Training modules/Online harassment/First draft
- 1 H1: Introduction
- 2 H2: Basics
- 3 H3: Handling harassment reports
- 3.1 What makes a good reply
- 3.2 What to do with third-party reports
- 3.3 Replying to non-actionable reports
- 3.4 What types of reports should go to the Wikimedia Foundation's Trust and Safety task force?
- 3.5 What types of problems should be redirected to community noticeboards?
- 3.6 What types of problems can an administrator or functionary handle individually?
- 3.7 What types of problems should be redirected to local functionaries or arbitrators?
- 4 H4: Communicating with victims of harassment
- 5 H5: Immediate action
- 6 H6: Investigating reports
- 7 H7: Providing support and advice
- 7.1 What kind of support can you offer?
- 7.2 What kind of support can the Wikimedia Foundation offer?
- 7.3 What kind of non-Wikimedia support can you direct someone to?
- 7.4 Support you should not offer
- 8 H8: "Doxxing" or release of personally identifying information
- 9 H9: "Off-wiki" harassment
- 10 H10: Image-based problems
- 11 H11: Closing cases
- 12 H12: Reporting out
- 13 H13: After a case
- 14 H14: Other resources
- 15 References
The following are a set of concepts for a future training module on dealing with online harassment. They are being created based on feedback from community members who have experience working with these issues. This effort is led by the Support and Safety team at the Wikimedia Foundation.
This content will be developed over the coming months. If you have ideas for content, comments on the draft content, or ideas for headings that are not included here, please join us on the talk page!
The Support and Safety team is responsible for delivering and deploying these modules, and will be ultimately responsible for final editorial decisions on the content. However, we highly value input from those in the movement with experience dealing with online harassment and will incorporate suggestions as appropriate.
Purpose of this module
This module is intended to help community leaders, functionaries, and groups deal with community challenges around allegations of online harassment and abusive behavior. Dealing with such complaints can be a challenging and time-consuming process. Wikimedia projects' decentralized system can mean a lack of consistent approaches to the issue between different Wikimedia projects, or even within a single project or group. Harassment cases can cause emotional strain on everyone involved, and it is often very difficult to find solutions that satisfy everyone involved.
However, helping fellow community members deal with this issue is important. Volunteers often struggle with finding assistance when they feel harassed, and the experience of feeling harassed is a deterrent to participation. Supporting them, and supporting each other in supporting them, may help us avoid losing good faith contributors who could be helping build out content for our reviewers.
These training materials will evolve over time. Approaches to online harassment, policies, and tools are an expanding area of study, and the information provided here will grow as they grow.
What is harassment?
The word "harassment" can apply to a range of behaviours, but English Wikipedia's article on the topic defines it as "commonly understood as behaviour which disturbs or upsets, and it is characteristically repetitive". The Friendly Spaces expectations define it as:
- offensive comments related to gender identity or expression, sexual orientation, disability, physical appearance, race, ethnicity, political affiliation, or religion
- violence, threats of violence, deliberate intimidation and personal attacks
- stalking, following, or continued one-on-one communications after being asked to cease
- sustained disruption of discussion
- deliberate "outing" and/or doxing of any person's identity without their consent
- publication of non-harassing private communication
You may have experienced harassment yourself in your time on Wikimedia projects, or you may have seen someone else experience it. Either way, you almost certainly know how horrible it can feel.
Harassment isn't always blatant name-calling; at times it can be specifically designed to be subtle, in a way that's meaningful only to the target or people like them. You may not think a particular situation is harassment, but when you receive a report or complaint, it is important to examine context and background. In situations like this, try to deal compassionately with the situation, listen empathetically, evaluate the evidence objectively, and determine how you may be able to assist.
Why do you need to care about harassment?
Online harassment has been an issue for a long time, almost since the launch of the internet itself. Areas of the internet where many people converge and communicate openly with each other – for instance, forums, multiplayer games, and social media – are particularly susceptible to it. Harassment and bullying can lead to distress and depression. In a survey published by the Pew Research Center in 2014, almost three quarters of adults using the internet have seen someone be harassed in some way online. Two in five have experienced it first-hand.
A culture of harassment has been one of the major criticisms of the Wikimedia community since its inception in 2001. Researchers from the Palo Alto Research Center in 2008 found that less-active editors who make two to nine edits a month were seeing their edits reverted up to three times as often as they had been in 2004. But it's not only low-volume editors who encounter harassment – long-term contributor David Shankbone wrote in 2008 that "if you become a target on Wikipedia, do not expect a supportive community." Women also tend to be targeted more often than men, which results in less female participation on Wikipedia. This leads to a lack of diversity in editors and, as a result, decreased quality of content.
The Support and Safety team is working to improve these processes on our end, but the majority of harassment complaints will be seen by you, the functionaries, first. It can be complicated to deal with often complex and subtle harassment claims and cases. This module will help prepare you for the best ways to deal with them.
Some common forms of harassment on our projects
Harassment comes in many shapes and sizes. Some of it is childish and easy to shrug off – throwaway insults by vandals, for example. You've almost certainly seen this type of abuse in the past. But while it can be easy for an administrator or vandalism patroller to brush this treatment aside, newcomers to the movement can be easily discouraged or offended by it. They might also be goaded into breaking rules by entering into petty edit wars or meeting name-calling with name-calling.
Some vandals can move beyond damaging on-wiki content and become focused on pursuit of a group of editors, or even one editor in particular. This pursuit often takes the form of something more subtle than "poop" vandalism, like wikihounding – the practice of "stalking" someone's edits to constantly revert or oppose them. Wikipedia's openness makes this very easy to do. Being wikihounded can result in the editor becoming disillusioned, upset, or frustrated, and make them less willing to make edits. Worse, wikihounding can lead to more general online stalking in places like email, social media, and personal blogs, and invade all aspects of a person's online identity.
Another form of harassment is direct, and sometimes plausible, threats against an editor or editors. Threats to life and limb must be considered as serious, and should be referred to the Wikimedia Foundation Support and Safety team through the email@example.com email address. Legal threats are not uncommon, and can be used to "force" editors to delete content or censor articles. Even if these threats are not plausible, they can be distressing, particularly to users unused to the processes in this area.
H3: Handling harassment reports
Reporting harassment publicly, or even privately, is a difficult thing for many to do. It's natural to feel uncomfortable accusing someone of harassing you or someone you know, especially when the person in question is powerful. It's possible also that the harassment is subtle and easily deniable. When people submit reports to you, they may be afraid that you may simply not take them seriously or that, even if you do, you won't care.
When you or your team receives a request, bear in mind that it may have taken a great deal of courage and caused a lot of anxiety to the reporter. Treat every claim as serious, even if its tone seems bombastic or overwrought.
What makes a good reply
The best thing you can do with a claim of harassment is to respond to it actively – even if there is nothing you or your team can do about it.
- Be prompt: This is arguably the key aspect to an initial response. Don't leave reporters waiting for a reply that may or may not ever come. If you are able to action the complaint immediately, do so and let the reporter know. If the case is complex and you cannot immediately offer a substantive response, let the reporter know in the meantime that you have received their message and will be investigating.
- Be empathetic: Assume the report is genuine – at the very least, assume it is something that has genuinely distressed the reporting party. Respond kindly, letting the reporter know your team will look into it. Try to avoid boilerplate replies where possible – make it clear that you are responding to their specific situation and that you are responding as another human being.
- Give concrete details, and stick to them: Where possible, give estimates to the reporter on how long things will take to get moving. Be sure to allow yourself plenty of time in these timing estimates; things can come up, and delays can happen – this is not your full-time job, and you are not expected to be able to drop everything when a case comes up.
- Be transparent and open: This one is difficult, especially if the report came in privately. Being transparent doesn't always mean being public or detailed; however, it's usually a good idea to at least keep the reporter informed about the status of your investigations. Follow up with more emails as appropriate as the case goes on.
- Ask for updates: Let the reporter know that they should forward new developments to you as they occur. If you feel that you need more information to complete your investigation, reach out to the reporter to ask for it.
What to do with third-party reports
Sometimes, you will receive reports that are not from the target of harassment. For instance, someone might observe harassment occurring against someone else which they feel is serious enough to report on the other person's behalf. When investigating these situations, a good first step is to privately contact the person who is the reported target. Their opinions and any background they can provide will be valuable.
