This is how hackers can ruin your life — and how you can protect yourself

For years, cyber bullying was defined as being targeted by hateful commenters. Today, doxxing–hackers finding or stealing your private information and publishing it online, sometimes with threats of violence–is a clear and present risk to activists and campaigners. Doxxing protection and prevention may help protect you from digital mobs and even hostile government authorities.

In the summer of 2014, hackers tried to destroy the life of game designer Zoe Quinn. They stole and published online photos of her in the nude, as well as her home address, her cell phone numbers and her father’s contact information. This unauthorised publication of personal information is called “doxxing,” and it is becoming an increasingly common hazard of 21st century online life.

Quinn, a rising star in the gaming world, was the victim of an orchestrated harassment campaign carried out by a hateful mob. The widely-publicised incident, known as Gamergate, began when her ex-boyfriend, Eron Gjoni, published a long online screed of over 9,000 words; in it he accused her, among other things, of having slept with a game reviewer in exchange for a positive review. According to Quinn, who details the experience of being doxxed in her new memoir, Gjoni “optimised” and marketed the copy to incite the hatred of its members. Many of the ensuing attacks against her were coordinated in online forums and in chat rooms.

This is what being doxxed meant for Zoe Quinn:

• Her social and email accounts were flooded with rape and death threats;
• Anonymous harassers made obscene and threatening phone calls to her and her father;
• Some of her online stalkers appeared at her home; she ended up having to move away, out of fear;
• Other online stalkers sent obscene and doctored images to her friends and supporters on social media;
• Someone edited her Wikipedia entry so that it showed her time of death;
• Former employers called her to ask if she had used them to obtain references for a new job. The calls turned out to be random people trying to squeeze more personal information about her from her former bosses.

As a consequence of these attacks, Quinn starting experiencing panic attacks, anxiety and violent nightmares. At one point, she was on the same dosage of medication that combat veterans take for PTSD. She is also in therapy.

Hazards of digital life

Once seen as an extreme case of online harassment, this kind of mob action and weaponisation of personal information is emerging as a hazard of 21st century life online. People who engage in advocacy need to acknowledge this and learn how to protect themselves.

In May, 2017, Buzzfeed News reported that Trump supporters created a massive dossier on thousands of people who had signed an online petition against the president. The dossier contained the names, ages, addresses, phone numbers, religious and sexual orientations and social media accounts of the petition signers.

“One of the things that I see is threats to reveal personal information,” she said in an interview. “I think it’s a very common practice because it’s an intimidation technique.”
–Samantha Silverberg, a therapist and a co-founder of Online SOS

On 6 September, The Intercept published a detailed story on the infiltration of a group of neo-Naziswho were using chat rooms on a text and voice platform for gamers called Discord. The neo-Nazis had vacuumed up private information on more than 50 anti-fascist activists in 14 states from California to North Carolina; and they also discussed the need to doxx anyone who opposed their agenda — e.g., the leaders of the Southern Poverty Law Centre, leaders of any “activist groups,” and journalists.

Not all doxxers are Nazis or misogynists

There are doxxers on the left of the political spectrum, too. Anti-fascists doxxed several of the neo-Nazis photographed marching at the August 2017 white supremacist rally in Charlottesville, Virginia. Some feminists and anti-fascist activists not only approve of doxxing but engage in it themselves.

And doxxing as a form of vigilante justice need not be political. Earlier this year, Anonymous published the home address of the family of provocateur Roosh V, the self-styled “pickup artist” whose views on women caused an uproar.

According to a national survey of 4,248 adults in the United States by the Pew Research Centerreleased in July, 41 percent of Americans have been harassed online; in addition, 66 percent have seen others harassed. Pew characterises harassment as offensive name-calling, purposeful embarrassment, physical threats, sustained harassment, stalking, and sexual harassment. Fourteen percent of those surveyed report that they’ve been harassed for their politics, and about one in 10 have been targeted as a result of their appearance, race, ethnicity or gender.

Samantha Silverberg, a therapist and co-founder of Online SOS, a new non-profit dedicated to supporting victims of online harassment and stalking, says that even if targets don’t get doxxed, perpetrators often wield the threat of online harassment as a cudgel of psychological intimidation.

“One of the things that I see is threats to reveal personal information,” she said in an interview. “I think it’s a very common practice because it’s an intimidation technique. If someone has their personal information revealed on the internet, that’s a very scary thought for a variety of different reasons. The possibilities of the repercussions of that are so varied that I think it becomes a very easy threat for someone to make when they’re feeling angry at someone else, or they want a resolution.”

Three factors enable doxxers:

• the wealth of personal information about individuals that’s legally trafficked online by data brokers (mostly in the United States);
• the digital trails we leave about ourselves through our uses of social media and other online services (see petition signing, above);
• our own poor security practices.

Zoe Quinn’s story illustrates the point: She knew she should have used hard-to-guess passwords with, as she puts it “uppercase letters, numbers, symbols, the painted nails emoji, two numbers that haven’t been invented yet and one terrible secret,” but it was too bothersome, so she used “funkyfresh” for most of her accounts instead. This made it easy for hackers to gain access to her online accounts, which acted as stepping stones to discover even more information about her. For example, they accessed her long-forgotten eBay account, which included her shipping address.

“The evidence shows, and the experts agree, that the best means of protecting oneself from digital attacks is to implement best practices when it comes to security, and to align oneself with a strong online community composed of people who reject and are unafraid of standing up to attackers.”

Doxxing protection tools and next steps

Quinn and her friend Alex Lifschitz have since established a non-profit organisation to help victims of online harassment. Called Crash Override, the site offers a comprehensive range of guides and tools for improving one’s online security and minimising the risk of being hacked.

