How to protect yourself from doxing

How to protect yourself from doxing

“Abandon hope all ye who enter.”

This ominous inscription affixed atop the gates to Hell in Dante’s Divine Comedy applies peculiarly well to describe the state of the Internet today.

It’s hard to draw a parallel to the utility that the Internet has offered to modern civilization—perhaps no other technological innovation has brought about greater change. Yet, one of its many consequences is the steady erosion of individual privacy, as cybercriminals (and even regular users) become more creative with malicious activities perpetrated against others online.

Among the many harmful techniques of threatening a user’s online privacy is doxing. Doxing refers to the collection of a user’s private information, which is inevitably spread across multiple platforms (including social media), and publishing it publicly. Doxing may be conducted by researching public databases, hacking, or through social engineering. While there are some legitimate reasons for doxing, such as risk analysis or to aid in law enforcement investigations, it’s mostly used to shame, extort, or enact vigilante justice.

The act of doxing poses serious dangers not only to the privacy of an Internet user, but also to their physical safety. It’s not uncommon for a doxing victim to be harassed in person or be targeted for swatting spoofs. Nonetheless, you can take some effective measures to prevent becoming a potential victim of a doxing attempt.

1. Make all social media handles/usernames private

It is a fairly simple matter for anyone stalking you online to cross-reference your multiple online personalities (read usernames/handles) from different social media platforms. If all your profiles are visible at a single click to any random Tom, Dick, or Harry with a working Internet connection, you may be leaving yourself open to doxing.

The good news is that most popular social media platforms have considerably improved their privacy controls. It is advisable to explore privacy settings for all your profiles, and keep personally identifiable information, such as your phone number, addresses, and other sensitive data invisible to anyone you don’t know.

2. Use unique usernames for each platform

The easiest way to make yourself target practice for someone learning the art of doxing is to use the same username for every online message board, social media, and service you are using. Avoid this at all costs—unless you are developing an online persona or influencer program. If so, hiding personal details associated with those profiles becomes even more imperative.

For the rest of us, it’s wise to have a unique username for different situations and compartmentalize usernames on the basis of purpose. For instance, if you use Instagram, comment on an online gaming forum, and participate in a community for political discussions, use a different username for each of these purposes, with no obvious connection between them. For this reason, we don’t recommend using social media profiles to sign in to other services (i.e. sign in using Facebook or Twitter).

Separating online account identities makes it quite difficult for anyone that might take an interest in launching a doxing attack against you to collect all the necessary pieces to form a true identity. And while it can be frustrating to manage so many different usernames and passwords, software such as password managers can assist in the juggling act.

3. Be wary of online quizzes and app permissions

The philosophy of maintaining online privacy is simple: limit sharing of personal information online unless absolutely necessary. Online quizzes and needless mobile app permissions are the antitheses to this philosophy.

Online quizzes seem completely innocent, but they are often goldmines of personal information that you happily provide without thinking twice. For example, some parts of a quiz may even serve as security questions to your passwords. Since many quizzes ask for permission to see your social media information or your email address before showing who your spirit animal is, they can easily associate this information with your real identity.

As we saw with Facebook’s Cambridge Analytica fiasco, those online quizzes aren’t always as innocent as they seem. Without much context on who is launching the quiz and why, it’s best to avoid taking them altogether.

Mobile apps are also rich sources of personal data. Many apps ask for access permissions to your data or device that shouldn’t concern the app software at all. For instance, an image editing app has no logical use for your contacts. If it’s asking to access your camera or photos, that makes sense. But if it also wants to look at your contacts, GPS location, and social media profiles, there’s definitely something fishy going on.

So while we can’t say “avoid downloading apps that request permissions” altogether, we do recommend you take a good look at which permissions are being requested and consider whether they’re necessary for the app to function.

4. Use VPNs

VPNs (virtual private network) hide your IP address from third parties on the web. Normally, every website that you access can see your IP, which can reveal a lot about you, such as the city you are located in and even your real identity. VPNs boost your online privacy by giving you a fake IP address associated with a different location, which can easily throw off a doxer trying to track your trail.

The only problem is that there are a lot of VPNs out there, and not all of them are secure. The task of choosing one that suits your needs can be made easier with VPN comparison resourcessuch as this, as well as our article on mobile VPNs.

Learn how to configure your VPN to support all devices in your home network. Read more: One VPN to rule them all

5. Hide domain registration information from WHOIS

WHOIS is a database of all registered domain names on the web. This public register can be used to find out details about the person/organization that owns a given domain, their physical address, and other contact information—all the stuff doxers would love to get their hands on.

If you are planning to run a website (domain) anonymously without giving your real identity away, don’t forget to make your personal information private and hidden from the WHOIS database. Domain registrars have controls over these privacy settings, so you’ll have to ask your domain registration company about how to do so.

Final thoughts

Online privacy is becoming harder and harder to preserve as our connectedness expands, courtesy of the Internet. Organizations look for personal details of their customers for more successful, targeted marketing opportunities. Applications request private information to support functionality—and sometimes ask for too much. Social media networks and search engines mine personal data for advertising profits. At this point, simply having an online presence is enough to put your privacy at risk.

At the same time, remember that for a great majority of cases, taking a few extra steps to hide, scatter, or make more difficult to access personal information online can throw doxers off your scent and protect your privacy. This strategy is effective in turning away all but the most persistent doxers from gathering pieces of information about you and publishing it on the Internet. As an added bonus, protecting your PII from doxers also makes it more difficult for cybercriminals to scoop up your details to use in a social engineering attack. 

Perhaps we needn’t abandon all hope online after all.


Osama Tahir

Osama Tahir is a writer who covers online privacy, science, and the sociological impact of technology in modern times. He is a contributing author at Hackernoon and The Globe Post.