What the hell is doxxing?


Many of you are probably a bit puzzled by the title. I’m going to be a bit pedantic here about terminology, but there’s a reason. You see, the point of a language is for us to have a common set of agreed-upon “words” that have “meanings”. As EVE players I know much of the community will simply repeat a word they like ad nauseum (see: pubbie) without knowing the meaning or really even understanding what they’re talking about, so here’s a fun lesson in the ridiculously miniscule details of the language we use to describe bad activity related to people’s personal data. I am NOT going to be calling out individual examples from EVE as much as some people deserve a very public stoning. The purpose of this piece is education. I know a thing or two about the subject because my background is that of an investigator. If you’re going to sling mud you will be able to do so when we are done here with the conviction of a mudslinger who KNOWS THINGS!

create some risk or implied risk to you personally

In order to help explain what I’m going to discuss here I guess we should start at the beginning. The whole point of what a “doxxer” is trying to do is create some risk or implied risk to you personally by stripping away the anonymity provided to you by the internet. The typical personal information, but not all of it, includes the following:

  • Full real name
  • Physical address
  • Demographic information (married, kids, sports teams, job, etc)
  • Social security information
  • Social media profile information
  • Email addresses
  • Physical phone numbers
  • Any of the above about your family

That’s not an exhaustive list. I think we can all grasp numerous additions to this list for blackmail value such as OK Cupid accounts. The bottom line is that these items are the typical target of a potential “doxxer” but the important difference to note here is that having knowledge of any of the above or seeking it out is not actually “doxxing”. To help with understanding that we can assume there are three basic ways for people to obtain said information:

  • They may know you personally
  • They may have access to this information from a service provider or government entity
  • They may use Open Source Intelligence or OSINT to assert the information

The first two may seem pretty common sense but they’re pretty rare. Something about being creeps to people on the internet for kicks tends to create more separation between the pursuers and their victims. The damage done is not as attractive to all but the most ridiculously socially damaged person in an up-close-and-personal context. Creeps tend to want distance between themselves and the damage they’ve done for a number of reasons, including the fact that, like most people, they are hypocrites. Let’s discuss some of the above before we get into doxxing itself.

Having someone who personally knows you release your details may seem obvious at first but you’re thinking too linearly. It’s not going to be your mom who dishes your dirt but it’s also not necessarily going to be someone you know all that well either. Talk too loud at dinner about EVE? That waiter may very well also be a player. I’ve personally had experiences just wandering around downtown Reykjavik and being recognized. It’s also one of the reasons that I insist we use codewords to discuss projects in the places I’ve worked. Everyone is out to steal your shit all of the time, but more often than not, you’re just giving it to them anyway. Being even mildly mindful of who could be listening to you is as much as most can ask for here.


Specifically videogame companies and media are often targets

Someone having access to a data repository you’ve given your information to is much more common. Many people don’t know this for some reason, but for years hackers were inside major data broker’s environments. This access gave them the ability to obtain and sell a ridiculous amount of personal information. In many cases keeping this quiet would be the most profitable course of action, but if we’re all being honest here, most of you don’t really have anything of value for these folks to sell except maybe your credit. I’ve never studied the creditworthiness of your average EVE player, so for all I know you are some hot commodities, but as it stands in a data dump like these it would be hard for you to be found. That’s not the case with everything however. Many many major providers who have your information have been compromised. Specifically videogame companies and media are often targets, and guess what I have if I have a list of game-related usernames and passwords? Access to potentially a bunch of videogame nerds personal data. Same password and email on your email as that cumlordthegame.com website? Well now we all have it and you’re just sitting there waiting to be important enough to get owned.

It’s important to note with the above that this isn’t restricted to your real life information. EVE data has its own delicious value. There have been EVE groups in the past who have not hesitated to stoop to using known vulnerabilities in forum packages and other things in order to obtain database dumps of the forums. There is a wealth of personal data in those dumps in the form of emails, passwords, private messages, private posts and IP addresses. Yet even when the salacious details of a person’s personal relationships are ripped wholesale from these private messages and made public (“doxxing” but we’ll get to that) we still laugh it up because it’s EVE. It isn’t. I am all too guilty of this particular transgression myself.

Lastly, we have the most common of the creepy arts, Open Source Intelligence. Wikipedia defines Open Source Intelligence the following way:

Opensource intelligence (OSINT) is intelligence collected from publicly available sources. In the intelligence community (IC), the term “open” refers to overt, publicly available sources (as opposed to covert or clandestine sources); it is not related to opensource software or public intelligence.

