The Content Creator’s Quickstart Guide to Cybersecurity and Internet Safety
In recent years, there’s been an explosion of people wanting to become content creators: streamers, TikTokers, influencers, etc. But you may be surprised to learn that even this seemingly-benign career choice can come with risks: stalkers, trolls, and haters abound. If you plan to pursue a career in the spotlight, you’ll want to take some extra precautions to protect yourself.
Step 1: Picking an Identity
I strongly discourage any aspiring public figure from using their real names. This goes for any kind of public-facing persona. See, for example, Texas politician “Ted” Cruz, whose real name is Rafael. This is especially important if you have a very unique name or a name with a unique spelling. Depending on the industry you wish to enter, the type of name you can pick varies wildly. If you’re planning to be a streamer or online figure, you can easily get away with using a handle as your identifier. Other industries may require a more realistic sounding name. In these cases, I recommend either making one up wholesale (I recommend Behind the Name’s Random Name Generator because it provides a variety of names from multiple countries and ethnicities) or going by a nickname (ex, “Nick” instead of “Nicholas”) or middle name. A fully fake name is preferred, but all options have their advantages.
Going forward, this will become your new identity online. If you plan to need a mailing address for this identity - like to receive checks or gifts from fans - I recommend purchasing a PO Box. Depending on who you go with, they may require you to register a legal entity or provide additional paperwork to receive mail in another name. Be sure to ask about this. If you live in a small town and don’t want your target audience to know this, be sure to get a PO Box in a nearby town, preferrably a major town with a large population if you’re willing to make the trip regularly.
You may also wish to change other details about yourself or fuzz them. For example, instead of saying you’re from “Orlando, Florida” say you’re from Central Florida (this could include the Tampa area). This is particularly important if you’re from a small town as mentioned before. Try avoid giving out your exact age or celebrating your real birthday. These may seem like small things, but a dedicated stalker could piece all of this information together to not only track you down, but confirm that they’re on the right track. If you want, you can even lie and say you’re from New York, but make sure to keep your story straight. This should also extend to include any visual information. For example, if you live in Orlando (as mentioned above), you may want to put a New York Yankees hat in the background to make people think you’re from New York. Again, make sure to keep your story straight. Don’t say it was hot out today if it was snowing in New York. (See Step 4 for more information on how to remove personal information that’s already out there about yourself.)
Step 2: Picking Your Platforms
When it comes to protecting yourself online, less is more. Fewer accounts not only means less work to keep them updated, but also less risk of data breach or accidentally sharing something you didn’t want to. Before you start building your online presence, ask yourself what platforms or support methods you really need and stick to just those ones. This is also true for support methods like Patreon or Venmo. These services require your real name and information, and if they ever suffer a data breach it may be possible to correlate your real name with your persona. Also be mindful of how these platforms display your data. For example, until recently Venmo did not provide a way to hide your transactions or friends list at all. Even now, these are visible by default. We’ll talk about changing the settings of your accounts in Step 3.
As you pick your platforms and start to sign up for them, remember that you should have picked a name for your public persona that is different than your own real identity. This means you shouldn’t simply reuse your existing personal accounts, you should sign up for all new ones using this new identity. With this mind, I have two suggestions to help keep your two identities separate in the event of a data breach or hack on the website’s end.
First, I encourage you to switch to an encrypted email provider. I’ll talk about why in Step 3. Whether you do that or not, I also strongly recommend using a email forwarding service. If you use the same email address everywhere - including in your personal life - your persona can be tied to your real identity through the dozens of perfectly free and legal sites that exist where you can simply enter an email address and see where else a person has an account. (Note: if you’ve been using the same email address for a long period of time, it’s likely already been caught up in a data breach.) An email forwarding service will give you a near-infinite number of email addresses you can use to outsmart both data breaches and search sites, but they’ll all forward straight to your regular inbox for easy management. (You can also use such a service to manage spam when you sign up for newsletters, order things online, etc.)
Next, I encourage you to use a Voice-over-IP phone number. You may already be familiar with these in the form of Google Voice. Google Voice is convenient because it simply can forward calls and messages to your existing number, but there are plenty of other options out there that offer better privacy and additional useful features. Unfortunately, many websites like Discord will not accept a VoIP number for verification. There are ways around this if you’re willing to put in the effort - such as getting an eSIM or prepaid SIM from a service like Mint Mobile or Visible Wireless - but in some cases you may simply have to ask if this is a sacrifice you’re willing to make (you may also be able to change the SIM number to a VoIP number after the initial verification in some cases). Remember: the goal is to not get caught up in data breaches and to not put your real SIM phone number somewhere publicly visible. In addition to being a dead-simple way to track someone (one private citizen reported being able to buy realtime phone location data for as little as $300), your SIM phone number can also be taken over in a SIM-swapping attack (a very easy, non-technical attack where the attacker simply convinces the phone company that they are you and ports the number to their device), thereby allowing them to get all your phone calls, text messages, etc, which often helps them access your online accounts via two-factor authentication (2FA) and recovery methods (note: this is one reason I do not recommend SMS-based 2FA. See this page for more information).
