This week in digital trust » Episode 98

#98 Droppin’ docs – A primer on doxing

28 February 2024

We go deep on doxing, the practice of “dropping docs” on someone in order to expose their information to a hostile digital audience.

Our conversation is triggered by some recent doxing examples in the Australian media, which has prompted the Federal Government to propose a new law against dxxing as part of its privacy reform agenda.

We discuss the origins of doxxng, prominent examples, the potential harms, and the merits of various public policy approaches.

Listen now


This is an automatically generated transcript. We make our best efforts to check that it is an accurate reflection of the episode, but it may contain some errors and unedited content.

Welcome to this week in Digital Trust, elevenM’s regular conversation about all things tech policy, privacy, AI and cybersecurity. I’m Arj joining you today from Awabakal country.

And I’m Jordan joining you from Wirandjuri country in Melbourne.
And Arj, I’m pumped to unpack some 90s hacker slang with you.

Yes, I’m excited about that. I’m someone who on a far too frequent basis still has to like go to things like Urban Dictionary to understand what the young’uns are talking about online. So I’m excited at all times to be schooled on urban slang and internet slang.

Yeah, I feel like this is like from back in the day slang though. This is like proper early internet, you know, hacker culture slang.

You would be surprised how far back my gaps in literacy have gone. So let’s take it back. Let’s go back to the 90s.

The attorney general would be discussing doxing. Yeah, that would have been a good time.
So yeah, we’re talking about doxing. Doxing? It’s been all over the news, a new term for some of us, but the Albanese government is proposing a new criminal offence for doxing after chat logs of a pro-Israeli WhatsApp group in Australia were released online last week. The attorney general said he’s going to bring it forward in connection with some of the broader reforms to the Privacy Act.
Doxing is essentially refers to the publication of ID of someone, usually without consent and usually with a malicious intent. The criminal offence that they’re proposing would involve a malicious intent. But yeah, that doxing word’s all over the news.

It is all over the news. It’s one that I’ve heard used over the years. I think, you know, admittedly the first probably half a dozen times I heard it, I didn’t know what the hell people were talking about. So I’m excited to talk about it.
But I guess before we get into it, one quick caveat, like doxing has been talked about and even laws against doxing we talked about for some time for some years, but the current context and the current announcement by the government ties to this, as you said, this kind of incident where there was a WhatsApp group involving kind of pro-Israeli Australians and their information there’s been sort of a lot of back and forth on the specifics of that particular group and the merits of the people in the group and the people on the other side of the group.
We’re not weighing into either side of that specific debate or expressing any opinion about the groups and you know, the merits of their actions. We just want to talk about doxing in general. And so, you know, for avoidance of doubt, if we sort of talk about, you know, the fact that doxing is bad because it can lead to harms, we’re not talking about anyone involved in that specific case. Or if we talk about, Hey, Maybe you don’t have an expectation of privacy in certain contexts or doxing can be used for good, we’re not taking a position again on that specific case. This is about, you know, upskilling me about internet slang and nothing else.

So what’s the slang? What would the law do? What are some examples? You know, when’s it good? When’s it bad? That kind of thing.
So getting right into it, what is doxing? Right? The publication of personal information with malicious intent are the kind of words that the. attorney generals put around it.

Yeah, I think that’s a good definition. There was another definition I saw, which was actually a few years ago on ABC news, which specifically talked about like the releasing of information to a hostile digital audience. And I liked that because I think that brings it into that kind of internet digital realm of like, if you, we all, we know that there are some crazy things out there and you put information out, which might otherwise seem harmless or might even be out there already, but you specifically put it out to a hostile digital audience and suddenly the context changes.

