A Safeguarding Hub – 15-minute briefing
What is Doxing?
Doxing is the slang term for hacking and publishing other people’s private information online. Sometimes this is a mistake, but normally it is done with malicious intent. Typically, the information obtained by a ‘doxer’ will be anything that your online digital footprint has left behind on the web. This is generally your name, address, phone numbers, photographs, email addresses, social networking accounts, passwords and credit details. However, this is just the start and some doxers will steal and obtain as much information about your life as they can. This can include information on your family, friends and associates.
Why do they do it?
There are several reasons for doxing. Mainly it is to punish, publicly shame, harass, take revenge or coerce a person into doing something they don’t want to. Doxing can also take place for criminal purposes such as identity theft or extortion. Many of the recent high-profile cases have come about because the victim has publicly spoken or written about a specific contentious topic, or they hold a controversial belief. Doxing has become a way of publicly shaming high-profile figures and celebrities. The results can lead to vigilantism, with the victim being subject to both online and offline harassment. Examples of doxing include:
- being falsely accused of wrongdoing e.g. a suspect in a crime. This may include being accused of sexual offences of children, which can often lead to a vigilante mindset in a community and have tragic consequences.
- falsely accused of being a member of a prohibited organisation or accused of having extreme ideology.
- having your beliefs and personal details being published to a target audience, who may share opposing views e.g. your pro-hunting opinions being shared with anti-hunt campaigners, or your support for the right of women to have a termination, being supplied to anti-abortion campaigners.
- publishing details of your employment (and name and address), if your job is perceived by some to be contentious or controversial e.g. scientist/technician with a pharmaceutical company connected to animal testing. Parking enforcement officers, police officers, lawyers and journalists are just some professions that are not particularly liked.
These are fairy extreme examples, but it might just be a case of:
- publishing private photographs of victims on social media sites. There are many examples of women (and men) having nude or sexualised images stolen and posted online. Once on the internet your private and intimate moments will be there for all to see with little prospect of ever having them permanently erased. At ‘best’ this will inevitably invite online sexual harassment, but if they publish an address, then they potentially leave the victim at the mercy of physical harassment or stalking. This won’t be from the doxer, for they have done their ‘job’’ and will have left the victim at the mercy of those strange people in society you would never dream of engaging with.
- harassment through fake signups may include: having pizzas delivered at your house every night, that you never ordered; receiving copious amounts of junk mail landing on your door mat; or numerous emails in your inbox confirming your membership of organisations you would never dream of belonging to.
- discrediting your business, either because you have a disgruntled customer or by a rival.
Who are the victims?
Doxing is not just reserved for celebrity. It can affect anybody and even organisations can become victims. Becoming a target depends on the motivation and aims of the doxer. Making it easy to hack your personal information heightens your chances of becoming a victim.
How it can impact on the victim
The impact on victims will vary. It is wholly dependent on how malicious the doxer is, what information they obtain and what they go on to publish about the victim. It might cause some victims embarrassment or be seen as a minor irritation, whereas in others it may have a significant effect on their emotional wellbeing. Being publicly shamed can lead to job loss, potential issues when seeking future employment, or having to move home. Doxing is fundamentally cyberbullying which can lead to a variety of mental health issues e.g. anxiety, low self-esteem, depression, self-harm or suicidal behaviour.
At the extreme end of the scale it has led to fatalities. In the US, doxing’ is often linked to ‘Swatting’, a form of harassment where someone makes a hoax call to the emergency services, claiming that the innocent victim requires an emergency response to their address. Often this involves falsely telling the police that the victim has a bomb or there is an armed hostage situation at the address. The term swatting is coined from the deployment of police SWAT (Special Weapons and Tactics) units. Whilst most hoax calls made to UK emergency services don’t generally involve doxing, if it happens in the US, it can happen here. Imagine the pizza scenario we described above, but instead of a Dominoes driver standing at your front door, you find multiple police officers kicking your door down, responding to a false call of domestic abuse at your home. The doxer may not even know you, but some get their kicks from making these types prank and mischievous calls.
