Doxxing: From Pitchforks To Keyboards
This is post 2 of a 3-part series about real world privacy threats.
How Do You Handle Doxxing?
Since the dawn of media, public figures have been followed closely and publicly ostracized for sharing their views, having a bad take on a social issue or simply nothing at all. The first peasant to ever cry “Grab your torch and pitchfork!” didn’t have a clue what they were starting.
Today, everyone is watching everyone. Our movements are tracked and shared with our friends and followers via social media. Our behaviors are recorded and evaluated by companies using surveillance technology, like Clearview AI. With so much information available, any one piece can be isolated, cropped, spread, and interpreted at will.
“What the human being is best at is interpreting all new information so that their prior conclusions remain intact.” - Warren Buffett, Investor
Pitchforks have become keyboards and the digital mob can publicly manipulate and spread your personal info like photos, addresses, emails, and phone numbers with a single keystroke. This is called doxxing.
Why Would You Become A Target?
Perhaps there’s a political motivation. In 2013, First Lady Michelle Obama’s credit card statements were released by a Russian hacker group. A seemingly inconspicuous attempt to discredit FLOTUS, it brought negative attention to her finances.
On a local level, activists and minority groups experience harassment for expressing their views. An LA-based Black Lives Matter activist recently dealt with armed police arriving at her home in response to a fake kidnapping report. This is called swatting, the criminal harassment tactic of finding someone’s address and sending armed authorities. The reason? An anonymous person who didn't agree with her values was trying to “send a message.”
How Does It Happen?
First, someone blames you or your community for something they see as unjust, evil, or corrupt. You may be involved in the movement or group being targeted. Or people might be acting based on hearsay, conspiracy, or rumors perpetuated by social media platforms, unwilling to challenge entrenched beliefs.
“It may seem like a very objective system that relies on data, but if historic data bears strong bias, we are automating these biases,” - Ruha Benjamin, Technologist
A single leader or group then feeds the anger and outrage by positioning the issue at hand as absolute, urgent, and punishable. Finally, instead of using established legal channels, they embolden each other to take matters into their own hands.
Recently, Tucker Carlson propagated the idea of doxxing a reporter’s private information on air. As if on cue, some loyal fans took it upon themselves to go to the reporter’s house, prompting a call to the local police.
Starting in late 2015, the bot account @EveryTrumpDonor tweeted personal information about those who contributed to Donald Trump’s presidential campaign. Today it operates as a stand-alone website, posting information about those who have donated as little as 80 cents to the campaign.
In 2016, middle-of-the-road voter Ken Bone was seen as a “hero” after asking a question at a presidential debate. Then, he became a “villain” when the internet bandwagon exposed his inappropriate Reddit history.
If you’ve gone viral, you can’t control what’s next, whether that’s threatening messages, vandalism, or violence. Celebrities and public figures have the luxury of lawyers and security details. But what do you do if you don’t have the resources of a global pop icon or FLOTUS?
Acting In The Moment
Call the authorities and make sure a report gets on file. Create a document, or text or email yourself, so you have a way to track the report number, the name of the person you talk with, and the date of the incident. If things escalate to legal charges, having a paper trail and records with local law enforcement is critical for the law to work in your favor.
But don’t expect a quick fix, or any action at all. Police are often ill-equipped or unsure how they can help. Just last year, 467,361 complaints were filed with the FBI's Internet Crime Complaint Center. The likelihood of seeing a successful resolution is the equivalent of finding a needle in a haystack.
Since law enforcement assistance isn’t guaranteed, make sure you prioritize protecting your physical safety. Your parents’ or best friend’s address might be easy to find and trace back to you. Instead, try a friend of a friend, an aunt or uncle out of state, or a hotel you can book discreetly. Being physically safe puts you in a better mental state to take other measures.
Many nonprofit and privacy groups provide support in cases of emergency. We’ve put together a list here and encourage you to seek support as quickly as possible.
What Puts You At Risk Of Doxxing?
The first step is understanding which locations are traceable back to you: your work, school, friends’ or family’s addresses. Any of these are likely to be included in a doxxing incident. Be cautious about sharing your home address and only share it with essential services and businesses you can trust. Consider reserving and using a PO Box at your local post office. It only takes five minutes to set up and costs about $200/year in most major cities.
Removing an address from the public web is difficult. Whether it’s a stubborn neighborhood watch website or a multi-million dollar real estate platform, these companies make money by posting your address. You should be able to remove your name, phone number, and photos from the listings but you may need the assistance of a lawyer.
Next, understand how easy it is to hijack your phone number. Doxxing attacks involve people redirecting authentication texts, intercepting calls, or spoofing your phone number to get into your email, manipulate someone at your bank, or target a loved one. Whether you use AT&T, T-Mobile, Verizon, or Sprint, each carrier offers quick and easy instructions to protect your digits from being hijacked. Consider using a burner phone number whenever possible. You can set up a free Google Voice account in minutes. Then, in case of emergency, you can easily start using a different burner number.
Third, understand which of your account credentials are easy to guess or publicly accessible. While doxxing doesn’t always involve someone trying to access your accounts, if someone can easily find or guess your email and password, they’ll likely try to take over a social media or financial account. Use Have I Been Pwned (HIBP) to find out which of your emails and passwords have been posted online or sold.
Finally, if you have the time and commitment to “disappear from public view,” take a look through the personal data removal workbook by a former investigator to the FBI’s Cyber Crimes Task Force.
Thirty years ago, doxxing required photocopiers, scouring the phone book, and relationships with media publications. In today's world, the internet has opened up a seemingly infinite number of ways to expose information. Looking ahead, emerging technology like neural networks, virtual reality, and facial recognition will create a whole new arena for doxxing and harassment. Our ability to protect our privacy and security will start with our awareness of risks and willingness to take caution. Working with our communities, tech platforms, and regulators, we'll need to embrace and create new policies and tools.
Kanary’s mission is to help you manage your online risks efficiently and effectively. Let us know if you have any questions or thoughts to share. We’d love to hear from you.
Stay safe out there,
The Kanary Team