Doxing as an Attack

Those of you unfamiliar with hacker culture might need an explanation of “doxing.”

The word refers to the practice of publishing personal information about people without their consent. Usually it’s things like an address and phone number, but it can also be credit card details, medical information, private e-mails—­pretty much anything an assailant can get his hands on.

Doxing is not new; the term dates back to 2001 and the hacker group Anonymous. But it can be incredibly offensive. In 2014, several women were doxed by male gamers trying to intimidate them into keeping silent about sexism in computer games.

Companies can be doxed, too. In 2011, Anonymous doxed the technology firm HBGary Federal. In the past few weeks we’ve witnessed the ongoing doxing of Sony.

Everyone from political activists to hackers to government leaders has now learned how effective this attack is. Everyone from common individuals to corporate executives to government leaders now fears this will happen to them. And I believe this will change how we think about computing and the Internet.

This essay previously appeared on BetaBoston, who asked about a trend for 2015.

EDITED TO ADD (1/3): Slashdot thread.

Tags: , , , ,

Posted on January 2, 2015 at 7:21 AM78 Comments

Comments

Random832 January 2, 2015 8:00 AM

Often, the term also extends to connecting an online pseudonym (and thus statements made with it) to the user’s real identity (with just the name, or the name plus enough information to disambiguate from other people with the same name, such as a photo, general location, facebook page, or employer’s name), without anything like an address or phone number included. How do you regard this case? Do people have a right to anonymous speech?

I wonder January 2, 2015 8:39 AM

Is there a way to grasp the magnitude of the problem already, a % of people who have been silenced this way?
(Might need to distinguish between silencing in a public forum, and in “private” like email)
Where is the discussion happening about how, as a society, we deal with it? (Or is it something we can’t counter?)

Anonymous0010 January 2, 2015 8:46 AM

Keep identities on sites distinct and separate – don’t cross streams!

Anonymity is important to avoid being doxxed for a different opinion.

AlanS January 2, 2015 8:52 AM

@Bruce

“Everyone from common individuals to corporate executives to government leaders now fears this will happen to them. And I believe this will change how we think about computing and the Internet.”

As you note, this isn’t new. In fact, the practice is as old as the hills. The Internet just makes it a easier.  The increased threat might change the way we think but will it result in meaningful protections or significant changes in behavior?  

Your comments made me think of Joel Reidenberg’s law class exercise involving the compilation of a 15 page dossier of public information on Justice Scalia in response to his dismissive comments about privacy protections for information on the Internet. This was previously discussed here at Googling Justice Scalia. My earlier comments here, after Eric Schmidt made comments similar to Scalia’s. We did get some privacy protections after the ‘doxing’ of a candidate for the Supreme Court in the 1980s–but that’s a while back and that seems to be an exception. (No prizes for guessing what type of videos congressmen like to watch.)

Coyne Tibbets January 2, 2015 9:16 AM

@I wonder: Is there a way to grasp the magnitude of the problem already, a % of people who have been silenced this way?

I’m not sure it matters exactly. The censorship potential for doxing surely extends far beyond its direct consequences. Consider the gaming dispute: When one woman was doxed, how did that affect any other women involved?

As such, it seems to me that doxing should be treated as an invocation of Godwin’s law; that is, immediate termination of the entire discussion thread.

JRD January 2, 2015 9:22 AM

It definitely has a chilling effect. I am much quieter on the Internet than I used to be precisely because a group of anonymous hackers were gearing up to doxx me for the dumbest of reasons.
I don’t have the fortitude to deal with that so I just shut up.

Mark January 2, 2015 9:51 AM

franc:

Smooth move, linking to a “non-biased” wiki at gamergate.me. Talk about parroting hearsay.

Henry January 2, 2015 10:16 AM

@ Random832:

Often, the term also extends to connecting an online pseudonym (and thus statements made with it) to the user’s real identity (with just the name, or the name plus enough information to disambiguate from other people with the same name, such as a photo, general location, facebook page, or employer’s name), without anything like an address or phone number included. How do you regard this case? Do people have a right to anonymous speech?

This is another one of those ‘it depends…’ moments.

I think most are comfortable with it if used for targeted advertisements provided that they can opt out. So I posted about needing a new lawn mower on my social media page, then I see these lawn mower deals wherever I websurf, that’s fine by me, but if someone from home depot calls me about lawn mower deals, I’d freak out.

vas pup January 2, 2015 10:41 AM

@Random832:”Do people have a right to anonymous speech?” The 1st Amendment is vague, and you should be a Constitutional Law geek to know bounds of your free speech before you actually use it in some cases. Political correctness changed the balance and creates kind of ‘Newspeak’ (see 1984) with bunch of euphemisms to avoid legal/political/employment/etc problems. Looks like anonymous speech should protect your free speech genuine right to call things their real names, not ‘labels’ assigned by political correctness. My guess is that source of anonymous speech should disclosed if and and only if it promotes actual and immediate violence, property damage, riots and other illegal activities (in CRIMINAL) sense only. Otherwise, you may still promote the idea that the Earth is flat (based on common accepted ideas). That is my view.

Al January 2, 2015 11:30 AM

Franc was correct to link to that wiki, as the repository at gamergate.me is actually a very in-depth analysis of the GamerGate “culture war” by the people who are at the very heart of it, and so are best positioned to know.

It should likewise be noted that while several female celebrities were perhaps the highest-profile instances of doxing, the vast majority of the doxing – and other threats – are being wielded against GamerGate supporters by anti-GamerGate supporters; apparently, horrible things aren’t horrible so long as they’re done against “the bad people.”

That’s nothing new, of course. Many people will say, with no cognitive dissonance, things like “murder is awful; all killers should be put to death instantly, with no appeals,” but it still makes me leery that the people who proudly trumpet such statements with regards to GamerGate supporters can then claim to be the guardians of society’s morals.

Mark January 2, 2015 11:55 AM

Al:

“It should likewise be noted that while several female celebrities were perhaps the highest-profile instances of doxing, the vast majority of the doxing – and other threats – are being wielded against GamerGate supporters by anti-GamerGate supporters; apparently, horrible things aren’t horrible so long as they’re done against “the bad people.””

Stats pls. Or links to stats.

