In the Future, Everyone Will Be Doxed for 15 Minutes
Long before the Internet of Things, Web 2.0, or a dozen other buzzwords we’ve already forgotten, Peter Steiner created a New Yorker cartoon that was captioned, “On the internet, nobody knows you’re a dog.” Steiner’s joke had been around for about a decade by the time the blogosphere appeared in 2000, but it took on new life with the spread of blogging. If they could write well, anonymous voices could be given equal footing alongside famous experts. The internet would be a massive leveling force for greater democracy and social responsibility.
Or so the theory went.
Some twenty-three years after Steiner’s cartoon, others online can not only find out if you’re a dog, they can tell people where your doghouse is and send the dogcatcher after you. (Dogs have no business posting online, right?) The erosion of the anonymous and pseudo-anonymous internet is due in large part to Facebook, location-based services, and the ubiquity of smartphones. We have paid for “free services” with our privacy, and so most of our previously private information is out there for the rest of the internet to see. But even information that isn’t out there — the stuff we think is hidden — is vulnerable to an attack called doxing.
“Doxing” is internet slang most Americans are unfamiliar with, but together with internet shaming, it represents one of the greatest threats to online privacy and democracy coming from nonstate actors. The exact method of doxing varies, but the core element of doxing is to move online disputes offline, to invite verbal and even physical harassment of your online target. Associates and families are considered fair game. In China, for instance, the families of dissidents, celebrities, and accused criminals have been subject to dox attacks by netizens. Doxers may self-identify as social justice warriors, vigilantes, or hackers, but most doxers are simply internet trolls who abuse others for the fun of it.
Proponents of doxing claim that it ensures speech has consequences or that it can allow a journalist to “speak truth to power” by revealing hidden hands and conspiracies. However, the information exposed in doxing is often hard to verify, and a doxer is likely to target innocent people with the same name as the intended victim. When a group claiming to be inspired by the hacker collective Anonymous posted the alleged membership records of the Ku Klux Klan, the list of names included highly improbable KKK members like minorities and gay politicians. In a recent controversy in Beijing over allowing more minority students into Beijing universities, netizens doxed the students’ parents. More commonly, doxing is used to get people fired or to pressure them to leave a position, especially when paired with a shaming campaign, such as the one that targeted Justine Sacco for making a tasteless joke on Twitter.
Doxing was central to the so-called “GamerGate” controversy in 2014, remains a favorite tool of Anonymous, and has figured prominently in the 2016 presidential campaign. Many of the GamerGate trolls allegedly went on to support the Trump and Sanders campaigns, and even if there’s no direct overlap between the three groups, the tactics are the same, with Trump and Sanders critics reportedly receiving dox-fueled threats of racial and sexual violence. While Senator Sanders has remained above the fray, Donald Trump doxed another candidate personally by handing out Senator Lindsey Graham’s personal cell phone number on live TV. No matter who uses the tactic, doxing makes the internet — and public life — a more dangerous place.
One might ask, is the election the reason why I’m paying so much attention to the subject of doxing?
No, I’m writing about doxing because last month someone doxed me.
The first email I received in May was bizarre, but it set the tone for a month of stress. With the subject line “Request for comment re: English teachers in China,” the email went:
We are a newsmagazine researching an article on English teachers in China. We have recently discovered that you are active on a forum “ccj2” and wanted to understand why you endorse the following:
1. Sexual assault of your female students
2. Subverting the Chinese government
3. Referring to Chinese children with racial epithets while you are their teacher
4. Encouraging foreigners in China to subvert Chinese law as it relates to capital controls
We will be publishing a Chinese and English-language version of this article within the next few months and look forward to your reply. Advance copies of our article and supporting documentation have been sent to members of the education, tax, and public security departments of Tianjin municipality and your employer.
Richard (a pseudonym)
The first question you ask yourself after receiving an email like this is simply, “Who?” Who would write this sort of thing and make these kinds of threats? Do I have any enemies? And what is CCJ2?
I looked up Richard’s email address and it seemed to be a ghost Gmail account created for the sake of harassing me. In any case, “Richard” was certainly not a journalist, so I reported him to Google for Gmail abuse. (I also decided this was a good time to kill my Google Plus profile once and for all.) I never replied to the email.
