or reactive processes need the documentation of a police report. Many states have privacy redaction processes, including removing public addresses from voting records, for which a police report documenting credible threats is necessary. Similarly, to get insurance coverage or remedy for financial harms or identity theft, a police report may be required. A police report is the most effective way to convince most institutions that the threat is genuine, which may be necessary for certain protective steps. If this step seems necessary for a team member, work with them around a safety plan to ensure any interaction with law enforcement is as safe as possible for them.
If a team member is contemplating seeking redress through the criminal justice system, the team should focus on supporting that team member in their safety planning around interacting with law enforcement. Many training programs in “victim advocacy” provide strategies for supporting a person through this kind of process, including the Justice Clearinghouse and the National Organization for Victim's Assistance.
Individual team members will be the experts in their own risk tolerance for interacting with the legal system. In circumstances where team members are already experiencing coercion, threat, and terror, the best support is to empower and support their agency and self-determination at every step.
Tracking and Record Keeping: Incident logs and documentation should be saved and collected consistently. If you choose to use legal tools or press, you’ll want as much documentation as possible. Also, a few organizations, including the Abortion Access Front and the Digital Defense Fund, have started to collect data on these attacks. Submitting records to these organizations can help them build a body of data about the prevalence and trends of these attacks, which will help to create better tools to respond to them in the future.
Within your organization or in coalition with other impacted organizations, you can aggregate incidents and identify common characteristics and trends in order to better allocate resources and understand your organization’s vulnerabilities.
The impacts of experiencing trauma at work are varied and can significantly impair a team member’s ability to do their job, including “short- and long-term psychological trauma, fear of returning to work, changes in relationships with coworkers and family, feelings of incompetence, guilt, and powerlessness, fear of criticism by supervisors or managers.” The organization’s responsibility to provide support and healing to impacted members doesn’t end when the attack does, but continues for as long as the member remains in the organization.
Some types of support that impacted members may need include:
