Doxing—the public posting of private or sensitive information—is a tactic used by online harassers who wish to intimidate targets and make them vulnerable to additional attacks.
Abusive trolls can track down and publish a target’s home address, phone number, place of work, the name of their child’s elementary school, or any other personal information they’re able to find. While some of this information may be publicly available through online databases or websites, it’s usually an online harasser’s intention to broadcast this information to a larger audience in order to threaten, intimidate, or escalate abuse against a target.
Writers and journalists who write about controversial political topics are particularly vulnerable to doxing. Luckily, there are steps you can take to protect yourself:
Google variations of your name, your phone number, your home address, and your online handles. Make sure you’re not logged into Google (which could skew your results). You can also try different search engines, like Bing and DuckDuckGo. Take advantage of these Google search tips. What kind of info are you seeing floating around? And where is it cropping up? Social media accounts, staff bios, company webpages?
See what data brokers have on you.
Data brokers—like Spokeo, Intelius, AnyWho, Whitepages, etc.—scan the web to collect your private info and sell it to companies, individuals, or other data brokers. If you’re John Smith, you might be OK (anonymity amid a sea of John Smiths), but many of us are not so lucky.
Try a reverse image search.
Google yourself to find which images of you are available online. Right-click on each image and “search Google for image” to see where else your photos are circulating and how they’re being used. You can also upload your profile photos from Twitter, Facebook, Instagram, and LinkedIn and try a reverse image search using a platform like Yandex or TinEye. Just don’t upload images that are sensitive or private!
Monitor data breaches.
When there’s a catastrophic data breach, your private info can be compromised. You can check to see if any of your email accounts were part of a major data breach via Haveibeenpwned.com or Firefox Monitor. For any affected account, change the password ASAP and don’t use it again. You can also set up an alert on the aforementioned site to find out if any of your accounts are part of data breaches in the future—just use the site’s “Notify me” tab.
Audit your social media.
Abusers comb through social media accounts looking for private information they can leverage against you—an embarrassing tweet you forgot about, a photograph that gives away location information. Social media platforms also want you to share as much of your personal information as possible, so they often bury the privacy settings on your accounts and default those settings to “public.” Data brokers benefit from lax privacy settings, which make it easier to scoop up your info.
Review your bios, CVs, and personal websites.
Take a look at the personal information available via your professional online presence. To see if you’ve got PDFs of résumés or CVs floating around the web, try Googling the following: “[First Name] [Last Name]” filetype:pdf. (Those kinds of sophisticated searches are called “Google dorking” and, while dorky indeed, they’re very useful.) For any résumés or CVs you discover, be sure to get rid of your home address, private email, and private cell number (or replace them with public-facing versions of that info).
So you’ve discovered what’s out there and you might be feeling unsettled. Now what? The good news is there are steps you can take to remove existing private information and reduce the chances of it cropping back up. While there’s no silver bullet to safeguarding your privacy and your safety online, the goal is to make it harder for an abusive troll to cause you harm.
Set up Google alerts
For your full name, your phone number, your home address, or other private data you’re concerned about so you know if it suddenly pops up online, which may mean you’ve been doxed.
Scrub your data.
While it’s nearly impossible to prevent data broker sites from collecting your personal info in the first place, at least you can get a lot of it taken down. You can do it yourself for free, but that’s labor-intensive. Check out the Big Ass Data Broker Opt-Out List for a comprehensive list of data broker sites, with directions for how to remove your info. If you have limited time, start with the three major wholesalers: Epsilon, Oracle, and Acxiom. You’ll have to get into the habit of checking these databases twice a year, because your information can be republished even after it has been removed. You can also pay a service like DeleteMe or Reputation Defender to do those things for you. To learn what to expect when you use one of these services, check out this helpful review from OnlineSOS. And for more in depth guidance on how to get your data scrubbed from data broker sites, check out this helpful article from Consumer Reports.
Establish separate email accounts for separate purposes.
