Doxing and Online Harassment: Considerations, Precautions, and Mitigation

There are a number of proactive, and reactive, recommended steps that can be taken to mitigate your exposure and risk, minimizing the available information that may be subject to doxing-related tactics.

Originally released in the Spring 2020 (Vol. 28, Issue 3) edition of the ABA Journal: Doxing and Online Harassment: Considerations, Precautions, and Mitigation (americanbar.org)

By David L. Hecht, Antonio Rega, and Patricia Rodriguez[i]

I.     Introduction

Sharing of personal information has become increasingly pervasive, and in many instances, incentivized for a variety of purposes. In particular, since the advent and prevalence of social media platforms, sharing recent life events with friends and family, enhancing one’s “personal brand,” or broadcasting various viewpoints, among other activities, has become commonplace. Along similar lines, the internet offers nearly limitless potential for various forms of retribution by those with grievances (be it with a certain person or entity). 

Many have heard, for example, about unlawful dissemination or publication of intimate images, more crudely termed “revenge porn,” in which sexually explicit images or videos of individuals are posted without their consent, typically by people who have had a relationship with the victim. In other cases, users with a more limited relationship (or none whatsoever) can nonetheless wreak havoc on the reputation of a person or entity. It has become increasingly common for those hoping to hurt others to engage in “doxing,” (also spelled “doxxing”), the definition of which appears to be expanding, along with its prevalence. Doxing is currently defined as “[p]ublicly identify[ing] or publish[ing] private information about (someone) especially as a form of punishment or revenge.”[ii]

Traditionally, doxing involves the distribution of someone's personal information across the internet against their will. This sometimes takes the form of revealing a person’s concealed identity (such as when an author or blogger operates under a pen name or anonymous handle) without consent. [iii] In other instances, doxing involves weaving together disparate facts about a person and organization to paint a certain, often misleading, picture—and then repeating the story with the hope that it will receive attention from others. More recently, sites like Medium.com have expanded the definition of doxing to include not only the distribution of private or obscure personal information but also the aggregation of publicly available information to target, shame, blackmail, harass, intimidate, threaten, or endanger.[iv]

The methods employed to acquire personal information includes searching publicly-available databases and social media websites, hacking, and social engineering. Understanding how information has been acquired and the motivation behind the doxing may be important in order to take steps to remove it. Doxing is often motivated by reasons similar to revenge porn – e.g., to embarrass the target; however, doxing may also be used in some instances in an attempt to bolster litigation and/or extract a settlement.

Vigilant online users may take care to protect personal and private information from exposure, but the risk and threat of doxing-related activities, such as cyberbullying, stalking, social engineering[v]and related schemes, are a growing concern, particularly as sharing of personal information online becomes exponentially more prominent. 

II.  Your Life, Exposed

In the United States, ‘data brokers’ routinely buy and sell personal information to other companies/online databases, which includes housing information (i.e., your address), court and criminal records, automobile details, and more, to people-search websites for a fee.[vi] These sites include, for example, Spokeo, WhitePages, BeenVerified, and MyLife. When searching for yourself or another by name on the internet, it is not uncommon for one of these sites to appear on the first or second page of search results.

In addition to the information sold to people-search websites by states, they aggregate data from other online and offline sources. These services may link to one’s social media profiles, relationship status, month/year of birth, phone number(s), email address(es), and any online photographs. Anyone can sign up to access a dossier on an individual, which may include the kinds of substantial personal information discussed above. 

People-search websites have been criticized because of the danger caused by listing the personal information and physical addresses of unwitting people openly online and for profiting from the exploitation of personal data. In the hands of an individual who wishes to engage in doxing, or worse, data from people-search websites is extremely dangerous. Essentially anyone with a web browser and a credit card can access a dossier with a wealth of information about a target.

III. Caution Flags: The Misuse of Personal Information

With the potential wealth of personal information readily available, doxing against almost any person may be possible. While social media sites may have policies forbidding the release of certain personal information, even a short-lived post releasing such information about a person may have deleterious effects.

