chevron-down Created with Sketch Beta.
    March 18, 2021 Articles

    Doxing and Online Harassment: Considerations, Precautions, and Mitigation

    Learn how to protect yourself against exposure of personal information in our increasingly virtual world.

    By David L. Hecht, Antonio Rega, and Patricia Rodriguez

    The sharing of personal information has become increasingly pervasive and, in many instances, incentivized for a variety of purposes. In particular, since the advent and prevalence of social media platforms, sharing recent life events with friends and family, enhancing one’s “personal brand,” or broadcasting various viewpoints, among other activities, have become commonplace. Along similar lines, the internet offers nearly limitless potential for various forms of retribution by those with grievances (be it with a certain person or entity).

    Many have heard, for example, about unlawful dissemination or publication of intimate images, more crudely termed “revenge porn,” in which sexually explicit images or videos of individuals are posted without their consent, typically by people who have had a relationship with the victim. In other cases, users with a more limited relationship (or none whatsoever) can nonetheless wreak havoc on the reputation of a person or entity. It has become increasingly common for those hoping to hurt others to engage in “doxing,” (also spelled “doxxing”), the definition of which appears to be expanding, along with its prevalence. Doxing is currently defined as “[p]ublicly identify[ing] or publish[ing] private information about (someone) especially as a form of punishment or revenge.” Doxing, Merriam-Webster Online Dictionary.

    Traditionally, doxing involves the distribution of someone’s personal information across the internet against that person’s will. This sometimes takes the form of revealing a person’s concealed identity (such as when an author or blogger operates under a pen name or anonymous handle) without consent. See, e.g., Scott Alexander, “NYT Is Threatening My Safety By Revealing My Real Name, So I Am Deleting The Blog,” Slate Star Codex, June 20, 2020 (describing efforts by the New York Times to reveal the identity of a blogger without his consent). In other instances, doxing involves weaving together disparate facts about a person or organization to paint a certain, often misleading, picture—and then repeating the story with the hope that it will receive attention from others. More recently, sites like Medium.com have expanded the definition of doxing to include not only the distribution of private or obscure personal information but also the aggregation of publicly available information to target, shame, blackmail, harass, intimidate, threaten, or endanger. Medium, Medium Rules, Medium.com (Nov. 2019).

    The methods employed to acquire personal information include searching publicly available databases and social media websites, hacking, and social engineering. Understanding how information has been acquired and the motivation behind the doxing may be important in order to take steps to remove it. Doxing is often motivated by reasons similar to those that motivate revenge porn (e.g., to embarrass the target); however, doxing may also be used in some instances in an attempt to bolster litigation or extract a settlement (or both).

    Vigilant online users may take care to protect personal and private information from exposure, but the risk and threat of doxing-related activities—such as cyberbullying, stalking, social engineering (defined by the Oxford Dictionary as the use of deception to manipulate individuals into divulging confidential or personal information that may be used for fraudulent purposes), and related schemes—are a growing concern, particularly as the sharing of personal information online becomes exponentially more prominent.

    Your Life, Exposed

    In the United States, “data brokers” routinely buy and sell personal information to other companies or online databases—housing information (i.e., your address), court and criminal records, automobile details, and more—to people-search websites for a fee. Steven Melendez & Alex Pasternack, “Here are the data brokers quietly buying and selling your personal information,” Fast Company, Mar. 2, 2019. Spokeo, Whitepages, BeenVerified, and MyLife are examples of people-search websites. When searching for yourself or another by name on the internet, it is not uncommon for one of these sites to appear on the first or second page of search results.

    In addition to the information sold to them by states, people-search websites aggregate data from other online and offline sources. These services may link to one’s social media profiles, relationship status, month and year of birth, phone numbers, email addresses, and any online photographs. Anyone can sign up to access a dossier on an individual, which may include the kinds of substantial personal information discussed above.

