Doxing
The term ‘Doxing’ is short for “dropping dox” ‘dox’ being slang for documents. Typically, doxing is a malicious act, used against people with whom the hacker disagrees or dislikes.
Doxing (sometimes written as Doxxing) is the act of revealing identifying information
about someone online, such as their real name, home address, workplace, phone, financial,
and other personal information. That information is then circulated to the public — without
the victim’s permission.
While the practice of revealing personal information without one’s consent predates
the internet, the term (term?) doxing first emerged in the world of online hackers in the
1990s, where anonymity was considered sacred. Feuds between rival hackers would
sometimes lead to someone deciding to “drop docs” on somebody else, who had previously
only been known as a username or alias. “Docs” became “dox” and eventually became a verb
by itself (i.e., without the prefix “drop”). The definition of doxing has expanded beyond the
hacker world community and now refers to personal information exposure. While the term is
still used to describe the unmasking of anonymous users, that aspect has become less relevant
today when most of us are using our real names in social media.
Recently, doxing has become a tool in the culture wars, with rival hacker’s doxing
those who hold opposing views the opposite side. Doxers aim to escalate their conflict with
targets from online to the real world, by revealing information which includes:
● Home addresses
● Workplace details
● Personal phone numbers
● Social security numbers
● Bank account or credit card information
● Private correspondence
● Criminal history
● Personal photos
● Embarrassing personal details
Doxing attacks can range from the relatively trivial, such as fake email sign-ups or
pizza deliveries, to the far more dangerous ones, like harassing a person’s family or employer,
identity theft, threats, or other forms of cyber bullying, or even in-person harassment.
Celebrities, politicians, and journalists are amongst those who have been doxed, making them
suffer from online mobs, fearing for their safety, and – in extreme cases – death threats. The
practice has also spread to prominent company executives; for example, when Proctor &
Gamble’s Gillette released its, We Believe ad, which claimed to target toxic masculinity.
Doxing entered mainstream awareness in December 2011, when hacktivist group
Anonymous exposed 7,000 law enforcement members’ detailed information in response to
investigations into hacking activities. Since then, Anonymous has doxed hundreds of alleged
KKK members, and their most recent targets have included Q-Anon supporters. The
motivations behind doxing vary. People feel they have been attacked or insulted by their
target and could be seeking revenge as a result. If someone becomes known for their
controversial opinions, they could target someone with opposing viewpoints. However, this
tends to be the case when the topic is especially polarized, rather than everyday political
disagreements.
Intentionally revealing personal information online usually comes with the intention
to punish, intimidate, or humiliate the victim in question. That said, doxers can also see their
actions as a way to right perceived wrongs, bring someone to justice in the public eye, or
reveal an agenda that has previously not been publicly disclosed.
Regardless of the motivation, the core purpose of doxing is to violate privacy, and it
can put people in an uncomfortable situation — sometimes with dire consequences.
How does doxing work?
We live in an age of big data; there is a vast ocean of personal information on the
internet, and people often have less control over it than they believe. This means that anyone
with the time, motivation, and interest to do so can turn that data into a weapon.
Some of the methods used to dox people include:
Tracking usernames
Many people use the same username across a wide variety of services. This allows
potential doxers to build up a picture of the target’s interests and how they spend their time on
the internet.
Running a WHOIS search on a domain name
Anyone who owns a domain name has their information stored in a registry that is
often publicly available via a WHOIS search. Suppose the person who bought the domain
name did not obscure their private information at the purchase time. In that case, personally
identifying information (such as their name, address, phone number, business, and email
address) is available online for anyone to find.
Phishing
If the person uses an insecure email account or falls victim to a phishing scam, the
hacker can uncover sensitive emails and post them online.
Stalking social media
If your social media accounts are public, anyone can find out information about you
by cyber stalking you. They can find out your location, workplace, friends, photos, likes and
dislikes, places you have visited, the names of your family members, the names of your pets,
and so on. Using this information, a doxer may even work out the answers to your security
questions — which would help them break into other online accounts.
Sifting through government records
While most personal records are not available online, there is a fair amount of
information that can be gleaned on government websites. Examples include databases of
business licenses, county records, marriage licenses, DMV records, and voter registration
logs – all contain personal information.
Tracking IP addresses
Doxers can use various methods to discover your IP address, which is linked to your
physical location. Once they know it, they can then use social engineering tricks on your internet service provider (ISP) to discover more information about you. For example, they can file complaints about on the owner of the IP address or attempt to hack into the network.
Reverse mobile phone lookup
Once hackers know your mobile phone number, they can find out more about you.
