William Shakespeare in period clothing sitting in school desk with laptop computer shrugging at viewer.

Explained: Doxing

Definition of Doxing (sometimes written as doxxing): gathering identifiable information about a person or a group of people with the objective to shame, scare, blackmail or bully the target.

What is it?

The technique as such was already known in the 1990’s when Usenet users researched and posted the real names belonging to online handles that they had an argument with. Very much like Shakespeare who’s true identity has been fruit for many “doxers” before their time. The terms “dox”, derived from docs (as in documents) and doxing started to get used around 2005 when journalists considered it a useful part of investigations.

Nowadays, when it concerns the doxing of persons it is usually seen as a form of cyber-bullying. When it comes to doxing organizations it usually plays down to blackmail. Consider for example the Ashley Madison hack where data were put online when the demands of the attackers were not met. In both these cases doxing is considered an illegal activity, as it is in many countries.

On the Dark Net there are special sites like Doxbin where you can find published dox, but you would be amazed to see what can be found at unrelated, legitimate sites like Pastebin if you know where to look.

kidsThesedays2

Children doxing each other on Pastebin

Why doxing is always illegal (in the USA)

“Doxing is a form of stalking or threatening and is illegal under many different federal and state laws, depending on the exact facts and location.”

Revealing a name that belongs to an online handle may, or may not be considered “Doxing” depending on the level of anticipated anonymity. However, in the law, the term “restricted personal information” means, “with respect to an individual, the Social Security number, the home address, home phone number, mobile phone number, personal email, or home fax number of, and identifiable to, that individual.”

This is an important distinction to remember, because it implicates that once you revealed information that put another person in danger, and disclosing an address to the wrong people could do just that, you have violated the law.

How to shield yourself

There are a few pointers to keep in mind if you feel you are in danger of anyone using doxing against you.

  • Passwords: Use strong passwords and don’t re-use the same username – password combination for several resources. It is bad enough if someone gets hold of one password, a disaster if that password can be used for all your accounts. Use a password manager like LastPass for example.
  • Social media: Think about the information you post on social media and about who can access that information. Friends of my “friends” may not be so friendly. Every bit of information can give a doxer another angle to work on. Needless to say that your address and when you plan to be on vacation are a really bad combination. For you, not for the burglar.
  • Email addresses: If possible, use several different email addresses. Especially if you are the kind of person that likes to do subscribe to newsletters, take online quizzes or if your email address has been compromised before. If you post your email address on your own site, consider using one of these methods to stop bots from finding it. You can check if your email address has been compromised at haveibeenpwned for example.
  • Revenue model: When signing up for something free, especially if it’s too good to be true, try and figure out how the business giving it away makes money. They might be doing it by selling your information.
  • Domain privacy: If you are the owner of a website or a domain name, check if the organization that gave out your domain name offers “domain privacy”. If they don’t your full name and address will be listed online. Or consider using a PO Box for domain registration purposes. This depends on where you live however. In some countries the information who owns a PO Box is not hard to find out.
  • Phone number(s): Unless you need to put your phone number online in order for (potential) customers to reach you, don’t give it out to just anyone.
  • Be friendly and respectful: If you don’t make people angry they have less reasons to go after you.
  • Remove personal information from sites that you no longer find useful. Justdelete.me  is a good resource when you want to attempt this.
  • If your country uses an electoral register make sure that your data don’t go on the publicly available list. Countries using this system should have an opt-out system.
  • False identity: A very time-consuming and difficult task at best, but if you feel you are a potential target, it is something to consider.

Summary

We have given you a short explanation about what doxing is, namely gathering personally identifiable information with intent or threat to publicize it, and we tried to give some pointers about prevention.

Links:

The Rise of Political Doxing

What doxxing is, and why it matters

ABOUT THE AUTHOR