Privacy for Streamers
In today's highly digital world, online streamers are increasingly becoming victims of online abuse like doxxing, swatting and stalking. How can you protect yourself?
Streamers are prime targets for cybercriminals, trolls, and account hijackers, and the threats range from harassment and extortion to violence. With Twitch’s viewership growing at record levels, these problems won’t be going away any time soon, either.
Regardless of whether you have a few dozen or a few million followers, it’s imperative that you take some precautions before going live, or better yet, before setting up your channel.
Streaming is fun and, in some cases, highly lucrative, but like any other online activity, it also comes with its own risks.
Keep on reading to learn more about the types of risks and threats streamers face, if there’s any legislation that deals with them, and what you, as a streamer, can do to protect your online and offline privacy and security.
Risks and Threats to Streamers
Streamers face countless risks when they share their everyday lives with fans or play games in front of an audience. The most common threats to streamers are doxxing, swatting, credential stuffing, stalking, harassment, DoS and DDoS attacks, malware, blackmail, extortion, and identity theft. Let’s take a look at each threat more closely.
One of the most common threats to streamers is doxxing. Also spelled “doxing,” this practice involves researching and usually (but not always) publicly sharing someone’s personal information — like their real name, phone number, and address — online without their consent.
Doxxers may use a variety of methods to dig up your personal data. For instance, they may scour your social media profiles, publicly available databases, and online forums, as well as data brokers and people search sites. Some doxxers may also buy and sell personally-identifying information on the dark web, hack your device, or send phishing emails or links designed to trick you into sharing sensitive data.
There are many reasons why someone may dox you. They may want to harass you or threaten you because of something you’ve said or done. In 2018, the part-time streamer Simone Scott was doxxed for saying on a livestream that she killed a dog (which was supposedly a joke). Some doxxers may also want to get back at you for beating them at an online game. It’s also not unusual for fans to become obsessed with streamers they watch and want to find out where they live so they could stalk them.
Needless to say, doxxing can have severe consequences. In 2018, an American streamer living in Taiwan decided to move back to the U.S. after he was doxxed for disrespecting Taiwanese culture, which led to harassment and his personal life falling apart.
Doxxing often leads to swatting, a tactic where harassers call 911 and report a (fake) emergency (like a shooting) at an unsuspecting victim’s home. The term originates from the SWAT teams that typically respond to these types of emergencies.
The fact that swatting is far from a harmless prank became evident in 2017 when an unarmed man was shot and killed in a swatting incident that originated from an argument over an online video game.
Streamers make popular targets for swatters because they give the prank caller a chance to watch the situation unfold in real-time via a livestream:
- In 2014 the gamer Jordan Mathewson, known as “Kootra” on Twitch, was swatted as he played an online shooting game. The entire thing, including police officers ordering him to lie down on the floor at gunpoint, was live-streamed.
- In 2015 Joshua Peters, known as “Koopatroopa787,” was swatted in his parents’ home, an incident he did not find remotely funny. “I see you posting my address. I had police point a gun at my little brothers because of you. They could have been shot, they could have died because you chose to SWAT my stream,” he said, as he closed out his stream.
Credential stuffing is when attackers take a list of stolen or leaked user credentials (i.e., usernames/email addresses and passwords) for one website and “stuff” them into other websites using an automated process. Credential stuffing attacks are possible because many people use the same password repeatedly across different accounts and applications.
Many credential stuffing attacks are zeroing in on gamers in particular. According to research by Atlas VPN, cybercriminals attacked gamers almost 9.83 billion times between July 2018 and June 2020. That’s around 14 million credential stuffing attacks daily!
Although statistics vary, a study by SecureAuth found that more than one in two people admits to reusing passwords. Indeed, in 2019, a large number of Twitch account users had their accounts taken over following a data breach of the online game Town of Salem (TOS).
Stalking and harassment
As is common with other public figures, streamers also run the risk of being harassed and stalked (online and in the real world) — especially if they’re women.
Worryingly, harassers, who may be streamers themselves, may target underage users. Past incidents show that Twitch is slow to respond to harassment allegations.
For example, in 2018, a man was arrested for stalking a female streamer in the second and third degree. The woman said that the man had sent her letters, lingerie, and a sex toy. He also apparently made numerous threats, including threats to rape her, kill her boyfriend, and blow her up with a home hydrogen bomb. The police arrested him after he traveled to her place of residence “to marry her” even though she had never spoken to him.
More recently, a Twitch streamer with 900,000 followers revealed that she has been dealing with a stalker who wasn’t honoring a restraining order. The stalker allegedly followed her home, sent her death threats, and physically assaulted her.
Don’t be fooled into thinking that harassers are only after women, though. In 2018, a male streamer ended his stream prematurely after someone shot at his house.
DoS and DDoS attacks
If you’re a streamer, it’s highly likely that you’ll become a victim of a DoS or DDoS attack sooner or later. Just look at Reddit and other internet forums and you’ll see plenty of streamers complaining about getting DDoSed.
At times, hackers may target game servers themselves, affecting countless streamers at the same time.
A DoS attack is when an IP address or server is overwhelmed with a large amount of data from a single source. A DDoS attack is the same, except the data comes from multiple sources. In both cases, the goal is to slow down or crash the network or service and force the streamer to end the livestream.
Someone may get their hands on your IP address via:
- Video chat and call providers like Skype.
- P2P chat systems.
- Internet forums (admins and mods can see your IP address).
Another threat to streamers is malware, malicious software that’s harmful to computer users. Often, malware is hidden in pirated games, modifications (mods) to existing games, and cheat tools.
Ransomware is malware that encrypts a user’s device and then demands payment to decrypt it.
For example, in 2019, McAfee found a new ransomware family called “Anatova” on a peer-to-peer network.
“Anatova” used the icon of a game to lure users into downloading it and then locked down the victim’s access to the device until they paid a ransom (in this case, 10 DASH, a cryptocurrency that, at the time, was valued at $700). Worst of all, Anatova could morph quickly, which made it hard to analyze and contain.
In some cases, malicious software may be delivered via phishing scams. In 2014, attackers spread malware, known as “Eskimo,” through Twitch’s chat feature. A Twitch-bot account sent users a link to what was supposed to be a weekly raffle. However, users that clicked on the link were infected with malware that logged them into the gaming platform Steam and emptied their wallets and inventories.
Blackmail and extortion
Blackmail and extortion are similar crimes, but there are a few differences between them.
Blackmail is when someone forces another person to do something or pay money by threatening to reveal compromising information about them. On the other hand, extortion is when someone threatens another person with violence or destruction to obtain something or get the victim to do something.
Well-known streamers can fall prey to either crime:
- In 2019, Instagram told a famous female streamer that her account, which had 1.6 million subscribers, would be taken down if she violated its content terms and conditions again. The streamer hadn’t actually breached the platform’s policies, but someone was flagging her posts as inappropriate — and threatened to continue to do so unless the streamer paid the extortionist 0.25 bitcoin (around $2,600 at the time) a month.
- In 2020, a male streamer revealed that other streamers were blackmailing him for money, Twitch hosts, and a spot on his podcast. If the streamer refused their demands, the blackmailers threatened to publicize Skype audio recordings from 2015 in which the streamer and his friends apparently said “dumb, vile sh*t” to one another.
Unfortunately, pretending to be someone else on the internet is really easy. Don’t be surprised if one day you come across a streaming or gaming account in your name that you did not actually create.
For example, in 2019, scammers used the name of a well-known male streamer who had left Twitch for Mixer, another video game live streaming platform, to sell skins to fans.
Impostor channels are hard to spot, usually because they’re more or less identical to legitimate channels. Scammers typically choose a name that’s similar to the real streamer’s name (i.e., “Shroudleo” instead of “Shroud”), blatantly copy their avatar and profile, and stream old, recorded footage. Although these fake channels get a lot of views, they’re mostly from bots. In addition to selling goods to fans, scammers may also try to phish them by leaving malicious links in chat that supposedly lead to a giveaway.
When an impostor channel is inevitably blocked, scammers waste no time creating a new one and continue scamming unsuspecting viewers and tarnishing streamers’ reputation.
According to the video game website Kotaku, fans aren’t always aware that they fell for a scam, either. “Well I tuned in to your stream to see what’s up,” said one viewer on Twitter to a popular streamer who had his identity stolen. “I found out that the whole ‘10,000$’ giveaway was all fake. There were bots in your chat spamming the same message over and over again, the site was fake because you couldn’t do anything. I thought you were better.”
What Does the Law Have to Say About That?
Luckily, U.S. state and federal laws protect streamers from most (but unfortunately not all) online and offline threats. Here’s what the law says about each one of the threats to streamers we discussed above.
It’s not a crime to find or share someone’s private data online in the U.S., provided that the information is publicly available.
However, leaking someone’s personal information may be considered unlawful if:
- The personal details are off the public record.
- The information is used to harass or harm the victim in some way.
- The data was acquired illegally, for example, by hacking into the victim’s device or account.
Some states make swatting illegal. For example, California Penal Code section 148.3 states that anyone who intentionally makes a false emergency report to a city, county, city and county, or state department is guilty of a misdemeanor. Moreover, anyone who makes a false report knowing that it’ll cause bodily injury or death to the victim is guilty of a felony.
At the moment, there are no anti-swatting laws at the federal level. In 2015, politicians Katherine Clark and Patrick Meehan sponsored a bill that would make swatting a federal crime. In revenge, an anonymous person swatted Clark.
Stalking and harassment
All states have anti-harassment and anti-stalking laws. Notably, some states include the two crimes under the same statute. Some states also have specific cyberstalking laws.
Stalking and harassment are illegal at the federal level, as well. A person that crosses state lines to injure or kill someone, cause them emotional distress, or harass/intimidate them, is committing the felony of stalking.
If the stalking or harassing behavior involves the internet, the crime can be charged as a federal offense, too.
DoS and DDoS attacks
At least 26 states have laws that address DoS and DDoS attacks. In California, for example, DDoS attacks are typically punishable by up to a year in jail for a misdemeanor and up to three years for a felony.
Under the federal Computer Fraud and Abuse Act (CFAA), DoS and DDoS attacks are illegal if a person intentionally causes damage to a computer system that’s part of interstate or foreign commerce. Violating this law can make perpetrators subject to penalties, including up to 10 years of prison and $500,000 in fines.
For example, in 2019, a man was sentenced to 27 months in prison and had to pay a fine of $95,000 for orchestrating DDoS attacks against online gaming companies and servers.
While every state has computer crime laws that may apply in cases that involve malware, some states address malware more specifically. For example, California explicitly criminalizes ransomware.
At the federal level, transmitting malware could be prosecuted under a number of federal laws, including the Computer Fraud and Abuse Act (CFAA).
Blackmail and extortion
Both blackmail and extortion are crimes in all 50 states. In some states, like California, the two crimes are covered under the same law and have the same penalties.
Blackmail and extortion are also punishable under federal law. Under 18 U.S.C. § 873, it’s prohibited to demand or receive money, or something else of value, “under a threat of informing, or as a consideration for not informing.”
Stealing someone else’s identity or impersonating another person is illegal under both state and federal law.
Creating a streaming account in someone else’s name is also usually a violation of the streaming service’s terms and agreements and will likely result in the perpetrator’s account getting banned.
How to Protect Your Privacy as a Streamer
Protecting your privacy as a streamer may seem like a time-consuming process, but it’s not something you can afford to overlook. After all, you can’t put a price on peaceful sleep! Below we go over 12 things you can do to ensure your safety online and offline.
1. Perform a digital audit
If someone wanted to dox, swat, or harass you, how easily would they be able to find information about you online? To figure that out, Google your channel name and your real name. However, don’t forget to log out of your Google account first so as not to skew search results. Alternatively, use Incognito mode or another search engine, like the privacy-focused DuckDuckGo.
Make sure you check the photos that come up when you Google yourself, too, and do a reverse image search to see what other sites have pictures of you and how they’re using them.
Your name will likely appear on at least a few data brokers and people search sites like Spokeo and WhitePages. These sites collect information about you, including things like your home address and phone number, and then sell it to other companies and individuals. Luckily, you can opt out of these sites. Read our guide to see how or get us to do it for you.
Your personal information may also show up on third-party sites and blogs. Removing your data from here is more difficult because you’ll need to contact the site owner directly. You may be able to locate their information under the “Contact Us” page (if it exists). Otherwise, check out Whois to find out who the site is registered to.
As a last resort, you can get in touch with Google. They’ll remove certain personal information from showing up in search results, like your bank account number and explicit photos.
Ideally, you want to search for your name and your streaming name regularly. If you set up a Google alert, you’ll be notified when your personal information appears online.
2. Be careful with how much information you reveal
Now that you’ve deleted all sensitive information about yourself off the internet, you will want to avoid doing it again. That means being careful about what you put out on the internet in the first place.
Before you set up your channel:
- Don’t use your actual name (or any other personal information, like your home address) on your stream, related social media channels, and Amazon wish list.
- Use a different birthday (not only can you find people based on their date of birth, but some sites may also use birthdays to verify or modify login credentials).
- Don’t use the same photo of yourself that you also use elsewhere online (someone could do a Google reverse image search and find your other accounts).
- Use Masked Email or create a new email account for all gaming, streaming, and social media accounts.
- Don’t use the blacklist function in chat to block your name or other personal information because that could help people figure out who you are.
During a stream:
- Be wary of what you say (could answers to personal questions be cross-referenced with something else you said to reveal your identity?) or show during a stream (like famous landmarks, your emails, or a geo-targeted ad).
- Make sure you don’t accidentally leave your mic, camera, or screen capture on when you hadn’t intended to.
- Never talk about where you’re planning on going or what you’re thinking of doing until after the fact.
- Use a different browser from the one you usually use to avoid showing synced accounts or browsing history as you type.
- Have moderators delete personal information about anyone on chat.
- Don’t confirm that someone has your information right by calling that person out.
- If you live with your parents, tell them when you’ll be streaming so that they don’t suddenly burst into your room and accidentally expose your identity by saying something revealing.
- If your friends are in your stream or participating in your stream via chat, talk to them beforehand about the information they should and shouldn’t mention.
When you make it:
- Upgrade your PayPal account to a business account to hide your real name and email address when you receive donations.
- Consider getting a P.O. box (if you come from a small town, you may want to get a P.O. box in a neighboring town to ensure no one can pinpoint your exact location).
If you buy your own domain, use a Whois privacy service. Otherwise, your information will be publicly listed for anyone to see.
3. Lock down your social media accounts
Make your personal social media profiles private (you can interact with your fans on your streaming-related social media profiles).
You may also want to use a different username for each one of your personal accounts. That way, even if someone finds your Twitter handle, they won’t be able to immediately locate your Instagram, Tumblr, or Pinterest (or any other social media site you may be using).
4. Register yourself with the local law enforcement
If you’ve been swatted already or are worried you may be in the future, tell your local police department you’re a streamer and a possible target for swatting (if they don’t know what swatting is, explain it to them).
Although this won’t stop swatting from happening (the police have to respond to every emergency call as if it’s a real call), it’ll likely be a less hostile situation when it does. The police may ring you on their way to your house to cross-check the swatter’s claims and tell you to meet them at the door (so keep your phone near you and audible when streaming).
5. Don’t click on every link in chat
It’s common for cybercriminals and trolls to post links in chat and Discord that, when clicked on, show the hacker your IP address. Once someone knows your IP address, they can dox, stalk, swat, and DoS you.
Your best bet here is to never click on any links. However, if you do have to click on a link for some reason, some tools let you check whether a URL is safe.
You could also make it a rule that followers can’t share links in chat or have moderators receive them and decide whether to post them or not.
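The moderator-review rule above can be enforced in a chat bot. The following is an added example, not code from this article or from any streaming platform: it holds any non-moderator message containing a link (including "defanged" forms such as `hxxp` and `[.]`) until a moderator decides. The role names, the allowlist, and the class and function names are assumptions.

```python
import re

ALLOWED_DOMAINS = {"twitch.tv"}                # assumption: links the channel permits
TRUSTED_ROLES = {"broadcaster", "moderator"}   # assumption: roles that may post links

# Undo common tricks used to slip links past filters: hxxp://, [.] and (dot).
_DEFANG = [
    (re.compile(r"hxxp", re.I), "http"),
    (re.compile(r"\s*[\[({]\s*(?:\.|dot)\s*[\])}]\s*", re.I), "."),
]
# Optional scheme, then an IPv4 address or a dotted hostname, optional port/path.
_LINK = re.compile(
    r"(?:https?://)?"
    r"(?P<host>(?:\d{1,3}\.){3}\d{1,3}|(?:[a-z0-9-]+\.)+[a-z]{2,})"
    r"(?::\d+)?(?:/\S*)?",
    re.I,
)


def find_hosts(text):
    """Return every host (domain or IP) that appears as a link in the text."""
    for pattern, replacement in _DEFANG:
        text = pattern.sub(replacement, text)
    return [m.group("host").lower() for m in _LINK.finditer(text)]


def is_allowed(host):
    # Exact match or a true subdomain; "nottwitch.tv" must not pass.
    return any(host == d or host.endswith("." + d) for d in ALLOWED_DOMAINS)


def unapproved_hosts(text):
    return [h for h in find_hosts(text) if not is_allowed(h)]


class LinkGate:
    """Posts clean messages; queues messages with links for a moderator."""

    def __init__(self):
        self.pending = []   # held messages awaiting a decision
        self.posted = []    # messages visible in chat

    def submit(self, user, role, text):
        hosts = [] if role in TRUSTED_ROLES else unapproved_hosts(text)
        if hosts:
            self.pending.append({"user": user, "text": text, "hosts": hosts})
            return "held"
        self.posted.append((user, text))
        return "posted"

    def review(self, index, approve):
        """Moderator decision on a held message; returns the reviewed item."""
        item = self.pending.pop(index)
        if approve:
            self.posted.append((item["user"], item["text"]))
        return item


if __name__ == "__main__":
    gate = LinkGate()
    # Constructed chat lines using reserved example domains and addresses.
    print(gate.submit("viewer1", "viewer", "raffle: hxxp://short[.]example/xyz"))
    print(gate.submit("viewer2", "viewer", "gg wp"))
    print(gate.pending)
```

False positives such as a file name that looks like a domain are held rather than dropped, so a moderator can still release them.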
6. Get a password manager and enable multi-factor authentication
If you use the same email and password for each service, all it takes is for one account to be breached for all your other accounts to be compromised. For this reason, you should use a different, strong password for each service.
Can’t memorize all the unique passwords you come up with? Or maybe you’re having a hard time thinking of complex passwords in the first place? Either way, a password manager like Abine Blur can help. With a password manager, you can easily create strong, random passwords and store them securely. Even better, a password manager will automatically fill your passwords into login pages for you.
However, having a good password is not enough. You should also enable multi-factor authentication (MFA). MFA requires that you present two or more pieces of evidence of your identity when logging in. So, if you enable MFA on Twitch, you’ll have to type in a password as well as a code you’ll receive via an app on your phone.
In this way, MFA can keep your account safe even if hackers somehow get their hands on your password.
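Password reuse, the weakness that credential stuffing depends on, can be audited locally. The following is an added example, not code from this article or from any password manager: it groups accounts that share a password and checks each password against a breach corpus by hash prefix, so the full hash never leaves your machine. The vault contents, breach counts, and function names are constructed, and `simulated_range_server` is an offline stand-in for a hash-range lookup service of the kind Have I Been Pwned provides.

```python
import hashlib
from collections import defaultdict

# Constructed sample data: a password-manager export (service -> password)
# and a tiny stand-in for a breached-password corpus (counts are made up).
VAULT = {
    "twitch": "Summer2019!",
    "steam": "Summer2019!",
    "discord": "password",
    "paypal": "x9#Lq2vT!mZr84kd",
}
BREACHED = {"password": 1000, "Summer2019!": 42}


def sha1_upper(password):
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def reused_groups(vault):
    """Return sorted groups of services that share one password."""
    groups = defaultdict(list)
    for service, password in vault.items():
        groups[sha1_upper(password)].append(service)
    return sorted(sorted(g) for g in groups.values() if len(g) > 1)


def simulated_range_server(prefix, corpus=BREACHED):
    """Offline stand-in for a range endpoint: takes the first 5 hex chars of
    a SHA-1 and returns 'SUFFIX:COUNT' lines for corpus hashes sharing it."""
    lines = []
    for pw, count in corpus.items():
        digest = sha1_upper(pw)
        if digest.startswith(prefix):
            lines.append(f"{digest[5:]}:{count}")
    return "\r\n".join(lines)


def breach_count(password, fetch_range=simulated_range_server):
    """Only the 5-char prefix is handed to fetch_range; the remaining
    35 chars of the hash are compared locally."""
    digest = sha1_upper(password)
    prefix, suffix = digest[:5], digest[5:]
    for line in fetch_range(prefix).splitlines():
        candidate, _, count = line.strip().partition(":")
        if candidate.upper() == suffix and count.isdigit():
            return int(count)
    return 0


def audit(vault, fetch_range=simulated_range_server):
    """Per-service findings: 'reused' and/or 'breached'."""
    reused = {s for group in reused_groups(vault) for s in group}
    report = {}
    for service, password in vault.items():
        findings = []
        if service in reused:
            findings.append("reused")
        if breach_count(password, fetch_range) > 0:
            findings.append("breached")
        report[service] = findings
    return report


if __name__ == "__main__":
    for service, findings in audit(VAULT).items():
        print(f"{service:8} {', '.join(findings) or 'ok'}")
```

Any account flagged as reused or breached should get a new, unique password, with MFA enabled on the account as well.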
7. Ensure your antivirus and firewall are working
Antivirus protects you against online and offline threats. It scans your device for unwanted applications like spyware and viruses and removes any malicious threats it finds. On the other hand, a firewall monitors all incoming and outgoing traffic and determines which traffic can pass and which traffic should be blocked.
Although annoying, antivirus updates are crucial as they tend to contain files needed to mitigate new forms of threats.
Speaking of updates, you should update every piece of software on your device once an update becomes available. That will not only make the user experience better, but it will also patch any security holes that could be exploited by cybercriminals.
8. Invest in a VPN
If you have to connect to a public WiFi or other networks you haven’t set up yourself (for example, if you’re streaming on the go) or if you’re worried about getting DDoSed, get a good virtual private network (VPN). A VPN conceals your internet protocol (IP) address and location, thus protecting your online identity.
9. Be careful about the software you download
If a game isn’t out yet, but someone says they have a link where you can download it, be wary. The person may be hoping to install ransomware on your device or discover your IP address.
Similarly, be on the alert with early access games, mods, and cheat tools. Always get your games from legitimate sources. You may save a few bucks by downloading a pirated version, but you could also lose your privacy.
10. Don’t let your smart home dox you
Believe it or not, Amazon Alexa and Google Home can expose your personal information. In 2018, for example, Asian Andy’s followers used the text-to-chat feature to ask Alexa to ring his mom, add NSFW items to his shopping list, and reveal his location. It may be wise to unplug your smart home assistant altogether before you go on a livestream.
For additional information on how you can protect yourself on the internet, check out the resources below:
- AccessNow, a non-profit that protects and extends people’s digital rights, explains how to dox yourself.
- Abine Blur password manager creates strong passwords and stores them for you.
- DeleteMe is a subscription service that deletes your personally identifiable information from data brokers and people search sites.
- Have I Been Pwned? lets you see if your sensitive data, like your emails and passwords, has been compromised by hacks.
- IdentityTheft.gov is where you can report identity theft. It also provides information on how you can recover from this crime.
- Phishing.org, a resource for IT specialists and other internet users, has useful information on phishing. It also provides a list of free tools, such as a Phishing Security Test.
- The No More Ransom project offers tips and tricks on how you can prevent a ransomware attack. It also has decryption tools in case it’s too late and you’ve already experienced a ransomware attack.
- VirusTotal checks files and URLs for malware.