For example, reverse phone lookup services like Whitepages let you type in a mobile phone
number- or any telephone number- to find out the identity of the person who owns the
number. Sites such as Whitepages charge fees to provide information beyond the city and
state associated with a mobile phone number. Though, those willing to pay can discover
additional personal information about you from your mobile phone number.
Packet sniffing
The term packet sniffing is sometimes used in relation to doxing. This refers to doxers
intercepting your internet data, looking for everything from your passwords, credit card
numbers, and bank account information to old email messages. Doxers do this by connecting
to an online network, cracking its security measures, and then capturing the data flowing into
and out of the network. One way to protect you from packet sniffing is by using a VPN.
Using data brokers
Data brokers exist to collect information about people and sell that information for
profit. Data brokers gather their info from publicly available records, loyalty cards (which
track your online and offline buying behavior), online search histories (everything you
search, read, or download), and from other data brokers. Many data brokers sell their
information to advertisers, but several people-search sites offer comprehensive records about
individuals for relatively small amounts of money. All a doxer has to do is to pay this small
fee to obtain enough information to dox someone.
By following breadcrumbs small pieces of information about someone scattered across the
internet, doxers can build up a picture that leads to uncovering the real person behind an alias,
including the person’s name, physical address, email address, phone number, and more.
Doxers may also buy and sell personal info on the dark web. The information found can be
wielded in a threatening manner, for instance, tweeted at someone in response to a
disagreement. Doxing can be less about the availability of the information and more about
how it is used to intimidate or harass a target. For example, someone who has your address
can locate you or your family. Someone with your mobile phone number or email can
bombard you with messages that disrupt your ability to communicate with your support
network. Finally, someone with your name, date of birth, and Social Security number could
also hack into your accounts or steal your identity.
Anyone who has the determination, time, access to the internet, and motivation will
be able to put together a profile of someone. And if the target of this doxing effort has made
their information relatively accessible online this is made even easier.
Examples of doxing
The most common doxing situations tend to fall into these three categories:
● Releasing an individual’s private, personally identifying information online.
● Revealing previously unknown information of a private person online.
● Releasing information of a private person online could be damaging to their
reputation and those of their personal and/or professional associates.
Famous and commonly examples of doxing include:
Ashley Madison
Ashley Madison was an online dating site that catered towards people interested in
dating outside of committed relationships. A hacker group made demands of the management
behind Ashley Madison. When those demands were not met, the group released sensitive user
data, doxing millions of people in the process and causing humiliation, embarrassment, and
the potential for harm to both personal and professional reputations.
Cecil the Lion
A dentist from Minnesota illegally hunted and killed a lion living in a protected game
preserve in Zimbabwe. Some of his identifying information was released, which resulted in
even more personal information publicly posted online by people who were upset by his
actions and wanted to see him publicly punished.
Boston Marathon bombing
During the search for the Boston Marathon bombing perpetrators, thousands of users
in the Reddit community collectively scoured news and information about the event and
subsequent investigation. They intended to provide information to law enforcement that they
could then use to seek justice. Instead, innocent people who were not involved in the crimes
were outed, resulting in a misguided witch hunt.
Is doxing illegal?
Doxing can ruin lives, as it can expose targeted individuals and their families to both
online and real-world harassment. But is it illegal?
The answer is usually no: doxing tends not to be illegal, if the information exposed lies
within the public domain, and it was obtained using legal methods. That said, depending on
your jurisdiction, doxing may fall foul of laws designed to fight stalking, harassment, and
threats.
It also depends on the specific information revealed. For example, disclosing
someone’s real name is not as serious as revealing their home address or telephone number.
However, in the US, doxing a government employee falls under federal conspiracy laws and
is seen as a federal offense. Because doxing is a relatively recent phenomenon, the laws
around it are constantly evolving and are not always clear cut.
Regardless of the law, doxing violates many websites’ terms of service and, therefore,
may result in a ban. This is because doxing is usually seen as unethical and is mostly carried
out with malicious intent to intimidate, blackmail, and control others. Exposing them to
potential harassment, identity theft, humiliation, loss of jobs, and rejection from family and
friends.
How to protect yourself from doxing
With the vast array of search tools and information readily available online, almost
anyone can be a doxing victim. If you have ever posted in an online forum, participated in a
social media site, signed an online petition, or purchased a property, your information is
publicly available. Plus, large amounts of data are readily available to anyone who searches
for it in public databases, county records, state records, search engines, and other
repositories. While this information is available to those who really want to look for it, there
are steps you can take to protect your information. These include:
Protecting your IP address by using a VPN
A VPN or virtual private network offers excellent protection against exposing IP
addresses. A VPN takes the user’s internet traffic, encrypts it, and sends it through one of the
service’s servers before heading out to the public internet – allowing you to browse the
internet anonymously. Kaspersky Secure Connection protects you on public Wi-Fi, keeps
your communications private, and ensures that you are not exposed to phishing, malware,
viruses, and other cyber threats.
