It is not often that we cover subject matter in a computer security blog that require a “trigger warning”, but today is one of those days. The following blog deals with potentially difficult information regarding protecting people who have been the victims of domestic abuse or stalking that could trigger an extreme reaction in people who’ve been traumatized by similar experiences.
Domestic violence is not something that gets discussed much in information security circles, for a variety of possible reasons, but there are few people that need advice on assuring their online safety more urgently than victims of stalking and domestic abuse. How exactly do the particular information security needs of people in these situations differ from the norm? What can people do to protect themselves when there is a known and persistent threat? After looking into this, I am left with as many questions as answers.
Before we get into the meat of this article, let me provide a frame of reference: I will be focusing on those victims of domestic abuse and stalking that have escaped the situation, and are now looking to avoid further contact with their abusers. The subtleties of getting protection while still in the environment in which domestic abuse is taking place go more into the realm of psychology than simple computer security concerns. And because there is so much more to be explored on this particular subject, think of this article less as something prescriptive, and more of an open-ended discussion. If you have experience on this subject, I welcome you to add your voice to the comments to help educate me as well as other readers.
Before discussing specific security recommendations, it’s important to point out that any computing devices (that is to say, both laptops and desktops as well as phones and tablets) that predate exiting the domestic violence situation should be considered compromised, and should ideally be replaced, or at least restored to factory default if at all possible. This will decrease the possibility of spyware or other tracking software being present on the device. You may wish to back up (and encrypt) your data to an external hard drive or remote location first.
It is obvious that all those things that security advocates are wont to say to help people protect their data applies far more acutely to those who are trying to hide themselves from a determined and potentially violent individual. Let us quickly cover those security basics that are even more essential to victims of abuse:
Everyday activities are fraught
Whether an intruder’s motivation is financial or personal – as in the case of domestic abuse – anyone looking to gain another’s data has two main ways to go about it: by force, or by social engineering. Gaining data by force would include approaches like direct attacks (either physical or digital), such as the use of malware or hacking into online accounts. Social engineering is a term sometimes applied to any way an attacker can convince someone to give them access to data. The target may be either the victim himself or herself, or a third party.
The advice given above is primarily intended to protect against direct attacks like malware, and hacking, and to a lesser extent phishing. Technology and good common sense will not necessarily protect you against every sort of direct attack, but it can lessen the risk considerably or at least make it far more difficult and time-consuming for the attacker.
However, not all our data is within our control, and this is where things can get very problematic and complicated. We are all required to provide a variety of personal information in our day-to-day lives – everywhere from the car service center to the accountant. Unfortunately, once the data is out of our hands, it is also out of our control. Many companies have data retention policies and are strict about giving out customers’ information, but many other places do not. Fortunately, the places where it is most important to keep your contact information up to date are also the ones that are most likely to have strict policies.
This is where there are more questions than answers. There is plenty of advice out there for people who are trying to protect themselves after a domestic violence incident. The variety of tips and techniques are seemingly endless, but they boil down to a few basic ideas:
The advice here is solid in theory, but in practice things can be significantly more difficult. Keeping this in mind, you may be able to be proactive against some of the hurdles you may face. Having legal paperwork including your restraining or protection order may make it easier to get hefty fees or objections waived when you try to cancel accounts or withhold certain information.
And other well-meaning people may undo your efforts to keep your information private, if they are not aware of your situation. In a case in Sweden, a woman and her two children left their abuser, but the abuser posted a plea on Facebook and asked people to share his request to help him find his children, resulting in the protected identities of the mother and children being blown. As we often advise in security circles, no protection is 100% secure. But the more ways you manage to cover your risks, the more time and space you can gain to allow you to resurrect damaged defenses.
There are additional steps you can take if you are looking for a more thorough change of identity, though be aware that these changes will not give you a completely clean slate, one that is unattached to your old identity. The National Network to End Domestic Violence website debunks some of the myths surrounding the process of changing your name and social security number.
You may also wish to try to remove as much of your presence from the Internet as possible. While it is not entirely feasible to completely remove your digital presence, you can certainly reduce it. This Gizmodo article lays out instructions for removing your presence from some of the more popular social networks.
Some final thoughts
The more real and physical the possible danger against which we are recommending protection, the more scary it is as a writer to provide a list that could potentially be (or in this case necessarily is) incomplete. This article barely scratches the surface of things to consider. Due to the huge volume of legal requirements and permutations, there are an almost infinite number of things you can (and potentially should) do to protect yourself from an abuser. Ideally this is something you should discuss with a lawyer or a social worker, so that you can thoroughly cover ways to keep yourself safe.
Here are some additional resources, should you wish for further information on the subject:
Author Lysa Myers, ESET