Doxxing insurrectionists: Capitol riot divides online extremism researchers

Joan Donovan has a panic button in her office, just in case one of the online extremists she spends her days fighting tries to fight back.

"This is not baby shit," Donovan, who is research director of Harvard's Shorenstein Center on Media, Politics and Public Policy, said. "You do not fuck around with these people in public."

Which is why Donovan has been so worried about what she's seen happening online in the days since a violent mob overtook the U.S. Capitol. Scores of amateur sleuths are combing through terabytes of footage and openly trading tips on Twitter in hopes of piecing together the rioters' identities and bringing them to justice. To Donovan, these Twitter detectives aren't just running the risk of misidentifying innocent people; they may also unknowingly be putting themselves at risk by publicly pursuing potentially dangerous people.

Even more worrisome to Donovan: the role some prominent researchers are playing in organizing the hunt. So this week, she went on Twitter and shared some blunt words of warning. "This is one of the most dangerous uses of social media by a researcher," Donovan wrote. "Research ethics now. We must hold each other to account."

Her remarks were directed at another academic, John Scott-Railton of the University of Toronto's Citizen Lab, who has gained a following for his crowdsourced investigations of the riot, which most notably led to the successful identification of an Air Force veteran who was photographed in full tactical gear on the floor of the Senate. Two days after The New Yorker's Ronan Farrow used Scott-Railton's tip to confirm the veteran's identity and published a story with his findings, the suspect was arrested in Texas.

Scott-Railton shares Donovan's concerns — and admires her work — but says those concerns have led him to a different conclusion. He argues that in the wake of any public event caught on camera, be it a confrontation on a bike trail or the Boston Marathon bombing, there are bound to be crowds of extremely online people using digital techniques to assign blame. His goal is to harness that energy in productive ways and model appropriate behavior.

"I think the conversation has to be one that involves being very intentional in thinking about harm reduction and in trying to do one's best to always model the behavior you want to see from others," he said, noting that he has repeatedly urged his followers not to name potential suspects on Twitter and, instead, to funnel any specific names to the Federal Bureau of Investigation.

Besides, with the inauguration around the corner and the vast majority of the Capitol rioters still on the loose, Scott-Railton argues it's critically important to use the power of crowdsourcing to stop those people from committing any more violence. "There may be people who intend to do violent things around the inauguration," he said. "We urgently need to understand who they are."

The Capitol riot was a boundary-busting event in almost every way, and its impact on the digital privacy debate was no different. The insurrectionists' acts were so galling, so frightening, that suddenly, even those who might oppose digital surveillance and forensics techniques in other contexts, like, say, identifying peaceful protesters at a Black Lives Matter rally, feel justified in deploying those tools against the rioters. The shifting goalposts have sparked a tense debate among researchers of online extremism about the right way to stitch together the digital scraps of someone's life to publicly accuse them of committing a crime — or whether there is a right way at all.

Shortly after the riot, Vivian Schiller, executive director of the Aspen Institute's digital department, asked her followers a question on Twitter and stressed that it was not rhetorical: "Is there such a thing as 'ethical doxxing'?"

"Not really," replied Kate Klonick, an assistant professor of law at St. John's University, who studies online content moderation.

Others disagreed vehemently. "Yes, absolutely," wrote Sasha Costanza-Chock, an associate professor of civic media at MIT. "I would argue that in fact we have an ethical responsibility to expose people who are literal nazis and ensure there are consequences for their actions. Of course, this requires extreme care to verify so that innocents are not wrongfully accused."

Scott-Railton tends to see things that way, as does Aric Toler, a researcher with the group Bellingcat, which has been archiving vast troves of footage of the riot to help with identification. "The crowdsourcing element is obviously powerful and can go both ways, but I think it's overall more positive than not," Toler said.

The Capitol riot was virtually unprecedented in terms of the amount of digital exhaust it gave off. That's partly to do with the fact that the uprising was largely organized on social media, partly to do with the fact that some of the rioters were there explicitly to broadcast their actions on social media and partly to do with the fact that Parler, the go-to social platform of the far-right, had a bug that enabled a hacker to scrape and archive every public post and GPS coordinate before deletion.

Now, before anyone can get named and blamed, there's a virtual ton of information to sift through first. Toler sees much of the crowdsourcing work going on as a responsible way to divvy up the labor. "A lot of the work is just around sifting through ungodly amounts of photos and videos," Toler said.

Of course, a lot of it isn't. Already, a retired Chicago firefighter was wrongly accused of being involved in the riot, after Twitter detectives digitally enhanced a blurry photo of a man throwing a fire extinguisher at a cop and accused him of being "Extinguisher Man." In fact, he was back in Chicago, he said, celebrating his wife's birthday. "This story has fucked my life up," the man told a local news outlet.

Both Scott-Railton and Bellingcat had been seeking footage of that suspect on Twitter before he was misidentified. Though neither of them encouraged their followers to name names, and in some cases even actively discouraged it, the effort went sideways anyway.

That's to be expected, Donovan argues. Once you animate a crowd around a particular purpose, it's impossible to control what they'll do next, which she says is all the more reason for researchers to avoid such public investigations in the first place. "I have this overarching thesis that the internet turns us all into cops," Donovan said. "These are technologies of surveillance, and so use of them by the public to turn crowds into cops seems to me to be a very dangerous impulse."

That's to say nothing of the danger amateur investigators put themselves in, Donovan said. For all of the digital records the rioters have left behind, she stresses that the people looking into them often have their own digital trail that leaves them vulnerable to retaliation. "Say you identify some neo-Nazi militia member and think you're doing a good job, but you have your kid's birthday photos up on a Flickr account, which has the geotag of the apartment complex that you live in," Donovan said. "People don't understand how much is being revealed about them as they participate in these public campaigns."

It's not that only trained researchers or law enforcement should be able to do this work. Donovan argues there's a way to carry out crowdsourced investigations in private channels, where participants are educated about the risks they're taking and how to protect themselves. Anything less, she argues, is malpractice. "If you don't educate people before you call them into action," Donovan said, "you put them at risk."

Scott-Railton has tailored his approach somewhat in response to feedback from Donovan and others. For one thing, he's begun deleting old threads investigating people who have already been arrested to avoid leaving any misleading leads out in the open. He's also since deleted the tweet that Donovan first called him out on, in which he was seeking footage of people wearing earpieces at the riot. Donovan pointed out that such a directive could risk outing members of the media, who also regularly wear earpieces.

Perhaps, most importantly, on Thursday night, he tweeted an official notice to his now more than 100,000 followers. He told them that he was now moving to a "form-based intake model" for tips, in collaboration with Bellingcat, writing, "I feel this approach better balances the *many* reasonable concerns about a participatory & crowdsourced model done on Twitter."