The “Crash Override’s Automated Cybersecurity Helper,” or C.O.A.C.H., is a guide that takes you through the steps toward improving one’s online security.

Through a series of prompts, the guide leads you to take most of the basic actions that any security expert will tell you to take to secure your life online. These steps include:

• Installing a password manager (the tool offers links to LastPass, 1password, and KeePass. Some security professionals prefer 1password because it keeps all your vital information local, rather than in the cloud — where it is theoretically more vulnerable to hackers.)
• Using the password manager to generate unique, secure passwords for each of your online accounts on social media and services such as Paypal, eBay and Amazon.
• Implementing two-factor authentication to verify that you are indeed the owner of your online accounts.
• Checking your security settings on all of your social media services
• Reviewing what third party apps have access to your social media accounts, and limiting access to the ones you really use. The goal here is to reduce the risk getting hacked via a compromised app.
• Deleting old accounts on services that you don’t use any more.

Crash Override includes a frightening list of things that hackers can do to exploit, intimidate and shame you online. They can, for example, break into your bank accounts or your Skype account – from which they can harass contacts associated with that account.

The bigger, more difficult task facing individuals online is deleting their presence from the data brokerage sites, of which there seem to be thousands. For those who can pay, Abine, a startup in Cambridge, Massachusetts offers DeleteMe; it is a service that erases one’s presence from 14 different websites that store one’s home address, age, and information about relatives. Abine requires clients to send them copies of their drivers’ licenses in order to verify to the data brokers that they’ve been authorised to request the removal of an individual’s information. But the service’s reach is limited: they cannot remove all one’s information from every single data broker.

Other useful tools on Crash Override’s site: Statistics-backed talking points for victims of harassmentthat can be used to counter apathy from the police and others who might downplay their situation; thoughts on the pros and cons of contacting law-enforcement authorities; and an explanatory guide for employers of individuals who are being stalked and harassed (useful since many victims report that their employers don’t understand what’s going on and often end up thinking that the victims themselves are crazy.)

But even with all the precautions, it is not possible to reduce one’s online vulnerability to zero. Adam Shostack, a security consultant, game designer and former principal program manager at Microsoft’s Trustworthy Computing team, says. “You can do all of these things, and you should do them, but it’s worth realising that it’s hard.”

Shostack explains that the security professionals’ mantra is: “Protect, Detect, Respond and Recover.” Each organisation has to think through these steps and weigh the costs and benefits of the lengths they will go to to protect yourself both online and off. That means carefully reviewing whether or not any given tool is appropriate for their particular situation.

For example, Signal, the widely-recommended encrypted voice and messaging app, might be a liability for an organisation. “Signal is linked to your phone number. Your phone number is an incredibly useful bit of information,” Shostack says, explaining that if a hacker or a member of a government security service obtains your Signal phone number, that person then has access to all your contacts.

Instead of Signal, activists might find Wickr a safer platform. It is a secure messaging app that does not use your phone number and defaults to all messages disappearing. The tradeoff is that Wickr is not as convenient to use as Signal. Shostack also suggests, if appropriate, delinking your social media name associated with your online activism from your legal identity documents, such as your driver’s license.

Other useful resources for teams that want to review their security risks and procedures together include: Front Line Defenders and Tactical Technology Collective’s  “How To Assess Your Digital Security Risk” guide; and the Electronic Frontier Foundation’s Surveillance Self Defense guide. The latter includes security guides, advice and procedures for numerous different kinds of communities and individuals and situations; Equality Labs has also published an anti-doxxing guide.

Is there such a thing as righteous doxxing?

Doxxing a Nazi might seem like justice, but it is not very good tactics.

Preliminary research conducted by University of Michigan PhD candidate Lindsay Blackwell says that crowdsourcing collective responses to abusers online might be more effective than doxxing  — and ultimately a choice that brings about positive results. “Bystanders who intervene now will play a critical role in shifting those norms for the better,” she said.

In other words, a critical mass of people who publicly defend targets of harassment is a more constructive and effective means of pre-empting future, would-be doxxers. Participating in a positive action of this type, rather than doxxing for revenge, is also good tactics in that it minimises the risk of exposing oneself to being doxxed in return.

Lindsey Blackwell elaborates:

“If 99 people are harassing Justine Sacco, and one person chimes in to condemn them, that could be risky for that one person,” she explains. “But if 10 people are harassing her, and 90 other Twitter users say: ‘Hey, that’s not okay,’ the odds are much better — and i’m hopeful we can start shifting norms in that direction. This won’t work for people who genuinely wish to cause harm, of course, but ongoing research suggests that genuine ‘bad actors’ produce a minority of harassment online (same as offline misbehaviour.)”

Zoe Quinn shares the view that doxxing for justice is a bad idea. The risks, she points out, are high: There are cases of doxxers having disseminated inaccurate information, or of targeting the wrong person. And once the mob has been unleashed, it’s impossible to pull it back. “If mobs of people are known for one thing,” she writes, “It’s for being unable to dial it back once there’s been an error.”

In her book, Quinn’s advice to would-be doxxers is to step back and question their motives, justifications and potential impact before becoming part of a mob.

In other words, doxxing as a means of effecting vigilante justice is problematic for both tactical and ethical reasons. It doesn’t stop the bad guys; and it could very well hurt innocent people.

The evidence shows, and the experts agree, that the best means of protecting oneself from digital attacks is to implement best practices when it comes to security, and to align oneself with a strong online community composed of people who reject and are unafraid of standing up to attackers.