I soon learned that CCJ2 was a Reddit forum — what Reddit users call a “subreddit” — for expats in Asia called “China Circle Jerk 2.” I’ve never been a Reddit user because the noise (read: trolling) to signal ratio is too great, though I acknowledge how many stories and memes shared on Facebook get their start on Reddit.
As I read through it I quickly decided CCJ2 was not my cup of tea. It reminded me of a drama-prone LiveJournal group from the early 2000s — the same dumb jokes, the same vaguely racist language, pretend or otherwise. In any case, I couldn’t find my name anywhere on Reddit, not in CCJ2 nor the China subreddit. Reddit had nothing to do with me and I had nothing to do with it.
A few days later I received another email. The subject was “Global Times” and it read:
We will be shortly publishing our article on you in the Global Times and Beijing Youth Daily and would like to inquire as to your following beliefs:
1. Why do you believe Chinese people should be targeted with racially-incited violence while traveling abroad?
2. Why do you sexually harass your students?
3. Why do you want to stay in China if you hate Chinese people?
Notice the shift in Richard’s supposed background here and his new allegations against me. By now I had decided he was a native English speaker or a Chinese who had lived abroad for a long time, but I couldn’t tell whether he knew me or not.
I continued to ignore Richard and reported him to Google — again. Moreover, just for peace of mind, I got in touch with friends currently and formerly at the Global Times and asked if Richard sounded like anyone working for them. They shot that down right away but promised they’d help me out if anyone came to them shopping a story about racist foreign teachers on Reddit and/or throwing my name around.
As one might expect, Richard was starting to get on my nerves. But so was Google. Google’s abuse reporting system has no confirmation and minimal follow-up. (To this day Google has never contacted me about Richard’s harassment.) Even recommended steps like examining my harasser’s email headers proved to be useless. While some other email services allow you to look up a harasser’s IP address in email headers, Google will only tell you the IP address of Gmail itself.
How … thoughtful?
One week later, the story took a new and more serious turn. Two of my supervisors called me in and said that my company’s corporate headquarters received an email from a self-identified “journalist” who said that I was a racist and that he was going to write about me in a newspaper article. This email was written directly to top managers of my company and addressed them by name. It arrived in the middle of May, about a week before I got the first email.
[names redacted] -
I write for an international newsmagazine, and we are currently composing an article on English teachers in China.
While researching this article, I came across a forum where English teachers congregate (https://www.reddit.com/r/ccj2/) and I was shocked by the level of racism on display.
It seems one of the key posters within that site, “[user name redacted]”, is actually Matthew Stinson, a veteran teacher with [company name redacted].
In his online writing, Stinson is a horrific racist and seems to genuinely hate Chinese people. He regularly calls Chinese “nongs” (like calling black people “niggers”) and Chinese women “rainies”, and brags about sleeping with his students. I have attached screenshots of his writings.
We are prepared to finish the article, and the article will focus on Stinson and a few other teachers.
Our article will be published next month. We have not contacted Stinson over this article yet, but want [company name redacted] to clarify your relationship with him. On Stinson’s LinkedIn, he says he is a “[position redacted]” for [company name redacted]. Does your firm intend to take any action regarding Mr. Stinson in the near future?
Richard (a pseudonym)
I explained to my supervisors that my harasser had also sent me two emails and that I had chosen to ignore him rather than engage. The school made a promise to stand by me, and they understood rather easily that Richard wasn’t a journalist. What kind of journalists won’t name their publication and use pseudonyms to interview people?
From this point forward I’m going to refer to the Reddit user I was accused of being as “Mr. X.” The school didn’t believe that Mr. X was me for a number of reasons, not the least of which was that his stories on CCJ2 didn’t match up with my life. The puzzle for us was still: “Who?” Was it an angry student? No, the writing was too good for an ESL student. Was it an angry coworker? I doubt it.