Yeah. Hostile digital audience is a good turn of phrase, but yeah, that malicious intent, I think is key, right? It’s not intended to capture any publication of someone’s identity or similar. It’s intended to capture that malicious identification of someone, you know, with an anticipation that they’re going to be harmed or there’s going to be some kind of blowback as a result.
So. The term originates in like 90s hacker culture. It’s kind of short for, or a combination of dropping docs, um, or documents about someone online. So it, you know, in, in kind of 90s hacker culture, it was this like revenge tactic or way of kind of getting back or harming someone you didn’t like right when, you know, we’re imagining a, a 90s hacker with their CRT monitor and doing their, you know, green and black text hacking and they’ve got a pseudonym or something that they’re operating under and it’s totally separate from their real life.
If you wanted to cause harm to that person, you would publish their information with the assumption that either other hackers or their mom or law enforcement would see that and there would be real world consequences for them. That’s the idea.
You know, it’s evolved into like a much more complicated, much more involved, much more common thing that, that affects all aspects of modern life.

Yeah, it does get used now quite, quite liberally. And I mean, a good example is Elon Musk just a couple of years ago, using the phrase doxing to talk about when journalists were reporting on this, uh, Twitter account that was essentially a flight tracker, like a tracker of his private jet.
And you know, journalists reporting on what this Twitter account was basically publishing, which was the location of his jet. He was saying, look, you’re basically doxing me and you know, describing that this was his, you know, his assassination coordinates. And so he is sort of talked about doxing, you know, being applied to him just by journalists doing their job reporting a Twitter account.

Taylor Swift picked up that same criticism of the private jet trackers, a much more sympathetic audience, I think. But you know, the same concern, right? Same concept. Yeah.
And there’s all sorts of other examples of this. You know, there’s in the US, there’s been databases of like the home addresses of abortion providers, for example, on the assumption that, you know, people might act. And even if they don’t act right, it’s like creates this sense of threat or sense of concern for those people.
Another internet term, but Gamergate was a group of male video game players doxing female developers and journalists and people in the industry that they didn’t like and again exposing them to this wave of the hostile online audience. Exposing them to a hostile digital audience, exposing them to, you know, sexist abuse and criticism and singling out online.

It just sort of shines a light on also like how important anonymity is in certain contexts for like online behavior as well. Like this whole sort of trend or series of like people that are known for their anonymous handle and then this kind of concerted effort to dox them. So in this case that you’re talking about, like gamers, you know, who are using some sort of gaming handle. But I was thinking about even just a couple of years ago, the, um, in Australia, the PR guy 17, who was this kind of Twitter account based in Melbourne, who was very pro the Dan Andrews government and therefore attracted a lot of attention from the, you know, the right wing kind of online community and this kind of concerted effort to docs and that out out him or them or him as it turned out, but it does go pre internet. Yeah.
The funny thing is we were looking into this and like doc this idea of doxing of like revealing someone’s identity or parts of their identity is not just a modern internet phenomena. There’s this great article in Wired that talks about the case of Oliver Sipple, who was a former Marine who did this heroic act in public and then was sort of essentially outed by a gay rights activist Harvey Milk as being gay.
This was in the seventies and you know, the outing was done, you know, with positive intent, I guess it was sort of, you know, Harvey Mook was a gay rights activist and was sort of, you know, in that climate in the seventies saying, look, this individual that has done this heroic act is actually a gay man.
But you know, Oliver Sippel was not out and it led to all sorts of negative consequences for him and, you know, reputational issues for him. predates the modern internet culture.

Yeah, Dude foiled an assassination attempt on US President Gerald Ford. The President. Yeah, former Marine, Vietnam War veteran, American hero. He didn’t want his private life to be a part of the gay rights movement, but was drawn into it with disastrous effect as well.
It ruined the Dude’s life. It’s quite a sad story. There’s a really good radio lab podcast on him actually that we’ll chuck in the show notes, but yeah, it’s really interesting story.
But it’s such a good example of like how that just publication of someone’s information or someone’s details can just be really damaging. And only an aspect of your life as well. So it’s not just doxing is not just, you know, you’re an anonymous and then someone reveals who you are, you know, by name. It’s someone who’s known, whose name is known, but doxing as a part of their life.
And it’s also, I think, a really good example of some of the complexities that we’re going to get to, right? Because when we’re talking about that criminal offense that the attorney general’s discussing, publication of ID with malicious intent, that’s easy. That’s this kind of extreme case. But there’s all sorts of other publication of identity with not malicious intent.
So journalism is rife with examples of publicizing stuff about people whether it’s their identity or a detail of their life without that person’s consent consent, because it’s in the public interest for some reason. And so there’s kind of this gray line in the middle gray area in the middle, where there is maybe a public interest. And certainly this Harvey Milk guy in the Sipple case, you know, would argue that. So yeah, there’s a spectrum, right.

