Doxing — another online danger for women

Why it’s important to think about what data you share online, how to prevent being doxed, and what to do if you fail.

My data was published online — what to do?

Tech-abuse continues to be a growing problem for many people. Cyberbullying and online stalking remain a widespread issue among internet users — particularly women — and they’re forced to think about it on a day-to-day basis.

One issue women often face is doxing — the collection and publication of personal information without the owner’s consent. And like many other tech-abuse problems, it might even move over from the digital world to the physical one.

To help fight this problem, Kaspersky recently partnered with the Singapore Council of Women’s Organizations (SCWO) for a collaborative workshop. You can watch the recording of this workshop here, or read the rest of this post to learn how to avoid becoming a victim of doxing.

What is doxing and how does it harm women?

Basically, the aim of the doxer is to build up a detailed dossier about a user and then post it online or threaten to do it. To do this, a person needs no professional tools. Pretty much anyone can gather personal information with just search engines. Doxers do this for a whole bunch of reasons: to intimidate, humiliate, extort money, punish — you name it.

Consequences of such actions can vary a lot too — and can become quite brutal. Some women were even forced to move house. For example, recently a popular Twitch streamer, Wolfabelle, was blackmailed for for sexual favors by an online doxer. The attacker identified where she lived and threatened to publish her address and other private information unless she submits to his sexual demands. The doxer even went so far as to prowl around her home and take pictures of it, which he then sent her.

In other cases, doxing may harm not only the person whose information was collected. Sometimes doxers use a person’s dossier for catfishing — creation of a fake identity on social networking sites or dating apps. A victim of catfishing believes that they’re communicating with a person whose personal information (primarily — photos) was used to create a profile on a social network. However, in most cases catfishers don’t really fake the identity of a real person — they just upload someone else’s portrait as an avatar.

Doxing is an inclusive malicious activity

Doxing doesn’t discriminate — you don’t have to be a popular streamer, a celebrity or even an activist to get doxed. Often users who end up being victims of tech-enabled abuse lead rather quiet lives, and may even have private accounts on social networking sites.

Sometimes victims are folks who were misidentified and wrongly accused of something they didn’t do. This happened to Lucy from Canberra, who was misidentified as a person in a video containing racist statements. Within hours, Lucy’s personal data was spread online. After that, Lucy and her family received numerous death threats online and didn’t feel safe for weeks.

Check it for yourself

You can test how easy it is to dox a person by trying to build a portfolio about yourself or your close ones (with their consent, of course) — and see how much you can find. To do this, google the person and explore what you can find using their nickname and/or actual name on social media and other websites. You may be surprised by how much you discover.

What should I do to protect myself?

The best way to avoid doxing is to prepare for it. We’ve compiled some simple pieces of advice that will help you to do that:

Make your profile private, and check who follows you

This way at the very least you’ll be able to control who sees your posts. Just making your profile private isn’t enough though. Consider who follows you — do you know all of them? Do you trust them? Remember, any one of them can take a screenshot of what you’ve posted, and that screenshot will no longer be limited to your “private” space online.

Think for 30 seconds before you post or share

Nothing on the internet is temporary — a post you made on Instagram and later deleted could have been saved on some website that mirrors the social network. Edits to posts can also be tracked. And, of course, the audience of your post can save it too.

So, before posting anything online or agreeing to share your information with any online platform, think twice — or even thrice if we are talking about especially sensitive data (more about that later). And remember, something you might deem useless (like which websites you visited) may be exploited by doxers and used to profile you.

Reconsider your understanding of personal data

Once you’ve been doxed, the harm is hardly reversible (but we’ll talk about the ways you can minimize the damage later). The first thing any user should do is reconsider their attitude toward personal data — and what is understood by the term.

Personal data is any data that can identify you in a direct or indirect way. For instance, your photo and surname identify you directly, but your email address, phone number, and even the location of your workplace can also identify you.

Some personal data might be more sensitive than others. For example, exposure of religious beliefs, ethnicity, or health data can cause serious problems under certain circumstances. That’s why the decision on publishing this data anywhere requires extra thought.

Of course, there are laws in place that are meant to protect your personal data. In the EU it’s a pretty harsh law called the GDPR. GDPR forces organizations to take better care of personal data. Yet this doesn’t stop individuals from simply gathering personal information about somebody they’ve published themselves, consciously or not.

Do not share your location

Information about places you often visit or where you live might be the most sensitive because it may be easily exploited by an offline stalker. So it’s crucial to restrict access to this data as much as possible. In this spirit, rethinking your geotagging policy would be a good idea too. But social media is not the only source of geolocation data.

Sometimes our location can be revealed by the apps we use. One of our researchers used a jogging app that allows to track running exercises. Soon it turned out that other users of this app could see the exact running routе of our researcher. This information, along with photo and username was shared by the app online.

The conclusion is simple: check all your apps and make sure your location is not shared unnecessarily. Apple devices actually help with this and will notify you about your geolocation settings when you start using a new app. But in case of already installed applications, or if you are using other platforms, you’ll have to check settings manually.

I’ve been doxed. What to do?

If you or your close ones have been doxed, there are still some things you can do to minimize the damage:

  • Report all the posts that are spreading your personal information.. Social media platforms usually deem the spread of such information as a violation, so chances are you’ll be able to take the posts down. Also asking your friends to report them might help speed up the process.
  • Gather the evidence. Save all threatening emails, posts by other users, phone calls, and any other related interactions. Document everything in detail — this will help when you report abuse not only to social media, but also to the police.
  • Contact law enforcement. Your local police station may not know what doxing is, but hopefully they’ll understand the danger from online abuse and threats. Share with them all you know and seek action.
  • Get support. Get in touch with your friends and family to get their support. Also, don’t hesitate to reach out to your local NGO that helps victims of online abuse; for example, in Singapore, that would be SCWO.