In fact, doxing attacks from angry customers and former coworkers have become par for the course in China. A former supervisor familiar with my situation told me that he was also doxed by anonymous emails to our corporate headquarters. One Chinese friend I talked to mentioned that her company fired a worker about five years ago and he reacted by smearing the name of every manager online and selling the company contact list to telemarketers and email spammers. Even to this day, my friend’s coworkers get telemarketer phone calls because of that former employee. Similarly, online and real-life friends in charge of some of the biggest expat websites in China have told me that doxing and impersonation attacks happen to them all the time.
Perhaps Richard never expected my employer to send me a copy of the email, but that letter to my employers contained a lot of useful information he had left out of the emails he sent to me. Most notably, I learned that he attached a dozen different screenshots of Reddit with my name appearing in a label next to Mr. X’s username. Here’s one of the screenshots, which Richard named “stinson racism 5.PNG.” Note that I’ve obscured Mr. X’s username.
Now, I wasn’t very familiar with Reddit but one thing I did know from reading about earlier efforts to clean up Reddit racism was that the service was anonymous. Richard was probably counting on my employer’s lack of familiarity with the site to get me fired. Notice that this post hardly qualifies as “racist.” (It is bad poetry, though.) I still wondered about the labels. Were they public? Could I find a Reddit user sporting my name next to his username?
Contacting Reddit’s tech support is slightly tricky if you’re not actually a Reddit user, but I asked about the labels and they got back to me promptly:
Jun 3, 11:34 PDT
The label appears to be a user flair that is only visible on their own side. There’s an extension called “RES” that allows users to do so.
Jun 3, 16:44 PDT
Hi, is there any way to know which user was using the RES extension in this case?
Was it the user shown in the graphics, [redacted], or was it some other user? I assume if some other user then no action can be taken.
Jun 4, 18:54 PDT
It would’ve been the user who posted the screenshots.
So there I had it. My harasser was almost certainly a Reddit user — but it would be like looking for a needle in a haystack to find him! At the same time, I was now sure that he didn’t seem to know me at all. I decided to rule out students or coworkers. His entire dox attack was based on leveraging my employer’s ignorance of Reddit and passing off Mr. X’s writing as my own. None of my actual writing (and there’s quite a bit of it on Twitter, Medium, and elsewhere) got mentioned.
But wait, Richard DID talk about my LinkedIn account, didn’t he?
LinkedIn is the social network that everyone has signed up for but almost nobody uses. I’m no exception to that rule. Because few of us actually use LinkedIn day-in and day-out, we probably don’t pay attention to the way privacy works there. By default LinkedIn allows you to know who viewed your profile in the last few days. Upgrade to a “Premium Account” and you can look back 90 days. I knew that my harasser had actually browsed my LinkedIn account to find my job title, so I tried the free upgrade to a Premium Account and tried to hunt down my harasser that way.
It turns out LinkedIn won’t let you do that.
You see, privacy on LinkedIn is backwards from how it is on Twitter and elsewhere. You can anonymously browse others’ profiles and get information for doxing purposes but users cannot block anonymous browsing. LinkedIn explains that anonymous browsing is for the benefit of recruiters. In fairness, you can block a specific LinkedIn user but you need to know their name. Thus, bypassing LinkedIn’s only privacy safeguard is as easy as making a fake LinkedIn profile. If you suffer anonymous abuse, your only recourse is to delete your LinkedIn profile or make it so thin as to make LinkedIn useless.
All I learned from upgrading to a Premium Account was that I had a number of anonymous LinkedIn profile viewers, including one viewer who was listed as “Journalist at Self-Employed.” Was that Richard?
When I brought this issue to the attention of LinkedIn they asked me for my harasser’s name and email address. My response was to delete my LinkedIn account. They really don’t understand how doxing or harassment works, do they?
Since LinkedIn didn’t pan out, I turned my focus to Mr. X himself. (Herself?) From my Reddit research I knew that he was a mod (moderator) on the China subreddit and a frequent poster on a number of Asian subreddits as well as the aforementioned CCJ2. Was he my doxer? That made no sense. But did he have enemies? All mods have enemies.
A quick Google search uncovered a nest of websites attacking Mr. X’s character as a mod and accusing him of being an “illegal ESL recruiter.” These posts range from long and ranty to short and ranty. They all pretty much look the same and make impossible claims like “He sent me recruiter emails just after I joined Reddit.” Like my harasser, the writer of these attacks on Mr. X relied on leveraging ignorance about how Reddit worked. And these posts started just a month before my doxing. The timing fit.
