Protecting Yourself Online: Online Security and SWAT Mitigation

Back in 2016, we published a helpful primer on protecting yourself as a streamer. Digital technology and the Internet moves quickly, so we at StreamerSquare felt it was time to really dig into online security topics.

You are your only advocate for personal safety on the internet. This can’t be stressed enough.

Previous articles in this series have discussed DDoS attacks, parasocial relationships, and the importance of setting privacy boundaries with your community.

In this entry we’ll go in depth about how to secure your information online.

OPSEC. The most paranoid of all I.T. Sectors.

OPSEC (Operational Security) is a military term to describe the process of securing sensitive information that could compromise a mission.

With the ever increasing presence of the internet in our lives, this phrase has been co-opted by the general public to describe the how well an individual or business goes about securing their sensitive information online. “How’s your OPSEC?” is a legitimate question when discussing this subject.

What this author discovered during their research is, if you ever want to have strong urges to delete fricken everything and move off grid to a remote cabin from a Bob Ross painting, this is the one to dig into.

It’s a deep rabbit hole filled with technically intimidating advice given by gate-keeping posters who can be as toxic as a Dark Souls PvP forum.

Hyperbole and jokes aside, your personal OPSEC is extremely important and shouldn’t be taken lightly. As a content creator on a streaming platform, it’s vital to safeguarding you and your brand.

The Key Points

The goal of OPSEC as a content creator is for you to have control over how much information people have access to regarding your personal life. In our previous article discussing boundaries, we touched on the very basics of this idea. But setting boundaries with your chat is only the tip of the iceberg.

Your personal information can be broken into these data points:

  • Full Name
  • Home Address
  • Social Security Number
  • Date Of Birth
  • Email Accounts and Passwords
  • Your Mother’s Maiden Name
  • Personal Online Digital Footprint (Social Media, Forum Accounts)
  • Employment Information
  • Financial Information
  • Personal Telephone Numbers
  • Relatives and Family Members

These are like Pokémon. Catch enough of the right ones about someone, and they’re extremely powerful against their personal security.

So where do you even start protecting such a long list?

The Obvious

We’re going to skip over the obvious stuff with some bullet points.

  • Be careful of opening email attachments from people you don’t recognize.
  • Be careful about clicking on strange links in chat and discord.
  • Don’t give out your social security number or other identifying information unless you know and trust the person or place you’re giving it to.
  • Install a paid for and well reviewed AV program on your computer.

These are the security tips you get told time and time again. If you’re just hearing about them now, you might consider holding off on that full time content creator career until you can get a bit more familiar with the environment you’re working in.

Obligatory Password and 2FA lecture

We’re not going to lecture you about using passwords like “password123” for everything. By now, using something like Keepass or Lastpass is pretty standard advice. Same goes for using 2FA (Two Factor Authentication) wherever possible.

2FA is typically the service available on many websites where after you log in, a text message is sent to your cell phone with a unique code that the website prompts you for.

A newer concept of passwords are to use “passphrases” instead of complicated jumbles of symbols, letters, and numbers. A passphrase is a short string of unrelated words separated by a spaces that’s contextually meaningful that you’ll remember.

“89 Bouncing elephants!” is easy to remember if you and your significant other have an inside joke about bouncing elephants and your birthday is in 1989. It’s also statistically more secure than “!d10T3rr0r*” and meets most complexity requirements.

If you ARE using “password123” for all your accounts, please comment below with the username and web address of the account, and one of our representatives will assist you shortly… (We’re joking. Please don’t do this and for the love of all that is rendered, don’t use password123)

Brand and Business Registrations

Many of us end up registering our own domain to put a website on. A common security mistake made during this process is registering this new domain with no privacy settings enabled.

A simple “whois” lookup of any website reveals the registered owner’s information used when the domain was purchased. If you do this without enabling privacy settings, it’s a real quick way to loose the security of your real name, address and contact information.

When registering a new website, take advantage of the private registration features that almost all domain registrars offer. It might cost you an extra couple of bucks, but it’s worth it.