Remember, however, that your investigation and any outcomes will not be contingent on the target's approval. The reported problem may represent a threat to other users and the community at large, and may need to be investigated whether the target desires that approach or not. In these cases, it is very important to respect the target's privacy – some targets of harassment choose not to report abuse because they legitimately fear retribution from the harasser.
Replying to non-actionable reports
When a report is non-actionable or contains inaccuracies, it can be tempting to just ignore it or dash off an abrupt "nothing we can do here" reply. Remember, though, that the reporter – for reasons stated above – may have put a great deal of emotional effort into putting the report together. So, how do you respond to these kinds of reports?
The key here is to be empathetic. Sympathize with the reporter. Use soft language where possible, even if the reporter hasn't. If there really is nothing that can be done, and this is confirmed through an investigation, let them know. Give some potential next steps for the reporter. Your target here is to make sure they have at least some way forward, though it may not be totally possible to completely satisfy them with your response.
It's also important to remember that the person who was reported in a non-actionable report may also be upset by the report. This doesn't mean the report was in poor faith; it may be a misunderstanding, or a genuine overreaction. Offer and provide advice to the person reported as well, whether that be cooling an editing conflict or avoiding the user altogether.
What types of reports should go to the Wikimedia Foundation's Trust and Safety task force?
The Trust and Safety task force (T&S), within the Support and Safety team (shortened to "SuSa"), deals with severe harassment complaints, performing investigations where appropriate. These can, and have in the past, led to global "office bans" in the most serious of cases.
There are several situations where it might be appropriate to refer a report to T&S:
- Threats to life and limb: Serious threats, such as death threats or threats of terrorism, may be sent immediately to firstname.lastname@example.org. If you are comfortable doing so, you should also consider contacting your (or the target's) local authorities to report such threats. Assume all threats are serious, even if they don't sound plausible. If you are not comfortable making a call yourself, email the threat to the emergency email address.
- Serious complaints of harassment: In the case of ongoing and serious harassment, serious enough that you or your team don't feel comfortable handling it yourself, the report may be forwarded to email@example.com. All members of the SuSa team are on this mailing list and can assist with investigating reports if need be.
What types of problems should be redirected to community noticeboards?
Community noticeboards are great for getting more attention onto a problem and for finding people willing to deal with sticky situations. They also enable transparency, and bringing an issue to a noticeboard avoids the appearance of underhanded dealings in disputes.
That having been said, noticeboards are highly visible and open to everyone. As a result, they can lead to unwanted attention being focused on harassment victims, up to and including second-guessing and victim blaming. A harassment target may find themselves shamed or mocked by community members in a venue they came to for help. Noticeboard discussions are also often adversarial and hotly contested. Discussions can, and often do, flare out of control quite quickly. For this reason, we'd recommend not redirecting harassment reports to community noticeboards if there is a better option available.
What types of problems can an administrator or functionary handle individually?
Clear-cut cases of harassment, involving obvious targeting and bullying, can of course be dealt with by an individual administrator or functionary in accordance with local policy. Such types of harassment are normally easy to spot and, on many projects, uncontentious to deal with, though they can also be among the most persistent of case types. When in doubt, or if a situation expands beyond your comfort zone, it is always appropriate to escalate for assistance.
More difficult cases, such as more subtle harassment or cases involving long-term or otherwise-constructive editors, should be discussed by more than one person prior to any investigation being closed. SuSa would recommend these discussions be done in private, unless it is more appropriate, based on other considerations, to use a noticeboard for this purpose.
What types of problems should be redirected to local functionaries or arbitrators?
If you receive a report addressed directly to you, that doesn't mean you have to deal with it alone, or that you are responsible for resolving it at all. (Though you can do both, if it's appropriate – see below.) Sometimes, these reports are best dealt with by local functionaries or arbitrators. For the reasons stated above, it might be more appropriate to pass cases like this on in private, rather than on-wiki.
All but the most complicated of cases can usually be dealt with by local administrators, though the venue in which they do this depends on the severity of the accusations and, at times, the status of the reporter or reported party.
You'll usually receive reports of harassment from users in good standing. However, you might also receive them from users under editing sanctions, users with a negative reputation in the community, or even users who are blocked or banned from editing. Accordingly, you may want to consider the reporter's (and reportee's) community status when deciding the appropriate venue for referring a matter to functionaries.
H4: Communicating with victims of harassment
Appropriate communication with a harassment reporter should focus on two areas: first, appropriate communication style, and second, appropriate information and expectation sharing.
One of the most important things to remember when you are communicating with someone who reports suffering harassment is that harassment is, by design, intended to intimidate and upset. As a result, you will likely be addressing someone who is frightened, angry, hurt, or a combination of all three. Most reporters will have had to gather their courage to reach out to you for help. They may be worried that they will receive a dismissive response. Whatever the merits of the report itself, you can go a long way toward making the reporter feel safer than they may have feared simply by approaching it, and the reporter, with empathy.
What makes communication empathetic? The English Wiktionary defines "empathy" as "identification with or understanding of the thoughts, feelings, or emotional state of another person". Your goal in empathetic communication is to signal to the victim that you understand that this is a stressful and/or frightening situation for them, and that you are approaching it from that perspective.
Some ways to communicate empathy will involve your choice of words and phrases. Try to use language that shows you approaching the report with concern and attention, like:
- "I understand"/"could you help me understand" – Try your best to let the reporter know that you are not just reading the words they wrote, but rather are truly trying to grasp the situation. If the initial report is clear and thorough, show them that you understand their situation. If you need to ask questions to get a handle on the situation, don't hesitate to ask them – but ask them in a way that communicates "seeking to understand" rather than skepticism or doubt about the report.
- "That must be (frightening/hurtful/etc)" or "I see that you are (frightened/hurt/etc)" – Active listening is an important skill in these situations. Your communications to the victim should indicate that you understand why they felt it necessary to reach out to you.
Avoid using words and phrases that indicate skepticism or disinterest, like:
- "I disagree" – remember that they are reporting the situation to you as they understand it. Negative assertions and disagreement won't help you understand the situation better, and may lead the reporter to believe you are not here to help. (See section on responding to non-actionable reports if, after review, you believe they are misunderstanding or misrepresenting the situation.)
- "Nothing we can do" – there certainly will be cases where you cannot take action. However, there is a difference between simply shrugging and saying "nothing I can do", and offering things like advice or alternative routes forward. Even if a situation does not call for administrative attention, you may be able to help the reporter with suggestions of other venues for them to try, new communication strategies, or referrals to support organizations.
- "(Harasser) (is a long-term editor/is respected by the community/has no history of this)" – Sometimes harassers have a good reputation on their project; often it is others relying on this reputation that allows them to operate for as long as they do in ways that would lead to anyone else being sanctioned. It is important not to offer opinions on the person accused of harassment, and focus instead on the reported behaviour or actions.
Sharing information and managing expectations
Though your communications to the victim should be empathetic, as described above, remember that the investigation is your responsibility, not the victim's. For the privacy and safety of all parties, it is neither desirable nor appropriate to actively involve victims in the actual investigation or communications about the investigation, although you should, of course, make sure you have the full details of their complaint. You should be prepared to set reasonable expectations with the victim about what information they will receive and when they will receive it.
Do:
- Offer the victim as concrete a timeline as possible. Your goal should be to let them know what to expect. While you will never be able to promise them a certain result or a certain closure date, you should be able to give them a sense of the projected progress of their investigation. Consider whether you can offer the reporter a "check in" date.
- Alert them to any substantial delays that may alter the timeline you offered. Remember that while, to you, this may be one of a dozen active cases, to the victim it is likely a much higher (and more emotional) priority. Sudden, unexpected silence or lack of apparent progress will feel much more alarming to them than you might expect it to.
- Contact the victim in a timely manner to request any additional information your investigation requires. Particularly when an investigation involves multiple people, small delays can compound – someone will be away for a week, someone else's internet will go down for two days, and rarely will everyone be able to attend to a case at the same time; try not to add to that by putting off simple steps like asking an important question.
Don't:
- Overshare. Again, this will be an emotional situation for the victim, and you may be tempted to err on the side of giving them as much information as you can. Remember, though, that the victim is not a neutral or confidential party, and an alleged harasser does not lose their right to privacy simply by being reported. Additionally, while an investigator must review evidence carefully to avoid reaching a false conclusion, seeing that rational evaluation unfold may distress reporters.
- Make promises you may not be able to keep. While you may wish to reassure a victim with "I promise we will stop this behavior" or "You will have an answer by Tuesday", such a reassurance will backfire if you then prove unable to follow through with it. Know your limits, both in time and in your role.
