This is another in a series of articles by the Reporters Committee for Freedom of the Press covering legal issues that affect journalists. RCFP’s First Look Media Technology Fellow Jenn Henrichsen wrote this article.
Doxxing – named for docs or documents and also called doxing or d0xing – starts with publishing someone’s personal information in an environment that implies or encourages intimidation. Typically done online, the information then is used by others in a campaign of harassment, threats and pranks.
Journalists targeted by doxxing attacks, which are usually based on something they’ve written, find their personal and professional lives disrupted and sometimes turned completely upside down.
Doxxing is not unique to journalists. It has been a source of controversy for many years, including the well-known Gamergate debacle, where several female gamers were doxxed and still suffer significant, repeated online harassment and abuse.
The concept of doxxing is fluid, but it often starts with a slew of abusive phone calls and text messages from random numbers, sometimes in conjunction with a series of harassing tweets and emails. These can range from relatively benign messages to rape and death threats, such as those received by Slate journalist Amanda Hess.
In her January 2014 article for The Pacific Standard, Why Women Aren’t Welcome on the Internet, Hess describes how disoriented and terrified she felt when reading a series of tweets that threatened her with rape and death. Although Hess went to the police, little was done to effectively address the threat, and she still receives threatening messages.
The doxxing leads to attacks on multiple levels including the old order-pizzas-to-your-house prank.
Jezebel journalist Anna Merlan, recounted her experience in a recent article noting the food delivery was nothing “anyone with functioning taste buds would order.” It included “two large pies, one with triple cheese, triple sausage, triple salami, triple barbecue, hot sauce, half onions and half pineapple, the other with no cheese and triple sausage, plus a large bottle of Coke.” What spurred the abuse? She had written a blog post earlier that day calling out the 4Chan group out for engaging in a ballot-stuffing effort in a Time magazine poll of words to ban – the word “feminist” was leading the poll.
But the pranks get a lot more dangerous, including “Swatting.” Here, doxxers call in a false emergency or threat at your address requiring SWAT team response. Information security journalist Brian Krebs was swatted and the target of a Distributed Denial of Service (DDoS) attack on his website – all within 24 hours. The attacks were apparently in response to an article Krebs wrote about a service that can be hired to knock websites offline more than 6 months earlier.
Even media organizations which cover doxxing are not immune from attack. Shortly after Ars Technica wrote about the doxxing and the swatting attack against Krebs, it became a victim of a DDoS attack that used in part the same attack tool and user credentials that were leveraged in the DDoS attack against Krebs.
Some claim that journalists have committed their own form of “doxxing” by posting personal information about people online. These cases include, among others, Newsweek’s story which revealed the identity of the presumed Bitcoin inventor and the New York Times article thatpublished the street where Darren Wilson, the police officer who shot 18-year-old Michael Brown in Ferguson, Missouri lived.
But the motivation for journalists to reveal investigative information in the public interest is different from the harassment of doxxing and typically faces a more stringent litmus test before publication.
For example, when determining whether to publish personal details, such as an address or a name in a story, editors will likely consider whether the information had been previously reported or is widely available and whether it is important for the public to know. If it is, editors are more likely to publish. The New York Times faced these questions before publishing the names of undercover CIA agents in an April 2015 story on the drone program.
Ongoing online harassment can take a toll on journalists’ lives. Hess records every threatening message so she has evidence of the abuse to show police. She also reportedly lugs her protection order and case files around when she travels to be prepared should something negative happen. Others who have experienced online harassment have left the profession altogether – a significant and sad victory for those seeking to silence other voices.
Unfortunately, security researchers like Bruce Schneier predict doxxing will continue to increase, afflicting journalists and others who may express views perceived as controversial. Indeed, online harassment in general appears to be rising. Although hard data is difficult to gather, onlineharassmentdata.org found that more than 1 in 4 Americans has experienced online harassment – and anecdotal accounts continue to pile up.
Without a comprehensive solution involving the technical, political, and legal sectors, what can be done now for journalists to better protect themselves?
The first step is limiting the amount of personally identifying information on the Internet. Obviously, journalists need to keep some information public (work email address, Twitter profile, PGP key, etc.) so sources can contact them, but other information doesn’t need to be public.
Here are some simple actions journalists can take to help mitigate their risk of a doxxing attack:
- Protect your domain WHOIS information. If you have a personal blog or website, protect your domain WHOIS information by using a service that obfuscates personal information such as your address, phone number, and email address.
- Use two-factor authentication and strong passwords. Add two-factor authentication to your online accounts and beef up your passwords to limit the likelihood that your accounts will be successfully hacked. Many activists and some journalists now use Yubikeys, which are small devices registered with a service that supports two-factor authentication and only require a simple tap or touch to ensure your login is secure.
- Set up alerts in your name. Keep tabs on when your name shows up online. Set up alerts on Pastebin where a lot of hacked material is published, and also on Mention or Google.
- Opt out. Periodically search your name online and remove personally identifiable information from data aggregators like Spokeo, Pipl, Intelius, etc. or pay a service which will do it for you. Also install services, such as EFF’s Privacy Badger, Ghostery or Abine, which can help to prevent some of the online tracking and data collection in the first place.
These are just a few steps that journalists can take to help protect their information and mitigate the threat of doxxing.
Additional resources to help prevent or mitigate doxxing include: gamer Zoe Quinn’s anti-online hate task force, Crash Override Network; a three-part series by Ken Gagne of Computerworld; and reporting by Ars Technica staff editor Nathan Mattise about his experiences and suggestions to mitigate exposure to doxxing.
Doxxing isn’t a fad that is likely to burn out soon. It invokes serious intimidation, harassment and threats against journalists that could interfere with their reporting, place them in real danger and, ultimately, drive them from the work they love. By educating themselves about the practice and taking steps to mitigate doxxing attacks, however, journalists can stand up against those who seek to shut down a free press.