Reading Time: .
In Germany, the first judgment for doxing was recently handed down. A 22-year-old had collected the private data of numerous celebrities and published them online. This case demonstrates the importance of protecting our confidential data and digital identities.
Politicians, artists, and journalists are used to being in the public eye. It is an entirely different matter, however, when their private data are suddenly made available to everyone on the internet, which is what happened almost two years ago.
A man from the small town of Homberg in Hessen had collected the personal data, including the home addresses, phone numbers, credit card numbers, as well as correspondence, of many public figures, and he then proceeded to gradually publish them in a kind of “Advent calendar” on Twitter at the end of 2018. The more than 1,000 victims included the leader of the Green Party, Robert Habeck, as well as the satirist and TV host Jan Böhmermann. It is the most extensive known case of doxing in Germany to date, which resulted in the 22-year-old being given a nine-month suspended juvenile sentence at the end of September.
What is Doxing?
Doxing or doxxing is the practice of collecting personal data on the internet and then subsequently publishing it, usually with malicious intent towards those affected. The term is derived from the word “docs” (or “documents”), and it is short for “document tracing.” The perpetrators themselves are known as “doxers.”
Data of interest to doxers includes, for example, names, phone numbers, physical addresses, e-mail addresses, contact information, copies of ID cards, invoices, account statements, social media content, and private and professional conversations in the form of chat histories or e-mails.
How do doxers obtain data?
Unlike hacking, doxing does not require technical know-how, only time and patience. It is more like meticulous detective work combined with thorough research. In order to collect as much information as possible about their victims, doxers seek out a variety of online sources, including:
- Publicly accessible databases, such as phone, address, and member directories
- The legal notices of websites containing address and contact information
- Social media platforms, which frequently contain personal information, photos, contact information, and details about group memberships
As a general rule, all of this information is freely available. Sometimes, however, doxers also utilize attack strategies such as social engineering, phishing, or hacking to gain access to personal data. By masquerading as a trusted friend, they try, for example, to get people to reveal confidential information about themselves. After attackers are able to steal, guess, or hack the passwords of others, they then gain access to their victims’ e-mail, social media, or cloud storage accounts. In addition, doxers are able to buy entire data sets with personal information from data leaks or database hacks on the darknet.
What are the consequences that doxing victims have to face?
When the collected data of victims are publicized in the most wide-reaching way possible, those affected can suffer enormous damage, including psychological harm and physical violence. Victims usually only find out after the fact that their very personal data has been published where anyone can view it online. By this point, they have often already received numerous insults and threats via e-mail, messenger, or social media comments.
As a result, doxing victims are often forced to change their phone numbers, e-mail addresses, and social media accounts in order to avoid further hostility. Depending on the level of threat that they face, they sometimes have no other option but to change their place of residence.
What is the motive behind doxing?
As a rule, doxers want to expose, intimidate, or silence those who think differently. The spectrum of attackers ranges from young people trying to show off to those fighting focused campaigns against political opponents. Doxing campaigns are often directed against politicians, journalists, or well-known personalities who have publicly voiced an opinion that is contrary to that of the doxer. They hope to unsettle or discredit their victims by encroaching on their privacy.
In some cases, the data are published together with an incitement to like-minded people to send hate messages to the published private e-mail addresses and cell phone numbers of the victims. In some instances, victims are even threatened with physical violence. Every now and then there are also attempts to extort money.
In addition to hatred, revenge, and vigilante justice, the simple desire to deanonymize someone is one of the most common motives. In the past, human rights activists who campaigned on behalf of minorities were repeatedly subjected to personal smear campaigns after being named in a doxing attack. Many doxers who mask their own identity behind a pseudonym also desire attention and recognition for themselves, which is why they like to boast about their deeds.
How can you protect yourself against doxing?
The sheer magnitude of the doxing case from late 2018 underlines how important it is to protect your digital identity. Once private data have been published on the internet, it is almost impossible to completely delete them. Therefore, users should pay close attention from the outset to what information they publish on the internet and share with others online. Minimizing the amount of data you expose is always the best defense. It is not for nothing that the principles of data avoidance and data minimization are a central pillar of the General Data Protection Regulation (GDPR), and also play a role in the “Security by Design” approach.
In addition, the following best practices are recommended to make identity and data theft more difficult:
- Use complex passwords that are unique to individual accounts, ideally with the help of a password manager
- Enable multi-factor authentication, especially for your bank, online shopping, social media, and e-mail accounts
- Avoid logging in to services using Google or Facebook
- Always keep your software up-to-date
- Encrypt your hard drives
Companies should use doxing incidents as an opportunity to review their security precautions to protect against data theft and, if necessary, to improve them. Technical measures alone are not enough to ward off phishing or social engineering attacks. Awareness training for employees is particularly important in order to make them aware of fraud attempts and to convey to them how crucial it is to consistently comply with all security requirements. Cyber risks can only be minimized by the seamless interaction of man and machine, as has been practiced for decades in the aerospace industry.