A couple trips to The Beijinger led me to believe that the posts attacking Mr. X were the work of a scam outfit by a wanted scammer and bona fide internet wacko named Bruce Dimarco. But Bruce and company were a bit long in the tooth to be going after me. And besides, I’d only just heard of the guy yesterday. The only thing that kept Bruce et al. under my magnifying glass was that Richard’s email address sounded like one of Bruce’s aliases. Still, the language was wrong.
My research eventually brought me back to Reddit, where I looked for users who had recently had negative interactions with Mr. X, especially people who had been banned. That’s when I came across a comment by a user named chilltenor which had almost the same language about CCJ2 as the email to my employer.
Here’s chilltenor on Reddit:
Oh there’s plenty wrong with ccj2, a sub that calls Chinese women “rainies”, Chinese people niggers “nongs”, and Chinese children niglets “nonglets”, and implicitly endorses axe murdering, anally raping, and burning to death people because they are Chinese.
And here’s the email that my corporate managers received:
In his online writing, Stinson is a horrific racist and seems to genuinely hate Chinese people. He regularly calls Chinese “nongs” (like calling black people “niggers”) and Chinese women “rainies”, and brags about sleeping with his students.
That seemed like a match to me. But what was the motive?
In late April, the China mods banned chilltenor from the China subreddit. That timing fit too. In his Reddit profile and writings, chilltenor claims to be a Singaporean Chinese with a background in finance or business. His postings on Reddit were almost identical to the style of pro-Beijing nationalists on overseas blogs like Hidden Harmonies. In at least a few posts — which I won’t link to — chilltenor attempted to dox others on Reddit by calling them by their real names. He had a clear grudge against expat-dominated fora and a history of trolling. Basically, chilltenor and the CCJ2 crowd were destined to clash.
So it looked like I had stumbled into a stupid Reddit fight — or more precisely, that stupid fight had stumbled into me. But why? Consider this piece of “evidence” from Richard, which had the file name “Mr. X is stinson.PNG”:
First, notice that file name again. Not “stinson is Mr. X,” but “Mr. X is stinson.” The focus is, was, and perhaps has always been on Mr. X. Next, notice Forbes. Like many expat writers, I used to write for the now-defunct Forbes China Tracker blog. Here’s Mr. X joking about doing the same. My thesis is that Richard took what he knew about Mr. X …
- long-term expat in north China
- apparent teaching background
- may have written for Forbes
…and then went trolling on LinkedIn for profiles that fit his sketch of Mr. X. At least one of those profiles was my own. In fact, I’m probably not the only person he doxed in an attempt to get revenge on Mr. X, so I decided to talk to Richard’s intended victim.
I registered for Reddit with the purpose of sending Mr. X a private message explaining the situation. At first, he was suspicious that my queries about doxing might actually be a dox attempt in progress. That was understandable. As a moderator on an anonymous forum, the threat of doxing is something he has to take seriously. I assuaged his fears by presenting as much information as I could about the situation without identifying myself or my employer. I was also suspicious about putting information out there for a Reddit user I didn’t know. “Trust, but verify,” as Reagan liked to say.
I suggested to Mr. X that either Bruce Dimarco’s outfit or chilltenor was behind my attempted doxing. From what I’ve learned, Dimarco’s people are predatory and spread stories about expats in trouble for visa violations, offering the promise of “protection” to the young and inexperienced. Meanwhile, individuals or companies that don’t play along with Dimarco get outed or blacklisted. Still, chilltenor was the one whose language matched up, and he was the one who wrote like a troll rather than a scammer. All three of the emails were written with apparent glee, and the writer made no effort to blackmail me or gain my confidence the way a scammer would.
After a bit of back and forth, Mr. X defended the style of posting on CCJ2 and told me, “My point is that even if you were me, you have nothing to worry about, I’m not a racist and the things you/I’ve been accused of don’t hold water.” He offered to contact my employer to prove my innocence. Thankfully I haven’t needed to take him up on that, but I know that many people in my situation wouldn’t be as lucky.
