Critical Insights

Research shows that the lack of tools is merely a symptom, not the root cause of the overall problem. The underlying root cause for the poor threat responses ostensibly is an immaturity of IT systems; which is to say, an absence of the following components:

• Management frameworks for risk-based decision-making
• Clear processes for threat response and escalation
• Defined roles with authority and capability to act
• Trust mechanisms between individuals and organizations
• Feedback loops from experience to policy improvement

Evidence synthesis:

• Survey A: 25% no formal process, 50% assess only during incidents, responsibility fragmented across 6+ roles
• Survey B: 33% don’t report threats, 65% want collaboration but unclear how to achieve it
• Interviews: “Threat assessment rarely central to CSO functioning” / “Assumed someone could help rather than engaging with protocols”

Any solution to responsive transparency should be part of a holistic approach: e.g. capacity-building around forming an organizational threat response, or an organizational campaign of formalized adoption of new software/systems, etc.

The speed requirements for removals reveal a potential gap between threat propagation speed and protection deployment speed.

The velocity gap:

• Threats propagate rapidly: < minutes (social media spread, doxxing forums, coordinated harassment)
• Information cached: minutes to hours (Google cache, Archive.org, web scrapers)
• Current protection: hours to days (manual editing, organizational approval)

Interviewees mention that threats “propagate faster than current responses,” creating “critical threat windows” where staff are vulnerable.

Why this is safety-critical:

1. Harassment campaigns can mobilize hundreds within hours
2. Personal information can be archived/cached before removal
3. Doxxing packages can be compiled and distributed rapidly
4. Physical threats can escalate from online to offline quickly

This means that any activation time for removals greater than 30 minutes will potentially fail a significant portion of threat scenarios of the target audience. It may also be prudent to test if a 5-minute emergency activation is a safety imperative.

One-third of individuals experiencing threats don’t tell their organizations because of general problems with trust and capabilities. Specifically, why they don’t report**:**

1. Past experience: previous reports led to sympathy but no action
2. Organizational capacity: Unclear what org can/will do
3. Social dynamics: don’t want to be seen as “overreacting” or “creating burden”
4. Lack of process: no clear mechanism or known escalation path
5. Fall into a vicious cycle:
   1. Threats occur but aren’t reported (33%+)
   2. Organizations develop threat models on incomplete data
   3. Organizations underestimate risk, don’t invest in tools
   4. When threats are reported, inadequate response reinforces non-reporting
   5. Cycle repeats, gap widens

The survey showed that breaking the cycle requires**:** easy reporting mechanisms (low friction, low stakes); consistent, visible responses; clear process documentation, and individual agency–meaning staff can still protect themselves even if their org is slow to act.

The research consistently shows that the target audience’s need for protection against digital threats extends beyond their individual organizations across their networks, to their partners, families, and communities.

Evidence of collective vulnerability:

• Survey A: 64% act when partner organization attacked (highest trigger after direct threats)
• Survey B: Concerns about “family safety if someone finds my information”
• Interviews: “Sharing the load of danger,” “safeguard staff AND partners, sources, beneficiaries”

The ecosystem reality:

• Organization attacked → partner organizations potentially targeted
• Staff person doxxed → family endangered
• Single vulnerability → network exposure
• Ecosystem anchors/hubs compromised → credibility and trust damaged between network nodes

Current solutions are organization-centric:

• No partner notification mechanisms
• No automated and/or coordinated response capability
• No shared threat intelligence
• No collective activation triggers

There is a type of vulnerability that emerged across all the research, which is that content removal from a live site doesn’t address archived/cached versions. This creates ongoing exposure even after “successful” protection has been implemented—a systemic problem identified in the research plan and project brief that is now supported by the survey. Indeed, resolving the persistence of sensitive information/ PII that has been cached to web archives, content delivery networks, and the like can vary depending on the service. From the interviews, we gathered that the practice of friendly/self-doxxing (using services like DeleteMe for example) is key to resolving this.

Evidence:

• Survey A: “Not sure - especially with legacy data (archive.org)” - repeated concern
• Interviews: “Enduring presence of data in archives as significant vulnerability”, “Sensitive details remain accessible, exposing organization to renewed risks”

The archive problem:

• Archive.org may have years of snapshots
• Google cache persists for days/weeks
• Third-party scrapers and aggregators
• Social media caches and quote-tweets
• Screenshot circulation

Current response (organizations don’t know how to):

• Request archive.org removal
• Manage Google cache
• Detect web scraping
• Assess historical exposure