That’s a lot of words to say basically that the way it’s applied here is that people use the data they have about you in order to determine your personal identity by using the clues you leave strewn about the internet. I happen to have used this as a professional tool in the past, so I’ll break down a bit of my method so you understand. It’s typically gone like this:

  • I focus on the data I know. If it’s a reddit or forum account I look at the user’s posting history. I read every single post they’ve ever made and I take notes. “Mentions a kid”, “Kid is 6”, “Commutes from X but lives in Y”. You get the point.
  • This isn’t set in stone because sometimes it’s quicker just to follow the online identities. A verified email for instance can lead to a number of different social media accounts. The point here is to collect as many of the user’s online accounts as possible and then do the same as the above. You go where the investigation takes you not the other way around.
  • The above notes now become more important because once I have social media accounts and some personal details I can usually suss the person out and those notes provide me with varying degrees of confidence in my information.
  • In addition, in the course of the above, I may end up with material sensitive enough to be embarrassing. Criminal convictions for instance are public information in many places. It’s not always knowing who you are that matters so much as knowing there’s information that can be used to manipulate you. I don’t have a need to blackmail people, but any information I have in advance during an investigation allows me to build a profile that can help determine a course of action.

At the end of the day the point is to stalk you on the internet like a creep in order to find something you don’t want them to find. No matter how much they creep on you on the internet however, that’s still not doxxing. That’s just being a creep.


Doxxing strictly speaking is taking the information gathered above by being a creep and crossing the threshold by making that data publicly available. As far as I know, this started as a game among computer criminals in order to embarrass each other. Hacker A would be mad at hacker B, sort out who he thought he was and publish his details on the internet. Had the hacker merely threatened them directly he would have HAD their dox but he would not have doxxed. You do not dox someone by googling their name or being a super wicked master of running Maltego transforms. There are many cases in which that behavior is considered unsavory but at the end of the day, distasteful as it may be, that’s NOT doxxing.

I only say this because it comes up a lot in the press and if we’re going to be hurling accusations at people we should know what we’re accusing them of. The act of looking someone’s shit up on the internet is just being a creep. YOU put the data there for them to leetly google up. That doesn’t make it right but it’s not doxxing. Doxxing does not occur until they take that information and share it with others and that’s the mildly misleading part here. You see, even if that data is only shared in your creepy space chatroom, as long as it’s shared, it’s doxxing. No ifs, no ands, no buts, no but-I-only-gave-it-to-my-friends’s. If it wasn’t yours to share and you shared it, that’s doxxing.

So the next time you’re writing an angry forum or reddit post, especially when you’re making an accusation, you might want to take a good look at what the words you’re using mean. Telling someone you know where they live is creepy, but unless you’re publishing their address, you’re still just a creep. Asking someone for their FB profile is creepy but unless you’re sharing it with others you’re just a creep. That doesn’t mean creeps shouldn’t be shunned or looked down upon if that makes you feel morally righteous, but rather that it’s just not doxxing – which by the way they could very well do, so there’s at least some restraint being shown here. Let’s all do our best to keep that in mind the next time we go racing out to rage at someone because, if we’re being honest, when someone accuses someone else of doxxing for having the temerity to do a google search, they sound pretty silly to someone who knows what the word means and when we use words incorrectly, people stop listening because we aren’t making any sense.

Make sense.


Tags: Darius Johnson, doxxing

About the author


Darius JOHNSON is the former two-time CEO of Goonfleet / Goonswarm Federation, a former CCP developer (CCP Sreegs) and former CSM 1 & 2 member.

  • Dirk MacGirk

    Well-written article. I’m not sure it does much to curb the behavior (or the varying degrees of tolerance of it) but the article itself was informative and on point.

    BTW – I’m not sure where Niden got that picture of me from 1984, but I must have posted it somewhere. Why you googling me Niden?

    • Rob Kaichin

      I suspect that the tolerance of it would go way, way down if CCP treated it like they did RMTing. Banning a guy presumptively because he and his friends are party to it would eliminate the practise almost entirely.

      (And if it was driven deeper underground, well, all you need is one guy to leak it and they’ll all go down.)

      • Dirk MacGirk

        you want to see bans based on leaks? I sure as hell don’t. Because leaks can be created out of whole cloth or altered. CCP isn’t going to start slapping bans on anyone for things they can’t adequately authenticate. Which is why nobody gets banned because someone casts an accusation of RMT. No matter how elaborately detailed the story or the evidence of chat logs and hearsay.

        On a slightly different note, its always interesting to see the outcry related to doxxing and other forms of cyber wrongdoing, yet so many think entities like Anonymous and Wikileaks are just A-OK. So long as they’re giving it to “the man.” None of it is OK and creates an incredibly slippery slope to where individuals think its all fun and games.

        • Darius JOHNSON

          So I’m clear my intention with this article isn’t to gauge or even discuss morality. It’s to provide explanation of some subject matter that is currently relevant. RE: wikileaks and anon, well anyone who knows me knows my opinion on those subjects.

