Skip to Content
Humans and technology

A guide to being an ethical online investigator

The Capitol riot has inspired a new army of amateur sleuths who want to help identify protesters. But it’s an ethically fraught hobby.
January 14, 2021
person on laptop watching Capitol footage
Ms Tech | Unsplash, Getty

As rioters stormed Capitol Hill on January 6, Theo—like many Americans—watched, dumbfounded and in horror.

Then he had an idea. “What if we went on social and started pulling these screenshots together and tried to go around and crowdsource [the rioters’] identities?” he remembers thinking.

So Theo bought a burner phone, set up a fake email address, and created an Instagram account over a VPN: @homegrownterrorists. Within hours, and before the FBI had issued its plea for help to identify rioters, Theo (a pseudonym for the account holder, who asked to remain anonymous because of death threats he has received) had gained hundreds of thousands of followers as he furiously posted images and video. Thousands of people were commenting on and sharing the images, with the goal of identifying the perpetrators. 

The assault on the Capitol, its aftermath, and the prospect of what federal authorities have warned could be a second wave of violence in the days leading up to Joe Biden’s inauguration have inspired a new army of everyday online investigators. People comb social media and archive posts, photos, and videos before they are deleted. Then they cross-reference those findings with open-sourced information to identify perpetrators and, they hope, bring them to justice. Like Theo, they are politically interested and invested but wouldn’t consider themselves activists under normal circumstances; rather, the January 6 assault was the last straw for many people.

“This is the first time I’ve seen this amount of tagging on Twitter,” says Giancarlo Fiorella, a senior investigator at the open-source intelligence agency Bellingcat. “I’ve had people email me out of the blue and say, ‘Put me to work.’ I don’t think you can make a trend out of a singular event, but I’ve never seen this before.” Even celebrities like Pedro Pascal and Jane Lynch are getting involved.

But this activity raises some complex ethical and practical issues. How can you, an average person, be an ethical digital activist? What counts as going too far? How can you keep yourself safe? How can you participate in a way that doesn’t put anyone in danger? Below are some guidelines that might help.

Remember, you are not a hacker: There’s a big difference between accessing publicly available information, like a photo from a Facebook profile page that documents illegal activity, and hacking into a person’s otherwise private account to find that photo. That’s crossing the line.In the US, the Computer Fraud and Abuse Act (CFAA) limits the amount of access a person has to another’s information “without authorization,” which is undefined; this lack of clarity has frustrated lawyers who represent activists. “Those who do [violate CFAA] are breaking the law, and they’re criminals,” says Max Aliapoulios, a PhD student and cybersecurity researcher at New York University. It’s worth keeping in mind regional laws as well. In the European Union, “publicly identifying an individual necessarily means processing personally identifiable information; therefore individuals performing such activities need a legal basis to do so [under Article 6 of the GDPR],” says Ulf Buermeyer, the founder and legal director of Freiheitsrechte, a German-based civil rights organization.

Ethical issues abound: It’s not just legal issues that would-be amateur online investigators need to be aware of. Much of the online activity carried out in the wake of the Capitol riots raises ethical questions, too. Should a person who didn’t storm the Capitol but attended the rallies leading up to the riots be identified and risk punishment at work? Do those who were in and around the Capitol on January 6 automatically lose the right to privacy even if they weren’t involved in riots? It’s worth thinking through how you feel about some of these questions before you continue. Few are clear cut.

So, where does the information come from? “Our bread and butter is open source,” Fiorella says. “Open-source media” refers to information that is publicly available for use. Data archivists, or those who collect and preserve information online for historical purposes, accessed such open-source data to save posts before they disappeared as social media companies pushed President Donald Trump and many of his supporters off their platforms. “If you were at the Capitol storming and recorded video and took selfies that anyone can access, and it’s openly available on the internet, it’s fair game,” says Fiorella.

It’s your First Amendment right to access open-sourced information. Hacktivists and digital activists trawling social media alike will agree on this: they say it’s the most important aspect of their work. “Utilizing open-source intelligence isn’t a crime,” says Daly Barnett, an activist and staff technologist at the Electronic Frontier Foundation, a nonprofit digital rights group. “Archiving isn’t a crime. Freedom of information is good.”

Misidentification is a real danger. “Anyone with an internet connection and free time and willingness to do these things can be part of crowdsourcing efforts to clarify what happened,” Fiorella says. But crowdsourced efforts can be problematic, because people may zero in on the wrong individual. “There’s a fundamental tension here,” says Emmi Bevensee, a researcher and founder of the Social Media Analysis Toolkit, an open-source tool that tracks trends across mainstream and fringe social media platforms. “The more people you have working on a problem, the more likely you are to find the needle in the haystack. There’s a risk doing things like this, though. Not everyone has the same research skills or methodological accountability”—and mistakes can be devastating for the person misidentified. Misidentification carries potential legal risks, too.