In the USA in December 2017, Shane Gaskill allegedly fell out with fellow gamer Casey Viner whilst playing the online game ‘Call of Duty World War II’. A feud started, and Viner apparently threatened to ‘SWAT’ Gaskil, meaning he would make a hoax call, and get an armed police SWAT (Special Weapons & Tactics) team to call on Viner. Gaskill allegedly dared Viner to go through with it and gave Viner an address which he claimed was his home address. It was in fact a house he had rented out to a family. Viner then involved a third man, a Tyler Barriss who phoned the police in Wichita, Kansas, claiming to be a man who had just shot his father, and whom was holding his mother and brother at gunpoint. Barriss gave the police the address which had come from Gaskill. The whole thing was a hoax, but police went to the address where they confronted the occupier, an innocent man by the name of Andrew Finch. When Finch opened the door, unsure of what was going on, he made some sudden movements that police mistakenly believed were attempts to reach for a weapon. With the false information from Barriss in their minds, they shot the innocent Andrew Finch dead. Barriss has since pleaded guilty to charges of making a false report resulting in death, cyberstalking, and conspiracy. Viner and Gaskill are still awaiting trial for various offences.
How does doxing work?
Doxers start with minimal clues and then begin to unpick their victim’s online life. Typically, they might start with your email and hack your social media profiles, which for many hold a vast amount of personal information. Even if they don’t hack your account, most people leave a large amount of information accessible to public view. A basic search on the web will yield enough results to get them started - name, relationship status, photo’s, employment status, location of work, area you live in, photos, phone number. These initial clues will allow the doxer to begin building your profile, piecing together your life like a jigsaw puzzle. Some simple methods of beginning to unravel your profile include looking at your:
- name - it may sound obvious, but your full name provides them with a springboard to access your information. If you have exposed your date of birth publicly then it’s a bonus point. However, it takes little to establish your birthday. Recently Barclays produced a tv ad around identity fraud. In the advert they showed a social media shot of a person celebrating their birthday. The photo was posted on the date of the person’s birthday and behind them was a balloon with something like ‘Happy 30th’.
- email – even if you use a nickname on your social media accounts, you may well have used your name in your personal email address e.g. [email protected], particularly if you also use it for business purposes. Email addresses may also identify where you work e.g. [email protected] safeguardinghub.com. If you used your personal email to register for social media sites then a doxer will use various search techniques linked to networking sites to identify your account. Without revealing the link here, it takes seconds to identify the right person on Facebook by simply replacing part of the link with the name of the victim. Obtaining your email address is also a gateway for a hacker to break down your passwords and also access your contacts.
- contacts - once they have your contacts then they can start looking at what information your friends, relatives and associates have about you.
- photographs – hacking your media or email accounts means the doxer now has access to your media files. The next step will be to extract the data from the EXIF (Exchangeable Image File format), which will undoubtedly identify when and where your photos were taken. Most people take photos at home and it isn’t hard to establish that a cluster of photos were taken in the vicinity of where you live.
- GPS - not that they need photographs, because you probably have your GPS enabled smartphone’s geotagging service turned on, so you can tag yourself into a specific place. If you do, then it will take a doxer seconds to access your location history through your account settings. The doxer now knows where you live, where you go and your favourite places.
Techniques will vary depending on the skills of the doxer. Other very basic methods may involve identifying your address through postcodes or the electoral role, if you haven’t asked for your name and address to be excluded from the ‘open register’. They may also use people finding sites such as 192.com which may provide them with your age, address and telephone number. More advanced doxers can use IP addresses or a hacking method known as ‘packet sniffing’ whereby the doxer will use a special program or hardware to intercept your internet data.
What can I do to protect myself?
By now you are probably thinking what’s the point if it is that easy for someone to get all my information. What can I possibly do to protect myself, if all they need is my name to get started. It’s a fair point and surely the whole point of social media is that you share what is happening in your lives with those closest to you. There is no point in have a social media account if you aren’t going to put photos, memories and current information about yourself, online. Also, if we are realistic, then the chances of being doxed are minimal, given the huge proportion of the planet which have an online presence. This article does not suggest you remove yourself from the internet completely, it is simply to spread awareness of what may happen, and to provide some tips on how to tighten up your online presence:
- data - check what information about you, is already out there online. Start by carrying out a Google search of your name. You might not be there at all, but if you are, then are you happy with the content. How much is personal, and does it need to be there? If you are not happy, then take steps to have it removed. Start by deleting any unused accounts, remove yourself from old forums and messaging boards etc. Removing content from search engines can be difficult, but in the EU the ‘right to be forgotten’ has been made easier following GDPR. There are also plenty of tools and articles online which will show you how to tackle individual sites and engines, and some that provide tips on how to ‘bury’ the content you are not able to erase. There are also companies that for a fee will do this for you, such as DeleteMe
- internet activity – ensure that you regularly delete your internet activity. For Google you can do this in the ‘My Activity’. Depending on the device you use, you won’t just find your internet searches recorded, but pretty much everything else e.g. timelines of your app usage, routes taken using Google maps, use of messaging services and email. They all contain links back to that specific
- app permissions and privacy settings - ensure that you check all the app permissions on your smartphone/tablet. Tighten up your privacy settings and think about what is public. Make posts and images visible only to your friends.
