![[personal profile]](https://www.dreamwidth.org/img/silk/identity/user.png){kind=small}
beyondthescreentoday, we're going to talk about privacy, security and maintaining digital hygiene (also known as privacy hygiene or online privacy and safety).
this guide isn't comprehensive and is mostly to give folks an idea of exactly how doxxing works, who does it and how to mitigate damage that is caused by it in the event that this happens to you or someone you know. this is also to clear up some misconceptions around it, as it is boogeyman'd into seeming a lot more serious than it is in a lot of cases.
this is not going to be victim blaming anyone who has been doxxed in the past, but moreso to give power back to the average user and give you ways to protect yourself preemptively. being online is kind of like driving: way too many folks do it when they outta learn how to do it properly first, and the safest driver is a defensive driver!
with this disclaimer in place, let's start off with some background info about doxxing.
- what is doxxing?
per wikipedia: doxing or doxxing is the act of publicly providing personally identifiable information about an individual or organization, usually via the Internet and without their consent.
as a completely fictitious example:
CuteCoconut1123, or Coco to her fans on YouTube, is doxxed by a user when she lifts up a Starbucks cup with her real name on it, which is Megan S. She uses her real face and not an avatar in her videos, so searches on Facebook uncover an account with her photo attached to a Megan Smith. Users who analyze the backdrop of her videos narrow down her location to somewhere in the United States, and Facebook helps confirm her location as Spindle, NE.
Checking sites like Spokeo or Whitepages, users find an address for Megan Smith under 123 Maple St, then use housing sites like Zillow to cross-check internal and external photos of the house against the backgrounds of CC's videos. Further confirmation is established by going to Google Maps and looking at the stores, restaurants and other locations as shown in her videos.
After only 1 day of research, CuteCoconut1123 is confirmed to be Megan Smith, born December 31st, 1988, working as Customer Service Support at Purple Posie Designs who lives at 123 Maple St, in Spindle, NE. Her email address is revealed to be pretty_pisces_chica@hotmail.com and her phone number is (801) 111-2734. In the process, her family is confirmed to be husband of Kenneth Davis and a daughter named Brynn Smith-Davis...
this is just one way a user can be doxxed in ways they may not anticipate; in this example, CC never willfully admitted to a real name or a real location and simply filmed her life as it was. this is how elaborate a rabbit hole people go down when attempting to tie online identities to real ones, and how even seemingly minor or obscure information can be used to identify you.
doxxing isn't always used maliciously: there are cases where it has been used to put child predators and animal abusers in jail by providing this identifying information to the authorities, who were able to conduct official investigations and bring these people to justice.
while your average user is likely not a baby-grabbing puppy-kicking darkweb-posting psychopath, this is an example where doxxing has been used for the forces of good, even if it's most often used by trolls and bad actors. for the sake of simplicity, we're going to use the term doxxing as a shorthand for this kind of information collection from here on out, despite its less than savory reputation.
- OMG! but that's stalking and is definitely 100% illegal!
the act of collecting the data itself is often perfectly legal; names, addresses and other public records are sometimes known as Open Source INTelligence, or OSINT and are used by national security and law enforcement. sites used in the process of doxxing are not inherently illegal in their existence and count as OSINT, such as Facebook, Instagram and other social media platforms; "online phone books" (sites that aggregate names, addresses and phone numbers in one place using personal records) are another common tool in doxxing and OSINT. the part where it's collected and then provided publicly on social media is where things get a little more complicated.
some countries do have laws against doxxing, but many do not, and even then, in many situations what is collected is not really illegal to share because frequently, people who are doxxed have - at one point - posted the information themselves publicly in ways that were easy to find. what's usually the illegal part is the real-world harassment that follows, so if you're in a position where this has happened to you, you may be able to seek legal counsel depending on laws in your area.
- when you put it like that, this almost sounds like victim blaming...
no one is at fault for being doxxed, nor are they "asking for it" by posting their information online in the first place, so don't be gon on wit all that lol. with that said, this is something that can happen if you're not careful with your information online.
a lot of people nowadays (especially zoomers and gen alphas) aren't aware of just how many little things connect them here and there to their online identities and it can be difficult to figure out how best to protect yourself. this guide is here to help you, not blame you!