You can join up with more established investigators instead of going it alone. There is, obviously, the FBI, which has collected images and is seeking the public’s help in identifying domestic terrorists. Bellingcat, one of the most respected, thorough investigatory sites devoted to this purpose, has created a Google spreadsheet for images of suspects that need identifying. Organizations also often have ethical standards put in place to guide new sleuths, like this one Bellingcat created in light of the Black Lives Matters protests.

Don’t doxx. Doxxing—or digging up personal information and sharing it publicly—is illegal. “The majority of doxxing has occurred from open-source intelligence,” Barnett says, and data hygiene is still something many people online struggle with. If you come across passwords, addresses, phone numbers, or any other similar identifier, do not share it—it’s a crime to do so. r/Datahoarder, a Reddit archiving group, notes that its members “do NOT support witch hunting.” 

If you find something online that could be incriminating, ask, “Am I putting this person in danger?” Fiorella says he asks himself that question consistently, particularly in cases where a person might have few followers and is using social media just to share images with friends.

Show your methodology. Just like in middle school math class, show your work and how you got your results. Data researchers who do this work are famously diligent and exhaustive in how they record their work and triple-check their information. That sort of checking is especially important to ensure that people are properly identified and that others can learn from and retrace your steps for subsequent prosecution. (Methodology may take some technical expertise in some cases, and data researching organizations often run workshops and training sessions to help people learn how to do this.)

Do not share names online. Let’s say you see a picture of a possible suspect online and you recognize who it is. While you might be tempted to tag the person, or screenshot the image and put some commentary on your Instagram to get that addictive stream of likes, don’t. This work needs to be deliberate and slow, says Fiorella: “There’s a risk of misidentifying a person and causing harm.” Even if there’s no doubt that you have figured out who a person is, hold back and, at the most, submit your information to an organization like Bellingcat or the FBI to check your work and make sure it is correct.

You will run into situations where things are not clear. Theo shared the story of the viral video in which a Black Los Angeles woman is physically attacked by Trump supporters calling her the n-word. In the video, a man is seen with his arms around the woman amid the violent, jeering crowd. In initial reports, the man was described as part of the mob and harming the woman. Video footage seemed to show him putting her in the way of pepper spray, for example. Then police said the man was actually trying to protect the woman and that she had confirmed this version of events, though she later suggested to BuzzFeed that perhaps he ended up doing as much harm as good. Theo shared the image of the man in the immediate aftermath of the incident, and then he saw the account suggesting he was a good Samaritan. “I felt horrible,” he says. Theo points out that the man was also recorded using xenophobic and racist language, but “that got me to pause a little bit and think about what I’m doing that could impact people,” he says. “It’s a blurred line.” It doesn’t hurt to repeat it again: Do not share names online.

Your safety may be at risk. Theo says he has received death threats and has not felt safe in the past week, consistently looking over his shoulder if he steps out. Bevensee has received multiple death threats. Many digital activists have burner phones and backup computers, and work away from their families to protect them.

Keep your mental health in mind. This work can involve viewing violent images. Theo says he has been dealing with migraine headaches, sleep problems, paranoia, and the distress that comes with trying to keep up with his day job while handling his Instagram accounts and its sister Twitter account, @OutTerrorists. “I’m only one person, and I have to handle DMs and keep everything up to date,” he says, noting that he also updates posts with verified identifications from the FBI, goes through comments, and forwards information to the FBI himself. Take time to process and realize that it’s okay to feel upset. It’s one thing to use this as motivation to right the wrongs of the world, but nearly every expert and activist told me that having a way to deal with disturbing images is important.

Share your information with law enforcement—if it’s appropriate. Bevensee and Aliapoulios said the digital activism movement was a direct response to the perceived lack of official action. Many activists have a strong distrust of US law enforcement, pointing to the difference between how the Capitol rioters and Black Lives Matter protesters were treated. But in the case of the insurrection, which carries federal charges, experts and activists agree that the right thing to do is to take information to the authorities.

Deep Dive

Humans and technology

Unlocking the power of sustainability

A comprehensive sustainability effort embraces technology, shifting from risk reduction to innovation opportunity.

Building a data-driven health-care ecosystem

Harnessing data to improve the equity, affordability, and quality of the health care system.

Let’s not make the same mistakes with AI that we made with social media

Social media’s unregulated evolution over the past decade holds a lot of lessons that apply directly to AI companies and technologies.

People are worried that AI will take everyone’s jobs. We’ve been here before.

In a 1938 article, MIT’s president argued that technical progress didn’t mean fewer jobs. He’s still right.

Stay connected

Illustration by Rose Wong

Get the latest updates from
MIT Technology Review

Discover special offers, top stories, upcoming events, and more.

Thank you for submitting your email!

Explore more newsletters

It looks like something went wrong.

We’re having trouble saving your preferences. Try refreshing this page and updating them one more time. If you continue to get this message, reach out to us at customer-service@technologyreview.com with a list of newsletters you’d like to receive.