“Doxxing”: A Primer
I learned a new term today: doxxing (also spelled doxing). In short, doxxing involves the spreading of personally-identifiable information (documents, of “dox”) on the internet.
I noticed that some usage of the term presumes inappropriate “dropping” of personal “docs.” However, it seems that the perceived appropriateness of doxxing can sometimes be difficult to determine and seems to be tied to the motivations of the one “dropping the docs.” In his On the Media article dated March 10, 2014, producer Alex Goldman captures the complexity in determining such appropriateness (and, indeed, of defining doxxing):
The word “Dox,” for years an internet term of art for revealing personal information online, suddenly entered the popular lexicon last week when Newsweek published a story about a man named Satoshi Nakamoto who the author claims is the founder of Bitcoin. But I have to say that I think the term is not being very well applied in this case, and before we can decide whether the outing of Satoshi Nakamoto is, in fact, doxxing, we should have a better idea of what doxxing actually means. …
Back in the pre-world wide web universe, doxxing, or “dropping dox,” as it was known then, was basically a petty, retributive act meant to shame or embarrass rivals, and to establish supremacy as a hacker. A good example of the classic variety of doxxing occurred last week at Duke University. First, a student named Thomas Bagley outed a woman who goes to his school that he recognized as appearing in pornograpy to some of his friends (in itself a sort of analogue version of doxxing). Bagley, in turn, was doxxed by the CEO of a porn company for having a pretty healthy online pornography budget.
In the case of Newsweek’s article, however, it’s more complicated than doxxing as I define it. Generally, doxxing is perpetrated against private individuals without any relationship to newsworthiness or the public interest. The same can’t be said about the identity of Bitcoin’s creator. A guy who invented a crypto currency that has an (albeit miniscule) chance of destabalizing the online payments industry is certainly newsworthy. At the same time, the article ran with a picture of Nakamoto’s house and license plate, easily allowing reporters to discern its location, which, as a journalist, makes me pretty uncomfortable. The article’s impact is complicated by the fact that the man himself denies any relationship to Bitcoin, and Newsweek’s article, while building a pretty excellent circumstantial case that Nakamoto is Bitcoin’s founder, is conspicuously absent any smoking guns. …
So what are my conclusions? Well, I think that whether or not Newsweek’s Bitcoin article is actually doxxing kind of rests on whether the author was correct about Satoshi Nakamoto’s identity. In the larger context, I feel like it’s only doxxing when revealing a person’s information has no news value whatsoever. But what determines news value is, of course a gray area. In the end, I hate to get all Potter Stewart on you, but when it comes to doxxing, I know it when I see it.
Thus, the motive of the writer as intending to serve the public interest via newsworthiness of publishing personal information is (for Goldman, and for me, as well) a key issue in determining what actually constitutes negatively-connoted “doxxing.”
Not all view the term doxxing as negative. But it’s complicated.
If one takes the term doxxing at its most general, it simply involves “dropping documents.” Yet the definition has nuances. Some refer to “doxxing” the as the publicizing of personal information not otherwise publicized. Yet others maintain that it is “doxxing” for one to even draw attention to publicly-available, personally-identifiable information.
To some, doxxing is always negative. To others, it is not. Again, I think motive plays an important role. If I assemble a dossier of publicly-available personal information on an individual and disseminate it as a means of revenge, I think most would agree that my actions would fit the term “doxxing” in a clear, negative sense. However, if I reference information available on a nonprofit tax form in order to establish that the leader of Los Angeles Parent Revolution actually lives not in Los Angeles but in Beverly Hills (which I did in chapter 20 of my book, A Chronicle of Echoes), then my motive as intending to inform the public is pretty clear. Note that in the text of my book, I do not print the specific Beverly Hills address of the individual in question; however, as a competent researcher, I do provide reference information so that the public might view the tax form and see the specific address.
Another interesting issue regarding doxxing is whether the personally-identifiable “docs” that are “dropped” aid in revealing concealed identities of those violating the rights of others via cyber threats. It is in such situations that doxxing appears to not carry a negative connotation. For example, Boston Red Sox pitcher Curt Schilling doxxed in order to identify (to both himself and to their schools/employers) individuals sending violent messages about his daughter via social media:
…Former Boston Red Sox pitcher and game studio founder Curt Schilling enacted some online vigilante justice against Twitter users who had posted violent and sexual comments about his daughter—by doxing them. …
The former Red Sox hurler… us[ed] publicly available information to attach identities to these two users. One was a DJ at a community college radio station and the other was the vice president of a fraternity. “Worse yet, no less than seven of the clowns who sent vile or worse tweets are athletes playing college sports,” Schilling added. “I knew every name and school, sport and position, of every one of them in less than an hour. The ones that didn’t play sports were just as easy to locate.”