Keeping yourself safe: your personal information
People who work on harassment complaints can become targets themselves and have their names and communications spread on the internet. When communicating with both the reporting party and the accused, use some simple rules to protect yourself.
- Realize that anything you write may be shared or "leaked" publicly. Think about how your words could be taken out of context, or used against you, as you write.
- For communications, consider using a separate email address, one that does not give personal details in the address name.
- Do not give personal details in your communications. Sometimes it is tempting to give personal experiences to empathize with victims (e.g. "I saw a very similar situation when I worked at my campus help center in Mumbai"), but you need to protect your own privacy.
Keeping yourself safe: your emotional well-being
Try to remember that while empathy is valuable, over-empathizing with a victim can make things more difficult for both you and them. If you connect too closely with the reporter, they may develop unrealistic expectations about what you can provide. You also risk exposing yourself to "secondary trauma", where you begin to experience the same negative effects as victims do. This will limit your ability to help people long-term and could lead to recurring psychological problems in the future.
Be realistic with yourself about what you can and cannot do, and realize that some distance and barriers will help you perform your role better. You can't solve all problems by yourself!
H5: Immediate action
Once you have been made aware of obvious harassment or threats, there are actions you may take immediately that don't require in-depth investigation. You might already be familiar with these actions, as they are fairly commonly used by local administrators or functionaries.
Blocking users – the basics
If you are experienced with using the block tool, feel free to skip this section.
The block is one of the central tools available to administrators and those with advanced permissions. It prevents a registered user account from editing and an unregistered user from editing from a specific IP address. Blocking policies are project-specific. More information on performing blocks, and when they're appropriate, can be found on those projects.
Range blocks, where a group or "range" of IPs is blocked, can be a powerful weapon against IP-hopping users, but are also a solution with a lot of potential collateral damage. Consider consulting a colleague with experience or asking for help before applying a range block for the first time, and make sure you are aware of and respect local policies about their use.
Revision deletion or suppression
Revision deletion (sometimes shortened to "revdel") is available to administrators. It acts in the same way as regular deletion, by hiding deleted content from those without sysop privileges. This is a reversible action and can be a good first response to obvious attacks, even if you feel the larger issue needs to be discussed more thoroughly. It can also be used when the harassment doesn't reach the criteria for suppression.
Suppression (also called oversight) is a tool that can be used to hide content even from administrators. Policies on suppression can vary a little by wiki. The usual criteria form a global policy that can be found on Meta-Wiki, which can also provide steward oversight actions for those communities that don't have local suppression functionaries. Of the criteria, those which most relate to harassment are:
- Removal of non-public personal information
  - This includes information about users such as phone numbers, home addresses, and workplaces or identities of pseudonymous or anonymous individuals who have not made their identity public, or of public individuals who have not made that personal information public.
  - Functionaries are encouraged to use common sense and intuition when making a call like this. Suppression can be reversed, so it is usually safest to remove when in doubt.
- Removal of potentially libelous information
  - This is done either on the advice of Wikimedia Foundation counsel or when the case is clear and there is no editorial reason to keep the revision.
- Hiding of blatant attack names
  - This action is applied to automated lists and logs, where such an action does not disrupt edit histories. A blatant attack is one obviously intended to denigrate, threaten, libel, insult, or harass someone.
Cross-wiki blocking and tracking
In the event that an obvious harasser is abusing someone across multiple wikis, it may be necessary to take global action. It is possible to globally lock accounts, though only stewards have this ability. They can also globally block the underlying IP address to prevent the creation of sockpuppets or "sleeper" accounts.
Global sysops (or users with administrator rights on more than one wiki) can also help to keep cross-project abuse to a minimum (or help support projects without administrators or with very few), though the role of combatting global abuse is generally best left to the stewards.
The Small Wiki Monitoring Team can help to track and prevent obvious vandalism or harassment through their own methods. They might be worth contacting to help keep track of harassment on smaller wikis and may have background knowledge of problem users on those projects.
H6: Investigating reports
There are a number of steps involved in a thorough investigation of a harassment report. It is not enough to simply look at the description or diffs a reporter submits – in almost all cases, deeper investigation is needed.
Your first step in an investigation, after replying to the reporter to acknowledge that you received their report, is to verify as many of the reported facts as possible. This will involve:
- Opening any diffs contained in the report and verifying that they say what the report says they say.
- Verifying the identity of the reporter and/or victim: Are they actually operating the user account they claim to be, or might they be only pretending to be that account's owner? (This might be done under the pretext of a disposable, single-purpose account.)
- Verifying the account status (if applicable) of the reporting party: do they omit any material facts, such as sanctions on their account? Are there any security issues related to this account, such as a compromised password, that may call for you to take immediate action?
- Verifying the identity of the alleged harasser. Be aware that "joe jobs", where someone pretends to be another person and misbehaves in the hopes of getting the imitated party in trouble, have occurred in the past. In most cases you will not be able – or want – to verify a "real life" identity; your concern here is making sure that the account the reporter says is doing the harassing is actually the one doing the harassing.
- Verifying the account status (if applicable) of the alleged harassing party: are they under any sanctions that might be related to this situation? Are they blocked or banned? Does their account appear to have been compromised in any way?
The facts you verified usually come with context that helps you to navigate the issue and understand what has happened. That makes the background an important component of evaluating a case; if you skip it, you risk overlooking history or facts that are vital to resolving the current issue.
Your background research should cover the involved parties along the following lines:
- Regarding the victim:
  - Has your team dealt with this person before (whether as a victim, a reporter, or a harasser)? Were their reports and/or opinions reliable in any previous dealings you have had with them?
  - Does this person have a history of having been harassed, whether by the current alleged harasser, or by others? (If yes, you may, for instance, be dealing with a sockpuppet of a previous account.)
  - What is this person's reputation in the community, and are the events in this report uncharacteristic for that reputation? They may be known as someone superbly level-headed or as someone who overreacts; either of those being true will have bearing on how you interpret their report.
- Regarding the reporter (if different than the victim):
  - Has your team dealt with this person before? Were their reports and/or opinions reliable in any previous dealings you have had with them?
  - Does the reporter have a known relationship to either the victim or the alleged harasser? That is, might there be an ulterior motive in their report (backing up a friend who's in conflict, exaggerating a situation to make a rival look bad, etc)?
  - What is this person's reputation in the community, and are the events in this report uncharacteristic for that reputation? They may be known as someone superbly level-headed or as someone who overreacts; either of those being true will have bearing on how you interpret their report.
- Regarding the alleged harasser:
  - Has your team dealt with this person before? Do they have a history of being reported for harassment? Have they been harassed themselves in the past?
  - Does this person have any known friction with either the reporter or the victim? It may be that this reported harassment is simply the latest front in a long-term war.
  - What is this person's reputation in the community, and are the events in this report uncharacteristic for that reputation? They may be known as short-tempered or tactless, or they may be known as someone who is never unkind to others; either of those being true will have bearing on your investigation. Search the archives of relevant noticeboards, and look at the block log of the user to determine whether they have been sanctioned for problem behavior in the past.
Adequate background research will not stop at just the two or three involved parties, however; it will also take into account the relationships those parties may have to other editors or groups, as well as any general history of the point of dispute (if any) in the harassment:
- Any organizations that any of the involved parties are affiliated with, and whether those organizations may also be in conflict
- Any off-wiki activities any of the involved parties may be involved with that are relevant (for instance, someone may be known to participate in a subreddit that enjoys doxxing others, or may be open about having a certain gender identity or political view)
- Whether the harassment report reflects a known long-term pattern of thematic conflict involving broader groups of users; for example, homeopathy-related editorial controversies.
A caveat on background research: Context is not synonymous with rationalization or excusing. Your background and context research will help you understand the situation at hand, and they may explain why harassment occurred in a valid report, but they will not make a valid report invalid. Therefore your analysis of a report should focus on the events described within the report.
This is primarily because all contributors are equally responsible for their words and actions. A long history of quality contributions does not excuse bad behavior, nor does being objectively "in the right" or having been victimized in the past. Likewise, a history of bad behavior does not make a contributor "automatically" guilty when accused.
Useful tools for gathering evidence
The editor interaction analyzer can help you see where and how two users have interacted on a specific wiki. It can be useful in examining the background of a dispute between editors or claims of long-term harassment.