Practice good cybersecurity
Anti-virus and malware detection software can stop doxers from stealing information
through malicious applications. Regularly updated software helps to prevent any security
‘holes’ that could lead to you being hacked and doxed.
Use strong passwords
A strong password normally includes a combination of uppercase and lowercase
letters, plus numbers and symbols. Avoid using the same password for multiple accounts, and
make sure you change your passwords regularly. If you have problems remembering
passwords, try using a password manager.
Use separate usernames for different platforms
If you are using online forums like Reddit, 4Chan, Discord, YouTube, or others, make
sure you use different usernames and passwords for each service. By using the same ones,
doxers could search through your comments on different platforms and use that information
to compile a detailed picture of you. Using different usernames for different purposes will
make it more difficult for people to track your movements across multiple sites.
Create separate email accounts for separate purposes
Consider maintaining separate email accounts for different purposes professional,
personal, and spam. Your personal email address can be reserved for private correspondence
with close friends, family, and other trusted contacts; avoid publicly listing this address. Your
spam email can be used to sign up for accounts, services, and promotions. Finally, your
professional email address (whether you are a freelancer or affiliated with a particular
organization) can be listed publicly. As with public-facing social media accounts, avoid
including too much-identifying information in your email handle (for example, steer clear of
firstname.lastname.dateofbirth@gmail.com)
Review and maximize your privacy settings on social media
Review the privacy settings on your social media profiles and make sure you are
comfortable with the amount of information being shared and with whom. Be strategic about
which platforms you use for which purposes. If you are using a platform for personal reasons
(like sharing photos with friends and family on Facebook or Instagram), tighten your privacy
settings. Suppose you are using a platform for professional purposes (such as monitoring
breaking news on Twitter and tweeting links to your work). In that case, you may decide to
leave some of the settings public in which case, avoid including sensitive personal
information and images.
Use multi-factor authentication
This means that you and anyone else trying to access your account will need at least
two pieces of identification to log onto your site, usually your password and your phone
number. It makes it harder for hackers to access a person’s devices or online accounts because
knowing the victim’s password alone is not enough; they will also need access to a PIN
number.
Get rid of obsolete profiles
Review how many sites have your information. While sites like MySpace may now be
out of fashion, profiles that were put up over a decade ago are still visible and publicly
accessible. This applies to any site that you might have formerly been active on. Try to delete
obsolete and old/unused profiles if you can.
Be alert for phishing emails
Doxers might use phishing scams to trick you into disclosing your home address,
Social Security number, or even passwords. Be wary whenever you receive a message that
supposedly comes from a bank or credit card company and requests your personal
information. Financial institutions will never ask for this information by email.
Hide domain registration information from WHOIS
WHOIS is a database of all registered domain names on the web. This public register
can be used to determine the person or organization that owns a given domain, their physical
address, and other contact information. If you plan to run a website anonymously without
disclosing your real identity, make sure your personal information is private and hidden from
the WHOIS database. Domain registrars have controls over these privacy settings, so you will
need to ask your domain registration company about how to do so.
Ask Google to remove information
If personal information appears in Google search results, individuals can request its
removal from the search engine. Google makes this a simple process through an online form.
Many data brokers put this type of data online, usually for background checks or crime check
information.
Scrub your data
You can remove your information from data broker sites. If you want to do it yourself
without incurring costs, it can be labor-intensive. If you have limited time, start with the three
major wholesalers: Epsilon, Oracle, and Acxiom. You will need to regularly check these
databases because your information can be republished even after being removed. You can
also pay a service like Delete Me, Privacy Duck, or Reputation Defender to do this for you.
Be wary of online quizzes and app permissions
Online quizzes may seem harmless, but they are often rich sources of personal
information that you happily provide without thinking twice. Some parts of a quiz may even
serve as security questions to your passwords. Since many quizzes ask for permission to see
your social media information or your email address before showing you the quiz results,
they can easily associate this information with your real identity, without much context on
that is launching the quiz and why it is best to avoid taking them altogether. Mobile apps are
also sources of personal data. Many apps ask for access permissions to your data or device
that should not concern the app software at all. For example, an image editing app has no
logical use for your contacts. If it is requesting access to your camera or photos, that makes
sense. But if it also wants to look at your contacts, GPS location, and social media profiles,
then proceed with caution.
Avoid disclosing certain types of information
Wherever possible, avoid disclosing certain pieces of information in public, such as
your Social Security number, home address, driver’s license number, and any information
regarding bank accounts or credit card numbers. Remember, hackers could intercept email
messages, so you should not include private details in yours.