Schilling didn’t publicly disclose the identities of the other seven people, but he did hint that he might share that information with relevant parties …
Other news agencies have confirmed that both outed men have already suffered public consequences; one was suspended from his community college, while the other was fired from his part-time job as a ticket seller for the New York Yankees.
Instead of “dropping” his “docs” about these perpetrators on the internet in general, Schilling doxxed their schools and employers. And I am hard pressed to think of anyone who would reprimand Schilling for doing so.
In the past year, I have had an angry commenter on my blog “drop” a detail of publicly-available, personal information about me in such a manner that sent a message, “I know how to find you.” I deleted the comment and discontinued communications with the commenter. Such creepy “hinting” appears to be on the fringes of negatively-connoted doxxing; moreover, the message did qualify as a thinly-veiled cyber threat.
In another instance, I had an anonymous commenter write a disparaging comment (which I did not publish) and then write a second comment, a challenge for me to “disclose my funding” (which I did publish in this March 2015 post). I am not sure whether my anonymous commenter realized it, but via the internet, I was able to locate the exact home address from which the comments originated. I did not “drop” that home address “doc,” but I could have. I could have even shown up on that person’s doorstep had I the inclination (which I did not).
Anonymous commenters: Take a lesson.
In my case, “dropping” the mean, anonymous commenter’s home address “doc” would have been wrong because my motive would have been one of revenge. However, “dropping” a public “doc” that involves a home address can serve the public good. Consider New Jersey blogger Bob Braun’s exposure of a glaring conflict of interest between New Jersey commissioner of education Bari Anhalt Erlichson and her husband, Andrew Erlichson, whose employer, MongoDB, has a fiscal connection to PARCC vendor, Pearson. Braun writes,
Bari Anhalt Erlichson, an assistant New Jersey education commissioner and chief testing officer who supervises PARCC testing throughout the state, has a personal connection of sorts to PARCC’s developer, the British publishing giant Pearson. Anhalt Erlichson is married to Andrew Erlichson, a vice president of a company named MongoDB. MongoDB (the name comes from humongous database) is a subcontractor to Pearson, developing its national student database that provides the larger company with access to student records in New Jersey and the nation.
Anhalt Erlichson wrote a memorandum to New Jersey educators March 17 defending the actions of her department and Pearson in monitoring the social media of New Jersey students while they took the PARCC tests. She blamed the uproar caused by the revelation of the cyber-spying on the failure of parents and educators to understand social media.
She did not mention her personal ties to a company that profits from the business relationship to Pearson which, in turn, has a contract with the state education department. Bari Anhalt Erlichson and Andrew Erlichson own a home in Princeton valued at $2.9 million, according to property records.
Braun is establishing the fact of a conflict of interest when it comes to the Erlichsons’ ties to Pearson. In his original post, to support his assertion of the value of the Erlichson home, Braun linked to the publicly-available, New Jersey property tax records that one might locate using this search engine from the State of New Jersey Transparency Center.
As a result, Braun removed the link that he provided as evidence for his statement that the Erlichsons can afford a home worth almost $3 million.
What I notice from the indignant “doxxing” tweet linked above is that there was no comment about Braun’s conflict of interest charge being wrong. There was simply the deflecting of the weight of Braun’s charge by aiming at Ravitch and Braun (particularly Ravitch) for “doxxing” publicly available information on adults– and, as it happens, for “doxxing” information also readily available on whitepages.com for anyone who knows that Bari Erlichson is married to Andrew Erlichson.
I know. I just doxxed. For the purposes of this post, call it a teaching tool.
The tweeter also asks Ravitch how she “reconciles doxxing and privacy.” Let’s do some word substitution: How does one “reconcile linking to a public record in order to support concern for a conflict of interest between a public employee and a private company with which the public employee does business in the capacity as a public servant but who also benefits privately from the same company’s fiscal well being and privacy”?
And the question crumbles.
I do, however, have a closing proposition for our doxxed-indignant tweeter:
When the families of the New Jersey students who are being regularly (and until recently, secretly) monitored on social media by NJDOE and Pearson also collect money from either Pearson or NJDOE for taking the PARCC tests, then we can talk “victimized” NJDOE employee for having her easily-discovered home address “doxxed.”
Let me know when NJDOE and/or Pearson plan to cut those PARCC-testing-completer checks.
Ready for more? Doxxing: The Sequel