The revision history tool (sometimes referred to as "Wiki Blame") can help you locate the appearance of text strings within revisions on a specific page and can be helpful finding a specific comment or edit.
Knowing how to search subpages of a given page (that is, to search pages under a certain prefix) will let you narrow an on-wiki search to the content of only those pages. For instance, if you wished to search all archives of the Meta Wikimedia Forum, and only those archive pages, for a specific term, you would put your search term in the search box, followed by "prefix:Wikimedia Forum/Archives/". The results Search returns to you will be occurrences of the search term only in pages whose names begin with Wikimedia Forum/Archives/.
Understanding "actionable" versus "non-actionable"
Not everything you investigate will ultimately turn out to be actionable. Even in situations where wrongdoing is confirmed, you may simply not be able to take measures against the reported user. For instance, if an attack has happened on social media and you are unable to reasonably connect the social media account with a Wikimedia one, you may have no options for on-wiki action. In other cases, the victim may have been subjected to negative treatment by another editor, but the actions don't meet the standard for harassment or rise to a level that merits action under local policies and guidelines.
In such cases, the best of your available courses of action is not to punish the alleged attacker, but rather to provide support to the reporter. Keep in mind that not taking action against a reported aggressor doesn't mean the reporter was necessarily wrong to report this as harassment. Nor does it mean the report was inaccurate, or that either party is totally innocent. A "non-actionable" report is not the same as a false report – it is simply one that you cannot take direct action to resolve.
Documentation of what you have learned and done in harassment cases is very important for a few reasons. First, private investigations performed off-wiki, as most harassment investigations will need to be, are not automatically documented the way on-wiki edits would be; all the future will know is what you record. Second, no single person or set of people who performed an investigation can be expected to remain in their role forever; if you drift away from your role in the future, others will need a way to find out what happened and why it happened in any given investigation.
On the other hand, it is important to be aware that "documentation" doesn't – and shouldn't – mean "public documentation". The parties involved in an investigation are entitled to as much privacy as you can reasonably give them while still doing your job, and it is your responsibility to protect information about them/the investigation by storing it somewhere reasonably secure.
What does appropriate documentation look like?
To a certain extent, what "appropriate documentation" looks like will depend on who is performing the investigation. If you are performing an investigation as part of a functionary or arbitration committee team, your team should:
- Record a summary of your investigation on your team's private wiki, if appropriate based on that wiki's policies.
- Record the names of those who investigated and/or voted on outcomes for the investigation.
- Take screenshots or gather diff links of evidence that informed any eventual outcomes of the investigation. Store these somewhere accessible to your team, such as on a private wiki or in an email to your team's secure, archived mailing list.
If you are evaluating an initial complaint before passing it on to other functionaries or to the Wikimedia Foundation's Support and Safety team, make sure that your communication to the other investigating group contains:
- Contact information for you
- Contact information for the reporting party and/or victim
- A summary of the complaint
- Functional links to any relevant URLs
- Functional diff links to any specific on-wiki edits relevant to the complaint (if you have them)
- A summary of any preliminary investigation work you may have done
Where should the documentation be stored?
The answer to this question depends on your role. Some groups, such as Arbitration Committees, may have their own "private" wiki. Other groups may primarily use email in their communications. Individuals receiving reports may have no designated place to document. So, work either in your team's designated space or in a secure document of your own creation to store the information.
Do not use an on-wiki "sandbox" or userspace page, and avoid hosting your documents in publicly accessible places, such as an unsecured "cloud" storage account. Collaborative documents such as Google Docs can be useful; however, careful attention to the "sharing" or security settings is required (see Google's help page on this topic). Your documents may well contain personally identifying information, and a "leak" could permanently damage the reputation and public trust that users have in your group.
H7: Providing support and advice
It's natural for you to want to offer as much help and support to a harassment victim as you can, but you must keep in mind that your skills and tools do not necessarily encompass all types of help and support that a victim may need. At times, there will be advice you simply cannot offer, either because doing so may inadvertently harm the victim or you, or because it would be more useful to refer the victim to someone more qualified to offer that support.
What kind of support can you offer?
Before we go into types of support, remember: you should never feel obligated to counsel or advise harassment victims if you are not comfortable doing so. Your mental health and safety are as important as those of anyone else. It is much better for you to pass off a case to someone more equipped to handle it than for you to burn out trying to do it all yourself.
What you can do: Non-actionable cases
The most important part of offering support to victims is something you've already read about in this module: empathy. Your goal should be to communicate to the victim that you understand their feelings and that you are approaching the situation with those feelings in mind. Even in cases where you can offer no concrete action, providing emotional support can still help the victim feel safer. Your communications with a victim should balance honesty with sensitivity. While both of those are generally good things, being overly blunt or attempting too hard to shield a victim can lessen the effectiveness of your communications.
What you can do: Actionable cases
As a functionary investigating a harassment case, you are also the person best positioned to take concrete action to stop the harassment – where doing so is possible and called for. When a case is closed or a sanction put in place, you should let the victim and/or reporter know that action has been taken. Try not to make this communication emotional, whether apologetic or pleased; your goal is simply to let them know what has happened.
What you can do: Malicious or mistaken reports
A situation where a report was made to you in bad faith or with significant, compromising errors can be one of the hardest to communicate about. You will be dealing with an alleged harasser who is defensive, anxious, and impatient as well as a reporter who is likely to be pushing hard for action and reluctant to reconsider their views. The key in many of these situations is to carry out communication without judgment. When talking to a mistaken reporter, remember that if they believe that they were harassed – whether you believe they were or not – you can still offer links to support venues like RAINN or the Victim Connect Helpline. Support venues also exist in other languages.
When you speak to the subject of a mistaken or malicious report, keep in mind that you are delivering positive news to them. They are not in trouble, and you know they didn't do anything wrong. That doesn't mean you should communicate emotionally, however – you are a neutral, evaluative party, not a friend congratulating them on being vindicated or a prosecutor going into detail about the other party's guilt. Repeated malicious reports are a problem that should be communicated to other people who may be receiving reports from that person. It is important that knowledge is shared, and that other people's time is not wasted on evaluating reports without basis. People intentionally abusing reporting systems may need to be sanctioned, and this behaviour can constitute a form of harassment itself.
What kind of support can the Wikimedia Foundation offer?
The Wikimedia Foundation's Trust and Safety team is always available as a resource to both you and harassment victims in cases where you need us. However, while SuSa is always happy to provide advice, it can only take action in the most severe of cases. This can include cases where a community has already taken unsuccessful steps to resolve the harassment or cases of harassment serious enough that the community cannot resolve it themselves. Here are a few types of help the Wikimedia Foundation can offer:
- Emergencies: If a threat to someone's real-life safety has been made on a Wikimedia project (for instance, a harasser threatening to find someone's home and hurt them), you should immediately report that threat (including diffs) to the Support & Safety team's emergency email hotline (emergency@wikimedia.org). This hotline is monitored 24 hours a day, and the staff who monitor it are able to quickly pass such situations on to law enforcement or others who can help ensure the safety of the threatened person.
- Victim support: The Support & Safety team exists to assist and protect our users, and team members are available to offer support to victims of harassment. In the past this has included things like providing letters of good standing for harassment victims to give to employers who are receiving negative contact about the victim, connecting victims to non-Wikimedia resources that may help them, and simply being a sympathetic ear. If you feel actions of this type are needed in a case, please direct the person who needs assistance to ca@wikimedia.org. Please note, however, that Wikimedia Foundation staff are neither social workers nor trained mental health professionals. For the safety of all involved, staff cannot provide counselling or emotional support, though they can direct community members in need to other available resources for these things.
- Legal support: The Wikimedia Foundation's Legal staff, under American ethics guidelines, cannot offer legal advice to individual community members. However, when an eligible community member is the subject of a legal threat or lawsuit, the Wikimedia Foundation's Legal Fees Assistance Program may be able to help them locate and pay for their own counsel. In these situations, please contact the Legal team directly at legal@wikimedia.org.
What kind of non-Wikimedia support can you direct someone to?
You will have noticed in the above sections that due to privacy, safety, and legal concerns, there are significant limitations to the types of assistance that functionaries and the Wikimedia Foundation can provide to harassment victims. This does not mean, however, that there is no help you can offer to victims in need of types of assistance you and the WMF cannot provide; you are free to use your judgment in referring those in need of further assistance to organizations and resources that can offer that assistance! The following examples are by no means exhaustive; for a more detailed listing of resources, see the Support & Safety Resource List.
