What the hell is doxxing?

 

Many of you are probably a bit puzzled by the title. I’m going to be a bit pedantic here about terminology, but there’s a reason. You see, the point of a language is for us to have a common set of agreed-upon “words” that have “meanings”. As EVE players I know much of the community will simply repeat a word they like ad nauseum (see: pubbie) without knowing the meaning or really even understanding what they’re talking about, so here’s a fun lesson in the ridiculously miniscule details of the language we use to describe bad activity related to people’s personal data. I am NOT going to be calling out individual examples from EVE as much as some people deserve a very public stoning. The purpose of this piece is education. I know a thing or two about the subject because my background is that of an investigator. If you’re going to sling mud you will be able to do so when we are done here with the conviction of a mudslinger who KNOWS THINGS!

create some risk or implied risk to you personally

In order to help explain what I’m going to discuss here I guess we should start at the beginning. The whole point of what a “doxxer” is trying to do is create some risk or implied risk to you personally by stripping away the anonymity provided to you by the internet. The typical personal information, but not all of it, includes the following:

  • Full real name
  • Physical address
  • Demographic information (married, kids, sports teams, job, etc)
  • Social security information
  • Social media profile information
  • Email addresses
  • Physical phone numbers
  • Any of the above about your family

That’s not an exhaustive list. I think we can all grasp numerous additions to this list for blackmail value such as OK Cupid accounts. The bottom line is that these items are the typical target of a potential “doxxer” but the important difference to note here is that having knowledge of any of the above or seeking it out is not actually “doxxing”. To help with understanding that we can assume there are three basic ways for people to obtain said information:

  • They may know you personally
  • They may have access to this information from a service provider or government entity
  • They may use Open Source Intelligence or OSINT to assert the information

The first two may seem pretty common sense but they’re pretty rare. Something about being creeps to people on the internet for kicks tends to create more separation between the pursuers and their victims. The damage done is not as attractive to all but the most ridiculously socially damaged person in an up-close-and-personal context. Creeps tend to want distance between themselves and the damage they’ve done for a number of reasons, including the fact that, like most people, they are hypocrites. Let’s discuss some of the above before we get into doxxing itself.

Having someone who personally knows you release your details may seem obvious at first but you’re thinking too linearly. It’s not going to be your mom who dishes your dirt but it’s also not necessarily going to be someone you know all that well either. Talk too loud at dinner about EVE? That waiter may very well also be a player. I’ve personally had experiences just wandering around downtown Reykjavik and being recognized. It’s also one of the reasons that I insist we use codewords to discuss projects in the places I’ve worked. Everyone is out to steal your shit all of the time, but more often than not, you’re just giving it to them anyway. Being even mildly mindful of who could be listening to you is as much as most can ask for here.

NCIS-hacking

Specifically videogame companies and media are often targets

Someone having access to a data repository you’ve given your information to is much more common. Many people don’t know this for some reason, but for years hackers were inside major data broker’s environments. This access gave them the ability to obtain and sell a ridiculous amount of personal information. In many cases keeping this quiet would be the most profitable course of action, but if we’re all being honest here, most of you don’t really have anything of value for these folks to sell except maybe your credit. I’ve never studied the creditworthiness of your average EVE player, so for all I know you are some hot commodities, but as it stands in a data dump like these it would be hard for you to be found. That’s not the case with everything however. Many many major providers who have your information have been compromised. Specifically videogame companies and media are often targets, and guess what I have if I have a list of game-related usernames and passwords? Access to potentially a bunch of videogame nerds personal data. Same password and email on your email as that cumlordthegame.com website? Well now we all have it and you’re just sitting there waiting to be important enough to get owned.

It’s important to note with the above that this isn’t restricted to your real life information. EVE data has its own delicious value. There have been EVE groups in the past who have not hesitated to stoop to using known vulnerabilities in forum packages and other things in order to obtain database dumps of the forums. There is a wealth of personal data in those dumps in the form of emails, passwords, private messages, private posts and IP addresses. Yet even when the salacious details of a person’s personal relationships are ripped wholesale from these private messages and made public (“doxxing” but we’ll get to that) we still laugh it up because it’s EVE. It isn’t. I am all too guilty of this particular transgression myself.