In July 2020, New Jersey’s first Hispanic U.S. District judge, Esther Salas, was targeted by an attorney who was able to find her publicly listed address. The shooter had posted extensive misogynistic writings and ranted against Judge Salas. He visited her home posing as a deliveryman and shot and killed her only son, Daniel Anderl, a young man just 20 years of age, and her husband, Mark Anderl.[vii]

There is no question that private personal information in the wrong hands can lead to physical injury and even death.

The aggregation of public and private information may be problematic in other ways. For example, assembling embarrassing personal information such as a recent divorce, private text messages, evictions, and debts, may cause a target to suffer reputationally, personally, and even professionally. Accordingly, sophisticated doxers may launch negative public relations campaigns by stringing together disparate facts to weave a misleading narrative about a person or company. 

Imagine, for example, if an individual attempted to paint a certain litigator as a “hack” attorney by publicly highlighting losses faced on various motions across a wide swath of cases over long periods of time, exposing and underscoring allegations made against this litigator (e.g., content from petty discovery disputes or class action jockeying), and even flagging clerical issues with court filings that might be the unfortunate result of paralegal error. Even seemingly positive results could be spun by the individual: positive settlements in lieu of trial victories can be misleadingly used to tell a story of an attorney with little to no courtroom experience. Lawyers know that the vast majority of litigations settle, but non-lawyers do not. Depending on the content, frequency of posting (often, doxers re-post material across various social media channels and continually re-post the same material), and intention, the example described may well be considering doxing.

Now imagine that in addition to the lawyer’s litigation “track record,” a doxer releases public information about that attorney’s real estate and even information about the victim’s spouse. What if the doxer then repeatedly posted such content across social media, on a near-daily basis, and even tagged or otherwise attempted to add (legal) news media social media accounts, and even the target’s colleagues and clients? This sort of doxing poses more than a mere annoyance; it could be severely damaging to the victim in a multitude of ways and demonstrates the potential misuse of social media. It may also be illegal.

Unfortunately, the above example is a real one. Despite their own policies purporting to forbid such conduct, social media sites ranging from Twitter to LinkedIn may be slow to respond to takedown requests of such content or requests to ban doxers. Each day that passes with such negative personal information reverberating across the internet, the more damage to the target will result.

IV. Doxing and the Law

As a court in the Northern District of Mississippi recently put it, “[w]hile the Court does not condone publishing publicly available personal information, like a person's address, there is simply no existing framework in the United States, currently, which criminalizes the act of “doxing” or “doxxing” private citizens.”[viii] 

Indeed, we are not familiar with any law on the books, at either the state or federal level, which specifically addresses doxing. However, depending on the factual circumstances, doxing may qualify as (cyber) harassment, cyberbullying, and/or stalking under state law. For example, New York harassment laws prohibit a wide array of activities intended to harass, annoy, threaten, or alarm people. In New York, if the acts are meant to seriously annoy the victim, but do not place the victim in fear of actual harm, a doxer may be charged with harassment in the second degree.[ix] However, if the acts are meant to put the victim in reasonable fear of physical injury, the crime may fall into the more serious category of harassment in the first degree.[x]

The phrase “doxing” has been mentioned in very few court decisions to date. Two of these cases appear noteworthy. In a case of the first impression in the Eastern District of Michigan, the court in Vangheluwe v. Got News, LLC found that it had personal jurisdiction over a California internet user who disclosed of the plaintiff’s home address on Twitter in a defamation action.[xi]  

In a different case in the Court of Appeals for the Fourth District of the State of California, the court found that “[t]here was simply no good reason” to disclose the plaintiff’s home address, images of his house, and a close-up picture of his face in a communication aimed at explaining the status of ongoing litigation and soliciting financial support.[xii] As such, the court found that these “doxing disclosures” did not find shelter in the litigation privilege. 

While the law may provide for some relief under existing laws, given the expansion of doxing across social media, additional legislation may be necessary, particularly where state laws do not adequately protect the victims of harassment.

V.   Protecting Yourself and Your Clients: Mitigating the Risk of, and Combating, Doxing

While it is likely impossible to completely remove the entirety of your “online presence,” there are a number of proactive, and reactive, recommended steps that can be taken to mitigate your exposure and risk, minimizing the available information that may be subject to doxing-related tactics. The following are non-exhaustive recommendations and tips in securing content.

