In an increasingly political and divisive climate, doxing is a growing threat. It threatens, in particular, any person with increased exposure to sensitive and extremist groups online.
These at-risk groups, and those tasked with protecting them, face increasing challenges in mitigating both cybersecurity threats and real-world security threats.
As we’ll discover in this article, doxing attacks are not slowing down anytime soon, as they are becoming increasingly simple to achieve due to the growing risks presented by data brokers.
Thus, a new solution needs to be considered by the industry – something which more effectively prevents and mitigates the possibility of threat events.
Due to the nature of doxing attacks, this article may sometimes broach topics surrounding controversial or political subject matter. Our exclusive concern in discussing these issues is in relationship to their privacy implications and the privacy rights of those involved.
What is Doxxing and Why Is It Dangerous?
Cyber Security experts generally agree there are 3 different kinds of doxing.
The most common kind of dox, deanonymizing a previously anonymous individual, carries the fewest implicit negative consequences or safety threats. Safety threats or other negative repercussions are usually involved in deanonymizing when the individuals’ anonymous activities are now verifiably tied to their real-world identity.
Targeting Doxing, revealing personal details of some sort about an individual, is more commonly associated with negative repercussions for its victims. Common examples are the doxing of personal home addresses, or the names of family members, thus increasing the exposure of the victim to real-world harassment or threats.
SWATTing is a more insidious version of targeting doxing. A “SWAT” attack occurs when someone calls in a false police threat on a specific address. Police respond in force, creating a potentially deadly threat to the victim.
Delegitimizing doxing is generally done with some kind of retributive intention. This might involve the release of private conversations, or other personal details about one’s life, with the intention of discrediting its target.
All Doxing Is Not Conducted Equally
None of these activities sound terrible on their face. In truth, the way a person is doxed and the reasons they are doxed vary widely, and the moral considerations are currently heavily deliberated.
It’s perhaps the case that, sometimes, a dox might be in the best interest of the public. At Privacy Bee, we do not pretend to be the arbiters of which cases are acceptable or when.
The fact is, doxing as it is performed online does frequently present a general threat to the public good. Our aim is to prevent those situations where doxing presents a genuine threat of harm to individuals and organizations, or violations of privacy rights.
In the West, this increase correlates with the rise of political extremism on both sides of the aisle. People from all walks of life – from Journalists and Police Officers to Medical Practitioners and everyday civilians – have been successfully doxed by other (often anonymous) Internet Users, and often to disastrous consequences.
Who is At Risk of Doxing?
While anyone can be doxed, certain types of people are at significantly increase risk and represent a majority of doxing cases. This is of most interest to businesses and organizations who are tasked with the security of those groups. Their increased risks can be due to a multitude of reasons demanded by different types of jobs across political divides:
Both an executive-level, and a mid-level employee at the video game company Bungie were doxed, harassed, and threatened after racist backlash to a company tweet.
Government Officials, Public Officials
Infamously, Paul Pelosi, husband of House Speaker Nancy Pelosi, was assaulted in his home by a mentally ill man with a hammer. While details at the time of writing are still being revealed, in a call with journalists the alleged attacker said “[the] people killing [liberty] have names and addresses, so I got their names and addresses, so I could pay them a little visit…have a heart-to-heart chat about their bad behavior.”
While it’s yet unclear how exactly he acquired those names and addresses, the attacker admits to having maintained an online database of “government corruption” before the attack. Certainly, it’s easy to understand how the public address information might have been obtained through legal or illegal means alongside this internet research.
One of the most doxed groups in recent years, Police Officers are both at disproportionate risk for being doxed and disproportionate risk of negative outcomes following a dox due to their proximity to violence and crime.
Worldwide, journalists are one of the most at-risk groups for doxing and its repercussions, as they are regularly revealing information that powerful and dangerous groups would prefer to remain secret.
In the United States, journalists regularly face doxing threats from politically left, right and non-politically affiliated extremist groups.
The Security Journalist Brian Krebs was SWATTed by attackers in retaliation for his reporting on their extremist activities. He was forced out of his home at gunpoint and handcuffed by police before they realized they’d been fooled.
Sensitive Service Providers (Medical Providers, etc.,)
Anti-Abortion extremist James Kopp used publicly available data to track down and murder Abortion Doctor at his home.
People who hold sensitive or difficult jobs, people put in increased conflict with volatile groups, and people who are more publicly exposed represent the majority of at-risk groups.
