On March 5, as part of the Free Speech Project, Future Tense, PEN America, and the Freedom of the Press Foundation will host an event in Washington called How to Protect Yourself Online. For more information and to RSVP, visit the New America website.
When your home address or the name of your child’s school starts circulating on social media amid an onslaught of threats, the absurdity of distinguishing between harassment “online” and “in the real world” becomes crystal clear. Doxing, or dropping docs, is the public posting of private information, and it’s more than just online nastiness—it’s outright abuse. Someone who has your address can locate you or your family. Someone with your cellphone number or email can bombard you with messages that disrupt your ability to communicate with your support network. And someone with your name, birthday, and Social Security number is one step closer to being able to hack into your accounts or steal your identity.
For the past 18 months, I’ve been traveling the country to equip writers and journalists with strategies and resources to defend against online abuse. I’ve met people who have experienced hateful slurs, death threats, hacking, and impersonation, all of which can be traumatic. Harassers use doxing and other abusive tactics to silence self-expression online—and women, people of color, and members of the LGBTQ communities are disproportionately targeted. To empower writers, journalists, and others active online to continue speaking freely, PEN America has developed an Online Harassment Field Manual with comprehensive guidance on preparation, response, support, and self-care.
Doxing is possible because it’s surprisingly easy to find your personal information, which can then be broadcast to make you feel unsafe. An abuser could Google you, or punch your name into a data broker’s website like Spokeo.com, and potentially discover your home address, your mother’s maiden name, where you went to school, or where your parents live. They could also find photos of you, which they can then share—sometimes after manipulating them—to identify, humiliate, or impersonate you. And they could even try to track down your usernames and passwords, especially if they’ve been stolen and distributed through data breaches. This information is available for free—or for pennies.
The best defense is to make it harder for abusers to track down your private information. That’s why newsrooms, including the New York Times, are starting to train their own journalists to “dox” themselves. Not literally, of course—I’m not talking about posting all your information on Twitter. Rather, put yourself in the position of someone trying to mine your personal information to attack you.
Here are some steps you can take that mirror what a doxer would do:
Google yourself. Start simple. Google different variations of your name, your phone number, your home address, and your online handles. (If you once used your Twitter handle as a LiveJournal account name, for instance, a doxer will find it.) Try searching on Bing and DuckDuckGo, too. Take advantage of these Google search tips. What kind of info are you seeing floating around? And where is it cropping up? Social media accounts, staff bios, company webpages?
See what data brokers have on you. Data brokers—like Spokeo, Intelius, AnyWho, Whitepages, etc.—scan the web to collect your private info and sell it to companies, individuals, or other data brokers. If you’re John Smith, you might be OK (anonymity amid a sea of John Smiths), but many of us (with names like “Viktorya,” for example) are not as lucky.
Audit your social media. Abusers comb through social media accounts looking for private information they can leverage against you—an embarrassing tweet you long ago forgot about, a photograph that gives away geographic information. Plus, social media platforms want you to share as much of your personal information as possible, so they often bury the privacy settings on your accounts and default those settings to “public.” Data brokers benefit from loosey-goosey privacy settings, which make it easier to scoop up your info.
Try a reverse image search. Google yourself to find which images of you are available online. Right-click on each image and “search Google for image” to see where else your photos are circulating and how they’re being used. You can also upload your profile photos from Twitter, Facebook, Instagram, and LinkedIn and try a reverse image search using a platform like Yandex or TinEye. Just don’t upload images that are sensitive or private!
Monitor data breaches. When there’s a catastrophic data breach (here’s looking at you, Equifax, LinkedIn, Dropbox … I could go on), your private info can be compromised. You can check to see if any of your email accounts were part of a major data breach here: Haveibeenpwned.com. For any affected account, change the password ASAP and don’t use it again. You can also set up an alert on the aforementioned site to find out if any of your accounts are part of data breaches in the future. (Just use the site’s “Notify me” tab.)
