Doxing, or doxxing (from "dox", abbreviation of documents), is the Internet-based practice of researching and publicly broadcasting private or identifying information (especially personally identifying information) about an individual or organization. The methods employed to acquire this information include searching publicly available databases and social media websites (like Facebook), hacking, and social engineering. It is closely related to Internet vigilantism and hacktivism.
Doxing may be carried out for various reasons, including inflicting harm, harassment, online shaming, extortion, coercion, business analysis, risk analytics, aiding law enforcement or vigilante versions of justice.
Doxing may be carried out for various reasons, including inflicting harm, harassment, online shaming, extortion, coercion, business analysis, risk analytics, aiding law enforcement or vigilante versions of justice.
Etymology
"Doxing" is a neologism
that has evolved over its brief history. It comes from a spelling
alteration of the abbreviation "docs" (for "documents") and refers to
"compiling and releasing a dossier of personal information on someone".
Essentially, doxing is revealing and publicizing records of an
individual, which were previously private or difficult to obtain.
The term dox derives from the slang "dropping dox" which, according to Wired
writer Mat Honan, was "an old-school revenge tactic that emerged from
hacker culture in 1990s". Hackers operating outside the law in that era
used the breach of an opponent's anonymity as a means to expose opponents to harassment or legal repercussions.
Consequently, doxing often comes with a negative connotation,
because it can be a vehicle for revenge via the violation of privacy.
History
Initial efforts around doxing were largely related to internet discussion forums on Usenet. One of the first documented doxing events was the publication of a "Blacklist of Net.Nazis and Sandlot Bullies" which listed names, email addresses, phone numbers, and mailing addresses of individuals the author objected to.
Doxware is a cryptovirology attack invented by Adam Young and further developed with Moti Yung that carries out doxing extortion via malware. It was first presented at West Point in 2003. The attack is rooted in game theory and was originally dubbed "non-zero sum games and survivable malware".
The attack is summarized in the book Malicious Cryptography as follows:
The attack differs from the extortion attack in the following way. In the extortion attack, the victim is denied access to its own valuable information and has to pay to get it back, where in the attack that is presented here the victim retains access to the information but its disclosure is at the discretion of the computer virus.
Doxware is the converse of ransomware.
In a ransomware attack (originally called cryptoviral extortion), the
malware encrypts the victim's data and demands payment to provide the
needed decryption key. In the doxware cryptovirology attack, the
attacker or malware steals the victim's data and threatens to publish it
unless a fee is paid.
Common techniques
Once
people have been exposed through doxing, they may be targeted for
harassment through methods such as harassment in person, fake signups
for mail and pizza deliveries, or through swatting (dispatching armed police to their house through spoofed tips).
A hacker may obtain an individual's dox without making the
information public. A hacker may look for this information in order to
extort or coerce a known or unknown target. Also, a hacker may harvest a
victim's information in order to break into their Internet accounts, or
to take over their social media accounts.
The victim may also be shown their details as proof that they
have been doxed in order to intimidate. The perpetrator may use this
fear and intimidation to gain power over the victim in order to extort
or coerce. Doxing is therefore a standard tactic of online harassment
and has been used by people associated with 4chan and in the Gamergate and vaccine controversies.
The ethics of doxing by journalists, on matters that they assert are issues of public interest,
is an area of much controversy. Many authors have argued that doxing in
journalism blurs the line between revealing information in the interest
of the public and releasing information about an individual's private
life against their wishes.
Examples
Hit lists of abortion providers
In
the 1990s anti-abortion activists secured abortion providers' personal
information, such as their home addresses, phone numbers, and
photographs, and posted them as a hit list, ruled by the courts to be an
immediate incitement to violence. The site's legend explained: "Black
font (working); Greyed-out Name (wounded); Strikethrough (fatality)."
The website included blood-dripping graphics, celebrated providers'
deaths and incited others to kill or injure the remaining providers on
the list. Between 1993 and 2016, eight abortion providers were killed by
anti-abortion activists, along with at least four police officers.
Human flesh search engine
Starting in March 2006, the Chinese Internet phenomenon of the "Human
flesh search engine"(人肉搜索)shares much in common with doxing.
Specifically, it refers to distributed, sometimes deliberately crowdsourced searches for similar kinds of information through use of digital media.
