By Kristen Kozinski and Neena Kapur Source: New York Times Open Team
Doxxing (also sometimes called “doxing”) is a low-level tactic with a high-impact outcome: it often does not require much time or many resources, but it can cause significant damage to the person targeted.
No one wants their home address on the internet. That is personal information we typically only give out to friends, family and maybe our favorite online stores. Yet, for many of us, that information is available and accessible to anyone with an internet connection. And increasingly for journalists, public figures and activists, this kind of information is dug up and posted to online forums as a form of harassment, or doxxing.
Doxxing (also sometimes called “doxing”) is a low-level tactic with a high-impact outcome: it often does not require much time or many resources, but it can cause significant damage to the person targeted. Once sensitive information — such as home address, phone number, names of family members or email addresses — about a targeted individual is posted to public forums, it can be used by others for further targeting.
Doxing, or doxxing, is the Internet-based practice of researching and broadcasting private or identifying information about an individual or organization. The methods employed to acquire this information include searching publicly available databases and social media websites, hacking, and social engineering. Wikipedia
The tactic is typically used to intimidate and silence, to prove a point or to discredit someone’s work. In 2019, a far-right group that disagreed with news coverage posted the personal information for three dozen journalists from news organizations in the United States, including The New York Times, on a site run by the group. After Christine Blasey Ford testified before the Senate Judiciary Committee in 2018, her personal phone number, home address and more were posted on Twitter and she soon started receiving death threats and harassment. During the Hong Kong protests in 2019, doxxing was a tactic used by both sides to expose personal information of protestors, police officers, journalists and social workers.
These attacks demonstrate that people dox — and are doxxed — for a variety of reasons. But regardless of the motive, an attack can be dangerous.
With that in mind, it is particularly important to take proactive digital security measures. Protecting personal information is more than just securing data, it guards against further digital attacks or event the possibility of physical harm.
Think like a doxxer
In 2017, the New York Times Information Security team began exploring the numerous ways personal information spreads through the internet. We wanted to understand how this information surfaces and how to clean up an online footprint — which includes everything from personal information like phone numbers, to what you like and who you follow on social media — in order to decrease the threat and impact of doxxing.
Doxxing itself relies on open-source data as well as data that may be circulating in spaces like the dark web. While we cannot control all the information about ourselves on the internet, we can take steps to make data more difficult to find.
When our team begins looking into the personal information that is available online for a colleague, we think like doxxers and use some of the same readily available online resources that doxxers may use to surface personal information:
Search engines: This is where we start. A search with a journalist’s name and the words, “phone number” or “address” might bring up a people-search site or the journalist’s social media accounts. Targeted searches can lead to sites that reveal a lot of information about someone and their behavior online.
Data broker and people-search sites: Targeted searches on search engines often lead to data broker or people-search sites, which provide holistic profiles of individuals and package sensitive information into a single report that is usually available for free or for a minimal cost. These sites collect the personal and behavioral information of consumers from public records, open-source information and other data brokers, and sell that information to other companies and individuals.
Social media: A doxxer might scroll through a journalist’s social media sites to gather more intimate details about their life, such as insights into their relationships, habits, personal photos, emotional state, and their likes and dislikes.
While doxxers use these tools to do harm, journalists can use them to control the amount of personal information that is available online. From locking down social media profiles to opting out of major data broker websites, there are concrete mitigation strategies that anyone with an internet connection can do. It just takes a little time.
It’s impossible to control all the personal information that is out there, but we can take steps to make it more difficult to find. If a doxxer can’t find a journalist’s information in a few hours, then that may discourage them from pursuing the journalist as a target for doxxing.
You can do it, too
To help our Times colleagues think like doxxers, we developed a formal program that consists of a series of repeatable steps that can be taken to clean up an online footprint. Our goal with this program is to empower people to control the information they share, and to provide them with tools and resources to have a better awareness around the information they intentionally and unintentionally share online.
We are now publicly releasing the content of this program for anyone to access. We think it is important for freelancers, activists, other newsrooms or people who want to take control of their own security online.
Whether you run through this process once or twice a year, or take these steps before publishing an article that may cause a stir on social media, incorporating this digital cleaning practice should be a part of general online hygiene.
Of course, we can’t completely erase ourselves from the internet, but we can make it harder for people with ill intent to find our personal information.
The resources we are publishing are for anyone to use and share. The materials can be accessed here and include:
- Doxxing Guide: This guide details steps that you can walk through on your own or with a group to begin cleaning up your online footprint. It includes a list of data broker websites that offer opt-out options, targeted techniques for search engines and tips for locking down your social media accounts.
- Social Media Security and Privacy Checklist: This guide includes checklists of recommended security and privacy settings for several popular social media websites that will ensure your profiles are locked down and that you’re only sharing information that you’re comfortable sharing.
- Doxxing Curriculum Outline: A high-level overview of the curriculum we used when running doxxing workshops at The New York Times. If you’d like to bring a version of this program to your newsroom or organization, or to a group you work with, this resource will help you build out a formal training session.
We hope you find these resources helpful. Today’s information security threats against journalists are dynamic and ever-evolving, which means that the best way to improve the safety and security of journalists today is to share and collaborate on best practices and resources.
Kristen Kozinski is the Information Security Training Manager at The New York Times. She focuses on providing educational resources and training about digital security for our newsroom and business operations. @dontclickonthat
Neena Kapur is the Security Intelligence Manager at The New York Times, where she focuses on proactively understanding and defending against digital security threats targeting The New York Times and the media industry. @neenahyena
Floyd Muir, Information Security Trainer, and Yulini Persaud, Information Security Intern, also contributed to the resources associated with our Doxxing program.