Privacy is perhaps the number one issue surrounding internet users in the modern world. For all the many benefits and conveniences of being connected to the internet, the risk of your personal information being revealed online looms large. Sensitive information that should never be publicly available, such as your social security number, is just one of many different data points that are included in your online dossier, which is referred to as your dox.
Doxxing has been around for a while but has increased in popularity with how little effort it takes to find and publish a person’s dox. But shouldn’t doxxing be illegal? It should be illegal, and in some cases, it is. But it can be difficult for law enforcement to track down and enforce the laws against it.
What Is Doxxing?
Doxxing originated from the slang term “dropping dox,” a form of revenge practiced by hackers, which involved revealing personal information from another hacker. Dox is slang for docs, referring to a collection of documents, or a dossier on an individual.
A dox typically includes your name, home address, employment address, phone numbers, social profiles, personal photos, detailed family information, and social security number.
Doxxing originated with hackers in the 1990s but has recently become a more mainstream practice due to how easy it is to obtain much of this information. In the early days, if a hacker was out of line, they could get targeted by another hacker by having their dox exposed. This was considered a vicious attack, as hackers value their anonymity above all else.
Doxxing is mainly used either as a revenge tactic or a way for someone to target a group with differing beliefs. Ever since its inception, doxxing has been a tool used by those looking for vigilante justice.
For example, between 1993 and 2016, there were eight abortion providers that were targeted and killed using information from their dox. White supremacists and Nazis are also frequent targets of doxxing attacks.
“Dox a Nazi all day, every day,” said a protestor in San Francisco in 2017.
Is Doxxing Illegal?
Yes, doxxing can be considered a crime for multiple reasons. Doxxing can often be seen as a form of harassment. If doxxing is used to intimidate or harass someone, it is illegal in the United States. When someone is doxxed for a reason other than harassment or intimidation, it becomes a crime if the perpetrator used illegal methods to obtain the information.
There is no federal law that makes what is considered doxxing explicitly illegal. But there is a law that makes stalking a federal crime, and doxxing may very well apply. In 18 U.S. Code § 2261A it states:
(2) with the intent to kill, injure, harass, intimidate, or place under surveillance with intent to kill, injure, harass, or intimidate another person, uses the mail, any interactive computer service or electronic communication service or electronic communication system of interstate commerce, or any other facility of interstate or foreign commerce to engage in a course of conduct that—
(A) places that person in reasonable fear of the death of or serious bodily injury to a person, a pet, a service animal, an emotional support animal, or a horse described in clause (i), (ii), (iii), or (iv) of paragraph (1)(A); or
(B) causes, attempts to cause, or would be reasonably expected to cause substantial emotional distress to a person described in clause (i), (ii), or (iii) of paragraph (1)(A),
shall be punished as provided in section 2261(b) of this title.”
While doxxing may not explicitly be a crime on its own, it often leads to a crime being committed. Doxxing can be considered stalking, cyberstalking, or harassment and could also potentially involve extortion.
Penalties for Doxxing
As there is currently no federal law against doxxing, the penalties would be tied to the individual crimes committed.
Even if a person is not targeted by law enforcement, that does not mean that person is in the clear. The victim of doxxing always has the option of filing a lawsuit in civil court. The problem in these cases, though, is finding the perpetrator.
When you dox a publicly elected figure, however, it becomes much easier to be prosecuted for a crime. Formerly a Democratic congressional staffer, Jackson Cosko hacked into several Senate computers and doxxed three lawmakers for their role in the confirmation hearings for U.S. Supreme Court Justice Brett Kavanaugh.
Cosko first released the personal information of former Utah Senator Orrin Hatch, Lindsey Graham (R-SC), and Mike Lee (R-UT). He later released the personal information of Kentucky Senators Mitch McConnell and Rand Paul.
Cosko was sentenced to four years in jail for his crimes.
Once a dox is available, attacks can be carried out by individuals or large groups. In some cases, the person whose dox is revealed hasn’t actually done anything wrong, but the attacker has made false accusations in order to elicit a response. Other times, an innocent person may be attacked due to a case of mistaken identity.
Such was the case with Kyle Quinn, a University of Arkansas faculty member who was mistaken as a neo-Nazi and was the victim of doxxing as a result.
A man closely resembling Quinn was photographed at a Nazi in Charlottesville rally holding a torch, and word began to spread that Quinn was the man in the picture. However, Quinn was not in Charlottesville that night, as he was attending an art gallery with colleagues. But this did not stop a flurry of angry emails, voicemails, and threats when his personal information was released.
Quinn was fortunate to be employed by a university, which had the power to restore the truth. But most individuals wrongly identified and targeted do not have the same power to restore justice.
4chan is a website known as an imageboard that is often used to organize protests and attacks against organizations. The site can be likened to Reddit, in that it features a lengthy list of forums covering a wide variety of topics.
The creator of the website is Chris Poole, who launched the site in 2003 and acted as its administrator until 2015. At the time Poole stepped down as administrator, the website was receiving over one million daily visitors and over 600 million monthly page views.
But unlike Reddit, one of the unique aspects of 4chan is that it does not require a user to register with the site. This means you cannot message other users, view their profile, or establish any kind of relationship, which is pretty unusual for a social network.
What results is an environment where anything goes. It’s one thing to type away on your keyboard using an anonymous profile name, but that kind of internet tough guy act goes on steroids when there is no way of identifying who is on the other end of the keyboard.
While 4chan seems harmless enough as a collection of forums, an example of how it can go bad is the case of Jessi Slaughter, formerly known on YouTube as KerliGirl13.
A group on 4chan began trolling Slaughter relentlessly. A poster on the 4chan forums discovered Slaughter’s dox and posted her phone number, address, email, and Twitter account. Prank calls and hate emails ensued.