- Suicide prevention hotlines: United States / non-United States
- The Trevor Project LGBTQIA crisis support
- English/Spanish bilingual crisis hotline for "LGBTQ & HIV-affected victims and survivors of any type of violence"
- RAINN: Support for victims of rape, abuse and incest
- WHOA (Working to Halt Online Abuse) crisis support for victims of online harassment and threats
- Crash Override Network for victims of online abuse
- National Crime Agency Command (UK only) for protection of at-risk or abused children
Support you should not offer
There are some types of support and advice that you should not attempt to give to users; these include mental health counselling and legal advice, both of which should only be given by trained and qualified professionals.
Mental health counselling
If you handle harassment cases, you will be dealing with people in various levels of mental distress. Most people understand that functionaries are not psychology professionals and will not expect you to provide counselling, but in cases where someone is in crisis or where you feel the appropriate mental health advice is obvious, it can be tempting to offer it – please don't.
Why shouldn't you offer counselling, even in a case where the victim needs it or you believe you know what to do? For more than one reason:
- Boundaries: As a functionary handling a harassment issue, your community expects you to act in a neutral, investigatory manner. Reaching past that role to counsel a victim risks confusing them – "is this person an investigator or my friend/advisor?" – and overstepping the trust your community gave you.
- Not dividing your energy: You are a functionary in your community because your community felt you had expertise in the skills that role calls for: discretion, knowledge of IP address technology, good judgment in resolving disputes, etc. Even if you think advice beyond your functionary role could be useful, remember that you are of most use to someone in a harassment situation by using the skills the community asked you to use; try not to get sidetracked by trying to offer other services as well.
- Safety of the victim: Unless you are a trained mental health professional, you simply cannot know the appropriate way to treat or counsel someone in a mental health crisis. Trying to do so without the necessary expertise means that, if you make a wrong treatment decision, you could inadvertently cause harm to the person you are trying to help. In the case of mental health and crisis counselling, this kind of mistake could lead to a victim being even more upset, or even to a non-life-threatening situation escalating into a life-threatening crisis.
- Liability: By representing yourself as someone able to provide mental health advice, you could be violating laws in many places that govern who may give medical treatment. If such a law applies to you, you could be held legally responsible for negative repercussions from the advice you provided. Professional providers have insurance to protect them in this situation; you likely do not.
In short, it is in everyone's best interests in a harassment situation for you to focus on assisting as a functionary, not a mental health counsellor. You may optionally wish to suggest to a victim who asks for counselling that they reach out to an organization like the National Association for Mental Illness (NAMI) (US only), which can help those in need find mental health treatment and resources, or provide them a link to a resource directory like the Metafilter "There is help" page (international), but you are not obligated to do so if you are not comfortable.
If you believe a situation is an emergency where the victim or someone else is in immediate physical danger, you should contact emergency@wikimedia.org or local authorities immediately.
If you handle harassment cases, you will almost certainly eventually encounter one in which legal concerns come up. Perhaps a victim will want to know if they can issue a DMCA notice to force another website to take down images of them; perhaps the harassment someone reports to you will be in the form of "I will sue you" legal threats; perhaps a victim will ask whether they should pursue legal action against the harasser.
As with mental health issues, it can be tempting to offer a victim with legal questions or needs whatever level of advice you feel you can. Please don't. Why? Many of the reasons are similar to the reasons you should not offer mental health counselling:
- Boundaries: see mental health counselling, above
- Not dividing your energy: see mental health counselling, above
- Best interests of the victim: Though giving poor legal advice is less likely to lead to physical harm than giving poor mental health counselling, the damage it can do is nonetheless significant. Being given incorrect legal advice could lead a victim to take (or not take) legal actions that are not easily reversible; it could even lead to a victim putting themselves in a situation where a harasser has grounds to file a legal case against them.
- Liability: In some countries, including the United States, it is illegal to carry out the unauthorized practice of law, which includes activities like "providing information about what actions to take or giving advice to someone that is specifically tailored to an individual's unique situation, under the guise of being a lawyer or person experienced in the law." Breaking laws of this type puts you in legal jeopardy of your own – you could be fined or imprisoned!
If someone involved in a harassment case asks for legal advice, you should explain to them that you cannot offer advice of that type. If you know of a resource that can connect victims to qualified legal assistance, you may wish to offer it, but you are not obligated to do so and if you are uncomfortable for any reason, you may choose to simply explain to the victim that you cannot provide such assistance. Linked below are two resources that allow a victim to search for legal aid by area, crime type, and other requirements:
- The Office for the Victims of Crime (US only)
- Citizens Advice page on free and affordable legal resources (UK only)
H8: "Doxxing" or release of personally identifying information
What is "doxxing"?
"Doxxing", or "outing", is usually described as the publication of personal information online, generally in order to intimidate or threaten. In some cases, this personal information is used to actively seek out and harass online users in real life. Even in cases where that doesn't happen, targets will be afraid it could. Real-life outcomes can involve someone unwelcome literally showing up at the victim's door, or "swatting" them – sending armed police to their address under the false pretence of a serious crime such as an active hostage situation. Doxxing has become an unfortunately common method to intimidate, harass, or punish people online.
What counts as "personally identifying information"
As previously covered, "personally identifying information" (often shortened to "PII" and sometimes expanded as "personally identifiable information") covers a fairly wide range of data that can be used to identify or trace a person in real life.
On Wikimedia projects, the category of PII includes information about a user such as phone numbers, home addresses, and workplaces, unless the user has chosen to publish that information on a Wikimedia project themselves. PII includes the real names of pseudonymous or anonymous individuals who have not made their identity public on a Wikimedia project. Private information about public individuals, such as addresses or phone numbers that the individual has not made public, is also considered PII. It also includes IP addresses and user agents of those who have not made this connection in the past.
Handling PII on-wiki
You may be asked to handle PII that is posted in a variety of locations, deliberately or otherwise. It isn't always with malicious intent. Sometimes a person will post something about themselves on a project without realising how public that page is. Or perhaps someone mentions a link between another user and their PII that they thought was known, but it wasn't. No matter the intentions of the person who posted it, PII that isn't willingly divulged generally needs to be handled with caution and removed and suppressed as necessary.
PII can be revealed on Wikimedia project noticeboards and talk pages, such as those used for mediation. This is not always done maliciously. Some examples of accidental publication of PII might include:
- Someone attempting to make a link between a user and their location, their employer, or an IP address to prove a point in a debate;
- Someone referring to another person by name (assuming the other person had not publicly linked this to their account);
- Someone uploading an image of an event that shows another user and their nametag, thus connecting a user to their real name, or that contains the user's real name in the tags or metadata.
In all of these cases, even if no action is merited against the person who made the edits, the edits themselves should be suppressed by an oversighter. Refer to the Immediate action section of this module for more information.
There is also the additional possibility of articles being used in harassment of this variety. This is of particular concern when the harassment is targeting an individual with a Wikipedia article of their own. Most of the time, such targets are fairly low-profile, if notable, individuals. Most projects' policies on biographies of living people contain information on how to treat articles on people such as this. Situations involving articles such as these might include:
- Posting street addresses or phone numbers into infoboxes or article text;
- Inserting unsourced or false material that is controversial or purports to reveal personal details (usually where those details are excessive – details of divorces, children's ages...);
- Adding links to unreliable websites or blogs that reveal previously unpublished or unverified personal details.
Be wary of reacting to content-exclusive issues as harassment. Undue weight given to sourced content – such as criticisms or controversies – is a different matter and ought to be handled with on-wiki discussion.
Responding to posters of PII
There are a few ways you can respond to those who post personally identifiable information. Policies on assuming good faith vary greatly by project, but generally you will be able to use common sense to determine whether something is done on purpose or by accident.
Consider, first, if the PII was posted by accident. For example, a user may have posted their email address for further correspondence. Or they may have posted what they thought was a known connection between two online identities that had actually not been previously linked. In cases like these, treat the actual PII as serious, and try to communicate with the posting user as quietly as possible about why posting this type of information is not allowed.
If the posting of this information was obviously deliberate, or if a seemingly accidental posting is repeated, more severe action might be needed. Cases of deliberate PII release might include an attempt to "out" another editor, perhaps to link their account to a purported employer. It could also include leaking personal emails or other communication which could be compromising.