You might have a registered L.L.C. or private business for your streaming brand. While you could use this entity to register your web address, keep in mind that virtually every Corporate Commission in the country has a public, searchable database.

Depending on how you set up your business, this database may link back to your personal details. We recommend you consult a business attorney for more information regarding your business registration and what details will be publicly accessible.

But essentially, the easiest way is to just use the “register domain privately” feature on whatever domain registrar you use. It’s quick, easy and virtually bullet proof.

Segregate Points Of Contact

If you watch our Stream Doctor sessions, you’re familiar with the suggestion to make all of your social media and contacts on brand. This means your stream channel name, Email, Twitter, Instagram and other outward facing points of contact all are consistently named. Do this early on and only make these contacts available to your community.

Likewise, keep all your off brand contacts segregated from anything to do with your brand. This will have the effect of building a firewall between people from your brands community and people from your personal life.

Make sure those branded accounts don’t link to things in your personal life, either. It’s fine to have an Instagram that your viewers can interact with, in fact, that’s a good thing! But be cognizant of what you post to that branded Instagram to ensure sure you’re not disclosing personal information when you do.

Also, try to limit cross posting the same pictures between business and private personal accounts. A google image search of a picture from your business account could return a result from your personal one. This could expose your private account’s name and give someone a foothold on your information.

Scrub and Separate

If you have old, non brand accounts with content that you would be embarrassed to have show up during a stream, delete them. Can’t delete them? Edit or remove as much of the content as possible.

If you want to keep them, change the username on them to something that you’ve never used anywhere else and create a burner E-mail to associate with it. Make sure the username, account details and content can’t be connected with anything related to you or your business.

The more you scrub your personal online footprint before creating your branded online footprint, the less risk you’ll have of someone being able to connect the dots.

A great rule of thumb for your branded accounts is: imagine each and every post made with them will also have a picture of your face and real name next to it. Keep them in line with the professional image you want to be known for. Remember, the internet loves to embarrass people.

Compartmentalize

For your personal accounts, the most secure practice is to have a wide range of unique usernames that get used once per website. It’s easy to figure out that a list of accounts on different social media sites all belong to one person if the user name is always “SmurfFan93” with the same avatar.

If you have a personal Deviant Art account with a specific username, don’t use that same username for your private Instagram account. Your private Twitter handle shouldn’t match your private Pinterest screen name. Internet forum names shouldn’t match up with your Tumbler name… you get the idea.

You don’t need consistency in your personal accounts, so the more UN-like the usernames are to each other, the less chance someone will have of connecting them all together should they stumble onto one of your personal accounts.

This way, if someone learns about your Tumblr account, they can’t “pivot” through the rest of social media with that username to find more of your information and postings. That’s one of the first things a stalker will do once they learn an internet handle that belongs to their target.

Pictures and EXIF Metadata

If you’re not familiar with what EXIF data is, you should all google “What is EXIF data?” Actually, we just did it for you. Click that link and familiarize yourself. In a nutshell, its a “fingerprint” encoded into each picture taken with a digital camera.

Check your frequently posted to places on the internet and find out if they strip EXIF metadata from uploaded pictures. While you’re at it, look into your phones settings to see if you can disable EXIF metadata from being associated with the pictures in the first place.

EXIF data can contain the specific GPS coordinates of where your pictures were taken. If you post a picture from your phone to an online site that doesn’t strip this data, anyone could potentially see the exact location of where you were when the picture was taken.

Definitely something you don’t want to leave lying around when you’re trying to keep your location private.

On Stream Awareness

“Misdirection is absolutely key for me. I will tell the truth and frame it as a lie, I will lie and frame it as the truth. I will even tell people publicly that I use misdirection which, itself, serves to further exacerbate the confusion about what (my) facts and fictions are. None of this is harmful, of course, but absolutely serves to protect me. “ ~ TheHunterWild | @Thehunterwildtv

TheHunterWild gives an outstanding example of active, on stream privacy awareness here.