- people finding sites – ensure you remove your information from websites like 192.com or UKphonebook.com. Many of these will show old addresses, current address, date of birth, email phone number, and can be accessed for a small fee. UKphonebook.com also provides consumer data information, Land Registry and Companies House. You can ask for your data to be removed and this usually takes the form of submitting an online form.
- logins – many websites will offer you the convenient function of signing in through Google and Facebook. Never use this method and always enter through the sites own login. It’s not as convenient but it will allow you to manage the data you tell the website. Using the Facebook or Google buttons will automatically give the site access to the data contained in your Google or Facebook account.
- passwords – make sure your passwords are strong and secure. A strong password is one that is long, normally with 10 plus characters and involves a combination of letters, numbers, symbols and upper/lower case. Make them unique and use a different password for each account, ensuring you change them regularly, at least every 90 days. Don’t use the facility that enables you to store or remember passwords on your phone/tablet/computer.
- email – keep a personal email account for yourself and close friends. Create a separate email to register on forums and websites. Many forums have poor security measures and are easy to hack.
- phone numbers – don’t put your number online, unless it is an absolute requirement. Have a look and remove it from sites and databases where it is not necessary.
- contacts – every now and then, review your contacts and remove anyone you no longer need to be friends with, including the ones where you wonder why on earth you added them as friends in the first place.
- finally – be wise around what you put online. Think about what potentially might come back to haunt you before you sign up, post and share.
Is doxing illegal?
Dependent on the circumstances , doxing may constitute an offence under a number of UK laws. It can amount to harassment, malicious communications, computer misuse offences, data protection. It may also include blackmail and assault occasioning actual bodily harm, if the consequences cause “psychological harm that involves more than mere emotions such as fear, distress or panic”.
Section 1 Protection from Harassment Act 1997 – a person must not pursue a course of conduct which amounts to harassment of another, and which he knows or ought to know amounts to harassment of the other. To do so is an offence.
Section 1 Malicious Communications Act 1988 – a person who sends an indecent or grossly offensive letter or article of any description, electronic or otherwise commits an offence. This has been extended to include the increasing number of incidents that are commonly called ‘revenge porn’. It is an offence for a person to disclose a private sexual photograph or film if the disclosure is made without the consent of the individual who appears in the photograph or film and with the intent of causing that individual distress.
Section 127 Communications Act 2003 – A person is guilty of an offence if he sends by means of a public electronic communications network (includes the Internet) a message or other matter that is grossly offensive or of an indecent, obscene or menacing character; or causes any such message or matter to be so sent.
Section 1 Computer Misuse Act 1990 – Unauthorised access to computer material. Causing a computer to perform any function with intent to secure access to any program or data held in any computer.
Section 2 Computer Misuse Act 1990 – Unauthorised access with intent to commit or facilitate commission of further offences.
Section 3 Computer Misuse Act 1990 – Unauthorised acts with intent to impair, or with recklessness as to impairing, operation of computer, etc.
Section 4 Computer Misuse Act 1990 – Unauthorised acts causing, or creating risk of, serious damage. The Education Act 20111 also provides a power of search and seizure to teachers who may look at electronic devices and delete inappropriate images or data.
Stalking – a person who pursues a course of conduct which is a breach of under Section 1 (1) of the Protection from Harassment Act (so, a course of conduct that amounts to harassment of another) and the conduct amounts to stalking. For the purposes of doxing this might be ‘publishing any statement or other material relating or purporting to relate to a person; monitoring the use by a person of the internet, email or other form of electric communication.
The Public Order Act 1986 and the Criminal Justice and Public Order Act 1994 also provide offences that cover harassment, alarm and distress, which includes writing, signs or other visible representations.
Thanks for reading