The Doxing Guide: What it is, Statistics, Legality, and Prevention
The term “doxing”, also commonly known as “doxxing”, first emerged among online hackers in the 1990s. While the practice of revealing one’s private information has existed for a long time, the term originated from rival hackers “dropping docs” on each other, then led to “docs” becoming “dox”, and finally becoming a verb by itself, that is, without the prefix “drop”.
What is doxing?
According to Kaspersky, doxing is “the act of revealing identifying information about someone online, such as their real name, home address, workplace, phone, financial, and other personal information, which is then circulated to the public without the victim’s permission”.
The feat is usually perpetrated by intimate partners, “friends” (both online and offline), internet strangers, media publications, companies, hackers, or anyone who may possess animosity towards you. One of the most well-known and earliest instances of doxing was when anti-abortion activists secured abortion providers' personal information, such as home addresses, phone numbers, and photographs, and posted them as a hit list.
The process of getting doxed starts small; this could be anywhere from social media snooping, as well as finding names, emails, or phone numbers. Because of how easy it is for individuals to have their private information relayed to the public, including through people search sites, Garbo does not provide access to an individual’s full name, address, or other personal identifying information.
These relatively minor pieces of information can lead to bigger stunts, such as examining file metadata, which can also impart individuals with personal information, as files such as Word documents have sections that reveal who set the document up and edited it, as well as when and where it was created. IP logging occurs when hackers slip an invisible piece of code called the IP logger into one’s device via texts or email, which allows them to track down one’s IP address. Wi-Fi Sniffing, another tactic to begin the doxing process, is when a hacker intercepts one’s internet connection, obtains real-time data, and steals sensitive details from a public Wi-Fi network.
Doxing is a relatively new phenomenon that has ramped up in the ever increasing digital age.
More and more studies are being conducted to study the impacts and effects of doxing.
- Researchers in a 2017 NYU study identified and analyzed more than 5,500 files associated with doxing and reported that:
- More than 90% of the doxed files included the victim's address, 61% included a phone number, and 53% included an email address.
- 40% of victims' online user names were made public, and the same percentage revealed a victim's IP address.
- While less common, sensitive information such as credit card numbers (4.3%), Social Security numbers (2.6%), or other financial information (8.8%) was also revealed.
- 32% of doxing victims closed or changed the privacy settings on their Instagram account and 25% adjusted the settings on a Facebook account after an attack.
- 10% of doxing victims altered their Instagram account and 3% changed their settings on Facebook once anti-abuse measures were in place.
- In a representative sample of 2120 Hong Kong secondary school students, researchers found that:
- 12% of the students acknowledged their engagement in doxing.
- These students tended to be younger than those who had not doxed others.
- Significantly more girls than boys reported having conducted doxing
- Social and hostile doxing were the two most common forms of doxing.
- Girls were significantly more likely to conduct social doxing, where their target was to obtain social information.
- Boys were more likely to engage in hostile doxing aimed at obtaining personally identifiable information and information on others’ current living situations
- The students who perpetrated doxing acts were more likely to have experienced information disclosure as victims, perpetrators, or bystanders.
- Intentions of doxing were as follows:
- 53.2% of students admitted to doxing people they liked.
- 62% of this sample size were girls and 38% were boys.
- The doxing girls (96.3%) were significantly more interested than their male counterparts (88.8%) in social data and trying to ascertain an individuals’ relationship status and obtain his or her personal photos/videos.
- More girls (86.7%) than boys (66.8%) chose social networking services (SNS) as their doxing platform.
- Significantly more boys than girls reported having obtained personally identifiable information (16.3%; e.g., ID card numbers, passport numbers) and information on the current living situation (49.9%; e.g., home address, parents’ names) of their victims through doxing.
- 50% of the doxing perpetrators chose targets whom they disliked.
- Those who specifically targeted individuals they disliked were more interested in obtaining personally identifiable information (22.1%), current living situation information (58.1%), and private information (77.3%).
How to help protect yourself from being doxed
So how can you protect yourself from being doxed in a technology-dominated world?
1. Remove yourself from “Stalking-as-a-Service” sites
Traditional online background checks, you know, the ones you see ads and posts saying things like “Search Public Records. Phone, Address, Social, Marriage & Crime Records. Criminal Record Report” or “Anonymous Searching - See Anyone's Public Records. Enter Any Name To Reveal Records!”, are notoriously dangerous.
They provide easy access to information like your home address, phone numbers, email addresses, social media accounts, and more.
In our testing, we found that many of these types of sites had ZERO criminal records - even though they say they do! That’s why Garbo set out to revolutionize the online background check industry by focusing only on the reporting of violence.
You can request to remove your information from these sites one by one or use a service like DeleteMe.
2. Use a VPN
A VPN, or a Virtual Private Network, can be easily found online. VPNs are useful as they secure your network and help to hide your private information by stopping applications or websites from keeping track of your activity online.
They’re not a silver bullet for online safety, but they are a good start to securing your personal information online.
3. Remove photo metadata
Photo metadata is a set of data describing and providing information about the rights and administration of an image. This metadata, although beneficial for organizational purposes, also contains information such as the date and time the photograph was taken, camera settings, manufacturer make and model, and in the case of smartphones, the GPS coordinates of where the photo was taken. Removing photo metadata prior to sending an image to someone can be done by a quick Google Search, or you can check out the link here.
4. Use strong passwords and a password manager
Strong passwords usually consist of at least ten characters, a combination of letters (upper and lowercase), numbers, and symbols, and have no relation to information about yourself (i.e. your birthday, name, pet’s name, etc) Password managers allow users to store, generate, and manage passwords for local applications and online services.
