Tech Insight : What Is ‘Doxing’?

In this article we look at what doxing is, the legality of it, some examples of doxing, and we consider what we can do to protect ourselves and our businesses from attack.

What Is Doxing?

Doxing is a term meaning for dropping (personal) dox where ‘dox’ is a slang term for documents. Doxing is a malicious act where a person/persons use a variety of methods to find previously private personal information about an individual or organisation, and then publicly reveal/expose that information to all, usually over the Internet. The type of information released could be anything from simple personal details (real name, home address, workplace), to much more personal embarrassing and damaging information.  Doxing is actually an old term that pre-dates the modern Web, and dates back to the online hackers in the 1990s.

Is It Illegal?

Although doxing is malicious and can be very harmful, it is generally not illegal because much of the information is gathered from what is considered as the public domain. However, the legality also depends upon whether details were obtained using legal methods, and doxing treads a fine line between and sometimes into the illegal worlds of stalking, harassment, and more. If the threat of doxing is used to extort money this is, of course, blackmail. In many cases, at the very least, doxing often violates many websites’ terms of service.

Proposed Anti-Doxing Law in Hong Kong

Hong Kong has proposed a new anti-doxing law, mainly to prevent details of members of the authorities from being posted online and, perhaps, to crack down on criticism. Unfortunately, the power that this law would hand to Hong Kong’s privacy watchdog has led to complaints from an industry group that represents big tech companies like Amazon, Apple, Google, and Facebook.

How Doxing Works – Information Gathering

Ways that information is gathered about a person by ‘doxers’ for use in doxing includes:

– Tracking usernames to build up a picture of a target’s interest.

– Using WHOIS searches of domain names.

– Using social engineering on a target’s ISP to discover the target’s IP address, which is linked to their physical location.

– Reverse mobile phone lookup.

– Piecing together bits of information that has been sold across the Web by data brokers.

– Packet sniffing (intercepting a target’s Internet data) – passwords, credit card numbers, bank account information, email messages and more.

High Profile Examples of Doxing

Just some of the many examples of doxing that have made the news include:

– December 2011 – the hacking group Anonymous exposed detailed information online about 7,000 law enforcement as revenge for investigations into hacking activities.

– In 2013, hackers posted Kim Kardashian’s Social Security number, credit report, address (+ six previous addresses) online.

– In 2016, while Donald Trump was campaigning for the US presidency, Anonymous posted his Social Security number and phone number, as well as the contact information for his agent and lawyer online.

– In 2017, the Russian (Moscow) hacker group Turla hacked the Instagram account of Britney Spears, and used it to post secret, cryptic comments.

How To Protect Yourself From Doxing

Some of the measures you can take to help protect yourself/your business from falling victim to doxing include:

– Using a VPN to protect your IP address.

– Using strong passwords, avoiding password sharing, and using 2FA or multi factor authentication where possible.

– Setting up different email addresses for different uses e.g., professional, personal, and spam.

– Maximising your social media privacy settings.

– Hiding domain registration information from WHOIS.

– Asking Google to remove any personal information that you are concerned about.

– Keeping up with good general online security practices and be careful what information you share via social media.

What Does This Mean For Your Business?

The main motives for doxing appear to be revenge, control, or even as a way to blackmail someone.  Following good online security practices and policies anyway is the best way to avoid giving e.g., disgruntled former employees/customers, hackers, and others the fuel and the openings they need to build their campaigns.  Sadly, much of our data ends up being shared around the Web, perhaps to places we wouldn’t expect to go and determined doxers may be able to find some things despite our best efforts to maintain our privacy.