What’s the, I guess, what’s the harms? What can happen as a result of doxing is probably worth kind of stepping into that. And, you know, I think the, one of the first or obvious ones is that idea of some level of physical safety risk, you know, particularly in some of the examples we’ve been talking about, if it’s highly contentious sort of political debate and you’re otherwise anonymous and then suddenly you’re, you know, named and you’re, or some other personal details of yours are named as being associated with a highly fracturous toxic debate.
The, those details of yours are directed to the digital hostile audience that’s on the other side of that debate. Then physical safety becomes an immediate risk.

Yeah, absolutely. And that, that hostile physical audience is just such a good element of this, right? Cause it’s, it usually is that publication in knowledge that some audience is going to give you a hard time. Yep. And sometimes it’s, you know, in the original hacker context, it was like law enforcement usually, but in the kind of modern shaming online environment, it’s usually either a bunch of angry people online or sometimes it’s your workplace.
You know, there’s this kind of tradition of sending people, when people are misbehaving online or social media, you kind of send screenshots of, well, people do this, not you, but like people send screenshots of, you know, their racist or horrible or, you know, unpleasant online posting to their employer. And that’s often just their posting on an account that’s connected to their work or something. But, you know, there’s this whole emerging kind of tradition almost of reporting people back who are like linking people’s misbehavior online or back to people who you anticipate will generate consequences for them.

There’s a great write-up by Osman Farooqi, who’s like an Australian journalist kind of blogger commentator, where he was essentially doxed a few years ago over, I think, something reasonably trivial, like he was sort of making a comment about the Coles decision to either bring or pay for you’re bringing your own shopping bags and he made some comment and then there was a reaction against it. His phone number was posted online and the level of kind of toxic abuse and threatening abuse that he started to receive on his phone and he talked about how it’s bad enough seeing that stuff posted by non-honest people on your Twitter feed that in itself can be quite damaging, but then to receive phone calls and direct test messages, the level of harassment, the level of menace is at another level and that’s what kind of doxing makes possible.

Yeah, for sure. So, so that’s, that’s kind of the core harm. There’s, there’s kind of a more theoretical way of thinking about this, which I think is just worthwhile mentioning. We’ve talked before on the podcast about the thing called contextual integrity is kind of a way of understanding privacy, but it’s, it’s this idea basically that we think we should think about privacy as contextual integrity about my ability to maintain contexts for my identity and maintain them separately. I have a work context, I have a family context, I have a Saturday night context, I have an online self-context, I might have had a 90s hacker identity context.
One of the roles of privacy is keeping that separate so that if someone turns up at work, they talking about my Saturday night self for some intimate detail of my family self, that feels bad. That’s an invasion of privacy because it’s mixing stuff between contexts. With that in mind, doxing is really about a collapsing of contexts. It’s taking someone’s, like attaching someone’s real world identity to an online posting account or something. you know, connecting someone’s misbehaviour online to their work self or to their family self. It’s most effective in these contexts where people have been engaging on this assumption that it’s pseudonymous or it’s a particular audience or something.
And then the doxing kind of collapses that and exposes that behaviour to the rest of their life. So, like, I think it’s a really interesting just way of thinking about it.