Anonymous
The term "dox" entered mainstream public awareness through media attention attracted by Anonymous, the Internet-based group of hacktivists and pranksters who make frequent use of doxing, as well as related groups like AntiSec and LulzSec. The Washington Post has described the consequences for innocent people incorrectly accused of wrongdoing and doxed as "nightmarish".
In December 2011, Anonymous exposed detailed information of 7,000
members of law enforcement in response to investigations into hacking
activities.
In November 2014, Anonymous began releasing the identities of members of the Ku Klux Klan. This was in relation to local Klan members in Ferguson, Missouri, making threats to shoot anyone who provoked them while protesting the shooting of Michael Brown.
Anonymous also hijacked the group's Twitter page, and this resulted in
veiled threats of violence against members of Anonymous.
In November 2015, a major release of information about the KKK was
planned. Discredited information was released prematurely and Anonymous
denied involvement. On November 5, 2015 (Guy Fawkes Night), Anonymous released an official list of supposed but currently unverified KKK members and sympathizers.
Boston Marathon
Following the 2013 Boston Marathon bombing, vigilantes on Reddit wrongly identified a number of people as suspects. Notable among misidentified bombing suspects was Sunil Tripathi,
a student reported missing before the bombings took place. A body
reported to be Tripathi's was found in Rhode Island's Providence River
on April 25, 2013, as reported by the Rhode Island Health Department. The cause of death was not immediately known, but authorities said they did not suspect foul play. The family later confirmed Tripathi's death was a result of suicide.
Reddit general manager Erik Martin later issued an apology for this
behavior, criticizing the "online witch hunts and dangerous speculation"
that took place on the website.
Journalists
Journalists with The Journal News of Westchester County, New York, were accused of doxing gun owners in the region in a story the paper published in December 2012.
Newsweek came under fire when writer Leah McGrath Goodman claimed to have revealed the identity of the anonymous creator of Bitcoin, Satoshi Nakamoto.
Though the source of her sleuthing was primarily the public record, she
was heavily criticized for her doxing by users on Reddit.
The Satoshi Nakamoto
case brought doxing to greater attention, particularly on platforms
such as Twitter, where users questioned the ethics of doxing in
journalism. Many Twitter users condemned doxing in journalism, wherein
they argued that the practice was seemingly acceptable for professional
journalists but wrong for anyone else. Other users discussed the effect
the popularization that the concept of doxing could have on journalism
in public interest, raising questions over journalism concerning public
and private figures. Many users have argued that doxing in journalism
blurs the line between revealing information in the interest of the
public and releasing information about an individual's private life
against their wishes.
After The Des Moines Register published racist tweets made by a 24-year-old Iowa man whose beer sign on ESPN College GameDay
resulted in over $1 million in contributions to a children's hospital,
readers retaliated by sharing social media comments previously made by
the reporter, Aaron Calvin, which contained racial slurs and
condemnation of law enforcement. The newspaper later announced that Calvin was no longer an employee.
Curt Schilling
In March 2015, former Major League Baseball (MLB) pitcher Curt Schilling
used doxing to identify several people responsible for "Twitter troll"
posts with obscene, sexually explicit comments about his teenaged
daughter. One person was suspended from his community college, and another lost a part-time job with the New York Yankees.
Alondra Cano
In
December 2015, Minneapolis city council member Alondra Cano used her
Twitter account to publish private cellphone numbers and e-mail
addresses of critics who wrote about her involvement in a Black Lives
Matter rally.
Lou Dobbs
In 2016, Fox Business news anchor Lou Dobbs revealed the address and phone number of Jessica Leeds, one of the women who accused American presidential candidate Donald Trump of inappropriate sexual advances; Dobbs later apologized.
Erdoğan emails
In July 2016, WikiLeaks released 300,000 e-mails called the Erdoğan emails, initially thought to be damaging to Turkish President Recep Tayyip Erdoğan.
Included in the leak was Michael Best, who uploaded Turkish citizens'
personal information databases that WikiLeaks promoted, who came forward
to say that doing so was a mistake after the site where he uploaded the
information took it down. The files were removed due to privacy
concerns, as they included spreadsheets of private, sensitive
information of what appears to be every female voter in 79 out of 81
provinces in Turkey, including their home addresses and other private
information, sometimes including their cellphone numbers.