    People-search websites have been criticized because of the danger caused by listing the personal information and physical addresses of unwitting people openly online and for profiting from the exploitation of personal data. In the hands of an individual who wishes to engage in doxing, or worse, data from people-search websites are extremely dangerous. Essentially, anyone with a web browser and a credit card can access a dossier with a wealth of information about a target.

    Caution Flags: The Misuse of Personal Information

    With the potential wealth of personal information readily available, doxing against almost any person may be possible. While social media sites may have policies forbidding the release of certain personal information, even a short-lived post releasing such information about a person may have deleterious effects.

    In July 2020, New Jersey’s first Hispanic U.S. district court judge, Esther Salas, was targeted by an attorney who was able to find her publicly listed address. The shooter had posted extensive misogynistic writings and ranted against Judge Salas. He visited her home posing as a deliveryman and shot and killed her only son, Daniel Anderl, a young man just 20 years of age, and critically injured her husband, Mark Anderl. Raul A Reyes, “A Latina trailblazer: Esther Salas, federal judge whose son was killed, described as ‘mentor’,” NBC News, July 20, 2020.

    There is no question that private personal information in the wrong hands can lead to physical injury and even death.

    The aggregation of public and private information may be problematic in other ways. For example, assembling embarrassing personal information—such as a recent divorce, private text messages, evictions, and debts—may cause a target to suffer reputationally, personally, and even professionally. Accordingly, sophisticated doxers may launch negative public relations campaigns by stringing together disparate facts to weave a misleading narrative about a person or company.

    Imagine, for example, if an individual attempted to paint a certain litigator as a “hack” attorney by publicly highlighting losses faced on various motions across a wide swath of cases over long periods of time, exposing and underscoring allegations made against this litigator (e.g., content from petty discovery disputes or class action jockeying), and even flagging clerical issues with court filings that might be the unfortunate result of paralegal error. Even seemingly positive results could be spun by the individual: Positive settlements in lieu of trial victories can be misleadingly used to tell a story of an attorney with little to no courtroom experience. Lawyers know that the vast majority of litigations settle, but non-lawyers do not. Depending on the content, frequency of posting (doxers often re-post material across various social media channels and continually re-post the same material), and intention, the example described may well be considering doxing.

    Now imagine that in addition to the lawyer’s litigation “track record,” a doxer releases public information about that attorney’s real estate and even information about the victim’s spouse. What if the doxer then repeatedly posted such content across social media, on a near-daily basis, and even tagged or otherwise attempted to add (legal) news media social media accounts, and even the target’s colleagues and clients? This sort of doxing poses more than a mere annoyance; it could be severely damaging to the victim in a multitude of ways and demonstrates the potential misuse of social media. It may also be illegal.

    Unfortunately, the above example is a real one. Despite their own policies purporting to forbid such conduct, social media sites ranging from Twitter to LinkedIn may be slow to respond to takedown requests of such content or requests to ban doxers. Each day that passes with such negative personal information reverberating across the internet results in more damage to the target.

    Doxing and the Law

    As a court in the Northern District of Mississippi recently put it, “[w]hile the Court does not condone publishing publicly available personal information, like a person’s address, there is simply no existing framework in the United States, currently, which criminalizes the act of ‘doxing’ or ‘doxxing’ private citizens.” United States v. Cook, 472 F. Supp. 3d 326, 339 (N.D. Miss. 2020).

    Indeed, we are not familiar with any law on the books, at either the state or federal level, that specifically addresses doxing. However, depending on the factual circumstances, doxing may qualify as (cyber) harassment, cyberbullying, stalking, or a combination of these under state law. For example, New York harassment laws prohibit a wide array of activities intended to harass, annoy, threaten, or alarm people. In New York, if the acts are meant to seriously annoy the victim but do not place the victim in fear of actual harm, a doxer may be charged with harassment in the second degree. 40 N.Y. Consol. Laws Ann. § 240.26. However, if the acts are meant to put the victim in reasonable fear of physical injury, the crime may fall into the more serious category of harassment in the first degree. 40 N.Y. Consol. Laws Ann. § 240.25.