- OK, so how do we protect ourselves against this kinda bull mess?
that's what i'm here to assist with! follow me, and make sure you bring a fluffy towel and plenty of soap!
π΅οΈβοΈ PART ONE - HAVE I BEEN PWNED?
(in reference to the site where you can check if your email has been compromised in data leaks.)
when assessing your own potential for being doxxed, you must look at yourself the way a stranger would: if a very dedicated individual combed through your entire internet footprint, what could they learn about you that you posted of your own volition or from those you have willingly associated with?
people with long digital histories who have used the same username consistently are the most likely to be vulnerable to this strategy of data collection. while sites that have become defunct can protect you in some measures, you must think of any site at all that you've used and posted to that could be used. searching for your own username, especially if it's distinctive, on a search engine can lead you to an idea of just how many places can be used to corroborate your info.
demonstration time!
let's say you're pretty careful about ever posting selfies on your twitter which you established august 2020. that's all well and good, but you're still active on tumblr, which goes back to 2015, and you use the same username there. back in the old days, you posted a couple of times in a #gpoy tag. eh, not so bad, because you've always used an alias on tumblr and never posted about your real name online.
... unfortunately, you did, but it was aaaall the way back on a livejournal account you forgot the password to that got abandoned in 2009, and even though it's a different username from your tumblr, you shared your old livejournal name so your LJ peeps could find you again. without much effort, a user in pursuit finds you on livejournal with your real name and where you used to live in public entries.
but you've moved a billion times since then! plus you changed your name, and you look radically different - how are they gonna sniff you out?
well, when taking apart the contents of your personal tag on tumblr, they've identified that you started dating another tumblr user and so far, you haven't split up. on a whim, they see that this tumblr user lives in a different state according to their profile and your honey ain't so careful with their name and their pics, so they find your tumblr beau on facebook by looking up the name they go by and double checking the state they live in. and - lo and behold - you're partnered with them on there! and wouldn't you know it, your state matches their state. suddenly, you're thinking about every time you talked about cooking dinner together IRL...
to throw a wrench into things, despite using a psuedonym on facebook with a picture that isn't yours, your posts (when cross-checked against your tumblr, twitter and livejournal) make it clear that it's you through typing style and interests. since you befriended a lot of family on your facebook, it's merely a matter of trial and error before they narrow down which facebook relative posted a picture of you when you were younger, and they carelessly used your real name to boot. and the final nail in the coffin? they tagged you in it!
for many, that's enough to confirm identification, but some will go deeper and use this to go further in an attempt to identify where precisely you live and work.
again, this is to showcase how deeply many of these people will sift and just how little information they need to go off of. kinda spooky, isn't it? it really does not take much for many users to be found out, and even a lack of photos won't necessarily protect you.
when you think of all the usernames and places you've been and what you've exposed, be honest with yourself: just how easy is it to paint a picture of you, with all the publicly-facing info that you have? have you always used a pseudonym? have you been careful to never name your company, your industry (especially if it's tiny), anything that could link you to others? even photos of pets could lead to your downfall! do not underestimate what can be used against you.
when you analyze your content, you must be painfully aware of what could be used to link you to things, and remember that you aren't an idiot if you're easy to find, so don't blame yourself!
π΅οΈβοΈ PART TWO - OH, JEEZ, I'VE BEEN PWNED. WHAT NOW?
so you're easy to find! OK, don't panic, there are ways to fix this!
π get your ass off of Facebook, Instagram, LinkedIn or anything that generally expects people to use their real identities. if you can't be off these platforms for whatever reason (which is OK, no judgment there), privatize the hell of out of them.
change URLs/usernames to something completely disconnected from your online presence, change your picture and banner where applicable to something that is NOT YOU OR ANYTHING IDENTIFIABLE (such as pets or your artwork), and scrub all mentions of any real names or faces that could be used to connect anything. if possible, have conversations with friends and family about your concerns regarding online privacy; at the very least, have them delete or privatize any mentions of you.
