Bolster Your Digital Security: How to Protect Yourself from Doxxing
Doxxing. Death threats. Violent, sexualized, abusive language.
Unfortunately, this has become the norm for many experts, spokespeople, and journalists who dare to speak out, tweet, or publish their thoughts, opinions—or even facts.
It’s much easier to put our opinions, expertise, and experience out there if we aren’t worried about the backlash we might face for it. Only then will we feel comfortable asserting ourselves publicly, which in turn helps our communities get heard.
To protect ourselves and our loved ones, it is essential that we all bolster our digital security to help prevent our information from being shared in doxxing attacks.
WHAT EXACTLY IS DOXXING?
Doxxing is a low-level tactic commonly used by malicious actors online to expose the personal information of public figures. Information about the targeted individual is posted to public forums to encourage further intimidation.
Doxxing is a low-level tactic, but it has a high impact. It often does not require much time or many resources, but it can cause significant damage to the person targeted.
What data is being shared?
- Phone number(s)
- Current home address(es)
- Past home address(es)
- Hometown
- Email address(es)
- Names of family members
- Birth date
- Location of work
- Vehicle information
- Embarrassing info/pictures
DOX YOURSELF BEFORE YOU GET DOXXED
This post will focus on how to dox yourself – and discover what data is already out there about you.
You do not have to erase your online footprint entirely, but you should identify and decrease your online footprint to reduce the opportunity for doxxing or other malicious targeting.
Search engines
Start by looking yourself up on search engines. Think about whenever you want to know something. You go to Google. Well, it’s the same for the doxxers. Whenever they want basic info about someone, they start with search engines. The data that they find on search engines is then used to find additional data about you.
How to effectively search using search operators
These operators work on both Google and Bing, which is where most of us are looking things up.
Quotes “Neda Ali”
When you put something in quotes in a search engine, it means you are looking for an exact match. In this case, let’s say I’m looking for Neda Ali. I’m not looking for a Neda with an I, or any other variation of this name. I’m looking for this exact spelling. I’d search “Neda Ali” in quotes.
AND/OR Operators “Neda Ali” AND (Arlington OR Alexandria)
Now, Neda might be a common name. If I know Neda is from northern Virginia, but not where exactly, this is a search I could try.
The AND operator is used to return results containing both terms. The OR operator is used to return results that contain either one or the other term.
Site site:linkedin.com “Neda Ali”
This is used to find results on a specific domain. In this example, we are trying to find Neda’s LinkedIn. LinkedIn’s search function is pretty shoddy, so the best way to find it is to use a search engine. You can use this operator to limit results to any website.
File Type filetype:
Let’s say I want to find out if Neda is on any spreadsheets. I would search filetype:xls. This one really creeps me out, to think that someone could be adding me to a spreadsheet and circulating it around.
Other common file types you can search:
- DOC/DOCX
- XLS/XLSX
- PPT/PPTX
- TXT
- JPG/JPEG/PNG (Image files)
Hyphen “Neda Ali” -site:foxnews.com
The hyphen operator allows you to exclude the text immediately following it. Let’s say I work at Fox News, and we are always publishing stuff about Neda, and I don’t need those results in my Google search. I would use the above search to exclude anything from Fox News. This way, I’m only going to find new results.
Asterisk “Neda * Ali”
Google treats the asterisk as a placeholder for a word or words in a search string. If Neda has a middle name, or two last names, I would use the asterisk to find all possible results.
Use these operators to see what information shows up when someone searches for you.
Data Brokers
After searching for yourself on a search engine, you will likely have found results pointing you to a website run by a data broker.
These sites can identify your relationships, addresses, email addresses, phone numbers, and more. They’re often used by doxxers to correlate data and to confirm targets.
Data broker websites get their data from public record sites. There are many public record sites, but they are often poorly maintained and difficult to search. Data broker websites aggregate the data on public record sites in easily searchable ways.
Data broker websites collect your data and, oftentimes, sell it! Some claim to remove your profile—but won’t actually do it. Often, they request sensitive personal data to remove yourself from their database, and they may then sell that data.
Most public data broker sites have opt-out procedures that you can follow to remove your information. Find profiles of yourself on these sites and take steps to opt out.
Here are some popular data brokers where you want to opt out:
- BeenVerified
- CheckPeople
- FamilyTreeNow
- Instant Checkmate
- Intelius
- Nuwber
- OneRep
- PeekYou
- PeopleFinders
- Pipl
- PrivateEye
- Radaris
- Spokeo
- US Search for People
- USA People Search
- White Pages
Two caveats: First, this is, unfortunately, not a comprehensive list. This is just a starting point. If you want a fuller list of data broker sites, check out this amazing list compiled by journalist Yael Grauer.
Second, this is a list of sites that primarily cover individuals who currently live, or have lived at one point, in the United States.
Tips for opting out safely
- Don’t provide any new information to these sites. Only provide a site with the data they already have about you. If you see that they have an old home address, do not provide them with a current address; just provide them with the address they already have listed.
- Set up a separate “burner” email. Nearly every data broker website that I have checked asks for an email. They’ll then send you a link to confirm you really do want to opt out, and you have to click on that to be actually removed from their database. Set up a fake email; don’t give them your information. Guerrilla Mail is a great tool you can use for this.
- Set up a virtual phone number. If a data broker website does not ask for your email, they will ask for a phone number. Don’t give them your real phone number. You can set up virtual phone numbers on Google Voice or Sudo.
- Do not provide a copy of identification information. If one of these sites is trying to get your passport or driver’s license, just … stop. Don’t do it.
This part of the process is the most time consuming. I don’t know how long it took me to delist myself. I tried to time it, and I had to keep stepping away because I couldn’t do it in one sitting.
Break the delisting process up into manageable chunks and set up a schedule to remove your information, and the information of your family members and anyone you live with.
You should also know that your data may show up again. These sites pull data from public records, so if you move, get married, or make another life change, it is possible that your data will repopulate on these sites.
Review your information at least once a year (consider it spring cleaning!) and remove any new records that may have appeared. Share this list of data broker sites with your family and friends. Like I said, if your address isn’t online, but your partner’s or child’s is, that doesn’t help you very much.
If you cannot be bothered to manually remove everything, there are paid services that can do that for you. A lot of journalists recommend DeleteMe. Regardless of the paid tool you go with (and there are many options), sign up before you’re in a state of emergency. DeleteMe, for example, will send you your full Privacy Report within seven days, which is a lifetime when you are being doxxed.
A couple of things to know about paid services in general:
- Because data brokers continually scrape public records and repopulate their data, these services are most effective with ongoing subscriptions.
- These services also cannot (and do not) promise comprehensive data minimization across all possible sources. You should conduct your own research and consider whether these kinds of services can successfully target the data sources you are most concerned about.
Social media
Social media is used to gather specifics about relationships, hobbies, and travels. Information found here is also used by malicious individuals and groups for phishing and for guessing passwords and security questions.
In general, for any social media platform, ensure that you are using multifactor authentication. And if you have a public profile, be aware of geotagging and the repercussions of people knowing your exact location.
The New York Times has a step-by-step guide for improving your digital security on Facebook, Instagram, Twitter, LinkedIn, and Reddit. Take 10 minutes to see if your privacy settings match what is recommended.
Also, use namecheckr.com to make sure you know what accounts you actually have.
Doxxers can use namecheckr in two ways. First, they can see what accounts you don’t have and set up fake profiles in your name and impersonate you. Second, doxxers can use this site to look up all the accounts you have and try to determine which one they can hack into. Maybe you forgot you had a WordPress account, because you set it up years ago and then forgot about it. As a result, you didn’t set up multifactor authentication. Years later, a doxxer discovers it and hacks into it quite easily.
Use this tool in the same ways doxxers do. Check to see what accounts you have, under all of your handles. That includes your professional handle, but it also includes your old AIM username. If you have any old accounts you forgot about, either close them or make them more secure. Also, check to see if anyone is impersonating you on another platform, because that does still harm your online reputation, and thus, your security.
GENERAL BEST PRACTICES
First, monitor data leaks that involve your accounts. Have I Been Pwned is a great site that shows you not just if you’ve been impacted, but what kind of information is at risk. If the password for one account has been compromised, make sure to also change it for every other account that uses the same password.
Second (and relatedly), don’t reuse passwords. Create unique passwords for each account and store them in a password manager. Password managers store all of your passwords across accounts, so you can make your passwords as strong as possible. Most password managers will let you generate random passwords, so it does make your life very easy.
You can also use password managers to create custom answers to security questions for each account. Do not use your mother’s real maiden name as a security answer when that information is likely readily available on data broker sites. These are three password managers that are pretty popular and well recommended: LastPass, 1Password, and Bitwarden. If you can afford to, pay for your password manager. If you can’t, Bitwarden is probably your best bet as far as free versions go.
And third, turn on multifactor authentication on everything. You should also be setting it up through an authentication app like Authy or with a physical security key like YubiKey.
SMS verification is the method a lot of people use right now, and it is the least secure option.
In 2016, DeRay Mckesson, who is a very well-known Black activist, was targeted by doxxers. The doxxers called up Verizon, pretended to be DeRay, and got a replacement SIM card. DeRay’s phone number stopped working, and the doxxers got access to all of DeRay’s accounts that were relying on SMS verification. Then, they were able to log into all of those accounts and change the passwords.
To avoid that situation entirely, use an authenticator app or physical security key. Also, call your phone provider and ask them to set up an extra PIN or password that you will be required to give whenever you want to change something about your service. That way, doxxers will have an additional layer of security that they have to go through, and they won’t get access to your phone number, and thus all of your accounts, as easily.
HELP! I’M BEING DOXXED RIGHT NOW:
- Assess if you are at imminent physical risk. If so, take immediate steps to protect yourself. This may include sheltering in place or evacuating to another safe location (such as a friend’s house or hotel). Remember to listen to your gut, and DO NOT dismiss your instincts as irrational or silly. Regardless of whether these steps turn out to be required, they won’t hurt and will keep you safe.
- Deactivate, lock, or mute notifications on your accounts. What you choose to do is at your discretion. If you decide to keep your accounts open, please know that you can still mute or block the parties involved. It is typically better to mute an account as a first step, rather than to block it, as the account owner receives no notification that you have taken action. Blocking, on the other hand, may be seen as an invitation to escalate. However, you should block anyone trying to use your personal information to threaten or harass you.
- Create an incident log. It’s a simple file or spreadsheet where you document all the incidents. You will want to include the date, time, description, and result of each incident. Capture the activity with screenshots and URLs. This will help with any legal issues, if you become involved in litigation after the attacks or if you choose to pursue that yourself. If not, this incident log will still help you beef up your preparations for the next time you may be doxxed. You may notice some patterns, such as the time the attacks are happening or the likely source of the attacks. If you are a target in a larger campaign of attacks, you can also compare your incident log to others’ and gather more information that way.
- Change passwords for all of your accounts.
- Report it right away, or as soon as possible, to relevant parties. This may include workplace supervisors, online services you use, legal authorities, etc. You will also want to log the report details (including contact information, time, and date) in your incident log.
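An added example, not part of the original post: a small Python incident log that records the fields listed above (date, time, description, result, URL, screenshot) and counts incidents by hour and by site to surface the patterns mentioned. The screenshot hash column, the step that neutralizes spreadsheet formulas in copied text, and all sample data are assumptions made for illustration.

```python
import csv
import hashlib
import io
from collections import Counter
from datetime import datetime
from urllib.parse import urlparse

FIELDS = ["date", "time", "description", "result", "url", "screenshot", "sha256"]

def safe_cell(text):
    # Harassing messages are attacker-written text. Prefix cells that a
    # spreadsheet would treat as a formula so opening the log runs nothing.
    return "'" + text if text[:1] in ("=", "+", "-", "@") else text

def make_entry(when, description, result, url, shot_name="", shot_bytes=b""):
    # The screenshot hash is an added field (assumption, not from the post):
    # it lets you show later that the saved image was not altered.
    digest = hashlib.sha256(shot_bytes).hexdigest() if shot_bytes else ""
    return {"date": when.strftime("%Y-%m-%d"), "time": when.strftime("%H:%M"),
            "description": safe_cell(description), "result": safe_cell(result),
            "url": safe_cell(url), "screenshot": shot_name, "sha256": digest}

def write_log(entries, fh):
    writer = csv.DictWriter(fh, fieldnames=FIELDS)
    writer.writeheader()
    writer.writerows(entries)

def patterns(rows):
    # Busiest hour of day and most frequent site: the two patterns the post names.
    hours = Counter(int(r["time"][:2]) for r in rows)
    sites = Counter(urlparse(r["url"]).hostname or "unknown" for r in rows)
    return hours.most_common(1)[0], sites.most_common(1)[0]

def demo():
    # Constructed sample incidents; every name, URL and byte string is made up.
    entries = [
        make_entry(datetime(2024, 3, 1, 23, 5), "Home address posted in thread",
                   "Reported to forum moderators", "https://forum.example/t/101",
                   "shot1.png", b"constructed image bytes 1"),
        make_entry(datetime(2024, 3, 2, 23, 40), "=1+1 (message began with an equals sign)",
                   "Muted sender", "https://social.example/dm/7"),
        make_entry(datetime(2024, 3, 3, 9, 15), "Phone number reposted",
                   "Reported to forum moderators", "https://forum.example/t/101"),
    ]
    buf = io.StringIO()
    write_log(entries, buf)
    rows = list(csv.DictReader(io.StringIO(buf.getvalue())))
    return rows, patterns(rows)
```

To keep a real log, pass an open file to write_log instead of the in-memory buffer and store the screenshots next to it.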
Enlist Others’ Help
Enlist others to help with all of this.
It’s your choice to go public with the doxxing attacks or not, but you should have your support network helping you. You can stay with them until things cool off. You can have someone else help document incidents in the log. You can make someone your point of contact and call them at an appointed time every day.
Build a support network with other people who are doing similar work online, and who are also facing abuse. You can help each other in these scenarios. If nothing else, it also just helps to be able to reaffirm one another in the face of trolls and doxxers.
It is understandable if this post terrifies you. But by taking these steps to bolster your digital security in advance, you can hopefully prevent a doxxing attack from ever occurring. You should feel more confident putting your expertise out there into the world and getting heard.
ADDITIONAL RESOURCES
- The New York Times’ Social Media Security and Privacy Checklist
- Equality Labs’ Anti-Doxing Guide for Activists Facing Attacks
- Harvard Business Review: What to Do When Your Employee is Harassed Online
- Access Now 24/7 Digital Security Helpline
- Big Ass Data Broker Opt-Out List
- Hacking//Hustling Doxing Prevention Harm Reduction Training