Al January 2, 2015 12:21 PM

Mark,

You can find logged examples of harassment directed towards GamerGate supporters over on the aforementioned wiki. Each instance has a link that archives the harassment in question (note also the references for “Bullying” and “Cyberattacks” pages at the bottom):

http://wiki.gamergate.me/index.php?title=Harassment

There’s also an archive of harassment against GamerGate supporters listed at the end of this Medium article:

https://medium.com/@cainejw/a-narrative-of-gamergate-and-examination-of-claims-of-collusion-with-4chan-5cf6c1a52a60

I should mention that neither archive is complete. For example, neither mentions how Gawker’s Sam Biddle publicly called for increased bullying against GamerGate supporters:

http://blogjob.com/oneangrygamer/2014/10/bring-back-bullying-says-gawker-journalist-gamergate-donates-to-anti-bully-charity/

Or how James Desborough’s satirical #GamerGate card game (which satirized both sides, though perhaps not completely evenly) was pulled from distribution on the major pay-for-download stores after other companies implied they’d drop those venues unless the stores banned the game:

http://postmortemstudios.wordpress.com/2014/12/07/gamergate-the-card-game-update/

Or the woman of color who came out in favor of GamerGate (via NotYourShield) and subsequently had her boss doxed, forcing her to resign from her job:

https://www.youtube.com/watch?v=Doe6omL08bY

My comment about statistics was largely based upon having seen many, many of instances similar to these, whereas the vast majority of claims about pro-GamerGate harassment are either unverifiable (e.g. third- or fourth-hand) or are instances of harassment that, in fact, have nothing to do with GamerGate, but are asserted to be part of it by its detractors.

Catherine Jefferson January 2, 2015 12:26 PM

Doxing has been around since before 2001. I was doxed in 1997 by a former member of a religious cult who thought I supported his cult’s leader. Fortunately I had some resources that enabled me to identify the perp and deal with the problem, but even so before it was over I had to change my phone number and deal with some unpleasant confrontations online.

I don’t agree with David Brin, who thinks that we should accept that privacy is dead. He is absolutely right, though, that we should assume that anything we do or say might become public at some point. If you want something to stay private, it’s wisest to keep it in your own skull and nowhere else. (sigh)

Daniel January 2, 2015 1:04 PM

I’m not sure it was wise Bruce to step into the Gamers Gate controversy, you could have made your point without it, as that topic rises some very passionate feelings on both sides that have nothing to do with the point you want to make.

a b January 2, 2015 1:10 PM

the internet is a snake pit. don’t use it for anything serious.

if someone tells you it’s secure, they are a knave or a fool.

terkas January 2, 2015 1:23 PM

It’s also hard what constitutionals doxing, in Sweden home addresses, phone numbers and how much you paid in tax is all public information. We also have access to court decision which you had to go through the government to get information but last year a company called Lexbase popped up that gathered all information from the government and is now selling it to anybody.
You enter the person you want to and search, and if they have a criminal record you can get it and access to the ruling and lots of information.
http://en.wikipedia.org/wiki/Lexbase

The site is still operating but they want to bring it to EU court to see what they can do.

But public information is now address, phone numbers, tax records, criminal records, grades from school and maybe even material they submitted and probably a lot I’m not even aware of.

But yes we have zero privacy today as citizens, even from other citizens. Personally I don’t like the idea of having such things as public information to begin with.

So this whole doxing for me at least is most about doing it towards people who are anonymous of some form. Because is it really doxing when everybody already have access to the information if they take the time to get it?

I have been doxed and it’s not fun, even if they couldn’t get to me they got to people around me and their computers which revealed more or less everything. So even if I can take care of my computer and such it doesn’t do much if I have friends who can’t.

Daniel January 2, 2015 1:23 PM

The real loser from doxing, from a business perspective, is Google. Google is essentially an advertising business and in order for those ads to be effective they must be targeted to some degree. The more people keep information out of their unencrypted e-mails, the more they search via Tor, the less effective its ads are and thus the more difficult it becomes to sell ads. Combined with the fact that when it comes to buying products many people are going directly to Amazon to search and the 1-2 punch could put a real hurt into Google over the long-term.

Incredulous January 2, 2015 1:36 PM

It would take a lot of parsing of he said and she said for me to draw any real conclusions about gamergate. We live in a society where almost everyone is pushing their own propaganda to the point where the truth is pretty much buried. (I’ll prove this on the wiki I am publishing: iamrightandyouarewrong.org. Please don’t hold your breathe.)

Even if the gamers behind gamergate are as over the top as they appear at first glance, I doubt the solution is censorship. I am a liberal and I think sexism is a pretty dumb, embarrassing thing. But if liberals put their stamp on censorship the next round of censorship will end up targeting our speech. There is a certain risk to living your life in a public forum. There is a certain risk to militating against things other people like or do to make money. I’d rather have a rowdy argument than have acceptable positions be imposed on me. And if I didn’t want to get into these arguments, I wouldn’t put my positions on public forums.

In a world where the government and corporations already have most of our private information, releasing information is one way for the relatively powerless to fight back. It IS a two edged sword, certainly. But can I really abhor that a person whose position I support is doxed when I am pleased to see the outing of proponents of positions I strongly disagree with?

For example, the US and its media trumpets its purity and valor in the protection of freedom and democracy. But what really lets you see what is going on are the Manning/Snowden leaks. I am afraid that leaks are most of today’s unbiased news, at least until the image makers catch up and start phoneying them wholesale.

B. D. Johnson January 2, 2015 2:57 PM

Just for reference, the practice dates back to before 2001 and so does a form of the term (it was just “doccing” then). I know there was a thing in the early 90s where personal details and messages between members of the group who ran the Foundation BBS network were published to encourage people to contact them directly to change practices that were disagreed with. Amusing enough, one of the big things people objected to was linking the BBSs to the Internet.

Random832 January 2, 2015 3:00 PM

I think most are comfortable with it if used for targeted advertisements provided that they can opt out.

I’m talking about someone who doesn’t like something you say publishing your name in connection with it so that your family/friends/boss can find it if they google your name.

Henry January 2, 2015 6:58 PM

@ Daniel

Google is essentially an advertising business and in order for those ads to be effective they must be targeted to some degree. The more people keep information out of their unencrypted e-mails, the more they search via Tor, the less effective its ads are and thus the more difficult it becomes to sell ads.

Targeted advertising is akin to doxing, if you have expectancy of anonymity while websurfing with default browser prior to login (e.g. entering a user name and password). The websites magically knows about something you wrote to your social media page on a separate session and then serve you personalized ads (e.g. your data was acquired, analyzed, and action taken). The process involved taking random web session, link that to a set of identifiers, and return specific data to the target web session as result of analysis.

@ Random832

I’m talking about someone who doesn’t like something you say publishing your name in connection with it so that your family/friends/boss can find it if they google your name.

Thanks for the explanation. I’m aware of what it means. I’m just saying there are different degrees of doxing, some are acceptable, some are not acceptable or criminal, but basically it involves taking random data, run some analysis on it against previously identified data, and link that to specific personalization.

conrad January 2, 2015 10:01 PM

Bruce,

Please do some background investigation before presuming the guilty (gamers are DOXING!! Anti gamers are feminist virgin truth sayers, RAPE @ UVA!! ALAR on apples is going to kill us all, etc.).

Also doxing, counter-doxing, counter-counter doxing. When will it ever end.

This is a necessary part of free speech. As in speech has power, but also consequences. If you mouth off to hurt or damage someone, you should expect a proportionate or multi-proportionate response. Maybe within the legal system, maybe not.

Your captca may work for a week, but no longer.

Happy New Year!

John January 2, 2015 10:35 PM

Bruce, the GamerGate controversy was a messy affair with a complex timeline. There were instances of both anti-GamerGate and pro-GamerGate people being doxxed. Due to the anonymous nature of the internet, is has been difficult to establish who perpetrated these attacks and why. By assuming that it must have been “gamers” behind these attacks without any evidence and only speculation from online news sites, you are behaving exactly like the commentators who recently assumed North Korea to be behind the Sony hack simply because “the US Government said so”.

Posting links to sites that support only one side of the discussion is at best lazy, at worst misleading. I would recommend that you do some further research on this tangential issue, which you have unnecessarily thrown your blog into.

marion nihilsvile January 3, 2015 12:00 AM

Hey i know about the gamergate controversy but can you fuckers give bruce a break? Unlile stupid commentors bruce knows what hes ralking about. Bad reflections on bruce but still hes a competent enough person unlike certain journalists we know. Will expand when i get home as my break is almost over.

Aflam January 3, 2015 2:11 AM

The GamerGate controversy is a fascinating expose on institutional trust failures on a scale not often seen before on the Internet. Hell, the shit that’s happened even broke Wikipedia’s trust model.

Dirk Praet January 3, 2015 9:16 AM

IMHO the only thing new about doxing is the word itself and the way the internets are being leveraged both as a source of information and a means of publication. Digging up dirt about opponents – and subsequently bringing it out in the open or using it for blackmail purposes – has been a well-established practice since the dawn of times, and not only in political campaigns.

Kristine January 3, 2015 9:26 AM

Doxxing against racism (from the Wikipedia article Bruce linked): http://techcrunch.com/2014/11/29/thoughts-on-cybervigilantism/?ncid=tcdaily

On RacistsGettingFired.tumblr.com, sequences of screenshots show racist
comments posted by people in response to the Michael Brown case, then other
citizens reporting the commenters to their employers, and finally evidence
that the commenters had been fired.

Including faking screenshots to dox non-racists and get them fired:

This week, a woman’s ex-boyfriend faked screenshots to frame her as saying racist things, and posted them to Racists Getting Fired,

Someone has been fighting monsters for too long, it seems (to paraphrase Nietzsche).

Dox January 3, 2015 9:48 AM

In 2014, several women were doxed by male gamers trying to intimidate them into keeping silent about sexism in computer games.

Bruce please

Test January 3, 2015 10:33 AM

Doxing is not poublishing personal info.

Doxing is collegting it (by performing advanced serch, hacking, using social engineering etc.).

Publishing is a motive for doxing. And even not always.

Bruce Schneier January 3, 2015 11:38 AM

“The Gamergate stuff is surely from 2014, not 2013?”

Fixed. I temporarily forgot what year it was.

Wael January 3, 2015 12:42 PM

@Dirk Praet,

the only thing new about doxing […] has been a well-established practice since the dawn of times, and not only in political campaigns.

Yes! Except back then, they sometimes did the reverse! They De-doxed one another. Just like Thutmose III allegedly did to Hatshepsut

Akhenaten to Amon In his new capital in Amarna, Akhenaten retired from the world and devoted himself to his new religion. In rebellion against the old religion and the powerful priests of Amun, Akhenaten ordered the eradication of all of Egypt’s traditional gods. He sent royal officials to chisel out and destroy every reference to Amun and the names of other deities on tombs, temple walls, and cartouches to instill in the people that the Aten was the one true god.

And the priests of Amun to Akhenaten…

As was done at the command of Akhenaten years before, the new kings attempted to erase all traces of the heretical religion. Akhenaten’s name and images of the Aten sun disk were ordered removed from monuments and official king lists. His temples were dismantled and the stone reused. Amarna was left to crumble in the desert. The very memory of Akhenaten and his one god was lost after only a few generations, and inscriptions referred to him only as the heretic pharaoh of Akhetaten.

mordib January 3, 2015 1:17 PM

Why parrot lies on gamergate? If you don’t want to spend time researching the issue, just don’t mention it.

Rex Rollman January 3, 2015 1:43 PM

I know Bruce started it but can I make a request that we NOT discuss Gamergate here? Everywhere I have seen it discussed it becomes a fucking cancer.

epitemology January 3, 2015 3:04 PM

GamerGate started when Zoe Quinn tried to blow up The Fine Young Capitalists’ Indiegogo game jam for women only because she said they were transphobic for requiring applicants to have identified as women before the start of the contest. She attacked first, and 4chan responded. TFYC’s Matthew Rappard claims (http://apgnation.com/archives/2014/09/09/6977/truth-gaming-interview-fine-young-capitalists) to have been doxxed and threatened BEFORE Sarkeesian or Zoe were. The media are too lazy to investigate as it would step on the narrative of women not being treated well in the gaming community. I do not disagree that this is true, but this is just not evidence of it. Zoe started this it looks like. Someone interview her and Matthew Rappard and let the chips fall where they may. Am I wrong?

epistemology January 3, 2015 3:07 PM

GamerGate started when Zoe Quinn tried to blow up The Fine Young Capitalists’ Indiegogo game jam for women only because she said they were transphobic for requiring applicants to have identified as women before the start of the contest. She attacked first, and 4chan responded. TFYC’s Matthew Rappard claims (http://apgnation.com/archives/2014/09/09/6977/truth-gaming-interview-fine-young-capitalists) to have been doxxed and threatened BEFORE Sarkeesian or Zoe were. The media are too lazy to investigate as it would step on the narrative of women not being treated well in the gaming community. I do not disagree that this is true, but this is just not evidence of it. Zoe started this it looks like. Someone interview her and Matthew Rappard and let the chips fall where they may. Am I wrong?

But don’t believe me, I can’t even spell my name. Fixed.

TG January 3, 2015 3:39 PM

Might help people take Gamergater claims of “we don’t dox” a little more seriously if they didn’t have a Doxing school guide on the 8chan board they named /gamergate/ after they were kicked off 4chan for their boundless assholery.

Carlos January 3, 2015 3:49 PM

@holisterman
“Another nice Woman who was doxed and raided by 4chan /b/ and handled it all with epic grace.
https://encyclopediadramatica.se/Kimmy

yes kimmy! she is a legend in the chans, great girl and a real woman, even after leaked and all the crap she got from 4chan when doxed and raided she was chill and nice instead of becoming crazy bit@hes like some of these other feminist nut jobs. kim went to /b/ and showed anon who she was and chatted with the masses and gained respect. she is just an average wife and mother and no one talks about her story in the media but really a great lady, total respect for this girl.

Anonymyyy January 3, 2015 7:03 PM

@TG: Anyone can make a board on 8chan, 99% of the content on 8chan is not GG related. 8chan existed before Gamergate. You are falsely conflating the two. Also,bot Rebecca Watson and Devin Faraci, who are notably anti-gamergate, have said explicitly that they are OK with doxing, depending on the definition of the word. I have not seen any notable person in GG explicitly defend doxing (though it’s been done, it hasn’t been defended as “morally righteous”.)

Also, a fundamental problem with both sides is that anyone can do any rotten thing and then claim they are pro- or anti- gamergate. There’s strong evidence that third-party agitators have been doing this to both sides.

To bring it back to Schneier’s topic, doxing is used by everyone because it’s cheap and effective and is extremely amenable to being crowdsourced.

Sexist Pigs January 3, 2015 7:40 PM

Ya, I not surpised by the sexist pig on this blog. Kimmy was raped. Fact she is cool about being raped doedn’t make it less rape. The gaming commuity is all about demeaing, destroying women. It’s like the entire tech industry: sexist jerks. The fact is the boys can’t handle it when a girl stand up for herself so they do everything to shit on her. Wimps.

Punished Gamer January 3, 2015 8:24 PM

In 2014, several women were doxed by male gamers trying to intimidate them into keeping silent about sexism in computer games.

Mr. Schneier,

If you’ve based your opinions on the mainstream media coverage of this, then I probably can’t change your mind.

All I ask is that you take the time to a timeline of what happened to gamers during the latter half of last year, on Aug 28th in particular — the “Gamers are Dead” articles : http://wiki.gamergate.me/index.php?title=Timeline

What happened to gamers has more implications for the future of the internet. The web has not democratized the media, and gamers are the (happily still living) proof that there is no guarantee of free assembly anywhere on the web.

GSchultz January 3, 2015 9:57 PM

Response to being doxed:

1) Tell everyone that the information is false, made up. Nude pics leaked? Hey, you can do anything with Photoshop today! Embarrassing comments tied to your name? Someone stole my creds on that site!

2) Dox yourself by putting out false information as fast as you can: fake addresses, fake phone numbers, invalid cc numbers, etc. Dilute the real information as much as possible.

And then start a new set of on-line identities.

Thoughts?

Coyne Tibbets January 3, 2015 11:53 PM

@holisterman: “Another nice Woman [Kimmy] who was doxed and raided by 4chan /b/ and handled it all with epic grace.

@GSchultz: “Response to being doxed: […] And then start a new set of on-line identities.

In one sense, this is true enough: When an anti-social act is performed against a person, that person needs to take steps to get on with their lives. We could offer similar advice for other anti-social acts:

  • Robbed? Be cool about it, file insurance, buy new stuff, get on with your life.
  • Attempted murder: Be cool about it, hire a bodyguard, get on with your life.
  • House burned down by your angry neighbor? Be cool about it, build a new one that is fire resistant, get on with your life.

None of these things address the anti-social act; though I don’t meean to minimize the people who are heroes and get on with their lives (Kimmy).

But we’re considering the problems of one type of anti-social act and what response should be directed at the victimizers, so as to discourage/prevent such acts in the future.

Clive Robinson January 4, 2015 2:17 AM

!!! WARNING !!!

There are links given by some of the commenters above that have “explicit adult content” depending on where and who you work for clicking on the links could terminate your job and future prospects.

To those posting such links, please take a bit of responsability and say that the links contain explicit adult material in future, it’s polite to do so.

young neckbeard January 4, 2015 2:45 AM

I grew up hearing “never give people online your email address!” and now I’m looking at this blog, kind of appalled, and feeling kind of old.

You have to realize the the info most commonly released as “dox” is inherently public and that you not only have no reasonable expectation for it to ever be private, but that you have to post or link to to a sufficient portion of it in the first place for ANYONE to be able to find it without resorting to illegal methods that would get anyone “v&” faster than you can say “captain picard”. That’s right, you have to violate some decades old net safety rules on the common sense level of “don’t dress up as hitler and scream at a synagogue” to be doxed in the first place.

I’m not saying that harassment is okay, but doxing isn’t harassment. If it were, people would be harassing themselves every time they said “hi, I’m jane smith from new york and i work at scarfsnob’s coffee shop”. It’s what people do with any contact info – angry tweets, letters, free pizzas – that is wrong.

And not to be a jerk (read: being a jerk), but if you don’t want to deal with faceless jerks on the internet, you should probably adopt a more anonymous form of expression and avoid letting personal details and contact info slip. I’m not even very active anywhere but people have still scraped up a few snippets of contact info just to call me some nasty names or solicit weird furry-related adult chats. The internet puts you in direct contact with the entire planet, and that includes the bad people. You may expect them to be good people and liken bad things to really terrible crimes while talking about victim shaming, but they usually won’t be good people, and the victim shaming is there to encourage safe practices in the meantime while the whole of humanity figures out how to make bad people less bad. Be careful out there, not bold and entitled. Don’t link opinions you know are controversial to your real name if you are not ready to deal with backlash, and don’t put your contact info anywhere a socially inept nerd can find it, much like you would never, ever want to post your home address and photo on serialkillers.net.

Look, meatspace dwellers before the age of the internet either lived in abject fear of public ridicule and kept quiet about their controversial opinions or acted in total pride. The internet now allows you to do neither and just talk, granted you do not drag it into your real life.

We, as a people, seem to have forgotten this wall of common sense. And now a bunch of antisocial nerds are bringing back and reminding everyone why their parents were so concerned with net safety. Blessed are their rotten souls, huh?

Clive Robinson January 4, 2015 3:07 AM

@ Coyne Tibbets,

None of these things address the anti-social act; though I don’t meean to minimize the people who are heroes and get on with their lives (Kimmy). But we’re considering

Firstly there is the aspect of “get on with their lives”, whist some can many cannot and in all cases the way they live their life is changed irrevocably in thought, deed, cost and action. Ask any victim of crime this and if they trust you then yes they will tell you this.

The second problem is not specifically the anti-social act, but the lack of inhibitors which make people think it’s either OK or their won’t be any comeback on them.

Part of the problem is what the law does and does not regard as a private act, and what is and is not “in the public interest”.

For instance, let’s say you have a video of you at a party where you make the mistake of “singing” a song in a way that would make even the deaf wince.

If I got hold of the tape some how and posted it on the internet what law would I be breaking… the simple answer boils down to copyright in many western jurisdictions, because the actual act was at a party, where there were enough people to indicate no expectation of privacy. Depending on who argues the case and who listens, it has been argued that just making a record of an event by any means removes an expectation of privacy.

Some shall we say more enlightened cultures have privacy laws which raise the bar considerably on privacy rights.

However, they can in some cases be removed in cases where “public interest” can be argued, such as politicos or others –supposedly– voluntarily “in the public eye” do things that the public might have an interest in. Original this would have been where they said or did things “in private” significantly counter to the public image they present. However the press have watered this down to such an extent that even things that would be private like the illness of a public persons child is “open season” irrespective of if that child is in the public eye or not.

The worse sort of place for privacy is where there is “a right of free speech” people will for their own perverse reasons push it as far as they can to satisfy their needs. This is almost certainly not the reason that the framers of the constitution would have wanted, however in the US in particular you are stuck with the issue, unless you are sufficiently wealthy so as to abuse the legal system in another country (like the UK).

One problem with the internet is “where is the crime committed”, if I use the US “freedom of speech” to breach sombodies privacy and put it up on a US server have I committed a crime, because people in a country with strong privacy legislation can read it?

It’s sorting out these legal problems which needs to be done first if you are to stop the abuse to people inflicted by doxers.

Pinger January 4, 2015 5:42 AM

“In 2014, several women were doxed by male gamers trying to intimidate them into keeping silent about sexism in computer games.”

I’m not sure how gender factors into this. Would it have been more acceptable if the victims had been men?

(I see there’s been a lot of discussion of “Gamergate” in the comments already. For the record, I know next to nothing about the whole thing, and neither do I wish to. The above is a general question, not related to any specific “gates”.)

Kristine January 4, 2015 8:42 AM

@Sexist Pigs:

Kimmy was raped

From what I could gather, nude pictures of her were leaked. Let’s not trivialize rape by conflating it with violation of privacy.

It’s like the entire tech industry: sexist jerks

Hyperbole much? The entire tech industry? In all countries of earth?

@Carlos: Today I learned that women are only acceptable when they endear themselves to their abusers.

@young neckbeard: You sure spent a lot of text on victim blaming.

@Pinger:

I’m not sure how gender factors into this.

What’s wrong with mentioning the gender of the (female) victims when the context is sexism against women?

Would it have been more acceptable if the victims had been men?

No, of course not.

Sexist Pigs January 4, 2015 11:26 AM

@Kristine

The rape was the doxxing, not the leaking. Mental health is as important as physical health. Let’s not trivialize mental health by conflating it with rape.

“Hyperbole much? The entire tech industry? In all countries of earth?”

Yes, without exceptions. If you have exceptions you can post the evidence here. Marissa Mayer is not an exception, she’s the female version of an Uncle Tom.

Kristine January 4, 2015 12:20 PM

@Sexist Pigs:

Let’s not trivialize mental health by conflating it with rape.

My words exactly. It was doxxing, not rape.

Yes, without exceptions

Massive citation needed.

Clive Robinson January 4, 2015 12:56 PM

Readers of this Blog,

For the sake of sanity, can we please assume that when talking about discrimination over the sex of individuals or their chosen orientation, that it applies equally to all genders and orientations.

Likewise when talking about specific events the identification of gender or orientation pertains to that event not the mental outlook of the poster or general case unless specified as such.

Otherwise we are just going to bounce backwards and forwards wasting valuable time arguing about how someone perceived somebody elses probably innocent comment, rather than discussing the relevent issue of the page, which in this case is Doxing.

Also on a more general note can people stop using offensive or derogatory names to post by, it’s not a trait that is likely to get you treated sympathetically by other readers, and any valid points you may be trying to raise will probably get passed over or ignored.

Nick P January 4, 2015 1:07 PM

@ Sexist Pigs

I’ve talked to both victims of intrusion and rape victims. Also looked at empirical studies when I taught women self-defense. One’s pics being out there can make them feel embarrassed, violated, angry, etc. It’s a horrible feeling but he or she overcomes it same as most negative experiences. Rape, on the other hand, has that plus a physical aspect and extra intensity. Often leads to a PTSD-type response where the experience is cemented into the person’s mind so strongly that it might be activated months to years later by a sight, touch, etc even slightly similar to the experience. People get over embarrassing episodes sometimes in months. Rape victims can many take years to be able to remember or discuss the event without shivering and losing breath involuntarily.