In cases of deliberate PII release, it may not be enough to have a quiet talk with the poster; you may need to block or threaten to block their account in order to make them stop posting the information. Use your judgment to decide whether a stern warning will suffice or whether a block is necessary. If you choose to use a block, be aware that you may also need to restrict the blocked user's ability to edit their talk page in order to keep them from posting the PII there.
Possibly the hardest part of dealing with the public posting of personal information is corresponding with victims.
On-wiki steps they can take
The first and most important step a victim in a case like this should take is to contact oversighters directly. If oversighters don't exist on the project in question, instead contact the Wikimedia stewards through email or on IRC. This should be done as quietly as possible to avoid drawing attention to the personal information and to prevent its spread.
Functionaries might wish to take action against the poster of this PII, assuming it was posted with malicious intent or is posted repeatedly.
Off-wiki steps to recommend they pursue
Off-wiki posting of information is much more difficult to remove than on-wiki edits. Once information is posted online, it can spread quickly and be difficult or impossible to completely remove.
It can be a good idea to contact the hosts of the website on which the leaked content has been hosted and ask them to remove it. This is especially effective when the website in question has a Trust and Safety team set up to deal with these situations.
If the victim has concerns for their safety as a result of the leak, they may contact their local law enforcement. This should ideally be done by the victim themselves, as some authorities may not accept reports by a third party. The posting of personal information online may be illegal depending on where the victim or suspect is located, especially if that information is illegally obtained.
What not to do – The "Streisand effect"
The "Streisand effect" is a term used to refer to cases where trying to hide something actually makes it more visible. It is named after American actress Barbra Streisand, who attempted to stop the media from publishing a photograph of her house with a court order. The press attention from this court order led to more people seeing and sharing the photograph.
When attempting to handle "outing" claims, it is important to keep in mind things that you shouldn't do or that could make the situation worse. Of course, the number one priority should be ensuring the information leak is contained, and doesn't spread any further.
- If you are not an oversighter, and cannot deal with this information right away, don't explicitly link to it in public. This includes on IRC and on administrative noticeboards. Doing so increases the chances of bad actors copying the information and leaking it in the future. Instead, contact an oversighter or oversighters directly, by email or on IRC. If the leak was on a wiki which doesn't have oversighters, contact a steward instead.
- If suppressing PII will require hiding many revisions, be aware that this will look strange and can look suspicious. There is every chance that such an action will raise suspicion and that the reason for the suppression might be questioned. Be sure to clarify this risk with the reporter and ensure they are willing to take the potential extra scrutiny.
H9: "Off-wiki" harassment
The Wikimedia projects' low tolerance for harassing behavior sometimes leads people to take Wikimedia-related harassment to other platforms and websites. This often, but not always, occurs after a Wikimedia account has been blocked; in rarer cases, a user in good standing will go off-wiki to target an opponent in the belief that doing this off-wiki means they cannot get in trouble on-wiki. Off-wiki harassment is among the most difficult to deal with, because local administrators and functionaries cannot directly stop or remove the harassment.
Often, helping a harassment target with off-wiki harassment means educating yourself on the policies and procedures of the site where the harassment occurs, so that you can help the victim figure out what options are available to them. Some websites have good procedures to help people remove harassing comments or images, while others may expressly ignore the problem.
Types of off-wiki harassment you may encounter
There are a number of different forms off-wiki harassment might take, including but not limited to:
- Doxxing – publishing personally identifying information about a victim
- Impersonating the victim – in this type of attack, a harasser pretends to be their target and carries out behavior elsewhere that would embarrass or harm the target if it were linked to them.
- Brigading – advertising at an off-wiki venue for other users to come to Wikipedia and attack or revert the victim
- "Revenge porn" (real or forged) – this may involve publishing actual photos of a victim in sexual situations, or it may involve the forging of such images (for instance, by photoshopping a victim's head onto a sex-related photo)
- Phone calls or emails directed at victim – a harasser may use these communication venues to intimidate, issue threats, or carry out sexual harassment
- Phone calls or emails directed at victim's family or job – often used to make negative accusations about the victim, or to intimidate them by showing they can access loved ones. This type of intimidation can be particularly frightening for a victim.
When you receive a complaint about off-wiki harassment, it may or may not say who the reporting party believes the perpetrator is. If it does include such an allegation, your first priority should be to verify, if possible, this claim: is the Wikipedia user actually the same user as whoever is doing the off-wiki harassment? A distressed victim may not be a reliable judge of guilt. It is always possible for a malicious third party to be carrying out an impersonation that victimizes both the victim and the alleged perpetrator, or for someone to take advantage of our system to target a good faith user they disagree with.
Verifying the identity of the harasser may be a simple task, or it may be essentially impossible. It is your team's or community's responsibility to determine what amount and type of evidence is adequate to take action; in general, you should remember that a wiki is not a court of law, and your team have been entrusted with your advanced rights because your community trusts you to make good decisions.
Some ways you may be able to investigate the identity of the harasser include:
- Comparing the off-wiki perpetrator's interests or language with the alleged on-wiki user
- Using search engines to try to connect the off-wiki perpetrator's username on that site with the details of a Wikipedia account
- Checking to see if the Wikipedia username has ever mentioned the other account being theirs anywhere on-wiki (the reverse, where the off-wiki account identifies itself off-wiki as a Wikipedia account, is not verification of the linkage.)
Some ways your team may be able to request more information about the identity of the harasser from outside parties include:
- Reaching out to the off-wiki site's Trust and Safety team for assistance
- Filing a complaint with the perpetrator's ISP, if it is identifiable
- In extreme cases, contacting legal assistance, which may be able to subpoena information about the perpetrator
Where harassment is taking place on external websites, it can be possible to request intervention from these websites themselves. Many of the major social media networks now have Trust and Safety teams, though the existence of and best practices for these teams are often quite new. As a result, many of these teams are still trying to firm up policies and procedures for dealing with cases, and may not have a definite, immediate response to give to a complaint. That having been said, most trust & safety teams care about protecting their users and are receptive to complaints about these issues.
Some websites have streamlined the process of requesting content be taken down; for instance, Facebook allows users to report problematic content of many types with a button and Twitter accepts reports of copyright violations via an online form.
Assistance you can offer the victim
How to protect their personal information
For a more extensive list of ideas, see RAINN's list
A user who has been doxxed or threatened off-wiki will often be extremely concerned about their personal safety, given that the perpetrator has such information about their life. While you cannot directly protect a user's information or safety, there are some resources you can direct them to about how to protect their information:
- They should verify, and potentially tighten, their social media privacy settings. Most of these websites offer a help page or wizard to help users choose what privacy settings work best for them. For instance, here is a guide to Facebook's privacy settings
- They may want to request removal of their personal information from "people search" websites. In some countries, personal details such as names, addresses, and phone numbers are considered public information, and for-profit websites gather and package this information for re-sale. Most such websites include an "opt-out" method for people who do not want their information shared this way, but those methods are not always easy to locate. A "how to" guide like this one may help a user have their information taken down.
How to secure their accounts on other sites
When a user reports that an account they own has been compromised, or "hacked", you can suggest some important steps they should take immediately:
- Ask the user to check their password security. It is usually a simple matter for the user to reset their password for the hacked account, and they should be sure to do the same for any other online accounts for which they have used the same, or a related, password.
- Contact the administration or Trust and Safety team of the website their account was hacked on, if it has been. These teams can often secure or restore an account with the tools available to them.
- Consider enabling two-factor authentication on sites where it is available. With this enabled, someone who has the user's username and password will still not be able to access the account without the second "factor". This process usually involves linking an account to a mobile device.
H10: Image-based problems
In some cases, users can be the victims of harassment involving images. This can come in many forms, but all have the potential to be upsetting or intimidating. Some examples of how images might be used to harass a user include:
- An attendee of a Wikimedia event being photographed without their consent, with the resulting photographs posted to Wikimedia Commons or a sister project;
- Images of pornography, violence, racism or otherwise shocking images are sent to users;
- Editing a user's photograph, for example to combine it with a shocking or controversial image;
- Using a user's image to illustrate an article that has negative connotations (for example, replacing the lead image in the "pedophilia" article with the user's picture)
How and when to get an image deleted
Getting an image deleted can be a complicated process. The most important aspect to consider is whether the image actually breaks any rules. Sometimes the image itself isn't causing the issue so much as an attacker using it maliciously. Commons has some shocking images, or images that might cause distress to users. This by itself is not normally a reason to have them deleted.
