Every time you like something on a social network, join a community of neighborhood residents, publish your CV, or get caught on a street camera, the information accumulates in databases. You may have no idea how vulnerable leaving all those traces of information — every action on the Internet and almost every action in the real world — leaves you.
The wrong biker, driver, father
Doxing can happen to anyone, as these three anecdotes illustrate.
When Maryland cyclist Peter Weinberg began receiving insulting messages and threats from strangers, he learned that his workout app was publishing his cycling routes and somebody had used them to deduce that Weinberg had recently passed not far from where somebody had attacked a child. The crowd quickly — and incorrectly — identified him as the suspect and found and published his address. In a very familiar pattern, the subsequent corrective tweets and other clarifications were shared far less widely than the original information was.
On the other side of the world, an animal rights activist from Singapore published the name and address of a person whose car hit a dog, with a call to “give her hell.” According to the car’s owner, the public accusations harmed her career: After vigilantes figured out where she worked, hate posts hit the company’s Facebook page. As it happens, another person was driving the car at the time of the accident.
A more famous iteration of the story involves former baseball pro Curt Schilling, who saw tweets about his daughter he considered inappropriate and offensive. Schilling tracked down their authors (which he said took less than an hour), collected a sizable dossier on each, and posted some of the information on his blog. The offenders who were connected with the baseball community were fired or removed from their athletic teams within a day.
All three stories provide simple examples of doxing. The word describes the collection and online publication of identifying data without the owner’s consent. Apart from being unpleasant, it can also be damaging in real life, to the victim’s reputation, employment, and even physical safety.
Doxers’ motives vary. Some believe they’re exposing criminals; some are trying to intimidate their online opponents; still others are in it to avenge personal slights. Doxing as a phenomenon emerged in the 1990s, but it has since become much more dangerous — and with the volume of private information now available to all, doxing really requires no special skills or privileges.
We’re not here to analyze the legality or ethics of doxing. As security experts, our task is to outline doxers’ methods and suggest ways to protect yourself.
Doxing: A look from the inside
Because it requires neither special knowledge, nor many resources, doxing has become very common. The tools doxers use tend to be legitimate and public, too.
Ordinary search engines can provide a lot of personal information, and using their advanced search functions (for example, searching among specific websites or file types) can help doxers find the right information faster.
In addition to first and last name, a nickname can also betray a person’s online habits. For example, the common practice of using the same nickname on several websites makes things easier for online detectives, who can use it to aggregate comments and posts from any number of public resources.
Social networks, including specialized ones such as LinkedIn, contain a wealth of personal data.
A public profile with real data is basically a ready-made dossier. Even if a profile is private and open to friends alone, a dedicated investigator can collect bits of info by scanning a victim’s comments, communities, friends’ posts, and so forth. Add a friend request, perhaps from someone posing as a job recruiter, and you arrive at the next level, social engineering.
A hallmark of many attacks, social engineering takes advantage of human nature to help doxers gain information. Using publicly available information about a mark as a starting point a doxer can contact the victim and persuade them to give up their own information. For example, a doxer might appear in the guise of a medical admin or bank rep to try to wheedle information out of a victim — a ploy that works a lot better with a few bits of truth sprinkled in.
People in the public sphere tend to have the hardest time maintaining network anonymity, but that doesn’t mean rock stars and pro athletes are the only ones who need to safeguard their personal information.
A doxer may even use an employer to betray a potential doxing victim’s confidence, such as with a full name and photo on a corporate About Us page or full contact info on a departmental site. Sounds innocent, but general company info gets you close to the person geographically, and the photo may lead to their social network profile.
Business activities, too, typically leave traces on the Internet; and, for example, quite a bit of information about company founders is publicly available in many countries.
More sophisticated methods include use of nonpublic sources, such as compromised databases belonging to government entities and businesses.
As our studies have shown, darknet outlets sell all sorts of personal data, from passport scans ($6 and up) to banking app accounts ($50 or more).