What good is having a secure online footprint if you just tell everyone on stream how to find your front door. Or worse yet, find that cringy account from when you were 13. You know, THAT one that you never got around to deleting with copious amounts of your hand drawn Edward Cullen fan pictures?

Be aware that you can overshare on your streams to your own detriment. If someone in your community is wanting to invade your personal boundaries, listening to you talk is the easiest way to learn how to do so. They can lurk in your streams without saying a word, and learn all they need to know.

A common way oversharing causes problems is through your family or personal friends. YOU might have great OPSEC, but how well does your dad practice it? What about your drinking buddy that snaps pictures of you and posts them all the time with your real name and location?

If you overshare information about these people, someone could find them online and through their posts, find you. Change their names and obfuscate the truth about people, places and events near you. Just a little bit. Is the corner store you walk to a “QT”? Make it a “7-11” on stream. That sort of stuff.

The picture of your identity that you share with your community should be a puzzle with several missing pieces. Not only that, it should have a few wrong ones thrown in as well for good measure.

Location, Location, Loca- Wait.. no.

Don’t. Disclose. Your. Location.

Don’t tell people where you live beyond general, vague terms. Definitely not anything more specific than your city. Most streamers disclose their city in their profile anyways. A viewer constantly asking for more specifics about your location should be made note of with your mod team.

While this might not always be for anything bad, you shouldn’t divulge this without careful consideration. Divert the conversation with something like: “I live in the [insert your stream’s name here] part of town!”

Be mindful when talking about local places and events. If you mention that you walk to a local store or shop, it pretty much tells everyone who can google that you live within a mile or so of said location. If you get a PO box for viewers to send you stuff, get one in a different zip code or neighborhood.

IP Addresses

In our last article, we talked about IP Addresses. Don’t worry too much about someone trying to troll you by saying they have yours. Best they’ll get is the city you live in. Since that’s a safe disclosure on your part already, it’s meaningless on it’s own.

But if they pair your IP address up with some other facts… facts like your PO box’s zip code, and what store you walk to? Now your location can be narrowed down to a few city blocks. Have you posted a picture from your backyard with a landmark in the distance? That’s as good as a google map pin.

Take a moment to read this story and never forget that with enough motivation, people can and will use every scrap of information they can.

What’s the worst that can happen? SWAT.

Having your physical address posted on the internet as a streamer is a dangerous result of poor information control. Once it’s out there, it can never be taken back. This exposes you and your brand to a veritable smorgasbord of trollish and stalker behaviors.

What’s worse than an overly friendly viewer suddenly ringing your doorbell with a 24 pack of Natty Ice and a DVD collection of Adam Sandler Rom-Coms? A troll SWAT-ing you on stream.

SWAT-ing is the most extreme and dangerous form of online troll behavior today. Innocent people have been killed as a result, others have been convicted of serious criminal offenses trying to do it. It’s abhorrent, morally reprehensible, and yet wildly popular with people who have little regard for common sense or human safety.

What happens is, while you’re broadcasting, someone phones in an anonymous tip to your local police. They report a situation of violence or other harmful behavior happening at your address. In almost all cases, you’ll have no warning or indications that it’s happening.

Law Enforcement shows up and does what it does, interrupting your stream. Much to the delight of giggling trolls, they’ll then post clips of it wherever they can get gratification from.

This clip from a recent StreamScene broadcast with Lowco, TheHunterWild, Backdraft, and Rocketbear talks about this very thing, and what you can do to protect yourself and your family:

So This Is My Life Now?

In essence, yes. If you value your personal safety and privacy while building your career online, you’re going to have to think about what you make available to the public.

This can be done while still keeping a friendly engagement with your community. It might be hard to tell people “no” at first, but the vast majority of your community will understand the need for your boundaries.

However, you can’t live in a bubble. In order for you to build an active and engaging community, you’re going to need help from people who have some access to your personal life. These people are typically your close community friends and mods. People you’ve entrusted to cross those boundaries and into your circle of trust.

In our next article, we’ll go over the importance of that circle not only to your brand, but to your own personal well being. We’ll give you some ideas on how you can leverage that for greater interaction with your community.

Sources