A common form of image-based harassment is the posting of images taken of volunteers without their consent. At events, there are usually precautions taken to ensure those who do not wish to have their images taken are catered for. This is usually done with stickers or lanyards. In some circumstances, these may be ignored – maliciously or otherwise – by photographers or camera operators at events. It can be distressing to have a photograph linked to a username, especially if the link wasn't apparent before. It's also treated as a form of personally identifying information (see H8) on the projects.
Note that images used to harass users are often posted "off-wiki". Learn more about dealing with harassment taking place on external websites.
Images on Wikimedia Commons
Most images found on our projects are hosted on Wikimedia Commons. You can identify if an image is hosted there, rather than on a local Wikimedia project, by the appearance of the "View on Commons" tab along the top of the page. There will also be a note just below the image stating that the file is accessible on Commons.
Wikimedia Commons has a guideline around images of identifiable people which can be useful in situations like this. It states: "The subject's consent is usually needed for publishing a photograph of an identifiable individual taken in a private place, and Commons expects this even if local laws do not require it."
Wikimedia events are usually considered private places. This can be a little more blurry if the event is held in a normally-public place like a library or a university. A well-run event will have either something to sign if you are okay with photographs being taken, or more usually stickers or lanyards to indicate you are not comfortable being in photographs.
Even in public places, country-specific rules exist on consent. These rules can be complicated, and not all are legally binding. Check whether or not the country in which the offending photograph was taken is covered by a rule such as this.
"Selfies" or other images of editors which are uploaded by themselves are fairly common on Wikimedia Commons. Of course, while these are usually fine, users should be aware that images of themselves have the potential to be abused for harassment in the future.
Images on local projects
Images hosted on local projects are dealt with slightly differently. Policies on this tend to vary by project. On most, the unauthorized posting of someone's photograph counts as the release of personally identifying information.
Images involving minors/child pornography
Where there is a suspicion that an image might contain child abuse or child pornography, please immediately report it to the Wikimedia Foundation through legal-reports@wikimedia.org to alert the Trust and Safety team. Include a URL link to it so that it can be reviewed quickly. Even though situations like this are rare, it is important that the material is reviewed promptly – having all relevant information available at first contact helps speed things up substantially. The Trust and Safety team at the Wikimedia Foundation is tasked with reporting and otherwise handling such images.
Even if there's no obvious abuse or suggestion of pornography involved with an image of a minor, it can still be upsetting. There currently is no hard rule regarding the treatment of images of younger editors, uploaded by themselves or by others. Generally it is best to use your common sense – would this image be harmful if it remained? Is this image within the scope of Wikimedia Commons?
H11: Closing cases
We've covered a lot of skills that are important for closing a case in previous lessons in this module. Let's review them now.
Any case closure will need to start with documentation. While the case is still fresh in your memory, write enough information down so that anyone who is asked to review the case in the future can figure out what went on. Your documentation should have information about what the case was about, who investigated the report and what they found, and what the outcome was.
This documentation may be stored on your team's private wiki, or in a post to your team's private, secured mailing list. Do not document your cases publicly or in a low-security location like an etherpad; remember that while you are trusted with access to private and/or personal information about editors so you can investigate these cases, not everyone is; this information is still private and personal and should not be made public.
Closing non-actionable reports
Even in a case where you and your team take no action – whether because the case was weak or erroneous, or because there's simply nothing your team can do – there are some steps you will need to carry out as you close a case.
First, you will need to notify the victim of the outcome of your investigation. Remember to communicate with empathy and to offer the victim further resources for help if such resources exist. You may wish to provide some detail about why the case was deemed non-actionable, but do not become over-detailed: it is relevant to the victim whether the case is being closed because the facts could not be verified, as opposed to because the facts were verified but no on-wiki action was possible, but it is rarely a good idea to go into detail about whether you, personally, believed their report or whether a particular piece of evidence was found lacking.
Third, you may need to notify the subject of the report. Whether this is necessary will depend on the situation: was the report obviously mistaken, and you closed it at a glance without needing to do a full investigation? In that case, the subject of the report may not know a complaint was even filed, and will be surprised to hear from you. On the other hand, did you do a full investigation, including speaking to the subject and/or witnesses about the existence of the case? In that case, you owe it to the subject to let them know that the case is closed and what the outcome is.
Closing actionable reports
Closing an actionable report is a bit more involved, though it is based on most of the same steps.
Usually, your first step in closing an actionable case will be to take any on-wiki action your team has decided on. The timing of this step is important; if it has become necessary to place a block or ban on a user, you want to avoid leaving them in a state of "nothing left to lose," especially if they have advanced user rights that could be misused in retaliation. That will mean placing any blocks or bans first, before notifying the sanctioned user. Remember that in severe cases that involve advanced user rights, you may need to contact a steward or bureaucrat to request removal of those rights, and that these teams may not make instantaneous decisions on such requests. In a case where you must reach out to stewards or bureaucrats for higher-level action, you needn't delay your closing of your case or your taking any necessary local actions unless you have reason to believe that the need for these actions will be affected by the decisions made by the stewards/bureaucrats.
There should not be a gap in time where the sanctioned user is left wondering why a sanction has been placed on them; immediately after placing any blocks or bans that are needed, you should notify relevant parties. This will include the sanctioned editor, first; the victim or person who reported the case to you, second; and possibly any on-wiki venues your community requires sanctions to be posted in (for instance, your community may expect things like desysops to be announced on a noticeboard – see H12, below, for more on public reporting).
When communicating with the subject of a report in cases where you have decided to take action against them, keep your statements factual and as non-judgmental as you reasonably can given the situation. Your goal is to communicate what action is being taken against them and, in general terms, why, and what they can do if they wish to appeal your decision. Even in the context of explaining how to appeal, however, it is not appropriate to provide a sanctioned user with the name of, or detailed information provided by, their accuser or victim.
As always, you should attempt to communicate with victims with empathy, but without violating your obligation to protect the privacy of others involved in the case. Let them know the outcome of the case and any additional details they need to know, and provide them with additional resources if you know of them. Do not go into detail about evidence or how it influenced your team's decision, and do not be congratulatory or speak negatively about others involved in the case.
H12: Reporting out
Once you have finished placing any necessary sanctions, it's time to think about updating involved parties and, potentially, posting a public notice of the case outcome. Doing so will not be necessary in all cases, and you will usually need to use your best judgment when deciding what to say publicly about a case and how to say it.
Deciding whether a public announcement/notice is necessary
Whether you need to make a public announcement about the outcome of a harassment case and/or the sanctioning of a user via a private case will depend, for the most part, on your project's local policies and norms.
Some projects, like English Wikipedia, publicly announce all removals of advanced user rights via a noticeboard; if your case's closure included one of these actions, your team will be expected to make a public statement about it. Other projects rely more heavily on individual administrator discretion, or on private discussion about these topics; if your project is one of those types, you should not make an undue spectacle of your case's closure.
Choosing what details to release in a public announcement
Even when you do need to make a public announcement about a case closure, however, you are not obligated to – and in nearly all cases, should not – release the entirety of the case, evidence, or investigation; most of these will contain private or sensitive information that may lead to either the victim or the perpetrator being targeted in the future. Your announcement should be factual and as neutral as possible; it is your responsibility to make any necessary announcements in a way that will not harm the involved parties.
However, it is also important to remember that most people who view a notice about the outcome of your investigation will not be aware of the detailed background you have on involved parties, nor will they have seen all or most of the evidence you examined. Do your best to make your statement understandable to community members in this position; failing to do so may undermine the community's trust in your team's decisions. It is a balance.
Things your announcement should contain:
- The username of the sanctioned user
- The basis of the case (i.e. "harassment" or "misuse of private information")
- The outcome of the case ("user is banned" or "user is desysopped", etc)
Things that might be appropriate to include in your announcement:
- On-wiki diffs of problematic behavior by the sanctioned user if and only if they are vital to describing this case, and they contain no private or hurtful information about either the targeted editor or others
Things that are not appropriate to include in your announcement:
- Personal details of, or links to content that includes the personal details of, parties involved in the case. Do not refer to users by their real names, or provide links to places like their personal websites
- The content of, or links to the content of, the harassment. The reason you or your team handled the case privately was because this content was potentially hurtful or embarrassing to the victim
- Explicit accusations of activities you believe the sanctioned user has carried out. While your announcement should provide some information about why you are sanctioning the person, be aware of the fact that an internet pseudonym is not an impenetrable shield, and there is potential for any accusations you make to harm the real life of the person about whom you make them.