It is. And I found it really interesting because We talk about this concept a lot, this kind of contextual integrity and like the idea of having some sense of agency on being able to control the whole of your image and what you want to expose to different audiences.
But that is driven, I think often, like our conversations in the past have been driven by a sense that that is sometimes overlooked. Like people think about privacy very simplistically as, you know, well, I don’t know who you are and you know. if I, you know, or if I put your name out there, that’s the true kind of, um, you know, risk or harm of privacy harm to you. And so we’re often talking about trying to kind of raise that awareness of contextual integrity.
And it’s interesting to me that like, when you look at the conversation around doxing, it actually spotlights that intuitively we do understand that because it’s exactly what’s being weaponized is that sense that we understand that it can breach your privacy, not just to reveal who you are, but just to add an aspect of your persona out into the public domain. It really does show that we, there is implicitly an understanding there.
And so even Mark Dreyfus, the attorney general in sort of introducing the idea about an anti-doxing bill, he talks about the fact that personal information that’s gonna be covered here could include publicly available information. And this was a quote, he says, It may be that some of the information was publicly available, but it’s the combination of that information with private and personal information and assembling it in a single set of information published for what appeared to be malicious reasons.
So it’s a really interesting kind of evolved understanding of like how privacy harms come together. Like the information could be 100% public. Like it’s not hard to find some of these details about people that, you know, that you’re, you know, belong to an, a certain association or that you are, you know, of a particular political persuasion or whatever, but pulling it together, putting it into a particular audience, into a particular context, it’s all of that, that breaches the privacy.

I really think it is the collapsing of contexts, right? It’s yeah, it’s, it’s, it’s putting, bringing things together, things that were previously separate.
So the proposed law, I mean, we don’t know text of that law, but there’s been a bit of discussion about whether or not this is already illegal in Australia. And I think the short answer is that probably it’s not. There’s a law in the Australian Criminal Code, we’ve actually talked about it before. It’s a criminal offence to use a telecommunications service or a carriage service, so phone or internet.
in a way that a reasonable person would regard as menacing, harassing, or offensive. That’s sometimes leaned on in the context of non-consensual sharing of intimate images. If you’re menacing or harassing someone by sharing images of them, you might fall off out of this code. There’s a potential argument that you could make that doxing someone could amount to menacing, harassing, or being offensive.
My personal view is that that’s a pretty high bar and also honestly, with offenses like this, it’s a federal crime. So getting the AFP to investigate and prosecute it is pretty unlikely unless someone died or something.

I mentioned that Osman Farooqi case, but he talks about how he tried to get the police to act on the case of his doxxing and it was kind of like, took it to the local police, they didn’t know what to do with it. They said, I think there’s a federal law, but the AFP weren’t stepping in. So it does seem to fall under the…
Like, oh, the other question I guess I have around that, you know, the, this, like a distinction between like the person who does the doxing. So I go and publish, you know, someone’s personal information, whether that covers, whether that kind of covers that act, probably covers somebody who, you know, uses the phone number and then contacts the target and menaces them and harasses them, but the act of publishing the information, you know, that, that’s kind of what we’re talking about here. And it’s.
It’s interesting to see like, well, does it really cover this? You know, does it really cover that case?

Yeah, exactly. Right. And depending on the exact terminology, right? Like if you’re publishing it information and, you know, alongside that menacing someone or like encouraging people to harass them or whatever, maybe you could rise to that standard, but yeah, a reasonable person regards it as menacing, harassing or offensive. Yeah. It’s, it’s a pretty high high bar.
I think there is a gap there. I think most, not being a criminal lawyer, but most of the circumstances of publishing information, especially if it’s purportedly for say a public interest purpose or there’s other reasons involved, I don’t think you’d clear the hurdle for the AFP to even look at it, let alone you know, have any real chance of that being successful. So I think there’s a kind of gap there that these new proposed criminal laws would address.
The other thing that people have been talking about in connection with this is a proposed kind of tort of privacy. A tort is fancy legal language for wrong or like reason that you can sue someone. And so part of the Proposed Privacy Act reforms is that, you know, they’re there should be a right to sue people if they’ve kind of significantly interfered with your privacy, which currently there isn’t such a right.
So it’s not clear from what the attorney general said, if that’s part of what they’re proposing to bring forward to deal with this doxing issue, but like, it might be, it was recommended that there should be such a tort, such a right to sue for invasion of privacy as part of the Privacy Act review and the government’s accepted that in principle, I believe.
So, you know, it’s government policy to introduce that, whether they’re going to introduce it quite yet is another, another matter.