5. Clean up your Google results
This can be anything from personal images to private information. If you find something on your Google results you can email the website to have them remove it. In the case that a website doesn’t respond or is unwilling to cooperate, you can try contacting them directly using either of these links:
6. Don't trust online quizzes and app permissions.
Kaspersky writes that although online quizzes may appear harmless, you may unknowingly provide a rich source of personal information, which could come in the form of questions that serve as security questions or access to your social media accounts.
7. Review your device permissions and apps.
If you download a lot of new apps, you want to keep checking the permission settings you give them. If someone else has access to your device (a partner, a child, a family member) make sure you check your app permissions for unknown applications you did not download.
If you’re worried about being stalked or doxxed, make sure seemingly harmless apps don’t have your location turned on (like the friends feature on iPhones). Also make sure they didn’t give themselves access to your calendar.
This point is particularly relevant if you are in an abusive relationship or if you are afraid someone who has accessed your device might dox you. Learn more about digital stalking in one of our recent blog posts.
8. Avoid sharing personal details, especially online
Unless absolutely necessary, avoid disclosing confidential information, such as home address, driver’s license number, Social Security Number, or any credit card or bank account information. This includes information sharing through emails, text messages, or phone calls. You never know who you're interacting with and they could be using tactics of love bombing to get you to share personal identifying information (PII).
9. Never open or click on any emails that seem suspicious
Even opening an email can reveal your address to someone via IP trackers.
Never open or click on an email unless you:
- Know the sender
- You can determine that the context of the message and the link align
- You have hovered over the link to validate where it will take you
10. Find out how easy it is to dox yourself
The best way to make it more difficult for attackers to track your private information is to dox yourself. Slate shows that this can be done by:
- Googling yourself
- Carrying out a reverse image search
- Auditing your social media profiles, including privacy settings
- Check to see if any of your email accounts were part of a major data breach by using a site such as Haveibeenpwned.com.
- Check CVs, bios, and personal websites to see what personal information your professional presence conveys. If you have PDFs of CVs online, be sure to exclude details like your home address, personal email, and mobile phone number (or replace them with public-facing versions of that information).
Is doxing illegal?
As doxing is an act that reveals personal information of an individual online, doxing tends not to be illegal, specifically if the obtained details were exposed in a public domain and found using legal methods. However, doxing can also fall under laws in place to combat stalking, harassment, and threats.
Making doxing illegal also depends on the particular information shared by the perpetrator, as well as the doxing victim. For instance, disclosing an individual’s name on the internet would not be as serious as exposing home addresses, credit card numbers, or Social Security numbers. As for the victim, if they are a government employee, the perpetrator would be subject to breaking federal conspiracy laws and will have committed a federal offense. Because doxing is a relatively recent offense, as it began with the use of technology, laws are not set in place and not as flushed out. Regardless of whether doxing is legal, on many websites, doxing is seen as a violation of their terms of service, and the perpetrator can be banned.
Although there have not been any direct doxing laws written in the United States, efforts have been made in states such as California, which has a specific cybercrime law and other stalking laws that can apply to doxing.
Doxing legal action must first be divided into civil law and criminal law.
Here is some additional information about Doxing Criminal Cases.
State and federal laws relating to doxing in California include:
California Penal Code § 653.2 PC - Electronic Cyber Harassment
This is a state law for California that specifically targets cyber harassment, such as doxing. It makes it illegal for any person to use an electronic device, such as a computer, phone, or tablet to:
- Intentionally cause another person to fear for their safety
- Harass, torment, terrorize, or cause injury to another person with no legitimate purpose
- Make personal and identifying information or electronic messages of a harassing nature available to view or download
Violating this law can result in up to one year in county jail, and/or a fine of up to $1,000.
18 U.S. Code § 2261A (2015) – Stalking
This law runs through the federal courts and was originally written to target stalking. But the wording allows it to apply to cyberstalking and doxing.
It allows charges to be filed against anyone:
- Intending to injure, intimidate, harass, surveil, or worse, uses a computer or electronic communication service or system to:
- Place another person in reasonable fear of death or serious bodily injury, or;
- Cause, attempt to cause, or would reasonably expect to cause substantial emotional distress to a person.
Learn more about what we recommend doing if you’ve been doxed.
What to do if you’ve been doxed
In the case that you have been doxed, we recommend that you follow these steps:
- Call someone you trust
- Document everything
- Take screenshots where the date/time is visible
- Create a log of every place the information was posted
- Report it to the platform
- Report to the authorities
- This is a personal decision and we know how difficult reporting can be. They may not want to listen, but you can force them to take a police report
- Lock down all accounts
- Change passwords, privacy settings, etc.
- You may even want to think about creating new private accounts, changing your number, etc. We know this is victim-blaming, but it can also be the safest thing
- Know that you will be okay
Being doxed can lead to immense fear and panic. It’s completely normal to feel vulnerable and scared. Doxing is purposely made to inhibit your sense of security and trigger panic attacks, lash outs, or shut downs.
If you are a victim of doxing, here are some additional resources that may be of assistance:
The Victims of Crime VictimConnect Hotline is available 24/7 via:
For more information, consult:
- I’ve been doxed: What to do in the first 24 hours
- The U.S. Department of Homeland Security's Guidance on How to Prevent Online Harassment from Doxxing
- Doxxing Can Ruin Your life. Here’s How (You Can Avoid It)
- How to protect yourself from doxing
- What to Do if You’re Being Doxed
- How Do I Avoid Getting Doxxed?
- Protecting from Doxing