My feeling about CCJ2, a forum which nationalistic Global Times writers have called out for “cruelty,” is that Mr. X and the other users are playing “characters” on the forum, much like a stand-up comedian plays a character on stage. Yes, they say weird and offensive things, but there’s a marked difference in tone between how they write there and how they write in the China subreddit, let alone how they act in public. The posters there are probably not racist, but they’re not paragons of sensitivity, either. That said, CCJ2 is sketchy enough at first glance that some employers in China might punish their foreign employees for posting there. Context simply doesn’t matter when you get doxed.
During the course of the conversations we had, Mr. X let me know that my suspicions about chilltenor being Richard were probably correct, referring to him as a “disgruntled former /r/China-poster who has made multiple doxxing attempts[.]” He added, “[W]e know who it is, as do the Reddit admins who have banned him multiple times, but we don’t know his real-life identity or how to stop him.” Mr. X asked me for Richard’s Gmail address to see if it had been used to dox a previous mod, and then confirmed that it was the same email. He lamented that Reddit admins, much like the Google and LinkedIn admins in my story, had not taken more steps against the attacks.
As of this writing, Richard, aka chilltenor, is still posting freely on Reddit. Even if he gets banned, he can always come back. Arguably, he doesn’t care whose lives or livelihoods he injures along the way. True anonymity is a weapon he and other doxers wield against those of us who mix our private and public lives online. Reddit retains the original anonymous ethos of the internet, but it coexists with an increasingly large public internet space that isn’t anonymous. Those of us who use our real names to express our real beliefs have made ourselves vulnerable to those who do neither. In wishing to be heard, we have unexpectedly created new opportunities for ourselves to be hated.
The title of this post is a nod to Andy Warhol, but it’s also a statement of fact. If you haven’t been doxed already, you will probably be doxed sometime in the future. So what can you do to protect yourself from doxing? There’s no easy solution to the problem. Unfortunately, anyone who uses their real name on the internet runs the chance of being doxed. What follows here are some general guidelines for reducing the threat of being doxed and dealing with online abuse.
First, do a privacy checkup. How much of your real self are you exposing online? Consider setting your Twitter account to private. If you like an audience, think before you tweet. Or go anonymous yourself. Use friend filters on Facebook to control the audience who sees your posts. For example, you might want to limit pictures of your children to only your family members on Facebook. Don’t post political rants that your coworkers might see, especially if your views might be unpopular or cause problems in your company. On Instagram and other photo services limit the amount of location data you share. Instead of sharing your lunch photos while you’re in the restaurant, why not wait a few hours or even a few days to post? Lastly, think about dumping LinkedIn. Perhaps new ownership will change the way LinkedIn runs, but for now their privacy settings offer no real protection from doxing.
Second, call on your support network. If you do get doxed, remember that you have a lot of friends and family who can help you out. Some of them can vouch for your character to media figures or an employer. Others can give you advice and information to help find the perpetrator. Most importantly, you have someone who can listen to you. Being doxed is an emotionally draining experience, and if the doxer succeeds in getting their victim fired it becomes exponentially worse. You must not isolate yourself. The doxer’s ultimate weapon is to force loneliness onto his victim. Many victims of doxing commit suicide, but few doxers have come forward to express regret at driving their victims to kill themselves. Like revolutionaries hounding their victims, they see suicide as admission of guilt.
Lastly, build your reputation online and off. This isn’t a call for self-censorship, but if you have a habit of writing offensive or controversial things, understand that it invites doxing. The same goes for behavior. In China, some of the first so-called “human flesh searches” were done against Chinese engaging in animal cruelty or those flaunting their corruption online. Doxing may have seemed like justice in those cases, but the tactic, once unleashed, can be used in both just and unjust ways. That said, even people with strong character can be misrepresented or attacked in cases of mistaken identity. Remember: the doxer chooses the audience and the method of attack. Your support network is key to defending yourself to that audience, but so is your reputation. The old rules of civil society, of giving others the benefit of the doubt, are what allowed Steiner’s dog to pose as a person on the internet. The new rules of internet society afford no such protections. Everyone is prepared to believe the worst, so you must go above and beyond in showing others your best.