The Not-So-Advanced World of Online Troll Investigation

As a result of other posts on this blog, I’ve got used to being asked for help in unmasking “trolls”. Most typically, the requests have come from political activists who think they have the right to verbally attack those with whom they don’t agree, but should themselves be immune from any such attacks. Because… well, you know… Because their opinion is right, and everyone else’s is wrong, basically.

After a quick skim through their interaction histories, I more often than not find that the person approaching me as the victim is actually a proactive aggressor, themselves hiding behind a fake ID.

One was a proactively gobby male approaching me in the guise of a female victim, which made me wonder why he’d bother asking me for help. Surely, if I had the ability to unmask his enemies, I had the ability to see through his own façade. And if I was too stupid to see through his own façade, I’d have zero chance of unmasking his enemies. Another dude on a mission brought with him a nice little halo of toxicity. Go away! It’s your slanging match – not mine!…

But not everyone is a thrice-suspended mouth almighty or a hypocrite complaining because others do what they themselves are doing. And whilst I won’t normally get involved in other people’s online disputes, I have, when it’s warranted, privately offered a piece of advice which does not appear anywhere on this blog. It relates to a technique widely used by professional detectives, but which is the absolute antithesis of technological hackery. The name of the technique?… Bluff.


Bluff is in fact one of the most powerful weapons in deterring online trolls. As a privacy fanatic who’s been required to understand privacy laws in the course of work, I noticed over time that a lot of the legally-themed warnings which more authoritative social media users were issuing to trolls were mostly bluff.

The basic method these people were using was to inform the troll that they had identifying information about him, and then state that they were about to pass this info over to their lawyer or another authoritative body. It was clear to me that in most cases, they had not identified the troll. But particularly if the assertions were backed up with some information which the troll did not consider to be publicly accessible, bluffing had an incredibly high success rate. In these situations, I’ve never seen a single troll say: “Okay then, so come on: who am I?” They wouldn’t dare. That’s the beauty of the system.

One of the reasons why bluff works so well is that trolls are by nature ignorant, and cowardly. They don’t actually know anything, and are too idle to find out. Their entire contribution to the Internet is opinion, which they pick up secondhand, and interpret as fact, because it suits the ends they’re seeking to achieve. They have no empathic compass, so they’ll continue to attack even when it’s clear they’re making others distraught. But there are certain responses that do tend to change their behaviour. One in particular is incredibly effective with anonymous trolls…

“We know who you are and we have your IP address.”

To avoid sounding like bluff, this phrase does, however, typically need to be backed up with some real information. Where that information comes from is often down to circumstance. But there are many known tricks that enable pretty much anyone to get hold of small pieces of identity information and then assemble them into something pretty convincing.

For example, on Twitter, one could use the Chris Monteiro password reset trick, which will reveal part of the user’s email address for the majority of Twitter account holders. Anyone who hasn’t taken the trouble to protect their password reset function, basically – and it seems that’s most people.


Another classic technique is to bait the troll into inadvertently handing over their IP address, for example by linking to a WordPress Contact Form in a Twitter bio. This is a big temptation for some trolls, because they often want to get in touch and vent after they’ve been blocked. But when they send their message via the WordPress form, their IP address is automatically captured and forwarded to the email recipient. The troll’s victim may get a nasty email, but they also get an IP address, which, if the troll is confronted with this and other information, plus a considerable amount of bluff, may be enough to end the trolling campaign.


Then there are the little bits of tell-tale info the troll leaves around the web. One particular troll had posted Google search links, which, seemingly unbeknown to him, carried data about his whereabouts and device. Google search links are simply links to an actual Google search. Search for something on Google, then grab the Google search page URL from your browser’s address bar, and that’s your Google search link. People post them to show actual search results for a given phrase. Trolls might post them to try and indicate that their victim is seen in a bad light.

Whilst these links cannot, in themselves, reveal who you are, they can, in conjunction with other information, serve as crucial component evidence.

Of course, Google is not purposely trying to destroy your privacy with its complex-looking search URLs. What it’s trying to do is replicate your exact search results for everyone to whom you pass your link. Google’s search results fluctuate from region to region, and alter according to your search settings, your browser’s language settings, etc. So if Google doesn’t record this type of information within the actual URL of the search, different people will see different results. To keep the results consistent, Google stores the important parameters in the link to a given search.

But post that link, and you’re literally posting info about your computer or device. Whether you’re using Apple, whether you have Safe Search on or off, what your language settings are (and therefore your probable world location)… And perhaps one of the most revealing bits of info contained in the Google search URL is the device window size. This will give a good indication of whether the user is on mobile or desktop. But more than that, it can even give a likely ID on an exact device…

Often, because of the way an individual user has their system set, their browsing window size will be different from the device default. Instead of having a full monitor width of, say, 1920 pixels, the user may have their browser opening at 1643, or another quite random width. If they’re using a browser at 1643 x 811, that’s a pretty unique size.

So if the troll’s victim has a website with full Analytics capability (and many real victims of trolling do have websites), they can simply search for that odd screen resolution in their website hits. If they find that screen res, they have a pretty good idea the hits were from the troll, whose screen footprint they found in the Google search link. And their website Analytics will tell them a lot more than that search link could. They’ll probably have a local geographical location, and a lot more device info, for example.
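Seen from the side of anyone who wants to share a search link without posting their own setup, the same URL can be audited and cut back before it goes public. The following is an added example, not code from this blog: it lists the well-known Google search parameters that describe the sender (window size `biw`/`bih`, language `hl`, SafeSearch `safe`, `client`, `oq`) and returns a link that keeps only the search itself. The function names and the sample link are constructed for illustration.

```python
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# Parameters needed to reproduce the search itself (query and result type).
KEEP = {"q", "tbm"}

# Well-known Google search parameters that describe the sender's setup.
REVEALING = {
    "biw": "browser window width (px)",
    "bih": "browser window height (px)",
    "hl": "interface language",
    "safe": "SafeSearch setting",
    "client": "browser / client identifier",
    "oq": "text originally typed before autocomplete",
}


def audit_search_link(url):
    """Return (clean_url, findings) for a Google search link.

    findings maps each revealing parameter present to (value, meaning).
    Everything outside KEEP is dropped from clean_url, known or not.
    """
    parts = urlsplit(url)
    pairs = parse_qsl(parts.query, keep_blank_values=True)
    findings = {k: (v, REVEALING[k]) for k, v in pairs if k in REVEALING}
    kept = [(k, v) for k, v in pairs if k in KEEP]
    # Drop the fragment too: older Google links repeat the query after '#'.
    clean = urlunsplit((parts.scheme, parts.netloc, parts.path, urlencode(kept), ""))
    return clean, findings


def window_size(findings):
    """Return (width, height) if the link exposes both, else None."""
    try:
        return int(findings["biw"][0]), int(findings["bih"][0])
    except (KeyError, ValueError):
        return None


# Constructed sample link, using the window size from the article's example.
SAMPLE = ("https://www.google.com/search?q=example+phrase&hl=en-GB&safe=off"
          "&client=safari&biw=1643&bih=811&ei=CONSTRUCTED&ved=CONSTRUCTED")

if __name__ == "__main__":
    clean, found = audit_search_link(SAMPLE)
    for name, (value, meaning) in found.items():
        print(f"{name}={value}: {meaning}")
    print("window:", window_size(found))
    print("share this instead:", clean)
```

Recipients of the cleaned link may see slightly different results, since Google then applies their own region and settings instead of the sender's.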

By now, they really are in a position to scare the troll. But it’s the bluff that hammers in the final nail…

“We know who you are.” [“We” is more authoritative and scary than “I”] “We also know you use an iPhone and are posting from Birmingham.” “It would be against the ToS to post your full personal information on social media, but you’re using your iCloud email for this Twitter and we collected your IP address from email correspondence.” “If you don’t desist with immediate effect, this WILL now become a legal matter.”

That’s going to be game over for 99% of anonymous trolls.