What this is, and what it isn’t
I was, initially going to put together a full training for folks to handle proactive defenses to Doxxing, including active counter-operations. In truth, I might still do this over time in book form; I will not be able to acheive it for this.
What I can do, however, is put together a few FAQ type questions, and provide some resources on how to handle the situation.
- What is Doxxing?
- Doxxing is short for “Dropping Doc(ument)s”. It is the act of publicly and conveniently posting a target’s personal information. Generally with the goal of either intimidating, embarassing, or otherwise impacting them to change the target’s behavior. It is often used to doxx individuals of opposing beliefs (something endorsed by the center for Digital Ethics and Policy of Loyola Loyola1)
- I have been doxxed! What do I do?
- First, do not panic. Much of the goal of doxxing is to intimidate and cause fear. By panicking and acting out of fear you are responding to the situation in the way the target wants you to. There will be a sudden urge to disappear, and hide. This is not the best idea, but there is some usefulness in it.
Second, change all passwords, usernames, and validate privacy settings. Good security hygiene in the modern day tells us to use different passwords and usernames for services we need to be secure on. It may be time to take a leaf out of the early 90s codebook and start going by an alias. Another thing to do after changing credentials to differentiate your various site identities is go through and check all of your privacy and security settings on websites you use regularly. Make sure to enable multi-factor authentication if it is available. These systems will often send you a code if someone tries to access it. You should also freeze credit if you are not looking to make a big purchase. A bad side effect of doxxing is it makes it really convenient for ID thieves to steal your identity.
Third, make reports to anyone who can help you in the process. Many workplaces have security services that will be able to keep an eye out for suspicious activity. Your bank should be able to put up a monitor for any suspicious activity or requests for information. Most other services that have your personal information can be alerted as well, although YMMV with asking for a monitor. Some institutions may charge, and some you may have to ask rather forcefully before they will assist you. If all else fails… well…
Fourth, talk to an attorney. Call one. Most have pro-bono counselling services some businesses have legal representation or assistance for employees, and almost all communities have a legal-aid office who are built for exactly this kind of thing. They will be able to give you step-by-step instructions on how to proceed and may be able to provide you advice on local security services.
Finally, you need to set up a safety and security plan. This safety net will be there to help protect you and help you if something goes wrong. Start working with friends and relatives to have a secure social net. Make sure that they are OK with helping be your resource for the following:
- Knowing when you go out and when you will be home
- Checking in on you periodically by phone or verifiable communication
- Keeping an eye out if they see anything suspicious at your home (neighbors only… obviously)
In short, do a safety/privacy checkup on all accounts, freeze your credit, report the incident to relevant authorities, talk with legal counsel, set up a safety net.
If you feel safe doing so, you are always welcome to reach out to law enforcement in these situations. They will likely have resources that will be able to help you through this process as well.
- What are some ways I can prevent being doxxed?
- The first thing I would do is set aside a few hours once a month or so to check on privacy settings, where your personal information is, and where you can have it removed from.
Individuals in California, Virginia, and within the EU have various laws protecting their data and information, how it is disclosed, and how to remove it from services. If you are in one of these areas, take a look at your local laws (The CRPA, VCDPA, CCPA, and GDPR).Squire Patton Boggs2
If you do not live in one of these states there are some options you have. Check with legal counsel regarding local laws that may protect your data (some states have laws allowing individuals to not be listed in public record if they work in certain professions, or belong to vulnerable groups). Additionally, counsel may be able to provide you with resources you may be able to use to have your information removed from various public databases. For private companies it can be more tricky, but most are responsive to services such as DeleteMe3. These services will remove your data, and keep checking to ensure it is removed periodically.
I would not suggest you try to manually have your information removed from these services unless you are knowledgeable in how they operate and willing to check every 4-6 weeks every service you need to remove your data from
- How do people get doxxed?
- Generally, individuals doing the doxxing use Open Source Intelligence (OSINT)
techniques to associate the presence of the target on the website with other
sources of information (other social networks, old forums, picture sharing,
email addresses, etc.) and put together a profile on their target.
This information is then shared on information sharing websites, social media, and chatrooms over IRC and services such as Discord and Matrix.
This profile can include such items as:
- Real Name(s)
- Alias(es), Username(s)
- Physical Addresses
- Images (compromising or otherwise)
Essentially, people consolidate publicly available information into an easily digestible form.
- Have they hacked my phone/email/account?
- This is unlikely. Most instances of doxxing are simply some keyboard warrior having access to publicly available resources. In truth, they usually only post information that a reasonably capable teenager probably does more to find out where to get to the next party, or where that cute guy from Facebook they met on spring break was from. All it normally takes is a first/last name, address, and a workplace to make most people back off. In truth, the actual risk from doxxing is pretty negligible… about 90% of the time.
There are, and are increasingly, situations where doxxing turns into actual harm. I don’t mean job loss, which honestly means the activity that got the individual removed from a job was conduct not fitting for the organization who ultimately chose to fire them. I mean actual physical harm, death threats, harassment, and vandalism.
With that said, if you find yourself asking the above question, it may be prudent to be a little more vigilant for a couple of days to weeks. The most important part is to remember that you need to stay calm. Panic will only give the doxxer more position, and will cause you to make mistakes.
If at any point you find your life at risk, reach out to a legal resource for assistance, be that an attorney’s office who can assist you as an intermediary, a local resource group, or legal aid agency. All of these individual groups can interface between you and Law Enforcement if it comes to that level of risk.
Ultimately, if you feel comfortable, you can reach out directly to a law enforcement resource.
Quick Link to this page: