How to protect yourself from doxxing

Joe Hootman
14 min read · Feb 16, 2019


Living in an age that is re-embracing mass shaming

This never really goes away…

The sweet, but naive, view of history clings to the rainbows-and-puppies hope of moral arcs bending and of people getting better and better and better. Somehow, we tell ourselves, we’ve evolved beyond the innate evil that lies deep within each human heart and history has only one direction: forward. The Salem witch trials were just nightmarish lore of a darker past. Puritanical stocks and taunts were just temporary blemishes on our otherwise bright and shining march into the sunlight of progress.

Hester Prynne, bearing both the Scarlet Letter and her babe, stands downcast before the stocks

Yet, if the twenty-first century internet has taught us anything, it is that mass shaming never really went away with the stocks. It merely vanished underground and bided its time until now, when, with the right technology, it can gush forth like Old Faithful.

The internet has done much good, yet also fed many pathologies, the chief of which is the geyser of public shaming that it spews forth. Some of that energy looks like society’s natural immune system kicking in (see Nazis, Charlottesville), but other cases look more like a self-destructive turn toward an autoimmune disease, sweeping up do-gooding victims with a goofy sense of humor like Lindsey Stone or someone suffering the wrath of an angry ex, like Helen Andrews.

China’s near-totalitarian regime has deployed high-tech public shaming to create an Orwellian culture where Big Brother is always watching, even when you cross the street. In Xiangyang:

[T]he police put up cameras [near a major intersection] linked to facial recognition technology and a big, outdoor screen. Photos of [jaywalkers] were displayed alongside their names and government I.D. numbers.…“If you are captured by the system and you don’t see it, your neighbors or colleagues will, and they will gossip about it,” [Guan Yue] said. “That’s too embarrassing for people to take.”

The Jumbotron of Shame in Xiangyang. Photo: Gilles Sabrié for The New York Times

Doxxing: The match to the woodpile

The practice of doxxing, or digging up and broadcasting personally-identifiable information about a person, sparks the bonfire of public shaming by giving tormenters the matches they need. With PII, they can target harassment campaigns intended to reduce the victim’s relationships with her job, family, and friends into piles of smouldering ash. As Jack Dorsey, CEO of Twitter, admitted within the context of an interview that tackled doxxing, there is a link between it and “real life danger to people.” Reflecting on the use of Reddit to doxx the wrong suspect in the Boston Marathon bombing, its General Manager characterized the platform as “fuel[ing] online witch hunts.”

“I’m really, really sorry about that last Tweet, y’all…”

If you’re active in public business, political, or entertainment life, you probably face the very real threat of being doxxed for something you may or may not have said. What can you do to avoid the digital woodpiles of New Salem?

Fay Archip and A. J. Butt are skilled Austin sysadmins / security pros who schooled attendees in some preventative steps they could take at the February 2019 meetup of the Electronic Frontier Foundation-Austin. Here is some of the practical advice they offered. (Any omissions or mischaracterizations are my fault, and corrections are appreciated. Reporting is largely from their presentations, but I bear responsibility for its editing and for my contemplation alone.)

Authentication

The most important step you can take is to secure the authentication you use to log in to your social, financial, and email accounts. Authentication is the process by which you prove that you are the legitimate owner of the account. In most cases you authenticate yourself by knowing a username and password, which more than likely have already been exposed in a breach and are freely available on the web. Here are some steps, in order of power, to take back your authentication from the doxxer working diligently to crack it.

Multi-Factor Authentication

To secure your authentication, the most powerful step you can take is to enable Multi-Factor Authentication (a/k/a MFA, or its common variant 2FA, two-factor authentication). MFA is built around the concept that you authenticate your identity with something you know and something you have. You know your username and password, but, without exaggeration, it is quite easy for someone who doesn’t like you to learn them quickly. So you supplement them with another verification method that you keep on your person.

MFA is like accessing a prohibition-era speakeasy. You know the secret knock pattern to prove you should have access, but the bouncer still needs to slide open the panel to see your face (something you have) to prove that you are who you claim to be.

Multi-Factor Authentication in action

Most of your key accounts will provide you an MFA bouncer of your very own, just for the asking. If someone cracks your username and password, your bouncer will still be working 24/7 to make sure that you alone hold the keys to your kingdoms.

Your bouncer will add one small step at the end of your login to enter a unique security code sent by a text message or generated by an app (try Duo or Authy) on your phone. You can put your bouncer to work instantly for your accounts with Google, Microsoft, Facebook, and Twitter.

Upgrade your passwording

Still using your pet’s name as your password for every single account you own?

© Bizzaro Comics: tip jar

Ninety-one percent (!!) of people choose a password that is found on the list of the 1,000 most commonly used passwords, including “Rover” and “Fluffy”. If you’re not using MFA, any doxxer with some tech savvy will be able to crack your authentication rapidly. The good news is that you can choose to join the elite 9% with two simple steps.

First, arm your critical accounts with strong passwords. For better or worse, the crucial element here is length. Each additional character you add shields your password from brute force attempts by a computer to guess it over and over and over. But don’t freak out about trying to remember, let alone correctly type, something like this several times a week:

$^CCk6XF5#tRt83Rq5!!m0nBHV3Qh0%T

Fay pointed to xkcd, which offers an easy-to-remember way to use a long password: a simple combination of four random words, typed out in their entirety. It hacks your visual memory to make the password much simpler to remember than you’d think. Check it out.

That’s not so hard, after all, is it?

Second, use a password manager to generate different passwords for each account. Do not rely on the same password (even the xkcd-generated one) for each of your accounts. Let a password manager do the work of generating and remembering unique entries for each of them. LastPass is the prime contender, and updated mobile operating systems (iOS, Android) now integrate third-party password managers for use in all your apps to remove one more layer of friction.
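As an added illustration (not from the original post), the check below scores a password the way this section reasons: a small constructed stand-in for the 1,000-most-common list, a brute-force estimate that grows with every character of length, and an xkcd-style four-random-word passphrase generator. The 7,776-word list size, the sample words and the guessing rate are assumptions.

```python
import math
import secrets

# Constructed stand-in for the "1,000 most common passwords" list the text cites.
COMMON_PASSWORDS = {"123456", "password", "qwerty", "rover", "fluffy", "letmein", "iloveyou"}

# Constructed mini word list; a real generator draws from a published list of a few
# thousand words (7,776 for a diceware-style list, an assumption used below).
SAMPLE_WORDS = ["correct", "horse", "battery", "staple", "cobbler", "geyser", "tiki", "kindling"]


def charset_size(pw: str) -> int:
    """Size of the alphabet a brute-force attacker must cover for this password."""
    size = 0
    if any(c.islower() for c in pw): size += 26
    if any(c.isupper() for c in pw): size += 26
    if any(c.isdigit() for c in pw): size += 10
    if any(not c.isalnum() for c in pw): size += 33  # printable ASCII punctuation
    return size


def brute_force_bits(pw: str) -> float:
    """Bits of search space: each extra character multiplies the work by the charset size."""
    return len(pw) * math.log2(charset_size(pw))


def passphrase_bits(n_words: int, wordlist_size: int) -> float:
    """Bits for n words chosen uniformly at random from a list (the xkcd method)."""
    return n_words * math.log2(wordlist_size)


def years_to_exhaust(bits: float, guesses_per_second: float = 1e10) -> float:
    """Worst-case time to try the whole space at an assumed offline guessing rate."""
    return 2 ** bits / guesses_per_second / (365 * 24 * 3600)


def check_password(pw: str, common=COMMON_PASSWORDS) -> str:
    """'common' (on the list, so guessed first regardless of length), 'short', or 'ok'."""
    if pw.lower() in common:
        return "common"
    if len(pw) < 12:
        return "short"
    return "ok"


def generate_passphrase(words=SAMPLE_WORDS, n_words: int = 4) -> str:
    """Four random words, joined: long and memorable, drawn with a CSPRNG, not random.choice."""
    return " ".join(secrets.choice(words) for _ in range(n_words))
```

Running years_to_exhaust on the two estimates shows the caveat: the 32-character string above sits far beyond any feasible search, while a four-word phrase from a 7,776-word list falls within days at an assumed ten billion offline guesses per second, which is why the passphrase buys you memorability and MFA plus no reuse must cover the rest.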

If you only have time to secure a few accounts, secure the email accounts you’ve used to register for other accounts. Not only are they the holy grail for a doxxer mining your personal information, but gaining access to them allows her to get into your other accounts by resetting your passwords (thereby locking you out as well).

Know your OSINT vulnerabilities

Your largest threat vector for doxxing lies not in some secret database, but in the variety of public tools and governmental sources which publish information about you for anyone who wants it. This is referred to as OSINT (Open Source INTelligence), and you’d be surprised at how much of it is exposed. Getting a handle on everything out there is your first step.

If you’re sharp enough to know privacy is something to pay attention to, you’ve probably already tweaked your social account settings to keep them close to the chest. But you would be surprised how many folks leave their accounts unlocked and open for the public to waltz through at any moment. Start with Google or direct searches on the social service itself. Once you’ve got a username, you can quickly establish probable linkage to other social accounts by checking to see if the same name is in use on Namech_k.com.

Public records are also an Everglades-like biosphere of diverse and interesting information. In Texas, for example, you can search for anyone who has filed an LLC or registered as an athlete agent, a notary public, or a debt collector, all from the convenience of the Secretary of State’s homepage. County appraisal districts offer a quick path to match a particular home address with a name. Work for a state or local government? Your salary is probably a matter of public record. Fun fact: in Texas, the three highest paid public officials do not include the Governor, but are athletic coaches for two of our flagship universities.

Shaka Smart: “You‘re gonna pay me how much ?!?!?!?”

Several sources have already done your future doxxer the favor of cobbling together as much OSINT as they can. Find out what they’d get their hands on by looking it up yourself first. Got enough chump change between the couch cushions to see what a future employer might see on a consolidated report? Try Intelius. Want a free deep dive into a frighteningly large web of all your potential vulnerabilities? Visit the OSINT Framework.

If you’ve got the buckage and the time to understand how a real professional might quickly doxx you, consider Maltego. But note that it’s a tool for the sharp knives with the time and dedication to handle its steep learning curve. Professional journalists and private investigators may invest the time to learn it, but they only really want to locate you, and aren’t as interested in tracking down your indiscreet photos. For that, you’ve only got to worry about tabloids or the revenge-motivated stalker.

But if your bank account is on the lean side, A. J. noted that his favorite sources are freely available on GitHub. For instance, if you’re comfortable with APIs and Python 3, check out the Harvester. If you work on Linux (particularly the Kali distro) or know someone who does, try out tools like Skiptracer and Namechk.sh, and be prepared to pick your jaw up off the floor.

Practicing the best OSINT hygiene you can

Though you may feel yourself falling into complete despair over the breadth of OSINT, there are a few practical things you can do to limit the OSINT available about you.

Your digital fingerprint doesn’t have to be everywhere.
  • Register any domain name or public entity (like LLCs) with a proxy or a shell snailmail forwarding service.
  • Register multiple email accounts and use different ones for different social accounts. “Google is great for your privacy,” offered A. J. “For everyone else besides themselves, that is.” He recommended anything-but-Yahoo! and ProtonMail.
  • All your social accounts register to the same email and/or username? Register them under different email addresses. If you need a unified inbox view across all your mail accounts, use an email client that handles multiple accounts.
  • One attendee suggested that if you were looking to buy a home, you should avoid buying it personally, but through a generically-named trust.
  • Close old, unused social accounts.
  • Do some social housekeeping and delete posts that are older than your dog.
  • Don’t post pictures that provide risky location matches in your social accounts. “Hey, I just bought this new house!” “Hey, we’re off on vacation for two weeks!” “Hey, here’s today’s latte from the coffee shop I visit every morning at 8am!”
  • If your team needs to communicate privately in strict confidence that it can’t be tied to OSINT, consider working with The Operator Foundation to create an airtight-as-it-gets bespoke messaging solution particular to your team, and your team alone. If that’s not within your budget, you can consider working with secure public messaging tools like Keybase.
  • If you’re working in a public-facing role or just genuinely intrigued, consider diving deeper. Check out Michael Bazzell’s book Hiding from the Internet and his free .pdf workbook packed with a treasure trove of resources. Journalist Elliot Higgins operates the keen globally-focused site bellingcat, which will astound you with the depth of OSINT information available from foreign sources. The EFF-Austin site also collects some helpful resources.

If this brief exposure to how doxxers might use OSINT horrifies you, know that, like almost any tool, it can also be redeemed as a force for good. Tracelabs, for instance, is an effort to crowdsource OSINT to aid police in the search for missing persons.

Level up your mom

Tried-and-true social engineering is one of the best ways to verify or stitch together disparate identities. A. J. played out a scenario where a doxxer might call his mother, anteing up enough credible information to make a can’t-refuse enticement to reveal more.

“Hi, this is David Doxx. I’m one of A.J.’s friends who used to work with him back at that ShipMeBarbeque startup out of Capital Factory. I’ve moved on to Indeed and we’re hiring for a position that’s a great fit for him. I want to get him on the inside track to land it, but I can’t reach him and don’t have his current contact information. Could you {verify for/tell} me where he’s currently living and how I can reach him by email?”

She makes a wicked blackberry cobbler and a prime threat vector.

How could any decent mother refuse to help her son, particularly if it’s an offer of gainful employment? You need to intervene long before she rushes over to her refrigerator for that 3" x 5" index card which has your personally-identifiable information (PII) printed in neat cursive. Teach your family and friends that they should never give out your PII to anyone, but instead offer to pass the inquirer’s name and contact information along to you.

If remotely possible, you should also invest your time to work with friends and family to adopt practices from this article. In addition to being a loving thing to do for them, they also hold the keys to pathways to your information which a hungry doxxer can exploit. If she hacks your mother’s accounts, she can find your email address and account names, allowing her to send you a pretty convincing message that looks and sounds just like your mom to get you to cough up more information. In the new era of public shaming, security is a social, not merely an individual, responsibility.

Can you already hear the rattling of the shame-mob’s pitchforks?

Maybe you’ve done your very best to secure your privacy, but someone has whipped a mob into a fever pitch over something you probably shouldn’t have texted or Tweeted at 3am this morning. Both A. J.’s advice and that of unfortunate victims is the same: if it’s annoying, do your best to ignore it, as your attention is the kerosene that fuels the shame-mob’s citronella tiki torches. However, if it’s a physical threat to you or any kind of threat to members of your family, report it to law enforcement immediately.

You can block Twitter troll armies en masse with tools like the Chrome plugin Twitter Block Chain, or by relying on benevolent tweeps who have compiled public block lists.

If you yearn for solace in your suffering, pick up a copy of Jon Ronson’s So You’ve Been Publicly Shamed to read stories and wisdom from others who have endured the same and yet lived to tell about it.

Judging You Judging Me

If you are an individually-expressive Westerner, you may feel set back upon your heels by the re-emergence of a public shame culture buttressed by angry doxxers. It’s as if someone has vacuumed up all your privacy and left everything you say and do as fodder for others to pass judgment upon.

Andy Crouch wrote an excellent piece noting that the internet has produced a version of shame much different from earlier honor-shame cultures in both the West and East. Rather than building up “face” through the routine practice of honor and duty toward the culture’s norms, it has amplified instead contemporary notions of celebrity and fame. Not only does the hipster internally shame you for your trashy plastic bags, but his innate desire to be a Good Person is rewarded by letting as many people as he can know that he is shaming you.

Doxxers can come in all shapes and sizes, with many different motivations for wanting to hurt you. But often, an internet-driven hunger for moral celebrity is the reinforcement the doxxer yearns for as she piles dry kindling around your feet. She will be the one known for taking you down, and her sense of virtue will be reinforced with each like and retweet from members of her tribe.

In “Law, Like Love,” the poet W. H. Auden points to the external, given reality of the law, just like the rays of the sun or the wisdom of the aged or the words of the priest. But he notes that the harder a culture struggles against living in harmony with the very fabric of the universe itself, the more it fuels the furious contention of mobs. They now need to self-discover and defend their morality by use of force, searching for scapegoats who illuminate their moral quest as a shameful inverse shadow.

And always the loud angry crowd,
Very angry and very loud,
Law is We,
And always the soft idiot softly Me.

Doxxing is unlikely to vanish any time soon, but there are practical steps you can take to shield yourself. As Fay and A. J. taught us, you can enable MFA, upgrade your passwording, learn your OSINT vulnerabilities, and work to inoculate friends and family against social engineering. But you cannot shield yourself from others’ anger, a fact which makes each of us feel exposed and vulnerable in a socially-defined, shame-driven battle for Right and Wrong. For we all transgress. We all fall down. We all cultivate perennial regrets.

Examining the law’s dark revelations about those truths within each of us individually might be our only step toward peace. For we all burn with a latent hunger for grace and a new chance to live at peace again.

Perhaps that grace can be found? Perhaps our lives can be freed for a less rigid, yet more harmonious, purpose: love.

Instead of anxiously struggling to reinforce our Rightness before others, in the humility of forgiveness, we could seek instead to learn to know others well, to carry part of their burdens, to share in their joys and sorrows. In short, to love them as imperfectly as we can. As Auden contrasts it with the law:

Like love we don’t know where or why,
Like love we can’t compel or fly,
Like love we often weep,
Like love we seldom keep.

Perhaps our hearts could be transformed by grace to even love imperfectly those who would seek to doxx us.
