Doxing: What It Is and How to Fight It

Think you're anonymous online? Think again

what is doxing
Credit: Getty Images

The web is an amazing invention that has changed the way we live our lives. One of the benefits of being online is the ability to communicate with people all around the world without revealing our personally identifying information, anonymously posting our thoughts, opinions, and reactions online without fear.

The ability to be completely anonymous online is one of the key benefits of the internet, but this benefit can be exploited by other people, especially since there's a vast repository of information available for free for anyone who has the time, motivation, and interest to put together clues and take away that anonymity.

What Is Doxing? 

The word doxing, or doxxing, originated out of "documents," or "dropping docs," eventually shortened simply to dox.

Doxing refers to the practice of searching, sharing, and publicizing the personal information of people on the web on a website, forum, or other publicly accessible venue. This could include full names, home addresses, work addresses, phone numbers (both personal and professional), images, relatives, usernames, everything they’ve posted online (even things that were once thought private), etc. 

Doxxing is most often aimed at regular people who are using websites anonymously who aren’t necessarily in the public eye, as well as anyone those people might be associated with: friends, relatives, professional associates, and so on.

This information can be revealed privately or it can be posted publicly. 

Doxing Examples

Consider the following situations that violate privacy and tear down anonymity:

  • You receive a message from someone named RedDog14 on YouTube. They don't like the comment you just posted on their video, and threaten to tell your place of employment that you once donated to a politically controversial campaign.
  • A local college is hosting a fitness workshop. The person leading the workshop has a popular Instagram channel with hundreds of thousands of followers. One of the people attending the workshop takes offense at something this personality says, so posts her real name, home address, and phone number on all of her social media platforms. 
  • A high school drama teacher chooses the lead for the school play. Some students in the class don't agree with this decision, so they pretend to be this young man's friend, getting him to share personal information and then sharing this information — complete with images — on the school website. 

What Kind of Information Can Be Found From Doxing? 

In addition to names, address, and phone numbers, doxxing attempts can also reveal network details, email information, organizational structures, and other hidden data — anything from embarrassing photos to unfortunate political viewpoints. 

It’s important to understand that all of this information — such as an address, phone number, or images — is already online and publicly available. Doxing simply brings all of it from different sources into one place, therefore making it conveniently accessible to anyone.

Are There Different Kinds of Doxing? 

At its core, doxxing is an invasion of privacy. While there are many different ways that people can be doxed, the most common doxing situations fall into one or more of the following:

  • Releasing an individual's private, personally identifying information online.
  • Releasing previously unknown information of a private person online.
  • Releasing information of a private person online that could be damaging to not only their reputation, but to those of their personal and/or professional associates.

Why Do People Dox Other People?

Doxing is usually done with the intent to maliciously harm someone else, for whatever reason. Doxxing can also be seen as a way to right perceived wrongs, bring someone to justice in the public eye, or reveal an agenda that had previously not been publicly disclosed. 

Intentionally releasing personal information about an individual online usually comes with the intent to somehow punish, intimidate, or humiliate the party in question.

Doxing also gives perceived power over the targeted individual by demonstrating how much personal information is available within just a few minutes of searching. 

However, the core purpose of doxing is to violate privacy. 

What Kind of Harm Can Be Done by Doxing? 

While the motive behind doxing missions can sometimes definitely fall on the side of good, the purpose behind doxing most often is to do harm of some kind.

In the situation of attempting to bring someone to justice in the public eye by doxxing them, significant harm can be done by well-meaning people who go after a doxing target who's not related to the issue at hand, revealing an innocent bystander’s personally identifying information online. 

Revealing someone else's information online without their knowledge or consent can be incredibly intrusive. It also can cause real damage: damage to both personal and professional reputations, potential financial implications, and social backlash. 

Real World Examples of Doxing

As doxing has become more mainstream, situations including doxing have increasingly emerged into the public eye. Here are a few of the more well-known examples of doxxing:

  • The Ashley Madison scandal: Ashley Madison was an online dating site that catered towards people interested in dating outside of committed relationships. A hacker group made demands of the management behind Ashley Madison; when those demands weren't met, the group released sensitive user data, thereby doxing millions of people in the process and causing humiliation, public embarrassment, and the potential for harm to both personal and professional reputations. 
  • Cecil the Lion: A dentist from Minnesota illegally hunted and killed a lion living in a protected game preserve in Zimbabwe. Some of his identifying information was released, which resulted in even more personal information publicly posted online by people who were upset about his actions and wanted to see him publicly punished. 
  • The Boston Marathon bombing: During the manhunt for the perpetrators of the Boston Marathon bombing, thousands of users in the Reddit community collectively pored through news and information about the event and subsequent investigation. The intent was good: provide information to law enforcement that they could then use to seek justice. Instead, innocent people who weren't actually involved in the crimes were outed, resulting in a misguided witch hunt. 