(for estranged friends and family, it may be best to completely wipe your presence on their social media and start fresh, if you still wish to be on these platforms.)
furthermore, you can contact sites like spokeo, whitepages and other "phone book" websites and request for data removal, and it's usually quite easy - at least in the USA. these sites are a big source of finding your real life address, so it's worth searching yourself and seeing if you can be found easily. i'm not sure how it works in other countries but it's always something to investigate as an option in your neck of the woods.
π wipe anything relating to your IRL identity off your platform(s) of choice, and privatize your account without warning - if possible - before doing so. and i mean anything. selfies, pictures of pets, old videos of a loved one where you play the guitar and they sing along and it's super sentimental so that's why it stays up - if it can be used to identify you, it should go down. save everything offline; the goal isn't to destroy memories, but to privatize them. again, this is still applicable for ancient posts where people have deactivated and vanished from the internet and all you have left of them is funny asks they sent you because you're trying to anonymize, and these are things that can be used to figure you out. it is always a safer a bet to go underground with it, especially if you were much freer with info than you are now.
your goal here is just to pick apart your history and see what can be used to connect any dots about you, and if you've got a long history, it may take you a while. also, you might not be able to get everything because you can't control other people, so just do what you can on your part!
π DO NOT DRAW ATTENTION TO YOUR WIPE, especially if you are embroiled in a current conflict on platforms where there are more trollish, dark-hearted folks lurking; if you feel you are currently being watched, do not say anything. this will incentivize them to claw deeper and harder into your past under the assumption that you're likely hiding something suspicious. just make a point when times are calm to do some housekeeping.
π remember your PAPS: peas and potatoes separate! this is a shorthand term i coined myself, but it's in reference to how many kids keep their peas and potatoes separate on their plates because they don't want them intermingling. what this means is if you are going to have online accounts associated with your IRL identity and accounts where you let loose more, you should keep these accounts as separate as possible. and i mean separate: separate emails ideally from separate providers, separate phone numbers (if possible), pseudonyms, carefully edited photos to obscure tattoos or backgrounds if you're intending to post anything photographic - the works.
consider it like being a secret agent where you want to be as 'undercover' as possible. if that feels a bit like living a double life to you, that's kind of the idea: you don't want people trailing these things back to you unless you are comfortable with whoever you are giving this information to.
an easy way to do this is to not repeat usernames, icons, themes and other such things that, when pattern recognition is applied, could be used to identify you. if necessary, you may want to delete or deactivate old accounts you no longer use. get in the habit of having multiple names across multiple platforms or at least making 2 accounts (if you namesquat on platforms to avoid impersonation). whatever you're comfortable doing, do it.
π finally, ask yourself before you post: would i want my parents to see me posting this? not in the literal sense of your parents seeing what you post coz you a grown mf, but in the sense of how comfortable are you with your family, friends and peers seeing what you post online?
if this is a big concern for you, remember that you can never, ever un-post something, so make sure that when you post something that either A) you have done EVERYTHING possible to protect yourself from identification, and B) if the cat's out of the bag, you are not afraid of the consequences of it. i'm not trying to scare you into eternal lurkerdom, i'm trying to encourage you to think before you post for the sole reason that it cannot be undone. if you're confident in yourself, please, post away!
this will go triple for any photos of you, loved ones - and it goes quadruple if you're posting nudie pics online. if, say, you have an incredibly elaborate hexagonal tattoo sleeve and want to post dirty pics, you need to consider what you'd do if your brother went "dude have you been posting pictures of yourself sucking toes online?" i mean this as no shade to the toe suckers, but let's be real, a lot of us dont want to have that convo! and one way to stop these convos in their tracks is to be super careful about what you share, who you share it with and where you share it.
