Physical Address
304 North Cardinal St.
Dorchester Center, MA 02124
With papers to write, grants to apply for and students to teach, cybersecurity can be a low priority for scientists. Until, that is, it all goes wrong.
“Frankly, this is an awful time for science,” says Noam Ross, executive director of rOpenSci, a non-profit initiative in Berkeley, California, that provides open-source software tools for scientists. He should know. During the COVID-19 pandemic, Ross, who is based in Brooklyn, New York, was working for the US non-profit organization EcoHealth Alliance, which aims to identify areas where human activity has increased the risk of disease spillover from animal sources. “EcoHealth became the subject of conspiracy theorists about the origin of COVID,” he says.
That made the organization — and anyone who worked for it — a target. “It could range from hate mail to death threats,” Ross says. “I had colleagues where some of that stuff was directed at their homes, not just the office.”
As political divides deepen, such threats are multiplying. In February, many people working for US federal health agencies found themselves ‘doxxed’ — their photograph and work information, as well as records of their political donations, were published on a website called DEI Watchlist. The site was created by the conservative, US non-profit organization American Accountability Foundation, with the purpose of “exposing the unelected career staff driving radical Diversity, Equity, and Inclusion (DEI) initiatives”.
Ariadna Gallo, a political scientist at Argentina’s national scientific and technical research council, CONICET, based in Buenos Aires, was doxxed in 2024 after being filmed at a public protest against cuts to academic funding in the country. A YouTuber featured her in a video and published her personal and academic details, triggering what Gallo calls a “torrent” of attacks in the video’s comments.
All scientists, regardless of their discipline or location, are potential targets, according to Matt Mitchell, chief executive of the Safety Sync Group in New York, which provides online and real-world advice and resources on security and safety. “This is where we are,” he says. “The problem is bigger than any one president, prime minister or leader of a totalitarian or authoritarian state.”
But there are things you can do to protect yourself, and resources that can help. Here are five steps to get started.
Your institution will have privacy policies and digital resources you can tap into, but there are also plenty available online. These include anti-doxxing tips from digital-rights non-profit group the Electronic Frontier Foundation (EFF) in San Francisco, California; cybersecurity risk-assessment tools from the Ford Foundation’s Grantee Safety Program in New York City; and assorted resources from the US government’s Cybersecurity and Infrastructure Security Agency.
Whatever you do, include your colleagues in the conversation. “This is absolutely vital,” says Thorin Klosowski, a security and privacy activist at the EFF in Los Angeles, California. “If everyone is not on board for the security steps you’re taking, it’s going to be less secure.”
Bouncing ideas around with colleagues outside your discipline can expose new problems and ways to fix them, he adds. “You might not think about the risk to a particular data set, or that your laptop might get stolen at a coffee shop, until you start having those conversations.”
Furthermore, it’s always good to know people who will have your back if you start to garner unwanted attention online. “Find a trusted colleague, mentor or loved one that knows what your concerns might be,” says Samuel Mendez, a PhD candidate studying public-health communication at the Harvard T. H. Chan School of Public Health in Boston, Massachusetts, who created a digital safety kit for public-health workers. That person can then be “someone you can reach out to for support if you do need help screening messages or documenting interactions at some point”, they add.
“An immediate step you can take right now is to search for your own information,” Mendez suggests. That can be as simple as googling yourself in combination with names of former employers, schools, places of residence and so on, to see whether you can find any contact information that you don’t want to be public. “From there, you can manually request removal,” Mendez says. Success might vary, however — whereas residents of the European Union have relatively strong privacy protections, including the right to request that personal data be erased (the ‘right to be forgotten’), that is not true everywhere, including in the United States.
Some firms will scrape your data from the Internet and sell it on, and you should definitely include these in your scrubbing. “My general recommendation is to make a request to one of the big ones, and just see what you get,” Klosowski says. Companies that scrape such data almost always give you your data set free of charge, he says; then you can decide how much you need to worry.
Alternatively, you can pay for a service that will remove the information for you, such as DeleteMe, Incogni or Kanary. In professions in which doxxing has been a problem, specialist services exist. Doximity’s DocDefender, for instance, will remove details from public sites as part of its package for physicians, who might be at risk from groups such as anti-abortion campaigners.
Institutions and professional bodies could make this process easier for researchers, says Greg Wilson, a cybersecurity educator in Toronto, Canada. Academic conferences, for instance, could include hour-long ‘bring your own device’ sessions during which people are walked through the process of securing their data and devices. Indeed, Mendez has run social events, such as a ‘digital safety disco’, where this goes on in an informal setting.
The basics of cybersecurity are straightforward, Klosowski says: use a password manager and two-factor authentication; make sure that no two sites or apps use the same password; and remove apps and delete accounts that you rarely use.