Doxing victims find their home address, social security number, and more posted online, typically because someone wanted to intimidate, humiliate, or harass them. Here’s what you need to know.
Doxing (or doxxing) is the practice of revealing personal information about someone online without their consent.
The word first emerged in the world of online hackers in the 1990s, where anonymity was deemed sacred; in most cases, people’s real-world identities were unknown to their allies and rivals. A feud between hackers might escalate when someone decided to “drop docs” on somebody else — that is, post documents revealing the legal name of a person who had only been known as a username or alias up to that point.
“Docs” became “dox,” which in turn lost the “drop” and became a verb by itself, occasionally being written with an extra “x” as “doxxing.”
How the meaning of doxing has evolved
The definition of doxing has since expanded beyond the insular world of hackers and now encompasses the exposure of personal information beyond mere identity. The term is still used to describe the unmasking of anonymous or pseudonymous internet posters, but that’s become less important in an era when most of us are active on social media accounts with our real names attached.
Modern-day doxers aim to reveal information that can move their conflict with their targets from the internet to the real world, including home addresses, employers, social security numbers, private correspondence, and criminal history or otherwise embarrassing personal details. The goals range from intimidating or humiliating victims, causing a loss of employment or breaking off of relationships, or making the target a victim of in-person harassment or assault.
Is doxing illegal?
The prospect of someone posting your home address for anyone on the internet to see is pretty scary to most people, and you may assume that it can’t possibly be legal. But the legality of doxing can vary from case to case, and depends on exactly what information is revealed and how that information is obtained.
The Reeves Law Group has a good breakdown of what forms of doxing are legal and what aren’t in the United States. Federal law restricts the publication of personal information about certain restricted categories of people: state or federal employees or officers as well as jurors, witnesses, or informants in trials or criminal investigations. If the doxing is part of a larger campaign of harassment, victims who don’t fall into those categories may be able to press charges based on state or federal stalking legislation or file a civil suit for damages. Of course, pulling this off will require the victim to be able to discover the real-world identity of the doxer, which, ironically, is often quite difficult.
Finally, the legality of the doxing process is in part determined by how the personal information being revealed was discovered by the doxer in the first place. In many cases, doxers can exploit failures in operational security (OPSEC) to piece together bits of information that their targets have posted in public view or hinted at on social media. We’ll get into some of the specifics of what that information might be and where you can find it our next section, but it’s important to keep in mind that collating that information or drawing people’s attention to it isn’t illegal, as intrusive as it might feel. But we’ll also see that there are methods that doxers use to gather data that are illegal no matter what they end up doing with them.
How does doxing work?
How do doxers sniff out personal data? Well, let’s start with the legal methods.
To begin with, if the doxer knows your legal name, a surprising amount of information about you is a matter of public record: your voter registration, property records, marriage and divorce records, mug shots, and more. These details aren’t necessarily a quick Google search away, but they can be obtained from government agencies readily enough, often at low to no cost.
If the target is associated with a specific internet domain, doxers may use whois records to learn the target’s name, address, and phone number; many domain owners don’t realize those can be set to private. And if you’re posting on a forum or online community, the managers of the site will have access to information about you that won’t necessarily be visible to the public.
Doxers can use other techniques to connect an online pseudonym to a real-world person. Since many people use identical or similar handles across multiple sites or online communities, for instance, breadcrumbs of personal data revealed in different contexts can be combined to create a fuller picture of a person than they might realize. OPSEC techniques can also be used to confirm suspicions that an online handle might be connected to a specific real-world person. (For a master class in this, check out how journalist Ashley Feinberg sniffed out former FBI Director James Comey’s and Senator Mitt Romney’s Twitter accounts.)
Another way to zero in on a target: file metadata. Microsoft Office files have information embedded in them about the user who created them. And sure, maybe you don’t usually post Word files online, but what about photos? These have EXIF data embedded, which can include the exact geographic location where the photo was taken — a quick way to figure out where someone lives, since many photos are taken at home.
However, doxers don’t necessarily restrict themselves to legal methods of tracking down information on their targets — and indeed more nefarious methods may involve less effort. The quickest route to finding and weaponizing personal information about a target may be to simply buy it, whether from legal, if shady, data brokers or from databases passed around on the dark web derived from the innumerable data breaches that afflict companies large and small. If a doxer can connect their target’s name, email address, or social media handle with a record in one of those databases, they can get a wealth of information that can then be posted publicly. There are even paid doxing as a service outfits out there.
Other techniques, like IP logging or packet sniffing, may be more frequently associated with hacking aimed at account compromise, but a compromised account can of course offer up personal data like names, addresses, social security numbers, and the like.