- Be cautious! In extreme cases, you could be held legally liable for inaccurate or unprovable statements you publicly make about someone.
Responding to third-party questions about a case
As you did when you were writing your initial public statement, remember after you release the statement that community members who see your announcement do not know the details of the case and may not know much about any of the involved parties. It is understandable that members of a transparency-centric movement might express concern if you announce an investigation that was conducted off-wiki and without public discussion; your team's decisions in such a situation may appear shocking or unjustified, and community members may want you to answer questions ranging from the general ("Does this outcome affect how we apply Policy X?") to the very specific ("Is this about that post user:Y made on Reddit about user:X?")
Though these community questions are understandable, when attempting to answer them, you should remember that there is a reason that your community charged your team with handling these investigations in private when needed. A question being asked does not mean you are obligated to fully answer it if doing so would reveal case details that are best kept private.
In a situation where third parties are asking you questions about a case, aim to provide as much detail as you safely can, but no more. Use your best judgment to determine where to draw the line; below are some general rules of thumb, but if you're not sure whether a question can be answered without stepping outside those lines, always check with your team or a colleague.
1. Is the question answerable without violating the privacy of any involved parties? If yes, go to 2. If no, do not answer publicly.
2. Is the question answerable without violating any confidentiality obligations that apply to your team's discussions? If yes, go to 3. If no, do not answer publicly.
3. Is the question directly relevant to the case at hand? If yes, go to 4. If no, suggest the question be brought to a more appropriate venue.
4. Does the question appear to be relevant to helping the community understand your team's decisions, or does it appear to be a matter of curiosity? If relevant, answer the question publicly based upon your best judgment. If it seems to be curiosity, respond by explaining the reasons why it is important to conduct harassment investigations privately.
H13: After a case
Dealing with harassment cases is tough for all involved. This doesn't just apply to the parties of the case, but to the mediator as well. It is important to know how to effectively care for yourself after handling a case, no matter what the outcome of the case is.
It's not uncommon to feel personally invested in cases, particularly ones which do not have an easy solution or which uncover information that upsets you. You may experience "secondary trauma" or "caregiver burnout" – a common feeling of guilt or mental exhaustion experienced by those providing care to others. It is important to recognize that this might impact you as well, and that you should deal with it seriously. Your ability to care for others depends on you keeping yourself safe and healthy enough to effectively give that care.
Some resources around caregiver burnout include WebMD and Australia's HealthDirect, which provide steps on what to do to deal with this. Many other resources are available to help you deal with stress. It is strongly recommended that you speak with your doctor if you feel this is getting in the way of your activities both on and off the projects.
Immediately after a case, you and the group in which you work (for example, local oversighters or the stewards) should gather to "debrief" on the case you just helped to mediate. Ask yourself questions to help with this, like:
- Was the result the best possible given the circumstances?
- What went well in this case? (Perhaps note down some things you did or said which were received well, or which led to progress.)
- What didn't go well in this case? (Perhaps note down some areas where progress was slow, or where processes made things difficult.)
- How could you work to make things better for next time? Are there policies that could be improved or discussed?
While it may seem odd to discuss a case, finish it, and then return immediately to talking about it, this type of debrief is useful to work out better processes, as well as to keep at least an informal record of how things are going. It is best done soon after the case, before people begin to forget details. It should make future cases that are similar easier should they come up, or it might even prevent them coming up at all. Your debrief doesn't need to be public – it can be done on an email thread or on a platform like IRC. The important thing is to think about whether your processes can be improved, and to start to understand where problems exist.
Responding to questions from the community or in public venues
Cases don't always end with a final decision and a report-out. Sometimes – especially in more controversial cases – your decision or actions taken will be questioned. Information on what to include in your answers to questions like these can be found in a previous section of this module. There is more to this than just answering the questions, though. You also need to be able to manage your own mental health here, balancing it with the well-being of those involved in the case.
If a question from the community is stressing you out, by all means discuss it with other people on your team. It might be a question that's difficult to answer without compromising the privacy of the parties involved in the case. Or it may be that the asker is less interested in the actual case than in making a point about policy or your team's enforcement methods. While you need to be able to navigate these questions calmly, accurately, and in a reasonable timeframe, those obligations shouldn't come to the detriment of yourself or those involved in the case.
You are never obligated to take an action you aren't comfortable with, particularly in a case that involves the potential for harassment; however, the community should be able to expect that relevant and non-intrusive questions will be answered. If you're concerned that doing something like answering a public question might result in harassment directed at you either on-wiki or on external websites, consider asking another team member to answer it, or referring the questioner to a more private venue like email for discussion.
Follow-up tracking and appeals
Once you've finished dealing with a case, there's usually an avenue for the punished party to appeal later. This is usually at some point after their block or ban is placed. (In some cases your team may need to restrict the frequency of or time frame of such appeals.) For the mediator, this means it's not unlikely that a case comes up again in the future. Even if there is no appeal, it's worth keeping an eye on these cases after they come to a close.
You don't need to keep a personal log of every case you've ever looked at. For the most part, you should just know where to look for records about previous cases, and know how to parse them in the future. For those on Arbitration Committees and on other committees which rely on decisions made in previous cases, this is a key part of your work. In particular, you should know how to find:
- The result of the case
- The parties involved in the case
- The reporter, assuming they weren't otherwise a party in the case
If the case was dealt with privately for some reason – if it was a sensitive issue, or if revealing any of the above points would be dangerous somehow – then you should at least be aware of these details in case they are needed in future cases.
H14: Other resources
Find or learn about a policy
- "Biographies of living persons" (find yours)
- Blocking policy (find yours)
- "Doxing": English Wikipedia article, English Wikipedia policy
- "No personal attacks" (find yours)
- "No harassment" (find yours)
- Oversight policy (global)
- "Photographs of identifiable people" (Commons)
  - Laws by country
- "Wikihounding" (English Wikipedia policy)
Get help from teams within the Wikimedia movement
- The Wikimedia Foundation's Support and Safety team
- Small Wiki Monitoring Team (global)
- Wikimedia Foundation's Legal Fees Assistance Program
- Requesting oversight
- Wikimedia Stewards
Learn more about concepts and best practices
- Learn about "Active Listening"
- Learn how to use Wikimedia Search's "prefix" feature
- Tips for staying safe on social media
- How to have your personal information removed from data websites
- Find out whether a website offers 2-Factor Authentication
- What does "practicing law without a license" mean?
- One person's explanation of why giving mental health advice can be dangerous
- Learn about the connection between internet harassment and depression (pdf)
- A summary of Pew Internet's harassment study
  - Read full study (pdf)
Learn more about other sites
- Managing your Google Documents sharing settings
- Reporting inappropriate content on Facebook
- Making a DMCA claim on Twitter
- Managing your Facebook privacy settings
Get help from support organizations
- RAINN: Support for victims of rape, abuse and incest
- National Crime Agency Command (UK only) for protection of at-risk or abused children
- The Office for the Victims of Crime (US only)
- Citizens Advice page on free and affordable legal resources (UK only)
- Extensive list of support organizations (international)
- Support & Safety's resource list
- Suicide prevention hotlines: United States / non-United States
- The Trevor Project: LGBTQIA crisis support
- English/Spanish bilingual crisis hotline for "LGBTQ & HIV-affected victims and survivors of any type of violence"
- WHOA (Working to Halt Online Abuse) crisis support for victims of online harassment and threats
- Crash Override Network for victims of online abuse
- Victim Connect Resource Center (US)
- Contact the NAMI helpline
References
- Research:Harassment survey 2015
- Ybarra, M. L., 2004. Linkages between Depressive Symptomatology and Internet Harassment among Young Regular Internet Users, Cyberpsychology & Behavior, 7(2). Mary Ann Liebert.
- Duggan, Maeve (2014-10-22). "Online Harassment". Pew Research Center.
- Johnson, Bobbie (2009-08-12). "Wikipedia approaches its limits". The Guardian. Retrieved 2014-05-25.
- Shankbone, David (2008-06-07). "Nobody's Safe in Cyberspace". The Brooklyn Rail. Retrieved 2008-07-10.
- While the Support & Safety team is multilingual and will do their best to handle reports in any language, you may feel that it would be more useful to reach out directly to your or the victim's local authorities. We encourage you to do so – especially in combination with reporting to SuSa – if you feel comfortable doing so.