Review your bios, CVs, and personal websites. Take a look at the personal information available within your professional online presence. To see if you’ve got PDFs of résumés or CVs floating around the web, try Googling the following: “[First Name] [Last Name]” filetype:pdf. (Those kinds of sophisticated searches are called “Google dorking” and, while dorky indeed, they’re also very useful.) For any résumés or CVs you discover, be sure to get rid of your home address, private email, and private cell number (or replace them with public-facing versions of that info).
So you’ve discovered what’s out there and you’re probably terrified. Now what? The good news is there are steps you can take to remove existing private information and reduce the chances of it cropping back up. While there’s no silver bullet to safeguarding your privacy and your safety online, the goal is to make it harder for an abusive troll to cause you harm.
Set up Google alerts for your full name, your phone number, your home address, or other private data you’re concerned about so you know if it suddenly pops up online, which may mean you’ve been doxed.
Scrub your data. You can get your info taken down from data broker sites. But, as with so many things in life, if you want to do it yourself for free, it’s labor-intensive. If you have limited time, start with the three major wholesalers: Epsilon, Oracle, and Acxiom. Check the Big Ass Data Broker Opt-Out List for a comprehensive list of data broker sites, with directions for how to remove your info. You’ll have to get into the habit of checking these databases regularly, because your information can be republished even after it has been removed (think whack-a-mole .. but with your personal data). You can also pay a service like DeleteMe, PrivacyDuck, or Reputation Defender to do those things for you. It’s not cheap, though: Costs range from several hundred to several thousand dollars a year. To learn what to expect when you use one of these services, check out this helpful review from OnlineSOS.
Tighten your settings on social. Be strategic about which platforms you use for which purposes. If you’re using a platform for personal reasons (like sharing photos with friends and family on Facebook or Instagram), tighten your privacy settings. If you’re using a platform for professional purposes (such as tracking breaking news on Twitter and tweeting links to your work), you may decide to leave some of the settings public—in which case, avoid including sensitive personal info and images (your birthday, cell number, location, home address, family member’s names and photos, etc.). Here are links to the privacy settings for:
For a deeper dive, check out the New York Times’ Social Media Security and Privacy Checklists. And if you’re worried about old tweets being weaponized against you, you can set up an autodeleter that will remove tweets that are older than, say, a year.
Be conscious about third-party apps and services. When you’re prompted to create a username and password for a new software or service, have you ever selected the option to “sign in” automatically via Google or Facebook? By doing this, you’re giving the software or platform a back door to your email or social media account. You want to avoid creating accounts via Google or Facebook.
Create separate email accounts for separate purposes. You want to have at least three email accounts: professional, personal, and “spammy.” Your personal email address is for private correspondence with close friends, family, and other trusted contacts—don’t list this address publicly. Your “spammy” email is used to sign up for accounts, services, and promotions. And your professional email address (whether you’re a freelancer or affiliated with a particular organization) is what you list publicly. As with public-facing social media accounts, you may want to refrain from including too much identifying information in your email handle (in other words, steer clear of firstname.lastname@example.org).
Get a virtual cell number. Once, long ago, in a land far away, we used multiple phone numbers: home, office, cell … now, we often use one SIM-based cell number for everything. But if that number gets doxed and you start receiving harassing calls or texts, it can be very cumbersome to get it replaced—and it disrupts contact with friends and family just when you need it most. You can set up a virtual cell number through Google Voice (free) or potentially through your cell service provider. (For an example, see Verizon’s My Numbers, which costs $15 monthly for each additional number.) Your virtual cell number will work just like your SIM-based cell number (calling, texting, voicemails, etc.). Whenever you need to list your cell number publicly or use it to sign up for services, accounts, or promotions, list your virtual number. Use your SIM-based number only to communicate with contacts you know and trust.
Rinse and repeat the above for close family members. Your spouse, kids, parents, and siblings may be at risk of doxing as well—and they may include some of your private info on their accounts. If you’re a journalist who covers a particularly controversial beat (say, white supremacy), you will need to be especially proactive about your family members’ privacy.