Lastly, we have the most common of the creepy arts, Open Source Intelligence. Wikipedia defines Open Source Intelligence the following way:

Opensource intelligence (OSINT) is intelligence collected from publicly available sources. In the intelligence community (IC), the term “open” refers to overt, publicly available sources (as opposed to covert or clandestine sources); it is not related to opensource software or public intelligence.

That’s a lot of words to say basically that the way it’s applied here is that people use the data they have about you in order to determine your personal identity by using the clues you leave strewn about the internet. I happen to have used this as a professional tool in the past, so I’ll break down a bit of my method so you understand. It’s typically gone like this:

  • I focus on the data I know. If it’s a reddit or forum account I look at the user’s posting history. I read every single post they’ve ever made and I take notes. “Mentions a kid”, “Kid is 6”, “Commutes from X but lives in Y”. You get the point.
  • This isn’t set in stone because sometimes it’s quicker just to follow the online identities. A verified email for instance can lead to a number of different social media accounts. The point here is to collect as many of the user’s online accounts as possible and then do the same as the above. You go where the investigation takes you not the other way around.
  • The above notes now become more important because once I have social media accounts and some personal details I can usually suss the person out and those notes provide me with varying degrees of confidence in my information.
  • In addition, in the course of the above, I may end up with material sensitive enough to be embarrassing. Criminal convictions for instance are public information in many places. It’s not always knowing who you are that matters so much as knowing there’s information that can be used to manipulate you. I don’t have a need to blackmail people, but any information I have in advance during an investigation allows me to build a profile that can help determine a course of action.

At the end of the day the point is to stalk you on the internet like a creep in order to find something you don’t want them to find. No matter how much they creep on you on the internet however, that’s still not doxxing. That’s just being a creep.

Hacking

Doxxing strictly speaking is taking the information gathered above by being a creep and crossing the threshold by making that data publicly available. As far as I know, this started as a game among computer criminals in order to embarrass each other. Hacker A would be mad at hacker B, sort out who he thought he was and publish his details on the internet. Had the hacker merely threatened them directly he would have HAD their dox but he would not have doxxed. You do not dox someone by googling their name or being a super wicked master of running Maltego transforms. There are many cases in which that behavior is considered unsavory but at the end of the day, distasteful as it may be, that’s NOT doxxing.

I only say this because it comes up a lot in the press and if we’re going to be hurling accusations at people we should know what we’re accusing them of. The act of looking someone’s shit up on the internet is just being a creep. YOU put the data there for them to leetly google up. That doesn’t make it right but it’s not doxxing. Doxxing does not occur until they take that information and share it with others and that’s the mildly misleading part here. You see, even if that data is only shared in your creepy space chatroom, as long as it’s shared, it’s doxxing. No ifs, no ands, no buts, no but-I-only-gave-it-to-my-friends’s. If it wasn’t yours to share and you shared it, that’s doxxing.

So the next time you’re writing an angry forum or reddit post, especially when you’re making an accusation, you might want to take a good look at what the words you’re using mean. Telling someone you know where they live is creepy, but unless you’re publishing their address, you’re still just a creep. Asking someone for their FB profile is creepy but unless you’re sharing it with others you’re just a creep. That doesn’t mean creeps shouldn’t be shunned or looked down upon if that makes you feel morally righteous, but rather that it’s just not doxxing – which by the way they could very well do, so there’s at least some restraint being shown here. Let’s all do our best to keep that in mind the next time we go racing out to rage at someone because, if we’re being honest, when someone accuses someone else of doxxing for having the temerity to do a google search, they sound pretty silly to someone who knows what the word means and when we use words incorrectly, people stop listening because we aren’t making any sense.

Make sense.

 

Tags: Darius Johnson, doxxing

About the author

Darius JOHNSON

Darius JOHNSON is the former two-time CEO of Goonfleet / Goonswarm Federation, a former CCP developer (CCP Sreegs) and former CSM 1 & 2 member.