The two are not even in the same ballpark in the effect on victims. So I agree with Kristine that it’s best not to trivialize the act. Even more, throwing the word rape around freely where it doesn’t apply is a hallmark of /b/ culture. So, you’re being inaccurate and more like the perps at the same time.

re tech industry

It’s mostly male dominated and sexist. Not entirely, though. There’s quite a few companies that pride themselves on diversity and judging each other on performance. Some examples. Two of those companies had women better paid and more satisfied than men. So, you’re way off again.

Nick P January 4, 2015 1:16 PM

@ Bruce

“And I believe this will change how we think about computing and the Internet.”

Makes for a catchy conclusion. I think it’s unlikely, though, as this is a side-effect of people putting tons of information in third parties’ hands and the benefits of that are too great for majority to change. More likely, this will add weight to the trend of companies forming with a stronger privacy focus that work for the user rather than snoops. Further, it would be wise for security professionals to learn about the art of doxing, keep active lists of the methods, and develop mitigation techniques.

The simplest is not putting your information in others’ hands and taking steps to reduce the damage from leaks of what you must share.

Sexists Pigs January 4, 2015 4:50 PM

@Nick P

See, you just don’t get it do you. This isn’t the case of one pics being out there! Did you even click through the link and read what happend to Kimmy? If your point is that not every case of doxxing a women is rape well oh hell yeah I agrees with you. That wasn’t my statement. My statement was that what happened to Kimmy was rape and what happened to her was a lot more involved than a few pics and a telephone number.

Rape is about power AND sex. It’s just crazy to say that a woman can be degraded, demeaned, publically humilated, and harrassed by hundreds of people because of her sex and HEY NO ONE LAID A HAND ON HER. Bullshit. It’s just sexist bullshit. What happened to Kimmy was rape by any sane defination of that word. If you think that rape is always physical well we will never see eye to eye.

Nick P January 4, 2015 5:28 PM

@ Sexist Pigs

I read the whole article. They attacked here in all kinds of horrific ways. Much more than merely publishing some nude pics or personal info online like the article is about. Conceivably, she could be traumatized about as much as a rape victim albeit in a different way. So, I read her statements and watched her actions to see if it had that “lasting and unwitting devastation at a subconscious level” effect rapes do. It didn’t. She even enjoyed talking to them, understood their motives, told them she didn’t like the leaks, occasionally did like their “twisted sense of humor,” and posed with birthday presents they sent her. She also indicated she had a stronger marriage that was largely unaffected and the two lived happily ever after.

This isn’t what you see with rape victims. So, you’re making good points about the mental damage that might be done. Yet, the evidence that you’ve brought me shows the opposite of your claim. As do most of them. It’s usually fleeting feelings that, in the moment, might be extremely strong and have superficial similarities. It’s not that leaks and troll attacks can’t mess up someone’s mind: rape, torture, near murder, and certain other things are just on their own level in effect on the mind and body. That’s all I’m arguing.

Good news for Kimmie is that she was clever, understood their mindset/motives, knew lashing out at them would result in worse, just shrugged it off instead, faced them personally, treated them (generously) like human beings, and (mindbogglingly) became an object of worship rather than a target of destruction. Some even apologized a bit. Wise way to handle capable online trolls if you can’t trace and prosecute them. The alternative, which we saw J-Law do after a minor leak, results in them hitting you with everything they have. One still has a choice to risk loosing it all for an abstract principle, put many resources into tracking anonymous leakers, do a compromise like Kimmie, ignore it altogether, or a combination. Just know and be ready for the consequences.

All that said, I think the people that attacked Kimmie deserve no less than five years in a prison where they’d be treated with the same morality. The attack was cruel, damaging, and could’ve been psychologically devastating to a lesser woman. Such attacks should be deterred with strong consequences. Anonymity complicates that, though…

moz January 4, 2015 7:24 PM

@Nick P
@Sexists Pigs

“rape”; the four letters you see; is just a label. It doesn’t mean anything in particular without context. The context here is normally English language on a blog and that means a dictionary:

unlawful sexual intercourse or any other sexual penetration of the vagina, anus, or mouth of another person, with or without force, by a sex organ, other body part, or foreign object, without the consent of the victim.

That definitely would not match Kimmy’s situation. Perhaps “sexual intimidation” would be a standard way? It’s okay if you want to use a different definition. Please just make it clear from the start that you want to do that. Give a reason (“it’s all a part of rape culture” or something) and help Nick and the rest of us understand what you are trying to say. Arguing about your different definitions of rape doesn’t advance anything unless you clearly explainwhat you are doing and why you think the definition of the word is important.

The only trouble with changing the meaning of words like this is that we will still need the original word. If you want to discuss “is physical rape worse than mental rape” with Nick P it will be easier if you just agree words you can both use.

N.B. In a legal situation “rape” can mean different things; in some locations it will include forced anal penetration; in others that is a separate offence. Teaching people to use the word “rape” for sexual intimidation is likely to lead to confusion up to and including having the wrong people go free or the wrong people get jailed.

Coyne Tibbets January 4, 2015 7:39 PM

@Clive Robinson: The worse sort of place for privacy is where there is “a right of free speech” people will for their own perverse reasons push it as far as they can to satisfy their needs. This is almost certainly not the reason that the framers of the constitution would have wanted, however in the US in particular you are stuck with the issue, unless you are sufficiently wealthy so as to abuse the legal system in another country (like the UK).

Yet, it has been established that your right of free speech is not unlimited: The canonical example is shouting fire in a crowded theater. Incitement is another exception.

So, something I haven’t done before: Why doxing, anyway? The short answer is that it is psychological abuse. Wikipedia defines that as:

Psychological abuse, also referred to as emotional abuse or mental abuse, is a form of abuse characterized by a person subjecting or exposing another to behavior that may result in psychological trauma, including anxiety, chronic depression, or post-traumatic stress disorder. Such abuse is often associated with situations of power imbalance, such as abusive relationships, bullying, and abuse in the workplace.

Rape and psychological abuse (while not equivalent in violence) both have similar effects for the aggressor: They enforce control on the victim that the aggressor cannot easily obtain by other means. In the case of doxing, for example, the victim is saying things that make the aggressor uncomfortable, but they have no valid counter argument. So they counter by doxing, by calling the victim names of the type that would fall afoul of Godwin’s law, by threatening rape or death, or even by carrying out a violent attack.