Doxing is not limited to these groups; indeed, over 43 million Americans have been “doxed” at least once by some form of public exposure. Generally, anyone whose activity, personal or professional, might increase the motivation of others to dox them is at an increased risk of doxing and its repercussions.
What Are The Legal Protections Against Doxxing?
Doxing legal protections vary widely from country to country and, in the US, from State to State. Federally in the United States, doxing is only a crime if it releases information “with the intent” to harm, threaten, intimidate, or otherwise intimidate an individual. This bill, introduced in 2016, does little to defend against present-day doxing. It remains legal to publish personal information so long as there isn’t clear intention to do those individuals harm.
Statewide doxing legislations vary, with more and more states beginning to introduce doxing legislations, often alongside cyberbullying bills.
Doxing Legislation Enforcement Remains Challenging
Enforcement, discouragingly, remains a key issue. Foremost, the challenge in defense against a dox attack is that its victims will rarely, if ever, know who perpetrated the dox. Unless personal information was clearly obtained illegally, and distributed with intent to harm, jurisdiction is difficult for Federal investigators to establish. At the state level, investigators are more limited in their capability to track down and identify attackers (if they are even within the United States.)
Because of these challenges, only 2 out of 3 victims of a dox reported their incident to authorities, and alarmingly few see any legal recourse.
So How Can Individuals and Organizations Defend Against Doxxing?
Given the challenges post-incident remedies presented, most institutions and authorities recommend proactive measures to defend against dox attacks. Primarily, this means mitigating the ability of “bad actors” to source information in the first place.
How Doxing Occurs
Legally Obtained Data
In the case that illegally-obtained data is used, teams have minimal recourse in defending against already disclosed attacks. Recent Data Breaches disseminated through the Dark Web allegedly show identifying information for extremely at-risk groups, including the data and locations of stationed military officers.
However, these extreme cases are the outliers: the truth is, most doxing involves the release of legally obtainable information, and a bit of elbow grease on the part of the exposer.
By reviewing social media profiles, particularly public ones, a surprising amount of personal information can be obtained about an individual. Thus it’s crucial for exposed or high-risk individuals to maintain strict privacy through the use of Privacy Settings as well as careful posting on social profiles.
Furthermore, there is a massive threat presented by the oft-overlooked public databases, such as public court records and property information, that reveal more verifiable sensitive information (i.e. home or work addresses.)
These court records and databases would be nigh-impossible to sort and sift manually for any intent attacker, but that is not where the threat lies.
Data Brokers Aggregate and Sell Information, Enabling Effortless Doxing
Data Brokers, services and platforms which sell public data “profiles” on individuals and groups, have enabled with great speed and accuracy dox attacks for a huge percentage of the population.
Because they use automated tools to scrape and aggregate addresses, emails, phone numbers, personal details, and other characteristics from across the web, they’re able to build extremely detailed profiles of information about huge percentages of the population.
This information is then sold to anyone with a credit card. Assuming someone knows your full name, or email address, or perhaps even pseudonyms, they are only a few Google Searches and a credit card purchase away from finding your full home address and the names of your family members.
Cleaning Your Data from Data Brokers
Experts recommend their employees clean and clear data from these brokers.
The Free Press Foundation, a leading non-profit authority dedicated to upholding the rights and abilities of journalists to perform their duties unperturbed, recommends that journalists scrub data from public profiles and data brokers. The New York Times, in their Guide to Doxing Yourself training material, does the same.
The challenge is, of course, this is easier said than done. There are hundreds of massive data brokers. The data broking industry is one of the fastest-growing in the current decade – generating over $250 Billion in 2021 alone.
What’s more, data removal is not a one-and-done effort. The same NYT training material linked above mentions that, due to the pernicious ability of these sites to repopulate data upon life changes: “We recommend reviewing your information once a year and removing any new records that may have appeared.”
The Rising Need for Privacy Services
Thus the need for Privacy as a Service solution, like Privacy Bee. Our platform is designed to automate the more difficult parts of privacy assurance online. We scan and identify exposures of personal information online for individuals, and teams.
We regularly assist customers from all mentioned at-risk groups, and more, with securing and improving their online External Data exposures, to reduce the threats of doxing.
Team leaders, like CISOs, IT teams, and Cybersecurity professionals, can securely upload their list of employees to Privacy Bee, to immediately see across their entire organization who is already at-risk due to private information exposure online.
Privacy Bee can then remove this private and personal information from data brokers and other data aggregators.
This is only one of a suite of privacy-focused tools we offer to give your organization a complete picture of your External Data risk profile.