    The phrase “doxing” has been mentioned in very few court decisions to date. Two of these cases appear noteworthy. In a case of first impression in the Eastern District of Michigan, the court found that it had personal jurisdiction over a California internet user who disclosed the plaintiff’s home address on Twitter in a defamation action. Vangheluwe v. Got News, LLC, 365 F. Supp. 3d 850, 852 (E.D. Mich. 2019) (finding disclosure of a home address on the internet was the type of doxing that creates minimum contacts with the plaintiff’s home state).

    In a different case, the California Court of Appeal found that “[t]here was simply no good reason” to disclose the plaintiff’s home address, images of his house, and a close-up picture of his face in a communication aimed at explaining the status of ongoing litigation and soliciting financial support. Dziubla v. Piazza, No. D076183, 2020 WL 7706276, at *9 (Cal. Ct. App. 4th Dist. Dec. 29, 2020). For that reason, the court found that these “doxing disclosures” did not find shelter in the litigation privilege.

    While there may be some relief under existing laws, given the expansion of doxing across social media, additional legislation may be necessary, particularly where state laws do not adequately protect the victims of harassment.

    Protecting Yourself and Your Clients: Mitigating the Risk of, and Combating, Doxing

    Although it is likely impossible to completely remove the entirety of your “online presence,” there are a number of proactive, and reactive, recommended steps that can be taken to mitigate your exposure and risk, minimizing the available information that may be subject to doxing-related tactics. The following are non-exhaustive recommendations and tips for securing content.

    As initial technical measures, you can

    • change existing passwords and enable 2FA (two-factor authentication) across all of your accounts;
    • change all social media accounts to “private”/nonpublic mode, and use separate “usernames” per social media site to minimize traceability;
    • search for your full name and any aliases, including online handles, for publicly available information about you; and
    • scrub such records to the extent you can or otherwise request to optout or have your personal information removed from public database records and data collection sites, such as Whitepages.com, Spokeo, PeopleFinder, etc.

    Because this process may be time-consuming, you may want to consider services such as DeleteMe to perform these actions on your behalf. Also consider using VPNs (virtual private networks), which will hide your internet protocol (IP) address from third parties on the web.

    In more extreme scenarios, you may need to contact your credit card companies, mobile phone provider, bank, and utilities to add additional layers of security and protection to your accounts, temporarily, until the threat subsides. Where doxing has already occurred, you can flag the content on many social media platforms or enlist the help of volunteer organizations. For example, the HONR Network is a nonprofit organization focused on protecting individuals from online abuse.

    As policy and legislation evolves, it is important to monitor developments related to doxing to understand how best to combat this affront to personal and private information. Individuals (or entities), regardless of profession or affiliation, are increasingly becoming doxing targets of adversaries, ex-clients, and even disgruntled former colleagues. If you (or a client) have been the victim of doxing, you should consult an expert who addresses these privacy and security-related issues and consider engaging an attorney with experience in this area. There are specialized experts and attorneys well versed in this arena who can help you navigate the ever-evolving “online world” of publicly available personal data.

    David L. Hecht, MBA, JD, BSEE, is the founding partner of Hecht Partners LLP, a commercial litigation law firm. David is also a certified information & privacy professional (CIPP/US) and has assisted victims of doxing. Antonio Rega, CFE, CCE, EnCE, CIPM (pending), is a managing director at Ankura and leads Ankura’s digital forensics practice, which includes matters involving data privacy and security. Patricia Rodriguez, JD, LLM, is a senior director of data and technology and e-discovery counsel at Ankura.

    Entity:
    Topic:
    The material in all ABA publications is copyrighted and may be reprinted by permission only. Request reprint permission here.

    Copyright © 2021, American Bar Association. All rights reserved. This information or any portion thereof may not be copied or disseminated in any form or by any means or downloaded or stored in an electronic database or retrieval system without the express written consent of the American Bar Association. The views expressed in this article are those of the author(s) and do not necessarily reflect the positions or policies of the American Bar Association, the Section of Litigation, this committee, or the employer(s) of the author(s).