Derived from dox or docs, short for documents, the Internet-based practice of doxing involves compiling and publicizing personally identifiable information about a person or organization. These records were previously private or difficult to obtain. This does not, however, imply the information cannot be uncovered, made public and used by those with questionable motives.
There are a number of ways to mine this information, including
- searching the Web and publicly available databases
- scouring social media sites such as Facebook, Twitter or LinkedIn
- social engineering, in which information is extracted from governments and phone companies
Although doxing can aid in law enforcement and business analysis, people can also have less than honourable reasons to engage in doxing. These may include
- extortion or coercion
- harassment or online shaming
- vigilante justice
Because it implies violating an individual’s privacy to seek revenge, harass, coerce or control, doxing carries a negative connotation. The fact that doxing is often achieved through malicious software—malware—adds to this perception.
Doesn’t this then make doxing synonymous with ransomware? Especially if, as stated above, doxing can be used for extortion or coercion?
Doxing can be considered the opposite of ransomware. In ransomware—or extortion—victims are denied access to their own data, which is encrypted and held for ransom. Victims then have to pay to have the data decrypted.
In doxing, on the other hand, victims retain access to their information, but disclosure and dissemination of this data is at the discretion of the virus behind it. Once they have your information, doxers may not necessarily make it public. Instead, they may use it to hack your online or social media accounts. Doxers may show you your information in an effort to intimidate you.
There a number of steps you can take to minimize your chances of being doxed. For starters, avoid sharing commonly doxed details such as
- full name
- date and location of birth
- email address(es)
- phone number
Consider what you share on social networks such as Facebook, Twitter or LinkedIn: if you share photos, your place of work, your phone number or your address, share only with friends and increase your privacy settings. Better yet, make your social media accounts private.
Consider using separate usernames and email addresses for different purposes (e.g., social media sites, online forums or gaming channels, banking and paying bills). Use strong passwords that include letters, numbers and symbols, and change them on a regular basis.
Bear in mind that doxers may search your information by domain name or your location based on your IP address. If you host or manage a website, invest in WHOIS protection. Doing this keeps your registration and personal information private and protects it from being published.
If your information does get doxed, you could argue that it was obtained in a less than ethical way. Although not usually illegal, doxing does violate many sites’ terms of service. However, if those doxing you are doing so for shady reasons (e.g., stalking, coercion) and if their motives are proven, they may be guilty of a crime.