In all cases, the goal is the same, “Shut up or else I will _______ you!

Although we are still working out the details socially and legally, it is my opinion that such activities are not valid free speech; that we could legally define and punish these activities as the abuses they are.

This is why I suggested application of Godwin’s law: When someone resorts to such a tactic to silence one participant, all participants should be silenced equally by termination of the thread. This doesn’t correct the doxing, but it guarantees that the aggressor–and associates–cannot profit by it; moreover, it embarrasses (or should embarrass) the aggressor, who is now held up as the cause of everyone being silenced.

(It is worth pointing out that, as noted in the Godwin’s law article, a resort to this type of tactic is and should be an automatic vindication for the aggressor’s opponent. Because the aggressor just proved they have no valid counterargument.)

Figureitout January 4, 2015 10:43 PM

Sexist Pigs
–Sexism is not limited to one gender, get that thru your head first lest you be that which you’re against. I’ve been at clubs and had my backside slapped by a couple girls (the kind where you curl your fingers ‘up there’) while I was attempting to dance, it wasn’t welcome. Calling it rape is wrong too, stop trying to change a meaning of a word, it was an attack (likely skiddies running ‘sploits they can’t even read the code, let alone write it), on her computer and her phone and eventually her mind. You cannot rape someone by hacking a computer that can’t touch them, there needs to be physical penetration…If you want to call it something, call it “mental torture”; and let me assure there has been much worse attacks, some we’ve heard of, some not. Also rest assured there’s many honey pots out there and some people laying complicated traps for these people that attack the vulnerable and give them the justice the justice system won’t give them (ie an infected system and little reflected mental torture).

Next, I think the “Fappening” cringe has made it clear to those who are crawling out of a cave and just finding out that putting nude selfies you don’t want seen by others on an internet connected machine is a bad idea. There are many SMS->Internet and Internet->SMS systems too so a text might as well be public info unless you encrypt it (the picture externally). I don’t get it, if I was w/ a girl I loved, I wouldn’t want nude images texted to me. Once you’ve seen one you’ve seen them all pretty much. A friend of mine had like 20 dick pics (which she showed me…) and I asked her if she…yep she did. I chastised her but she probably did it again (she’s much better now I believe). And barely even a friend just showed me a random girl’s tits like “Pretty nice right dude?”. It’s willful “putting yourself out there”.

Anyway Rex Rollman’s right, “gamergate” is a cancer. I could only read so much about it before no. Unbelievably stupid.

Nick P January 4, 2015 10:45 PM

@ moz

I agree definitions are important. The one you gave is similar to what I’m using. Rape is physical with a mental component. It’s effects include both what the victim thinks & feels (physical + mental) in addition to hardwired physiological affects that can last years. “Mental rape” is a stretch: it’s psychological abuse. Unlike rape, psychological abuses effects are all over the place from very minor (stressed a few hours) to major (extreme trauma). Since it’s mental, the person receiving it can often reduce its effect based on how he or she thinks of it. Even simple things like cognitive therapy sometimes benefit people in these situations. Yet, with actual rape, it typically won’t because of that physiological effect that causes emotional memory to override rational brain and even freeze it up if intense enough.

What seems to cause the difference is a combination of these factors: immediate threat activating fight or flight response w/ associated chemicals; feeling of uncertainty as to harm and/or death; feeling of fear; lack of control; feeling violated; physical pain. The rape victim feels all of these at once and intensely*. The impact on certain parts of the brain amounts to an overload of all kinds of agony along with a burn-in affect that causes the feeling to repeat overtime regardless of what the person wants to think. Only time and work weaken it with most saying it never goes away entirely.

Not the same effect at all for most people doxed or trolled on the Internet. Similar feelings and stresses for sure. That it’s mostly in their head gives them a much better chance of controlling, managing, or even straight up overcoming it. The rape victim is typically not so lucky.

  • Except those raped while asleep. Their experience is still horrible, but different. Honestly, I haven’t studied it as much as I advised women to avoid such situations and maintain conscious control of themselves where possible.

Random832 January 5, 2015 7:38 AM

Thanks for the explanation. I’m aware of what it means. I’m just saying there are different degrees of doxing,

I think the key factor is the intent to harm you personally, which is very different from an intent to make money off of as many people as possible. Drawing a connection between doxxing and commercial data-mining just seems nonsensical to me.

Clive Robinson January 5, 2015 9:49 AM

@ Random832,

Drawing a connection between doxxing and commercial data-mining just seems nonsensical to me.

Oh that it were, step back to take a more distant view.

The problem with comercial data mining is it needs raw data, thus they think up ways to make users give it.

In many cases these companies don’t have the security to prevent others getting to the data, or they sell it on to others. They intern may not take the security precautions they should do, and likewise they repackage and sell it on again. Thus for a single service sign up the users personal identifying information could quickly end up on a hundred or so different servers.

But even in the very unlikely event all the data mining companies are carefull with the PII, they desensitize the user into handing over data, thus set them up for phishing and other social attacks.

So yes there is a significant if subtle connection between comercial data mining companies and doxing.

Further the fact that users get “cloud” stuffed down their throats by the likes of Apple effectivly lying to users about data storage. And as seen repeatedly with Apple they fail to have suitable security in place to protect data taken from a phone or pad that they then store in the cloud… and Apple have previous with shipping malware on their products that then gets into a users computer and weakens the security. Apple may blaim it on a “bad apple” in the supply chain, but at the end of the day it was Apple that contracted the work out without due diligence… Then there are the insufficiently vetted, controled and described apps in their store that ET –phone home– with your personal data to the app creator…

Obviously Apple are not alone in this there is Google with Android, Microsoft, Adobe, Oracle, etc etc, the list may not be endless but it sure feels like it.

Henry January 5, 2015 5:50 PM

@Random832, “I think the key factor is the intent to harm you personally, which is very different from an intent to make money off of as many people as possible. Drawing a connection between doxxing and commercial data-mining just seems nonsensical to me.”

That’s why I mentioned acceptable vs. non-acceptable, which I understand is determined by intent. Consider data-mining is the process of collecting & harvesting personal data. To further take targeted action (e.g. serve you a non-random piece of advert) based on identification is akin to dox’ing (by the ad-pusher).