You want to have at least three email accounts: professional, personal, and “spammy.” Your personal email address is for private correspondence with close friends, family, and other trusted contacts—best not to list this address publicly. Your “spammy” email is used to sign up for accounts, services, and promotions. The email you use for work (whether you’re a freelancer or affiliated with a particular organization) is what you can list publicly. As with public-facing social media accounts, you may want to be sparing in how much identifying information you include in your email handle (eg, full name, ethnicity, birthday, religion, location, etc).
Tighten your settings on social media.
Be strategic about which platforms you use for which purposes. If you’re using a platform for personal reasons (like sharing photos with friends and family on Facebook or Instagram), tighten your privacy settings. If you’re using a platform for professional purposes (such as tracking breaking news on Twitter and tweeting links to your work), you may decide to leave some of the settings public—in which case, avoid including sensitive personal info and images (your birthday, cell number, location, home address, family member’s names and photos, etc.). Below are links to the privacy settings for several major platforms. For a deeper dive, check out the New York Times’ Social Media Security and Privacy Checklists.
Review your location settings.
Start by restricting location-tracking on as many apps as possible by checking the settings for each app on your phone; otherwise, your location data can be sold by shady apps to even shadier data brokers. To ensure that your posts, photos, and status updates on social media are not sharing your location in real time, check the settings for each platform and turn off location services. You might also consider scrubbing the metadata on all photos you post online; metadata can include the time, date, and location of a photo’s creation, which others may be able to access. You can check an image’s metadata using EXIF Data Viewer (available as an app or browser extension). To scrub metadata from photos, you can use a tool like ImageOptim or you can use this PRO TIP: download the Signal messaging app, text photos to yourself (which automatically scrubs their metadata), and then save the photos back to your phone.
Be conscious about third-party apps and services.
When you’re prompted to create a username and password for a new software or service, have you ever selected the option to “sign in” automatically via Google or Facebook? By doing this, you may be giving this third-party software or platform a back door to track your email or social media account or to try to access permission to view your contacts, photos, location, etc. It’s generally best to avoid creating accounts directly via Google or Facebook and use a password manager instead.
Be your own personal content editor.
Consider when and where you give out personal information online. Keep in mind that when you sign an online petition, the website owner could potentially choose to publish your information. Review all text in your tweets, Facebook messages, Instagram posts, etc. before you publish. Is there any personally identifying information about your location? Your contact information? Your loved ones? If you feel vulnerable to an online attack, it’s worth editing the text. Pro Tips: 1) To see what’s publicly available, be sure to log out of your account; 2) to see what’s visible to friends, ask a friend to pull up your account and screenshot it; and 3) if you’re worried about old tweets being weaponized against you, you can set up an autodeleter that will remove old tweets.
Consider using a pseudonym.
For many writers and journalists, this may not be an option—your name may well be your bread and butter, or you may take pride in associating your name with your published writing (as you should!). But if you have the flexibility or desire to use a pseudonym when publishing an article you know could be subjected to hateful online backlash—especially if you’re a writer just starting out in your career or undertaking a project unrelated to your everyday professional life—a nom de plume can save you from being targeted by more severe forms of online harassment while still ensuring that the public has access to your writing. This Gender and Tech Resources Manual, a project of the Tactical Technology Collective, offers additional guidance on this subject.
Remember: Your family and friends may be at risk of doxing as well.
If you believe you’re at risk for becoming a target of doxing, it can help to have a conversation with loved ones about their internet usage and what information they reveal about themselves online. You may also want to respectfully ask them to be careful about what they post about you and whether they tag you. High-profile targets of doxing can end up inadvertently exposing family members, especially if they’re a writer who covers a particularly controversial beat. (Reporters who cover white supremacy, for example, have increasingly found their families vulnerable to online abuse.)
The guidance above is adapted from the article Why You Should Dox Yourself (Sort Of), published on Slate.com in February 2020 and was developed in consultation with cybersecurity experts at Freedom of the Press Foundation.
If you need help implementing any of the guidance above or want to delve a little deeper, check out these fantastic, interactive, and user-friendly toolkits: Security Planner from Consumer Reports and Cybersecurity Toolkit for Journalists from the Global Cyber Alliance.