There are few more toxic practices online than doxing, the distribution of someone's personal information across the internet against their will. It’s all too common, though, deployed regularly and devastatingly as a means to harass and intimidate. The practice is not limited to public—or briefly internet famous—figures either. Anyone can be a victim, at any time.
Doxing is an effective tool for bad actors, because the internet can cough up a shocking amount of publicly available information about practically anyone. And while there's no perfect defense against it, there are ways you can prepare for it—and help mitigate the fallout. WIRED spoke with Eva Galperin, the director of cybersecurity at the Electronic Frontier Foundation, a prominent digital rights group, about what the average person can do to deal with doxing.
WIRED: Who should be concerned about doxing? Does everyone need to be prepared, even if they don't think they're at specific risk?
Eva Galperin: Generally people don’t think about this stuff until it’s too late, so it’s good for everyone to have some sort of privacy and security posture set up before things go wrong. Especially if you are about to do something that’s going to attract you some attention, but even if you are just a woman on the internet.
What I tell people is: Google yourself, lock yourself down, make it harder to access information about you. People should definitely be aware of their public records, like their public tax records. And when you post your photos to Instagram, or you make posts to Facebook, or you tweet something about your location, people can take that stuff, put it into another context, and suddenly you have been doxed. What people can really give away about you is the stuff that you’ve already given away about yourself.
So think about the possibility in advance, and to have a plan, in the same way that you have a plan for all kinds of other emergencies.
WIRED: What does a doxing preparedness plan look like?
EG: See what’s already available about you. Be familiar with the Terms of Service of the various platforms you use. Learn how to properly file a takedown for when your information does get up there. Remove your name from people-search lists, take down information about yourself, make sure that your number is unlisted. Equality Labs has a great, thorough doxing guide that includes a number of opt-out links.
And in addition to doxing, you should be also concerned about the security of your accounts. If you have earned the attention of people who think it is worthwhile to dox you, they may also think it’s worthwhile to compromise your security and post things as you, or get more information about you by logging in as you to your accounts.
Definitely have long, strong, unique passwords. Use a password manager. Use two-factor authentication, and set it up when possible with a security key or an authentication app rather than text messages. I would also recommend calling up your cell company and telling them to lock down your account, giving them a password to use so that nobody can hijack your SIM.
WIRED: If you’re ever being actively doxed, how should you collect yourself? What are the most important first steps?
EG: The first thing you should do is to assess how much mental bandwidth you have for this. Everyone has a different breaking point, a different amount of tolerance for harassment, and different feelings about what constitutes a threat. And your tolerance for risk can change over time.
For example, you might have a relatively thick skin about threats one day, but then maybe you have kids and suddenly your tolerance for threats to your home goes down considerably.
If you’re being targeted, I recommend basically locking down all of your accounts for a while. Maybe even appoint someone else to watch the situation for you so that you don’t have to. Let somebody else do all of the emotional labor of dealing with these threats, and tracking them and reporting them to the platforms, because it can be really, really hard on a person mentally. You don’t have to do this alone. You have a network of support.
WIRED: How responsive are platforms like Facebook and Twitter to takedown requests during an attack?
EG: The good news is that doxing is against the Terms of Service of just about every web platform I can think of. So you can report the doxing to the platform, they'll usually suspend the person’s account, or force them to take the post down or delete the post in question. But if you’re facing really coordinated harassment, sometimes by that time it’s too late, because they can amass a troll army at that point. They can keep changing platforms.
That's why it's good to have a plan, and a backup person who will be your right hand in an emergency. If you’re being doxed, it can sometimes be in conjunction with something else terrible that’s happening to you. So you want to be able to get some distance from the whole situation.
This interview has been lightly edited for clarity.
More Tips for Civilians: Stay safe from phishers, lock down your smartphone, master password tips, and, if you have kids, keep them safe online.
Activist? Journalist? Politician? Consider Yourself a Target: Start by encrypting everything, sign up for Google Advanced Protection, take a tour of Tor, and deploy physical measures to increase your digital security.
Professionals Are After You. Time to Get Serious: If you think they’re onto you, remove the mic from your devices, find bugs, and (worst case scenario) dive down the paranoia rabbithole.