5 doxing examples
So, once someone has your personal information, how exactly might they dox you? And, to back up a bit, why would they want to make your life miserable in the first place? Let’s look at some real-world high-profile doxing incidents to learn more.
Doxed by the sites where you comment. In 2013 a Temple University journalism professor left a comment on the website of the Neiman Journalism Lab criticizing what she saw as the organization’s left-wing bias. The site’s comments were powered by the Disqus commenting plugin, and anyone could have clicked on the professor’s “truthseeker” user name to see her comments on other sites, including those on right-wing sites that were derogatory towards Muslims. The Neiman Lab’s director, as a manager of the website, was also able to see the professor’s email address, which he used to discover her identity and name her on Twitter, which in turn got her in trouble with her employer.
No ethics in doxing. In 2014, the Gamergate movement claimed to be a crusade against unethical gaming journalism but seemed to have a particular hatred of female gaming developers who worked on nonconventional games or discussed feminist themes. One developer, Brianna Wu, posted some anti-Gamergate memes; Gamergaters on 4chan quickly found her home address and phone number, and death threats began to roll in.
When journalists dox. Michael Hirsch, a national editor at Politico, posted the Washington, D.C., address of white nationalist Richard Spencer in public Facebook and Twitter posts. After the Daily Caller drew attention to the posts, Hirsch resigned and Politico called the posts “outside the bounds of acceptable discourse.”
Dox by swatting. One particularly malicious form of doxing is swatting, in which the victim’s location is discovered and then called into local police as the scene of a hostage situation, which will inevitably lead to a heavily armed SWAT team bursting down the door. This is a frequent form of doxing used as a prank during gaming livestreams — streamer Jordan Mathewson, a victim himself, says that part of the appeal to the swatter is being able to watch the events unfold as they happen.
Doxing in error. Doxing is terrifying and confusing enough when the victim really is the person the doxer is trying to unmask, but sometimes doxers get the wrong guy (or gal). For instance, amateur sleuths on Reddit, trying to figure out the identity of the Boston Marathon bombers in 2013, wrongly fingered a missing young man who eventually was found dead from suicide. Similarly, online detectives looking at photos of torch-wielding marchers at the 2017 Unite the Right rally misidentified one person as an Arkansas professor who quickly found himself the target of death threats.
How to prevent doxing
So how do you keep from becoming a victim of doxing? Unfortunately, it’s impossible to completely remove personally identifying information from the internet, especially when it’s part of public records. Still, there are some tips to reduce your attack surface.
Keep your data close your chest. You have a lot of control over how much data about you is out there in the world:
- Try to avoid posting identifying information whenever possible
- Keep your social media settings at the most private level, and don’t accept friend requests from people you don’t know
- Change the settings on Office and your phone’s photo app so personal info isn’t embedded in those files
- Use a “burner” email address for signing up for accounts that can’t be connected to your real name
- Set the whois records on any domains you own to private
- Ask Google to remove personally available information about you, and request the same from data broker sites
Practice safe browsing. These steps are good internet hygiene in any case, but can also prevent a breach that can lead to your info being exposed to a potential doxer:
- Use a VPN, especially when using insecure public Wi-Fi networks
- Switch to a secure email system with built-in encryption
- Vary your usernames and passwords
Dox yourself. The best way to stop a doxer is to think like one. The New York Times has a good guide to get you started in doxing yourself so you can understand how vulnerable you are. If you’re even a slightly public figure, or if you’re engaged in potentially controversial encounters online, doxing is a possibility and you need to be prepared.
How to report doxing
As noted above, getting legal relief against doxers can be difficult: it’s often not clear what laws they’re breaking, and they usually take steps to obscure their own identity even as they expose yours. Nolo has a good guide on the sorts of documentation you’d need to put together to make the strongest case you can.
A lot of doxing takes place on social media, and there’s good news on that front: doxing, even when legal, violates the terms of service of most platforms. Reporting tweets or Facebook posts that include your personal information will generally get them swiftly taken down and the offending user suspended. Unfortunately, if you’re subject to a coordinated attack, it’s not hard for doxers to move across multiple accounts and keep up the harassment.
The EFF’s Eva Galperin offers some advice on how to deal with a doxing attack. Sadly, in many cases, the best you can do is lock your accounts and, as she says, “assess how much mental bandwidth you have for this … maybe even appoint someone else to watch the situation for you so that you don’t have to. Let somebody else do all of the emotional labor of dealing with these threats, and tracking them and reporting them to the platforms, because it can be really, really hard on a person mentally. You don’t have to do this alone. You have a network of support.”
By Josh Fruhlinger, August 31, 2020, published on CSO Online