How Easy Is It to Dox Someone? 

One small piece of information can be used as a key to find much more data online. Simply plugging one piece of information into a variety of search tools can reveal an amazing amount of information. 

There are several commonly used channels people use to dox somebody:

  • Track a username. Many people use the same username across a wide variety of services. This makes it simple for the would-be doxer to find what their potential victim is interested in, where they spend their time, and pick up other bits of information that can be used to build a complete profile. 
  • Run a WHOIS search on a domain name. Anyone who owns a domain name has their information stored in a registry that's often publicly available via a WHOIS search. If the person who bought the domain name didn’t obscure their private information at the time of purchase, their personally identifying information (name, address, phone number, business, email address) is available online for anyone who cares to search for it.
  • Obtain private emails through phishing or hacking. If the person uses an insecure email account or falls victim to a phishing scam, the hacker can unload sensitive emails and post them online.
  • Search on social media. The amount of personally identifying information shared on social media sites is a dream come true to doxers. Profiles including full names, birth dates, email addresses, images, and much more can be easily found and accessed. 
  • Sift through government records. While most personal records aren't available online, there's still quite a bit of information that can be gleaned here.
  • Leverage multiple search engines. Simply using a variety of search tools can yield a rich harvest of data. In some cases, you don't need much to do a search for someone's information; a phone number is often enough.
  • Track their IP address. When an attacker has an IP address, they can do a little bit of digging to see which ISP it belongs to, and then do things like file complaints about the owner of the IP address, attempt to hack into the network, and even send police to their door through swatting.

How do people extract information using these publicly accessible channels? Simply by taking one or more pieces of information that they already have and slowly building on that foundation, taking combinations of data and experimenting on various sites and services to see what kind of results are possible.

Anyone who has determination, time, and access to the internet — along with motivation — will be able to put together a profile of someone. If the target of this doxing effort has made their information fairly easy to access online, this is made even easier. 

Should I Be Concerned About Getting Doxed? 

This really depends on your past, the situation you're in now, and the your digital footprint. Maybe you’re not that concerned about having your address posted for everyone to see; after all, it’s public information if anyone really wants to dig for it.

However, maybe you did something embarrassing and are afraid of it being stored in digital records. Perhaps there was an exploration into illegal substances in your college days, or humiliating poetry attempts during a first love affair, or video footage of something you said you didn’t say but the proof is out there for all to see. 

We all probably have something in our past or present that we’re not that proud of, and would prefer to keep private.

Is Doxxing Illegal? 

Doxing isn't illegal. Most online services and platforms have anti-doxing policies to keep their communities safe, but doxing itself isn't against the law.

That being said, posting restricted or previously undisclosed personal information in order to threaten, intimidate, or harass could definitely be considered illegal under the law in your country or local area.

How Can I Prevent Getting Doxed? 

While there are specific steps everyone can take to guard their privacy online, the stark reality is that anyone can be a victim of doxing, especially with the vast variety of search tools and information easily available online. 

If you’ve ever bought a house, posted in an online forum, participated in a social media site, or signed an online petition, your information is publicly available. In addition, there are masses of data easily available to anyone who cares to look it up in public databases, county records, state records, search engines, and other repositories. 

However, while this information is available to those who really want to look for it, that doesn’t mean that there isn’t something you can do to prevent being doxed.

There are a few common sense online behaviors everyone should cultivate in order to protect their information:

  • Be aware of how much personal information you are sharing. Small details can be pieced together over time to create a completely identifying profile. For example, simply selecting someone's username on a site like Reddit, Pinterest, or Twitter will disclose every single time they've contributed to a discussion, shared images, or posted an opinion.
  • Never share personally identifying information. If you've posted your address, phone number, or other information that could be used to identify you, take that information down.
  • Review your privacy settings on a regular basis. Websites like Facebook and Google receive and store an incredible amount of personal information about their users; anything from browsing habits to pinpointed geolocations. Review the privacy settings of the sites that you visit the most, and make sure that you’re comfortable with the amount of information being shared. 
  • Check your domain registrations. If you own a domain name, make sure the registration information is obscured. Most domain registrars offer privacy services at the time of domain registration that will mask this information.
  • Review how many sites actually have your information. While sites like MySpace might be out of vogue nowadays, profiles that were put up a decade ago are still there and publicly accessible. This applies to any site that you might have formerly been active on. 
  • Use multiple usernames. Rather than using the same username across all of your online platforms, use something different for each situation. For example, use one username for online forums, another for social media, yet another one for gaming, and so on. This practice will make it much more difficult for people to track your movements across multiple sites.
  • Browse the web anonymously through web proxies or VPN providers so as to hide your real IP address.
  • Opt for a secure email service and use a strong password. However, even the most secure email provider can't protect you from doxxing if you're not careful what you download or open in your emails. Avoid social engineering attempts at your emails by always testing suspicious links before opening them.