Step 3: Secure Your Accounts
Next, you’ll want to secure all of your accounts. It would be awful to build up a loving, dedicated audience and then lose access to your accounts where someone can take advantage of your fans - posting spam, scams, or simply just content you don’t agree with. This could be devestating to your community. Start by learning the value of strong passwords. Use a password manager and be sure that you’ve got strong, unique passwords on every site (details about all of this are outlined on the page I linked). Once you’ve done that, be sure to harden all your accounts and make them nearly unhackable by using two-factor authentication (2FA), preferrably TOTP (app-based) or hardware token. Try to avoid SMS if possible. Again, all this is detailed on the page I linked. Doing these two things will make all your accounts nearly unhackable. You should also be sure to check the settings of your accounts: what profile information is shared publicly by default? What settings can you restrict or avoid filling out to further protect your privacy? Remember not to stop at your public-facing accounts - like Discord or Twitch - but also secure your behind-the-scenes accounts like your email, any sponsorship sites, etc. I strongly encourage you to practice this stuff in your personal life, too.
Finally, I recommend the use of encrypted email. With a traditional email provider - like Gmail - your inbox is not encrypted against the company. This means that if your email provider ever suffers a data breach - or gets compromised by a rogue employee, which is unfortunately fairly common - your email contents can be exposed. That includes bank statements, event reminders, contracts, or even personal correspondence. This is not just a possibility, it’s actually happened before and could again at any time. When you use an encrypted email provider, this is no longer possible. These companies encrypt your inbox in such a way that nobody - not even the employees - can access your inbox. This protects your content from both data breaches and rogue employees.
Step 4: Online Data
You’re almost ready to start sharing yourself with the world, but you still have a few considerations to tackle. For starters, when you start your new venture you may be tempted to share with friends and family. This may be a good idea, but know that they are a weak spot. For example, your family may not remember to use your fake name when they talk about you. Or, as another example, they may share your content online and say “my son/daughter/brother/sister/etc did this!” Did you know that for most people, vast amounts of personal data are freely available online to anyone who uses the right search terms? A potential stalker who sees your parent’s status and Googles them may find your name listed as their child.
The best defense here is to stress how you want people to refer to you. Remind them that you’re building a brand. It’s not just about privacy, it’s about making sure people know how to find you and follow your content. Using myself an example, I don’t want people to follow Nate, I want them to follow The New Oil. That’s where the real content is.
Another set of tools available to you here are online moderation tools. Sites like Twich and YouTube allow you to block certain words, for example. This is the perfect place to enter - among other things - your real name and address. Anyone attempting to dox you will either not be able to send the message, or the message will be invisible to others. (Note that this may also backfire by confirming to them that they have the real information.) As you grow, let your community moderators and other staff members know how to respond to such attempts. Maybe they should spam the chat with messages until your data is offscreen. Or perhaps they should lie and say that they know your real name and that isn’t it. There are many options.
On that note, you should consider using a data removal service to help reduce your odds of being doxxed by removing your personal data from public searches. These tools are not bulletproof, and will require you to pay a subscription fee (or invest the considerable time to do it yourself), but if you have the resources to put into them, they will almost certainly reduce the odds of your data being found so easily. I have an entire page dedicated to this topic and teh various tools available to you here. On that page I also discuss the tool Redact (non-affiliate link here) to help remove old content - especially on personal accounts - to avoid accidentally revealing too much over time.
Have Fun
This is the tip of the iceberg. There’s a lot more you can do to protect yourself from all kinds of tracking - this website is full of fundamental, foundational advice to get you started if you want to learn more - but I think this information should get you off to a solid start. Using this information, you’ll be able to defend against most attackers - the “script kiddies” who are just bored or angry and looking to mess with someone, as well as the unsophisticated stalkers and doxxers who have very little in the way of time or resources to truly unmask your identity and harass you further. With this off your plate, you should be free to focus more time and attention on building your brand, your community, and enjoying your work. And by all means, if you have any questions or want to learn more, don’t hesitate to contact me.