As initial technical measures, change existing passwords and enable 2FA (two-factor authentication) across all of your accounts; change all social media accounts to “private”/non-public mode, and use separate ‘usernames’ per social media site to minimize traceability; search for your full name and/or any aliases, including online handles, for publicly available information about you; scrub such records to the extent you can, or otherwise request to opt-out/have your personal information removed from public database records and/or data collection sites, such as Whitepages.com, Spokeo, PeopleFinder, etc.; as this process may be time-consuming, services such as DeleteMe may be considered to perform these actions on your behalf. Also consider utilizing VPNs (Virtual Private Networks), which will hide your IP address from third parties on the web.

In more extreme scenarios, you may need to contact your credit card companies, mobile phone provider, bank, and/or utilities to add additional layers of security/protection to your accounts, temporarily, until the threat subsides. Where doxing has already occurred, you can flag the content on many social media platforms or enlist the help of volunteer organizations. For example, the HONR Network is a non-profit organization focused on protecting individuals from online abuse.

As policy and legislation evolves, it is important to monitor developments in this area to understand how best to combat this affront to personal and private information.  Individuals (or entities), regardless of profession or affiliation, are increasingly becoming doxing targets from adversaries, ex-clients, and even disgruntled former colleagues. If you (or a client) have been the victim of doxing, you should consult an expert that addresses these privacy and security-related issues and consider engaging an attorney with experience in this area. There are specialized experts and attorneys well versed in this arena who can help you navigate through the ever-evolving “online world” of publicly available personal data.

[i] David L. Hecht, M.B.A., J.D., B.S.E.E., is the founding partner of Hecht Partners LLP, a commercial litigation law firm. David is also a Certified Information & Privacy Professional (CIPP/US) and has assisted victims of doxing. 

Antonio Rega, CFE, CCE, EnCE, CIPM (pending) is a managing director at Ankura and leads Ankura’s digital forensics practice, which include matters involving data privacy and security.

Patricia Rodriguez, J.D., L.L.M. is a senior director of data and technology and e-discovery counsel at Ankura.  

[ii] Doxing, MERRIAM-WEBSTER DICTIONARY, https://www.merriam-webster.com/dictionary/dox (last viewed on Jan. 20, 2021).

[iii] See e.g. Scott Alexander, NYT Is Threatening My Safety By Revealing My Real Name, So I Am Deleting The Blog, Slate Star Codex (June 20, 2020), https://slatestarcodex.com/2020/06/22/nyt-is-threatening-my-safety-by-revealing-my-real-name-so-i-am-deleting-the-blog/ (describing efforts by the N.Y. Times to reveal the identity of a blogger without his consent).

[iv] Medium, Medium Rules, Medium.com (November 2019), https://policy.medium.com/medium-rules-30e5502c4eb4.

[v] Per Oxford Dictionary, (In the context of information security): the use of deception to manipulate individuals into divulging confidential or personal information that may be used for fraudulent purposes.

[vi] Steven Melendez, Alex Pasternack, Here are the data brokers quietly buying and selling your personal information (March 2, 2019), https://www.fastcompany.com/90310803/here-are-the-data-brokers-quietly-buying-and-selling-your-personal-information.

[vii] Raul A Reyes, A Latina trailblazer: Esther Salas, federal judge whose son was killed, described as 'mentor’, NBC News (July 20, 2020 12:58pm), https://www.nbcnews.com/news/latino/latina-trailblazer-esther-salas-federal-judge-whose-son-was-killed-n1234361.

[viii] U.S. v. Cook, 472 F. Supp. 3d 326, 339 (N.D. Miss. 2020)

[ix] 40 N.Y. Con. Laws Ann. § 240.26.

[x] 40 N.Y. Con. Laws Ann. § 240.25.

[xi] 365 F. Supp. 3d 850, 852 (E.D. Mich. 2019) (finding disclosure of a home address on the internet was the type of doxing that creates minimum contacts with the plaintiff's home state). 

[xii] Dziubla v. Piazza, D076183, 2020 WL 7706276, at *9 (Cal. App. 4th Dist. Dec. 29, 2020).