This post is part of a series of Safety and Advocacy posts by the Community Resilience and Sustainability team. This post was authored by staff from the Human Rights team.
The first part of the post covered what doxing is and why you should care about it. This second part encourages you to think like a doxer and use some of the same online tools that doxers may use to surface your personal information.
Doxing yourself is sort of like getting a vaccination: it is one highly-effective step you can take to protect yourself. Doxing yourself does not mean you will not get doxed, but it will make it more difficult for a doxer to find information about you and reduce the damage doxing can cause.
As you go about the next steps in finding and attempting to remove information, it is important to note that chances of success are unpredictable. Ultimately, it is good practice to think of the Internet as a permanent space where removing information is extremely difficult, and be more careful about what you are sharing online.
Let’s start with Wikimedia projects:
Are you using your real name? Or a nickname that can be traced back to you? Perhaps a username you have used elsewhere? A doxer’s first step will likely be an online search of your Wikimedia username, so do the same. What did you find? If you would like to change your username submit a request at Wikipedia:Changing username, but remember renames do appear in the user rename log and global rename log. If you want to be extra safe, create a new account. Read more about username privacy best practices by reading another post in this Safety and Advocacy series.
Chances are, your real name or username alone will not be enough to identify you, so a doxer will likely dig deeper by going through your userpage, including scanning earlier versions of it, to find any other personal details to add to the search query. If you do find information that you would like suppressed, send a request to the oversight team.
As contributors, we often start editing on Wikipedia on topics or places which are familiar, such as schools or uploading images to Commons from the vicinity such as a landmark or favorite cultural place. These are all data points a doxer can use to create a better picture of you. The global account information allows you (and anyone else) to look up every contribution you ever made, across projects, in all languages, from the first to the latest edit. Think about where else on the platform you may have shared revealing details such as introductions on talk pages, sign-ups for events or article discussions. A request from oversight to get contributions suppressed might come in handy here too.
Images of you and images you have uploaded
If there are images of you on Commons, try a reverse image search (also available on Bing and Yandex and other search platforms) to see where else those images have been used on the Internet. Using a reverse image search can help you get an idea of where and how your images are being used around the Internet and to get a sense of how much exposure you or your account have outside of Wikipedia. For images that you have uploaded, check if and what EXIF data may have been shared as that can include time, date and location data. Contact Oversight to remove images or associated information from Wikimedia projects. If an image has been used on another website try to contact the site owner – the person who owns the site that has the image. Removing the image from the source is the most effective way to remove it from search results. Search engines will remove links to the images only in limited cases, like when the image contains personally identifying information (PII) or non-consensual explicit or intimate personal images.
Here you will find a list of all mailing lists hosted by the Wikimedia Foundation. Go to the ones you are or may have been part of, make use of the search functionality to see if at any time you have revealed any personal information. Please reach out to firstname.lastname@example.org and clearly explain what information you want removed and why.
Meetups and other events
By partaking in community events, information is often shared and photos from the events uploaded to Commons. Go through reports that have been published or images that have been uploaded to see if you find yourself anywhere, both on Wikimedia as well as any other external website or social media platforms. You might ask the organizers or individuals who have published such information to have it removed if deemed necessary.
The ultimate goal here is to gather as much information about you as possible from public sources so that you can find and address vulnerabilities. The more thorough you are with your search, the better for your online safety. This can also be a fun exercise to do with people you trust. You could even add a prize for the person who finds the most amount of information to make it more interesting.
The internet is an interconnected space. As such, expand your search to include your online activities beyond Wikimedia projects.
Search for yourself
Search engines are usually the starting point of any doxer. Therefore, use Google, Bing, Yandex or DuckDuckGo (the more the better) and give yourself a thorough search. You can start with your name. Combine that with other data points such as emails, cities, home addresses, schools, companies you’ve worked at and events you have participated in. Make use of these Google search tips and be sure to do all that in private browsing mode. While the implementation varies from browser to browser, private browsing mode provides some protection against cookie-based tracking and doesn’t store your session history. Additionally, leverage these search operators to find more nuanced results that might not show up as part of a typical query. Remember, the goal is to get as much information about yourself as possible, so get creative.
Check your social media
Privacy is often the last thing on the minds of social media companies. Remember, the more the companies share about users, the higher their revenue. This means, although many now have privacy features one can activate, they’re often deactivated by default thus helping not only data-brokers who benefit from loose privacy settings but doxers too. Make sure to do this, both when signed in and out; that way you see what your ‘friends’ and the larger public can capture from your profile. Here are the links to the privacy settings from Google, Facebook, Instagram, Twitter and LinkedIn. Also, look at this guide by the New York Times for a deeper dive.
Keep an eye out for data breaches
Data breaches occur almost on a daily basis, so there is a likelihood of your data (from email addresses to full names to IP addresses) ending up in the hands of hackers or public data dumps. You can check to see if your email or phone numbers have been part of a breach, set up alerts to find out if you are part of any future breaches, and follow the security tips to secure your accounts. Additionally, Google Alerts is useful to keep tabs on your data as it surfaces online and gets indexed. Some password managers also alert users to sites that may have been involved in data breaches. This is why reusing passwords is discouraged – one data breach can reveal your password to other parts of your life.
Be wary of third-party apps and services
There are so many cool things on the internet and often marketed as ‘free’, except they are not. You are paying for them with your personal and usage data. Checkout this chilling article regarding TrueCaller, for instance. Also, while these sign-up options are convenient, avoid Google or Facebook sign-ups on apps and websites because by using them you are not only creating more interconnections about yourself online but potentially giving companies a backdoor to your account and data inside.
The internet was not designed with anonymity in mind. Much like Wikimedia projects, all your activity is traceable. As such, one way to keep your identity safer is to compartmentalize and work in silos by having separate personal, professional, online shopping and spam email accounts. Also, try services such as Fire Relay to mask your email from public view.
A corresponding conversation hour organized by the Human Rights team is on May 26th at 2:00 PM UTC (in English, Arabic and Russian). The theme, you guessed it, is doxing. Please email email@example.com to receive the link.
If you think something was missed, please email so this post can be updated accordingly. Do not hesitate to contact Human Rights if you have any comments, questions, concerns or suggestions for the next blog post. You can reach Human Rights at firstname.lastname@example.org.
See additional posts in this Safety and Advocacy series:
Links and resources:
- Wikipedia: Oversight
- Wikipedia: Changing username
- Wikipedia: Personal security practices
- Wikipedia: How not to get outed on Wikipedia
- Right to Vanish
- Totem Project’s free online class on How to protect your identity online?
- EFF’s Tips To Protect Yourself Online & How to Minimize Harm
- AccessNow’s Self-Doxing Guide
Incase you have been doxed: I’ve been doxed: What to do in the first 24 hours by Liz Lee from Online SOS
Can you help us translate this article?
In order for this article to reach as many people as possible we would like your help. Can you translate this article to get the message out?Start translation