          • Dirk MacGirk

            I thought the article was spot on with regard to your clearly stated intention. As I said in my first post, “the article itself was informative and on point.” Anything outside of that was general commentary.

          • Darius JOHNSON

            It’s cool I’m seeing a lot of morality discussion about it and I think it’s great that it’s thought provoking. Just not my cup of tea.

          • Aderoth Anstian

            Now I’m curious how you feel about wikileaks and anonymous 🙂

      • Fearlesslittletoaster

        Think about this for a moment here. If this idea was implemented as you wrote it you could take down an entire corp just by logging into their services and posting somebody’s personal information. Plus, how is CCP supposed to know the victim is even real? I have a minimal background in security related stuff, but even with that I could create a fairly convincing fake victim with a few hours of effort. You are basically saying CCP should do the job of a real world police force without any of the resources.

        Don’t get me wrong I understand where you are coming from but before you propose a solution to a problem give the implementation a thought or two. Oftentimes the cure would cause more harm than the disease.

    • Fearlesslittletoaster

      You, sir, have just claimed the mantle of Hackerman. Through the unmatched power of 1980s computers and his mustache he can warp time and space itself to his will; you simply do not rate even to call yourself a pale shadow of his glory. Watch this video and be humbled, fool.


      • Niden

        I confess it was I that put the amazing Hackerman up there. Obviously, none of us can compare to his uncanny computer skills. I once saw him hack a toaster into a DeLorian.

    • Niden

      Dirk, do what fearless says, now. You M U S T see Kung Fury. M U S T. It’s the best 30 minutes looking into a screen you will ever have.

      • Jare

        But don’t watch it twice… not good the second time

        • Niden

          I’ve seen it 5 times. Still a masterpiece.

  • The line between: looking up publicly available info AND sharing that info (after compiling it from public available sources), is still not clear for me, however I dont do any of those so… whatever. Maybe I don’t understand something here.

    • Darius JOHNSON

      One is classically referred to as “Using the internet” albeit for the purpose of obtaining information about an individual on the internet for whatever reason. It’s used very often to identify criminals or military targets. There’s a lot of completely good reasons to be using OSINT. Making that data available to others, provided the data is identifiable, meaning that you can identify the person purely from the data that has been shared, rather than keeping it to yourself is what doxxing is.

      • Lets say some dude writes two different posts in eve-forum: 1st he identifies himself as John, and 2nd he calls himself Mr. Smith.
        So in the future if I talk about him and call him John Smith in front of others, am i doxxing?
        I always thought that this involved “obscure” and not “completely legal” ways of acquiring said info. But you say that referring to info given freely and publicly (by someone) that can be used to identify that someone, is doxxing?

  • Loan Wolf

    its also against the tos and can get you banned like number one on the list lol
    1.You may not abuse, harass or threaten another player or authorized
    representative of CCP, including customer service personnel and
    volunteers. This includes, but is not limited to: filing support tickets
    with false information in an attempt to gain from it or have someone
    else suffer from it; sending excessive e-mails, EVE-mails or support
    tickets; obstructing CCP Employees from doing their jobs; refusal to
    follow the instructions of a CCP Employee; or implying favoritism by a
    CCP Employee.

  • Curious Guy

    Just for clarity… if somebody’s information is found on google, and you tell your friend to use google to find it again… is that Doxxing?

    Or is Doxxing = getting information that is NOT publicly available, and sharing it?

  • schwaboy

    Did you know that if you type the word “doxxing” on twitter, a dozen or so angry twitter bots will respond to you and inform you that the correct spelling is “doxing”?

  • Jan Koxsos Kopecky

    Well good to know stuff.
    Someone once told me I should NOT have a link to my facebook profile in my avatar note or goons might come and kill me, is there any truth to this?

  • Dante Daniel Campbell

    That was awesome. Nuff said

  • Saint Michael’s Soul

    I shall leave these phrases here to anyone who has ever doxxed, or has even considered it: “Don’t be a dick”, “It’s only a game” and “Get a life fuckwad”.

  • Canenald

    Thanks for the great clarification. I too am pretty pissed off by people flinging the word doxxing (much like awoxing) around trying to make other people look bad. Can you clarify one more thing though? I’ll take myself as example. I have a twitter account for my character. It’s simply @Canenald. I don’t have a private account. I’ve lately started tweeting about things unrelated to EVE, and I’ve even put my account in my npm profile, along with my private accounts such as email, github account and a RL photo (pull from gravatar automagically and fuck removing that). My question is, if someone “creeps” on me like that and outs my RL identity, is it really doxxing? Sure, it’s a shit thing to do, but I wouldn’t call it doxxing. I’d say for something to be a doxx, you have to at some point use a piece of information that’s not public, for example someone’s email address he or she used to register on your forums or maybe a contact he or she shared of those forums (not public because it’s only visible to other registered members). Please correct me if I’m wrong.