What is doxxing

Overview

Doxxing, sometimes spelled doxing, is the act of researching and publicly sharing private personal information about an individual without their consent. The term originated in the late 1990s hacker community and comes from "dropping docs" (documents), referring to the practice of "dropping" someone's personal information onto the internet where anyone can access it. This information typically includes home addresses, phone numbers, email addresses, workplace locations, family member names, social media handles, vehicle information, and other identifying details that can facilitate harassment or harm. Once shared publicly, this information can be accessed by anyone with internet connectivity, creating the potential for harassment, stalking, threats, swatting, and real-world violence.

Doxxing has become increasingly common as social media platforms have made it easier for people to find information about others, and as tensions have increased around political, social, and cultural issues. According to a 2023 Pew Research Center study, 46% of U.S. adults reported either experiencing doxxing or expressing significant concern about becoming a victim of doxxing. The practice is often used as a tool of harassment, intimidation, or punishment against individuals whose opinions, identities, or behavior the perpetrators disagree with. While sometimes framed as "accountability" or "exposing" someone, most doxxing incidents lead to harassment campaigns and threaten the safety and privacy of victims.

How Doxxing Happens: Methods and Platforms

Doxxing typically begins with research, often called "doxing research" or OSINT (Open Source Intelligence), where perpetrators systematically compile publicly available information about a target. This information often starts innocuously—a Twitter handle, a Reddit username, a name found in public records, or a profile photo from social media. From there, doxxers use various techniques to connect these pieces of information and reveal a person's real identity and location. Many techniques are entirely legal in isolation; it's the compilation and public release of the information for purposes of enabling harassment that constitutes doxxing.

The most common methods doxxers use include: (1) reverse image searches on photos someone has posted online to identify them, (2) examining metadata in photos, which can include GPS coordinates and camera information from EXIF data, (3) searching public records databases including property ownership information, birth records, court records, and voter registration data available in most U.S. states, (4) social engineering or calling businesses to extract information from unsuspecting employees, (5) analyzing writing style and patterns to connect anonymous accounts to known individuals, and (6) searching through archived versions of websites using the Wayback Machine to find old information that has since been deleted.

Social media platforms have inadvertently made doxxing easier by connecting different pieces of information scattered across multiple posts. Someone might reveal their city in one post, their employer in another post, their college in a third post, and a family member's name in a fourth post. Doxxers compile this scattered information into a complete picture that can include a home address determined through reverse searches. Twitter/X, Reddit, TikTok, Instagram, Facebook, YouTube, and Discord have all been used as sources for doxxing information. Bad actors sometimes create fake profiles or infiltrate online communities to gather information about targets, then publicly reveal what they've learned in tweets, Reddit threads, or dedicated doxxing forums.

In some cases, doxxing involves paying for data from data brokers—companies that legally compile and sell personal information for marketing and research purposes. These data brokers aggregate information from public records, property transactions, voter registration databases, and other legal sources, then sell this information to marketers, researchers, and unfortunately, to people intending to harass others. It is estimated that there are between 200-300 major data brokers in the United States, each holding information on millions of individuals. While data broker sales are generally legal, the use of this information to facilitate harassment constitutes doxxing.

The Impact and Consequences of Being Doxxed

The consequences of being doxxed range from harassment and privacy violation to serious threats to physical safety. According to a 2023 cybersecurity report, approximately 76% of doxxing victims experience anxiety, depression, or PTSD as a result of the experience. Some victims report that doxxing leads to coordinated harassment campaigns, where perpetrators encourage others to contact the victim's employer demanding they be fired, contact their family members, send threatening messages, leave negative reviews on business pages, or show up at their home.

Doxxing has documented cases of leading to serious real-world harm. In some cases, false reports (called "swatting") have been made to law enforcement about a victim based on their doxxed information, resulting in armed police showing up at someone's home and creating dangerous situations. In other cases, individuals have been physically attacked, assaulted, or threatened after being doxxed. Women, racial and ethnic minorities, LGBTQ+ individuals, political activists, and content creators are statistically more likely to be targeted by doxxing campaigns. A 2021 cybersecurity study found that women were targeted in approximately 67% of reported doxxing incidents, with harassment following doxxing being the most common type of online abuse experienced by women.

Common Misconceptions About Doxxing

Misconception 1: Sharing public information is not doxxing. Some people argue that if information is publicly available, sharing it cannot be doxxing. This is incorrect. Doxxing specifically refers to compiling scattered public information and sharing it with the explicit intent to enable harassment or cause harm. The motivation and context matter significantly. Sharing someone's phone number that appears in a company directory is generally not doxxing, but systematically compiling someone's home address, workplace, family member names, social media accounts, and professional associations and posting them to incite harassment is doxxing, even if each individual piece of information was technically public.

Misconception 2: Doxxing only happens to famous people. Many people believe doxxing primarily affects celebrities or public figures with large social media followings. In reality, ordinary people are doxxed regularly, often due to perceived wrongdoing (real or imagined), political disagreements, posting controversial opinions online, or simply being in the wrong place at the wrong time. Regular individuals with no public profile have been doxxed because they posted an opinion on social media that others disagreed with, or because they were misidentified as someone else who had said something controversial.

Misconception 3: Doxxing is always illegal. While doxxing is often harmful and unethical, it is not always explicitly illegal in all U.S. jurisdictions. In the United States, 12 states including New York, California, Nevada, Washington, and others have enacted specific criminal laws against doxxing. However, in many states, doxxing may fall under other laws such as harassment, stalking, threats, cyberstalking, or cybersecurity laws, but may not be prosecuted as vigorously or specifically labeled as doxxing. The legal status varies significantly by jurisdiction and the specific information shared. Additionally, other countries have different legal frameworks for addressing doxxing.

Legal Consequences and Prevention

In states where doxxing is specifically illegal, perpetrators can face criminal penalties. California's doxxing law, which went into effect in 2023, makes it illegal to maliciously disclose personal identifying information with the intent to cause fear, emotional distress, or injury, and in reckless disregard of the risk. Violators can face fines of up to $1,000 and up to one year in county jail for first offenses. New York's doxxing law similarly makes it a crime to disclose personally identifying information of another person with the intent to encourage or facilitate harassment or violence, with penalties including fines and potential imprisonment.

Federal law may also apply in some cases. The Computer Fraud and Abuse Act can apply if doxxing involves hacking into accounts or systems to obtain information. Stalking and harassment laws at both state and federal levels can apply to doxxing incidents, particularly when they lead to credible threats or systematic patterns of harassment causing substantial emotional distress. The Cyberstalking and Online Harassment statute (18 U.S.C. § 2261A) can apply to doxxing that involves electronic communications and causes substantial emotional distress. The FBI's Internet Crime Complaint Center received over 18,000 reports in 2022 related to doxxing and online harassment combined, though not all are prosecuted.

To prevent doxxing, individuals should regularly audit their social media presence and privacy settings on all platforms, minimize sharing of identifying information online including workplace details and family member names, use different usernames across platforms to prevent cross-linking and identification, be cautious about location sharing and geotagged photos (which may contain GPS metadata), regularly search for their own name and personal information online to see what's publicly available about them, consider using data broker opt-out services like Opt Out Today or Incogni to remove information from commercial databases, monitor credit reports for suspicious activity that might indicate identity theft or fraud, and disable photo metadata sharing on devices. For individuals at higher risk such as activists, journalists, domestic violence survivors, and minority group members, additional precautions such as using VPNs, considering PO boxes instead of home addresses for public registration, maintaining separate social media accounts for personal and professional use, and being extremely careful about online footprints may be necessary.