Professional data collectors
Doxers outsource some of their work to data brokers, companies that sell personal data collected from various sources. Data brokerage is not a custom criminal enterprise; banks use data from brokers, as do advertising and recruitment agencies. Unfortunately, however, not all data brokers care who buys the data.
What to do if your data has leaked
In an interview with Wired, Eva Galperin, the Electronic Frontier Foundation’s director of cybersecurity, suggests that if you learn that your personal information has been misused, you should contact any social networks where doxers published your data. Start with customer service or tech support. Disclosure of private information without the owner’s consent normally constitutes a breach of user agreement. Although doing this will not solve the problem completely, it should reduce potential damage.
Galperin also recommends blocking your social network accounts or finding someone to manage your accounts for some time after an attack. Like other available post-breach measures, it can’t undo the damage, but it might just save your nerves and perhaps help you avoid some difficult situations online.
Protecting yourself from doxing
You are certainly better off reducing the probability of a data leak than dealing with its consequences. Immunity doesn’t come easy, though. For example, you can hardly influence data dumps or leaks from governmental or social network databases. You can, however, make doxers’ jobs harder.
Do not reveal secrets on the Internet
Keep your personal data off the Internet — especially your address, phone number, and photos — to the extent possible. Make sure any photos you post contain no geotags, and likewise that documents hold no private information.
Check your social network account settings
We recommend choosing strict privacy settings on the social networks and services you use, leaving profiles open to friends only, and monitoring your list of friends regularly. You can use the step-by-step instructions on our Privacy Checker portal to set up social networks and other services.
Protect your accounts against hackers
Using a different password for every account may be a hassle (although it doesn’t have to be), but it’s an important safeguard. If you use the same password everywhere, and one of your services leaks it, then even the strictest privacy settings won’t help you.
We recommend using a password manager. Our solution, Kaspersky Password Manager, saves not just passwords, but also the websites and services they access, leaving only one master key for you to remember. We also recommend using two-factor authentication wherever you can, to further strengthen your defense.
Play it smart with third-party accounts
If possible, avoid signing up for websites using social network or other accounts containing your real data. Associating one account with another makes your online activities easier to follow, for example, by linking your comments with your own name.
To solve the problem, keep at least two e-mail accounts, reserving one for your real-name accounts and the other for websites where you prefer to stay anonymous. Use different nicknames for different resources as well, to make collecting info about your Internet presence harder.
Try building a dossier on yourself
One way to learn about the state of your privacy is to play the role of a doxer and search the Internet for information about yourself. That way, you can learn about any issues your social network accounts have and find out which bits of your personal data are roaming the Internet. What you find can help you track down the source of such data and possibly even learn how to have it deleted. To keep an eye out passively, you can set up Google to notify you about any new search results on queries containing your name.
Delete info about yourself
You can report any content infringing on your privacy and ask search engines and social networks to delete your data (for example, here are instructions for Google, Facebook, and Twitter).
Social networks and other services typically disallow unauthorized publication of personal data through their use policy, but in reality, only law enforcement authorities can get a handle on certain dubious resources.
Legal data brokers normally allow individuals to delete their personal info, but based on the sheer number of such companies, removing everything won’t be easy. At the same time, however, there are agencies and services that can help erase digital tracks. You’ll have to find the balance of ease, thoroughness, and cost that works for you.
One can get targeted by doxing at any time, with or without apparent cause. These tips will help you preserve your online privacy:
- Keep your personal data — real name, address, place of work, and so forth — off the Internet;
- Close your social network accounts to outsiders and use robust, unique passwords and two-factor authentication. To manage your passwords, install Kaspersky Password Manager;
- Avoid using account in one service to sign in to another — particularly if one of those accounts contains your real data;
- Be proactive: Try building a dossier on yourself and request data deletion from any services that know too much about you;
- Consider deleting accounts altogether. It’s a radical (if defeatist) method to thwart doxing, and we can help you do it right while preserving important data.
Doxing represents just one incursion of online data ubiquity into real life, but it’s a big one that has the potential to ruin lives. We post regular news and practical information about doxing and how to stay safe.