Slaughter then took to YouTube to complain about being harassed. In a video that went viral and spawned the meme, “you done goofed,” Slaughter is crying while her dad yells at the camera. In the span of three weeks, the video had more than a million views, and Slaughter, only 11 years old at the time, became one of the more mainstream examples of cyberbullying.
Victims of Doxxing
While doxxing has been used to a large extent as a way to attack people for perceived wrongdoings, anyone can be the victim of doxxing. As detailed as the information in a dox file is, that information is surprisingly easy to find if you know where to look.
Famous victims of doxxing include:
- Al Gore
- Britney Spears
- Charlie Beck
- Hillary Clinton
- Joe Biden
- Mel Gibson
- Michelle Obama
- Paris Hilton
- Robert Mueller
- Sarah Palin
How to Avoid it
Luckily, there are many ways you can defend yourself against online attacks.
Use a VPN
A virtual private network (VPN) can mask your IP address to hide its true identity from online stalkers. The VPN routes your IP address through a different location that could be anywhere in the world. Some paid VPN’s allow you to select exactly how you would like your IP to be routed, while free versions will choose a location at random.
When you use a VPN, hackers can’t track what you are doing online. You can buy most paid VPN’s for under $5 per month.
Create a junk email address that you use for sites that require an email address to sign up. Anytime a website asks you for your email address, you will have an extra one ready to go. An added bonus to having a junk email address is the future sanity of your inbox.
Whenever you register a domain, your personal information will be stored on a database available to the public known as WHOIS. The information included will be whatever information you have on file with your domain provider. This information can be found both at the WHOIS directory and at your domain sales broker, such as WordPress.
Most domain providers provide you with an option to hide your personal data from going onto the WHOIS database, but for an additional fee.
Social Network Privacy
When social media first started taking over the world, privacy was much less of a concern for some people. This laissez-faire attitude led to many people sharing more information about themselves than they should. Take a look at every one of your social profiles and look through the security settings. Many people make mounds of information free to anyone willing to look via their social profiles.
Twitter accounts are public unless you explicitly change your settings. Facebook and LinkedIn have a variety of different security settings you can put into place, allowing you to choose exactly what information is available to see and who can see it. Google Plus is no longer a thing, but you may have left personal information on your profile that is still discoverable.
A few ways to keep your social profiles more private:
- Ask friends to not tag you in pictures or un-tag you in pictures already posted.
- Only accept friend requests from people you know well.
- Report spam on friend requests from total strangers.
- Do not post details about where you work.
- Limit your posts and photos.
- Do not post details about where your kids go to school.
- Do not log into other websites using your social credentials.
Remove Personal Data from Apps
Some people choose to put their name and other information in the properties of an app, such as Microsoft Office. What this means is that, anytime you send out a document, it will have your name and information contained within. To be completely thorough, you can check the properties of the apps you frequently use to ensure that you aren’t sharing information you would rather keep private.
Encrypt Your Email
Email is an incredibly insecure way to communicate. While many email services encrypt the information in the email during transit, the text of every email is stored in a server before arriving in the recipient’s inbox.
To keep your emails 100 percent private, you can use a third-party encryption service that can be built into your email provider.
Use a Password Manager
A password manager is almost a must in today’s world, with so many different passwords being added and changed on a regular basis. There are many different password managers you can choose from, varying from free to paid, offering a selection of features.
Vary Your Passwords
If you would rather not pay for an additional service to store and keep your passwords private, you must vary your passwords across different services. You should always avoid personal details in your passwords and keep them as vague and random as possible. Avoid information such as birthdays, favorite hobbies, and other information that would be easy to decipher with a little digging.
Part of what makes doxxing so easy these days is the existence of data brokers. Data brokers collect data from a variety of different sources to find as much information as possible about an individual. As more information is collected, individuals get categorized into different segments and are then compiled into a list with other similar individuals and sold to other companies.
Data brokers get their information from a variety of different sources, including:
- Browsing history
- Social media profiles
- Purchase history
- Credit card information
- Government records, such as birth certificate, marriage license, census data, and driver’s license
The information data brokers collect and sell to other companies includes:
- Information about owned real estate
- Social security number
- Current and former addresses
An example of a data broker that provides information to the public is Spokeo. Simply type someone’s name into Spokeo, and you have access to a plethora of information.
But are data brokers legal? Most of them operate within the law, but data brokers have faced increased scrutiny ever since GDPR laws went into place in 2018.
What is GDPR?
The European Union’s General Data-Protection Regulation set a standard for how data was allowed to be collected on a website. In order to process data, one of six different criteria must be met. One of these criteria is having a legitimate interest, which is a vague and flexible way some sites will justify tracking your data.
So how do you keep data brokers from collecting and selling your information? A website like DeleteMe.com exists for the sole purpose of deleting your information from websites across the internet.
In the old days, if you wanted to play a mean prank on someone, you could call multiple pizza delivery places posing as someone else and have them delivered to the unsuspecting victim’s address. The victim would spend the rest of the night explaining away his innocence to an incessant fleet of pizza delivery people.
The modern form of this type of attack is known as SWATTING. During a SWATTING attack, someone poses as the victim but does something much worse than play a pizza prank. In a SWATTING attack, the offender threatens to set off a bomb or going on a shooting spree. The result is a SWAT team showing up at the victim’s front door, ready to bust in.
If not for doxxing, SWATTING would not exist. This kind of attack is much more than a prank, as it has resulted in tragic deaths in some cases.
Celebrities that have been the target of a SWAT attack include Ashton Kutcher, Chris Brown, Miley Cyrus, Taylor Swift, and Tom Cruise.