Infosec 101 - Preventing Doxxing

Infosec 101 - Preventing Doxxing

Steps for Protecting Yourself from Doxxing

Intro

What is doxxing?

Doxxing is a technique of tracing someone or gathering information about an individual using sources on the internet. Its name is derived from “Documents” or “Docx”.

Why doxx?

Doxxing is a method of intimidation often intended to threaten or silence someone.

People can use leaked information to harrass, not just the targetted individual, but their friends and family as well. Sometimes employers are contacted in hopes that those doxxed will be fired for their beliefs.

With so much information publically available on the internet--posted by either companies or ourselves--both fascists and anti-fascists use this tactic against their opponents.

Strategy

Relative privacy via maintaining distinct spheres

This part of the guide assumes you have one or many online presences. This could be social networks, message boards, job sites--anything you need to log into.

Often in doxxes, information is not collected in one single place but triangulated from many sources. Do you spend your time on r/politics or your loose Facebook aquaintence's wall debating? Do you frequently like or repost statuses from radical Instagram or Twitter accounts? Do you have images or personal information on job boards?

Each on their own may not be a problem, but together they can be dangerous. Ask yourself:

How separate are each of these accounts/identites?
What is public? What is private?
What does public and private mean in the context of each site?

Take a moment to think about the way in which all of these spheres overlap IRL.

Does your job allow you to be your political self?
Do you filter some or all of your social media content from relatives?

And futher still....

Are there any references to illegal activies?
Do you filter some or all of your social media content from relatives?

What follows are a few examples of someone's online presence across sites. While the examples use six different categories, there could always be more.

Relatives - How open is the relationship between you and your blood/legal relatives? What could a stranger, having information on just one person in this network, discover about the others?
Politics - Do you discuss or post about your political beliefs online? If so, on which platforms?
Friends and Community - If you have social media, who are your friends? your followers? In what ways do your online communities reflect your IRL communities?
Hobbies - What hobbies do you have? Do you have friends and community through them? Are you a part of any internet communities dedicated to those hobbies?
Legal - Who are you on paper? What names, phone numbers, and addresses are you tied to? Do any of your accounts have this information? Any other sites (probably without your permission)?
Career - Does your job require an online presence, a website, or a social media account? Would there be a problem if your politics overlapped with your career or is your career in some way tied to your political identity?

These are just a few examples. Maybe they overlap in ways making some redundant, or maybe there are some these categories don't take into account. However, given that many people are present online with different goals, it can be useful to think about how you're represented in each.

Let's examine a few examples:

Dangerous online presence

This person's online presence isn't very safe because there is far too much overlap. Even if their Facebook and Instagram are private, from a Twitter or message board post, one can get their username from other sites.

Or perhaps their legal name is known. With enough digging on various snoop sites, it'll be possible to find relatives and perhaps even their contact. Snoop sites will often link to social media accounts as well. While the younger generation tends to be better at keeping their accounts on lock, their older relatives generally aren't. One simply has to search the relatives' public accounts for pictures, friends, or other details and all your security would be rendered useless.

Somewhat safer online presence

What makes this one safer? The most significant difference is now one essentially has two selves: one legal and professional, the other radical.

This is okay, but still poses many risks. First, it requires that one be extremely careful about not letting the two identies overlap. No shared emails. No adding relatives on Facebook. No way of tying the legal you to your hobbies or politics.

A minor but significant difference is separating one's politics from one's hobbies (I'm assuming here one has hobbies outside of politics). This doesn't mean you have to IRL, but there isn't a good reason for the same account to debate politics on Reddit one moment and asking for motorcycle help the next.

Another somewhat safer online presence

The key difference here is that one's source of income is no longer tied to one's legal self. This approach may be better for artists and craftmakers, but it does rely on a clean split, never having used one's legal name tied to one's work.