Andrew_K January 6, 2015 5:43 AM

@ GSchultz — Thought on your doxing-reaction-strategy

It might work until the new account will have delivered enough contents to link it with the former online identity. I’m sure, Google and Facebook will also be able to link old and your new identities. And among them, others.
Why?
Google because they track you everywhere you go online. They literally see you change your identity. They see you abandon the old account and they see you create the new account. Because you probably use their captcha, because you use a gmail-account for validation, because they serve the banner ads on the sites.
Facebook because there is probably a small subset of the social network of the old alias you want to keep and thus share with the old account. And this continuity is easy to detect — not only by algorithms of the service provider but also by stalkers.

Oh, and I did not even touch content analysis. Whoever changes his online identity will probably not change interests, writing style, or online/offline-timing. I also did not mention dangerous mistakes, such as talking about the identity change to the wrong person. Even worse: Having close friends who are careless about it.

The underlying problems are well-known to those involved with witness protection (or other cases of changing identity from one day to another). You will have to replace literally any piece of technology that might give you away (best case: relocate, including change of ISP, leaving your old home abandoned with all IT in it). Worse than that: You will have to give up communication to your personal online community, at least for a rather long period.

Anyhow, I agree that thinning the personal information on the net is a good idea in most cases.

Best case: Be prepared. Have an alternate online identity that already is in the relevant networks, boards, etc. And which is not completely silent. Detecting a change of writing style and correlating it is much harder than detecting a change from no activity to high activity. Of course you should increase the activity of the shadow account slowly, but that’s still better than being cut off.
And yes, this sounds as if you can have whole agencies working on such tasks 😉

Heck, life nowerdays seems as if everyone must be prepared to live the life of an secret agent.

Summing up — no, it’s not that easy to recover from being doxed.
Not every family mother or father is ready to go through all this just because he or she did or said something that crossed an invisible line, probably in a state of less accountablility.

Probably what Kimmy did is the way to go, but it takes strength and self-control only few people I know seem to have.

@ Clive Robinson, All
Altough that AC warning might seem absurd to some, it was too late for me. Had a rather heated discussion on why I downloaded such files. No fun.

@ Nick P
I am much more pessimistic on what will result from the debate. People will stick to putting their private information on the net as long as companies will pay* them for doing it.

  • with money or other comforts

Random832 January 6, 2015 9:19 AM

To further take targeted action (e.g. serve you a non-random piece of advert) based on identification is akin to dox’ing (by the ad-pusher).

As someone else said in relation to a different word in a comment above: The only trouble with changing the meaning of words like this is that we will still need the original word.

What do you propose calling the malicious action of trying to destroy someone’s life by removing their anonymity, if “doxing” just means targeted advertising?

Clive Robinson January 6, 2015 11:36 AM

@ Andrew_K,

Altough that AC warning might seem absurd to some, it was too late for me. Had a rather heated discussion on why I downloaded such files. No fun.

I’m sorry, you got a grilling, the original link posters did not provide a warning which they realy should have done out of common courtesy. Especially as the link it’s self gave no warning, nor did the content of the discussion upto the point of the posts.

Due to a friend getting wrongfully sacked over AC download by a University in North Surrey UK (as the court later recognised, when your job is stopping the stuff coming in then occasionally you do get the stuff on the machines you use to do the unknown news group link checking…). I’ve been a bit paranoid about such things, so I use only my own smart phone for link following even from this site.

To some it appears over cautious, however, try explaining to a new employer that your previous employment was terminated because you accidently downloaded adult content, even if it was as part of your job…

But it can get worse, I actually know some one who is a competitive swimmer, and she was given an official written warning on company headed note paper signed by the HR director, over having a photo of her in a swimsuit being awarded a medal at a competition. The HR department letter said it was “offensive material” that could be “used to harass or offend other employees”…. she left the company fairly shortly there after claiming constructive dismissal and received an out of court settlement, and she now has the letter and the “offending” photo hanging in a double width frame on her wall.

And people wonder why I’ve little time for some types of HR persons…

Nick P January 6, 2015 12:44 PM

@ Andrew_K

I agree with you. It’s why I try to convince people to use services that respect privacy either in nature of company’s operations (WhatsApp) or by design (TextSecure). Privacy-centered services used to be relatively expensive to users. Relative to free. The newer services (eg MyKolab, SpiderOak) are very affordable. The mobile chat apps like Threema and WhatsApp are priced so low it’s almost a ripoff to the firms backing them. Now, even people concerned about price have no excuse for not switching to a private alternative for at least some services.

Yet, the market continues dumping practically their whole life into the hands of companies with financial incentive to sell them out. They also refuse to learn about how to keep stuff private on their systems. They also put private shit on Internet connected systems and apps despite tons of leaks being in the media. I have less pity for those affected every day. They’re making it as easy for attackers as possible.

Henry January 7, 2015 3:35 AM

@ Random832, “if “doxing” just means targeted advertising?”

We could call it ‘violation of privacy’ or ‘publishing personal data without consent’ ? I don’t think I said targeted advertising is dox’ing. The phrase I used was ‘akin to,’ but I could’ve been too sleepy to think about that phrase. My point was of dox’ing is just one of the many techniques used in ‘targeted advertising,’ while someone else also suggested vice versa holds true.

I don’t oppose your using the word the way you did.

Gibby January 9, 2015 1:09 PM

several women were doxed by male gamers trying to intimidate them into keeping silent about sexism in computer games

Bruce, you really should act more like a journalist and research this rather than parroting this tripe. You are better than this (well, I thought you were).

Sara January 21, 2015 10:53 AM

Kim is a very nice and intelligent woman. She handled herself through a very horrible situation gracefully with great patience and calculation. Many do not know but she has made herself available to several young women now who have found themselves in similar situations, I one of them. She is intelligent, patient, kind and very helpful in dealing with the emotions, the chaos and the stress this causes in your life. If anyone finds themselves in a situation like this I suggest you chat with her. If anything to better understand what to expect, how to deal with things, how to respond and reply without lashing out making things worse or how to deal with family and friends. She can be easily found and does reply.

Leave a comment

Login

Allowed HTML <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre> Markdown Extra syntax via https://michelf.ca/projects/php-markdown/extra/

Sidebar photo of Bruce Schneier by Joe MacInnis.