Michael Hirsh
In November 2016, Politico editor Michael Hirsh resigned after publishing the home address of white nationalist Richard B. Spencer on Facebook.
U.S. Presidential Advisory Commission on Election Integrity
In July 2017, the United States' Presidential Advisory Commission on Election Integrity, which was established in May 2017 by U.S. President Donald Trump to investigate his controversial allegation of voter fraud,
published a 112-page document of unredacted emails of public comment on
its work, which included both critics and some supporters of the
Commission. The Commission included the personal details of those
critics, such as names, emails, phone numbers and home addresses. Most
of the commenters who wrote to the White House expressed concern about
publication of their personal information, with one person writing, "DO
NOT RELEASE ANY OF MY VOTER DATA PERIOD." Despite this, that person's
name and email address were published by the commission.
This act drew criticism from Theresa Lee, a staff attorney for the American Civil Liberties Union's
Voting Rights Project, who stated, "This cavalier attitude toward the
public's personal information is especially concerning given the
commission's request for sensitive data on every registered voter in the
country."
The White House defended the publication of the personal information,
noting that everyone was warned that might happen. However, former
Deputy Secretary of Labor Chris Lu stated that regardless of the
legality, the White House has a moral obligation to protect sensitive
data, saying, "Whether or not it's legal to disclose this personal
information, it's clearly improper, and no responsible White House would
do this."
Federal agencies often solicit and release public comments on
proposed legislation. Regulations.gov, which is designated for public
comments, includes a detailed set of guidelines explaining how to submit
comments, what type of personal information is collected and how that
information may be used, stating, "Some agencies may require that you
include personal information, such as your name and email address, on
the comment form. The Securities and Exchange Commission, for instance,
warns commenters to 'submit only information that you wish to make
available publicly.'" Another agency, the Federal Trade Commission,
tells commenters that "published comments include the commenter's last
name and state/country as well as the entire text of the comment. Please
do not include any sensitive or confidential information." However, The
White House does not appear to have issued any such public guidelines
or warnings before many of the emails were sent. Marc Lotter, Press
Secretary to Mike Pence, stated, "These are public comments, similar to
individuals appearing before commission to make comments and providing
name before making comments. The Commission’s Federal Register notice
asking for public comments and its website make clear that information
'including names and contact information' sent to this email address may
be released."
Democratic U.S. House of Representatives intern
On October 3, 2018, Jackson Cosko, a House fellow for the Democratic party, was arrested by the U.S. Capitol Police
(USCP). He allegedly posted private, identifying information of several
Senators to Wikipedia. According to the USCP, the personal information
of Republican Senators Lindsey Graham, Mike Lee and Orrin Hatch was anonymously posted to Wikipedia
the week before on Thursday September 27, 2018. The information
included home addresses and phone numbers. All three lawmakers are with
the Senate Judiciary Committee. The alleged doxing occurred during the hearing of Supreme Court nominee Judge Brett Kavanaugh.
Cosko was initially charged with witness tampering, threats in
interstate communications, unauthorized access of a government computer,
identity theft, second degree burglary and unlawful entry. Cosko was
fired after his arrest. He worked with Democratic Rep. Sheila Jackson Lee (D-TX), Sen. Dianne Feinstein (D-Calif), Sen. Maggie Hassan (D-N.H.), and former Sen. Barbara Boxer (D-Calif). If convicted of all six charges Cosko faces up to 20 years in prison. In June 2019, he was sentenced by Judge Thomas F. Hogan to four years in prison.
Legal remedies
There are currently few legal remedies for the victims of doxing. There are currently two federal laws
that could potentially address the problem of doxing: the Interstate
Communications Statute and the Interstate Stalking Statute.
However, as one scholar has argued, "[t]hese statutes...are woefully
inadequate to prevent doxing because their terms are underinclusive and
they are rarely enforced." The Interstate Communications Statute, for example, "only criminalizes explicit threats to kidnap or injure a person."
But in many instances of doxing, an doxer may never convey an explicit
threat to kidnap or injure, but the victim could still have good reason
to be terrified. And the Interstate Stalking Statute "is rarely enforced and it serves only as a hollow protection from online harassment."
To illustrate, over three million people are stalked over the internet
each year, yet only three people are charged under the Interstate
Stalking Statute. Accordingly, "[t]his lack of federal enforcement means that the States must step in if doxing is to be reduced."