One's work likely relates to one's hobbies, and if one creates things that are political in nature, it becomes hard to separate--especially from one's friends and communities. Here, separate social media with clear distinctions is an absolute must, and while a private personal account could promote one's work, accounts relating to one's work must completely avoid anything personal.

It's important to note that these are only suggestions for how to craft one's digital presences and not a set of rules. Strictly adhering to them may not protect your identity, and one may luck out and fly under the radar without thinking through their presence to such an extent.

And yes having absolutely no online presence is perhaps the safest, but people have grown accustomed to having a digital presence and should not need to give it up if they find it fullfilling.

The original article has a useful tool at this point which you can use to map your own online presence - please refer to the original to use this.

Tactics

Managing your online presence on a site-by-site basis

Now that you have a fuller picture of where different parts of you exist online, you can start to unravel the pieces you want to keep separate. Start by creating new accounts and usernames. Go back and delete content that doesn't fit with with what you want each persona to be.

Put everything on lock. If it's personal, opt for the strictest privacy settings. If it's political and public, make it untraceable to you. Perhaps create new identities entirely.

Delete everyone you cannot personally verify and unfollow any radical account you're not entirely certain of. On and outside of social media be wary of honeypots.

(Honeypots are fake profiles or pages fascists and anti-fascists create to collect and network profiles of the other.)

Social Media

Social media is often a starting point for being doxxed. What information is public? What accounts are linked? What information can be gained about someone's network?

Facebook - Facebook is pretty awful when it comes to privacy defaults, but fortunately, there is an up-to-date guide to setting privacy settings.
Instagram - Is your Instagram private? If not, is there any political content? Are there photos of you or your loved ones? Could you vouch for every one of your followers?
Twitter - Twitter is a bit of an outlier because people often use it as a platform to be public, which is fine if it is separated entirely from all other accounds. If it's linked in any way, however, you'll want to set it as private.

Online Networking

To quote one private investigator, LinkedIn is the worst thing to happen for privacy and yet the best thing to happen for people who make a career of finding others.

Are you actively looking for a job and would benefit from having a public LinkedIn? In that case, it may be an unfortunate necessity, and your best option is to separate your legal online presence from all others. Even still, ask yourself what information is necessary. Do you want your address and phone number accessible to anyone who downloads your résumé? How close could someone get to your other identities by weeding through your high school's or university's graduating class with the years you have listed?

People tracking sites

Numerous sites exists for tracking people and publish personal details without their consent. Sometimes, a little work will get you removed. Other times, what they have is there for anyone who puts the time and effort into finding it out.

Finding all of these sites and navigating their policies can be the biggest headache of this process, but the more you remove, the deeper someone will have to dig. Hopefully too, if your legal identity is separate enough from others, people won't have a starting point. Instead of going through each of these sites, here is a list of links that will hopefully remain up-to-date:

Motherboard's list of sites to opt out of with links
A guide to for opting out of the most popular search sites.
Privacy Broker's list of 3rd party data collection sites.
Another massive list of sites to remove yourself from with rating about how easy each are.

Hacks, etc.

Despite maintaining a crafted and innocuous online presence, you could still fall victim to being doxxed. Up until now, this guide has focused on the legal means anyone with time and energy can use to find information about you, but there are other ways of obtaining data. Your account could be hacked. Though it's not likely someone will crack you gmail password, data breaches are fairly common. Even if someone isn't a hacker, they can by hacked data.

This is why, when separating online personas, different usernames and circles may not be enough. Think back to the graph and ven diagrams. Each self should rely on a different email account with a different password. A password vault will keep you from having to remember dozens of passwords. Two-factor authentication may be annoying, but it could prevent someone from logging into your account.

haveibeenpwned.com tracks data breaches. Enter your email and test it out. If any accounts have been breached, change everything that shares and email or password.
Remember when Equifax got hacked with all that personal data? Here you can see if you were affected.

questions || concerns || innacuracies || more info -- reach out to smilingfacecollective@protonmail.com