H9: "Off-wiki" harassment
The Wikimedia projects' low tolerance for harassing behavior sometimes leads people to take Wikimedia-related harassment to other platforms and websites. This often, but not always, occurs after a Wikimedia account has been blocked; in rarer cases, a user in good standing will go off-wiki to target an opponent in the belief that doing this off-wiki means they cannot get in trouble on-wiki. Off-wiki harassment is among the most difficult forms of harassment to deal with, because local administrators and functionaries cannot directly stop or remove the harassment.
Often, helping a harassment target with off-wiki harassment means educating yourself on the policies and procedures of the site where the harassment occurs, so that you can help the victim figure out what options are available to them. Some websites have good procedures to help people remove harassing comments or images, while others may expressly ignore the problem.
Types of off-wiki harassment you may encounter
There are a number of different forms off-wiki harassment might take, including but not limited to:
- Doxxing – publishing personally identifying information about a victim
- Impersonating the victim – in this type of attack, a harasser pretends to be their target and carries out behavior elsewhere that would embarrass or harm the target if it were linked to them.
- Brigading – advertising at an off-wiki venue for other users to come to Wikipedia and attack or revert the victim
- "Revenge porn" (real or forged) – this may involve publishing actual photos of a victim in sexual situations, or it may involve the forging of such images (for instance, by photoshopping a victim's head onto a sex-related photo)
- Phone calls or emails directed at the victim – a harasser may use these communication venues to intimidate, issue threats, or carry out sexual harassment
- Phone calls or emails directed at the victim's family or job – often used to make negative accusations about the victim, or to intimidate them by showing that the harasser can access their loved ones. This type of intimidation can be particularly frightening for a victim.
When you receive a complaint about off-wiki harassment, it may or may not say who the reporting party believes the perpetrator is. If it does include such an allegation, your first priority should be to verify, if possible, this claim: is the Wikipedia user actually the same user as whoever is doing the off-wiki harassment? A distressed victim may not be a reliable judge of guilt. It is always possible for a malicious third party to be carrying out an impersonation that victimizes both the victim and the alleged perpetrator, or for someone to take advantage of our system to target a good faith user they disagree with.
Verifying the identity of the harasser may be a simple task, or it may be essentially impossible. It is your team's or community's responsibility to determine what amount and type of evidence is adequate to take action; in general, you should remember that a wiki is not a court of law, and your team have been entrusted with your advanced rights because your community trusts you to make good decisions.
Some ways you may be able to investigate the identity of the harasser include:
- Comparing the off-wiki perpetrator's interests or language with the alleged on-wiki user
- Using search engines to try to connect the off-wiki perpetrator's username on that site with the details of a Wikipedia account
- Checking to see if the Wikipedia username has ever mentioned the other account being theirs anywhere on-wiki (the reverse, where the off-wiki account identifies itself off-wiki as a Wikipedia account, is not verification of the linkage)
Some ways your team may be able to request more information about the identity of the harasser from outside parties include:
- Reaching out to the off-wiki site's Trust and Safety team for assistance
- Filing a complaint with the perpetrator's ISP, if it is identifiable
- In extreme cases, contacting legal assistance, which may be able to subpoena information about the perpetrator
Where harassment is taking place on external websites, it can be possible to request intervention from these websites themselves. Many of the major social media networks now have Trust and Safety teams, though the existence of and best practices for these teams are often quite new. As a result, many of these teams are still trying to firm up policies and procedures for dealing with cases, and may not have a definite, immediate response to give to a complaint. That having been said, most Trust and Safety teams care about protecting their users and are receptive to complaints about these issues.
Some websites have streamlined the process of requesting content be taken down; for instance, Facebook allows users to report problematic content of many types with a button and Twitter accepts reports of copyright violations via an online form.
Assistance you can offer the victim
How to protect their personal information
For a more extensive list of ideas, see RAINN's list
A user who has been doxxed or threatened off-wiki will often be extremely concerned about their personal safety, given that the perpetrator has such information about their life. While you cannot directly protect a user's information or safety, there are some resources you can direct them to about how to protect their information:
- They should verify, and potentially tighten, their social media privacy settings. Most of these websites offer a help page or wizard to help users choose what privacy settings work best for them. For instance, here is a guide to Facebook's privacy settings
- They may want to request removal of their personal information from "people search" websites. In some countries, personal details such as names, addresses, and phone numbers are considered public information, and for-profit websites gather and package this information for re-sale. Most such websites include an "opt-out" method for people who do not want their information shared this way, but those methods are not always easy to locate. A "how to" guide like this one may help a user have their information taken down.
How to secure their accounts on other sites
When a user reports that an account they own has been compromised, or "hacked", you can suggest some important steps they should take immediately:
- Ask the user to check their password security. It is usually a simple matter for the user to reset their password for the hacked account, and they should be sure to do the same for any other online accounts for which they have used the same, or a related, password.
- Contact the administration or Trust and Safety team of the website on which their account was hacked. These teams can often secure or restore an account with the tools available to them.
- Consider enabling two-factor authentication on sites where it is available. With this enabled, even if someone has the user's username and password, that person will still not be able to access the account without the second "factor". This process usually involves linking an account to a mobile device.