Doxing (also known as doxxing – a term inspired by the word documents), is commonly a first-stage tactic mobs of people (and individuals) use to intimidate and scare people by digging up personal information across the web. It’s best described as a form of digital stalking where one person researches personally identifiable information about another and then broadcasts the information across the web. Doxers don’t need to be private investigators. In most cases the tools of the trade include Google, social networking sites, reverse phone number queries, and domain WHOIS searches.
It’s one of the most brutal types of identity theft and harassment on the web, yet it’s also one of the simplest to perform.
Before we go on, let’s briefly touch on those different avenues and how they contribute to the threat:
- WHOIS information: The information you use to register a domain name. It originally started out in the early days of the web as a way for webmasters to contact each other. Today however, it’s one of the first ways people are able to find addresses and phone numbers.
- Social Networks: If you’ve ever posted photos of where you lived, addresses, or general sensitive information online – these can all be used against you in a doxing attack.
- Third-party brokers: These databases typically contain information from courts, driving records, voter registrations, census statistics, utility companies, and more.
Doxing isn’t just a threat for celebrities and people in the public domain. Hactivism group Anonymous has been in the news quite a few times for releasing information on law enforcement agents, KKK members, and other people who didn’t necessarily agree with the mob’s views.
Anonymous isn’t the only group behind these attacks however. There also was the Ashley Madison hack, among many other data breaches, and more recently the intentional OkCupid data leak hit the headlines.
Whether you know it or not, your information is out there and the threat is only getting worse.
Shazam for People
Emerging technologies like facial recognition continue to increase the number of tools doxers have in their grasp.
One example of the sorts of emerging services doxing has already begun to take advantage of is a new website called FindFace. FindFace enables anyone to take virtually any photo of a person and match it to their profiles on Russian social network, VKontake.
The service recently made the news because people were using photos from porn sites to find out their true identities. It turns out what originally was a proof of concept experiment, quickly got out of hand and eventually resulted in extreme incidents of shaming and harassment.
Although FindFace is currently limited to Russia, the technology probably is going to come to Facebook and other social networks fairly soon. Facebook has already researched similar technology and published papers on their systems’ inner workings. The system sports a database of over 4,000 identities built from four million facial images. By examining 120 million parameters across a nine level deep network, the algorithm is able to identify faces with a 97.35% accuracy.
This has sparked such a concern that the State of Illinois recently filed a lawsuit against Facebook on the grounds of violating a biometric privacy law. The privacy conscious European Union also has been fighting the technology since around 2011.
Protecting Yourself from Doxing
Short of deleting all your profiles on the web and going off the grid, there’s a few relatively simple ways for you to make it harder for people to trace your identity.
- In the case of WHOIS information, you cannot legally provide false information on these records. However, you can purchase domain privacy services as a layer of protection.
- Look into creating a Google Voice or other secondary phone number for public use
- Use a PO box for domain registrations and general correspondence.
- Review Facebook and social posts from years back for sensitive information which you have since forgotten about
- Use this list of data brokers to opt out from their search services.
- Google your name with and without quotes. Check to make sure you’ve cancelled any social accounts you no longer need.
- Use a password manager such as LastPass so you can create hard to guess passwords for all your online accounts.
If You Are Doxed
If you happen to be the victim of doxing, there are a few steps you can take to mitigate the attack. Although the internet is filled with sites which call doxing a legal form of harassment, there are many laws on the books which provide some recourse for victims of these attacks. In general, doxing attacks are considered a type of threat, stalking, and harassment. If you find that you are the victim of doxing, you should reach out to the authorities in your region. Aside from reaching out to law enforcement, the Crash Override Network is a crisis hotline, advocacy group, and resource center for people experiencing online abuse.
What the Future Has in Store
Although facial recognition is one of the more notable applications of these technologies, the FBI has been developing technology to identify individuals based on their tattoos. As the Electronic Frontier Foundation mentions, unlike facial recognition, tattoos often have deeper meanings. For example, they can reveal passions, ideologies, religious beliefs, and even social relationships. The EFF points out that profiling anyone based on their expression is a violation of the first amendment.
All in all, there will definitely be more happening in the area of doxing as it continues to expand with emerging technology. We can only hope that emerging technology also is used for the opposite approach too – to defend against doxing, or at least reduce its effectiveness.
Have you had any experiences in being doxed? Or know of any other emerging tech that’s being used in doxing? Share your knowledge in the comments below.
Jump Start Git, 2nd Edition
Visual Studio Code: End-to-End Editing and Debugging Tools for Web Developers