π΅οΈβοΈ PART THREE - POST-PWNAGE FAQ
- i've wiped myself front to back (digitally) but i'm still really nervous. what more can i do to keep myself safe? is there anything aside from totally abandoning the internet?
you don't have to go totally offline! remember that ultimately being doxxed isn't the issue, the harassment that may or may not follow is. if you endure any kind of harassment via email, through postage, through phone or even at your home/work place/residency of those you know and are affiliated with, consult your local authorities about what your options are. some places may think your hands are tied depending on degree of harassment and level of threat while others may be able to assist you further. if you are legitimately concerned about your safety and well-being, always contact the authorities and keep all of the evidence of it so they can pursue things further if necessary.
otherwise, people simply knowing your address or your real name is not usually cause for concern and, for the most part, there isn't much to be done with it unless someone is prepared to break the law and seek you out in person. still, stay vigilant and know what your options are, and if you live with others, discuss things openly and honestly so that everyone is aware of what to do if anything escalates. you must always prioritize safety and it's always better to be safe than sorry.
- i'm an online salesperson, so branding is everything to me - and so is having an established online history! do i really need to do all of this to protect myself when i'm just trying to peddle my wares?
not necessarily! you can still analyze your old archives and see if you can craft any kind of a paper trail for it. if you do any kind of IRL work where you interact with clientele both IRL and online, people may take pictures of you and upload them of their own volition - there is little to be done about that, so depending on the kind of shop you keep, you may want to establish a rule of 'no photos' and making sure your money-handling stuff is decently separated from your irl stuff where possible. most will be aware if you have privacy concerns but don't be afraid to blacklist people from working with you if they don't take you seriously or even expose you themselves.
when it comes to money, you'll often see legal names and addresses, so try to figure out ways you can safely transfer money between you and clientele without risking identification. overall, as a subject matter, this is something where it may be helpful to seek legal counsel as a business owner, especially depending on your country and the nature of what you sell.
- i'm not really a very interesting person; am i really at risk of being doxxed?
only by sheer virtue of the fact that really, everyone is. when not showcasing it for the world to see, casual OSINT isn't always about targeting "interesting" or "problematic" people; many simply view OSINT in a more sherlockian, puzzle-solving way. for a lot of folks, the thrill is in the hunt, and they have no purpose in using your information for anything aside from sating their own curiosity.
with that said, this guide was written under the presumption you may find yourself in the sights of people with nasty ideas on what to do with your info, so it's something to consider in regards to your personal comfort levels and what you're risking if you were to be exposed.
- influencers, streamers and other super high profile internet folks can post stuff with their real names/faces/locations/etc and they never seem to get doxxed! how do they avoid it?
they don't lmao and they are a perfect example of why it's better to be more private rather than less, because they are often victims of stalking and harassment IRL because they are so easy to track down the info of.
again, this isn't to blame them or anyone who is a victim of it, but i would definitely look at these people and ask yourself just how comfortable you might be of having AI deepfakes made of yourself and then sent to family (just as an example) because this is the price of fame. that doesn't mean anyone deserves it, but when you maintan a lower profile, you're also able to maintain a stronger degree of privacy. with internet recognition comes great responsibility and all that jazz, i think that's what uncle ben said?
- i got a question your silly little FAQ didn't answer.
please feel free to ask away! as a disclaimer, i do not work professionally in OSINT or any form of intelligence collection nor am i trained in it in any way, shape or form, BUT i'm familiar with the strategies used to collect OSINT by amateurs and laymen! though anything regarding more in-depth advice regarding legal protections and options, please seek legal counsel cuz i'm just some binch on tha intranets.
i believe in empowering others, and the best way to empower others is to teach them because knowledge is power! and part of my motivation in writing this guide is to try and protect very vulnerable people, who often have the most to lose when they are doxxed. if i can give advice on how to do damage control, that's all i'm here to do.
if you don't follow this guide, that isn't to say you're asking to be doxxed. risk assessment is all about making our own choices, and it's up to you whether or not you wish to be so private about yourself. this guide isn't to assume that there's "smart people" and "careless people," but to give those who want privacy an idea of what steps they can take to protect themselves. if you're happy where you're at, don't feel like you gotta change on my account - just know that this is something to consider if you haven't before.
with alla that, happy scrubbing - and don't forget to moisturize once you're all dried off!