And probably just briefly worth mentioning that, you know, we’re not the only country looking at this. There are, you know, anti-doxing laws in other countries. Um, I think the Netherlands have recently introduced something. Hong Kong introduced an anti-doxing law in 2021. That was kind of on the back of the protests that were happening there. And Motivation’s probably different there. Like there was a sort of a concern about the doxing of police officers, you know, by the protesters. And so the government was very much looking to protect police and kind of the officers of the law. So it’s a slightly different context.
The US, some of the states have doxing laws. So it’s something that governments are kind of looking at as this sort of practice becomes more common.

Yep. And then like, yeah, last thing I wanted to note on the law is just to make crystal clear because I think a lot of people find this confusing, but there’s a difference between a criminal offense, which is what the proposed doxing law is, which is like the state saying something is bad and the police will come and punish you for doing it, and a tort, which is like a private law kind of right to go to the courts and seek compensation from someone for interfering with your privacy. It make sense to me that you might pursue both, right? That there’s an individual right to, you know, I can sue you if you publish my details and it harms me, but then also the police might come after you as a criminal offence as well.

I think the, where does that leave us? I mean, I think there’s a lot of uncertainty and what it seems clear is that it’s quite a complex thing to craft a law around, but even just to sort of discuss and form like what are our kind of, you know, our expectations and our values, because even the cases that we’ve talked about, you get this sense that sort of doxing is very much representing a kind of contest of values.
There’s the sort of the right to privacy of the people who are being doxed, but often it’s the case that the people who are doing the doxing, you know, the defenders of the doxing are saying it’s for a cause, it’s for public interest. So at the Most extreme level of that, that’s journalism, right? Look, I’m going to name this person, you know, as doing X, Y, and Z, because it’s in the public interest for me to do that. That activity is corrupt or, or borderline criminal or inappropriate. And there are victims and we need to expose that.
But, but even in the cases we’ve been hearing about, you know, the arguments are that this action, this doxing is in the service of a cause. The Harvey Milk example we talked about with Oliver Sipple, the line is ultimately that for Harvey Milk, the social good of using his story outweighed the cost for him personally abouting him.
That was the sort of rationale and a similar argument around this WhatsApp group. The arguments would be that there was a cause around defending the right of pro-Palestinian advocates to make those concerns heard. That was the motivator. So there’s a real contest of values in this whole doxing kind of conversation I don’t know we have fully resolved and that the law probably won’t resolve.

Yeah, no, for sure. Right. And where that line sits and what’s malicious and, you know, can it be 5% malicious, but like mostly in the public interest or something, who knows? Right. But I think there’s value for, again, I think the law plays an important kind of role in signaling values. Right. And I think, I think there is, even if this thing never gets, you know, gets on the books and never gets enforced. I think there is a kind of case for marking out that territory to say, look, if you’re publishing identifiable information about someone and the only motivator you have is to hurt them, then yeah, that’s something that like law enforcement should get involved with, right? Like we don’t accept that as a society. Like that’s, that is bad.
And I think you can say there’s value in that without actually, I mean, this is such a cop out, but you can say there’s value in that without actually being able to delineate exactly which situations there might be a, you know, a legitimate case for doxing someone and which not.

Yeah, I think I would agree with that. I mean, at least it draws attention to the fact that there are harms that can occur from these breaches and, you know, these breaches of personal information. And if there’s a deliberate and malicious intent behind it, well, then we can draw a line in the sand around that.
I think there are lots of challenges around like, you know, the thresholds around like what level of publication brings a law like this into the frame. Like, you know, often when we talk about doxing, it’s like publishing in the mass media or on social media platforms with large audiences.
But some of the examples, you know, that you and I both mentioned, it’s like, you know, you put someone’s details into a closed Facebook group or their workplace, which is a closed community, but it’s meaningful and significant for that person and for them to feel some sort of negative consequence. So interesting to see how all of that gets navigated as well.

Yeah, yeah, no, a lot of, a lot of detail to navigate. It’s, it’s a tough one. I’m glad I’m not writing that long.

Yeah, it was likewise.
Okay, well, thank you for brushing me up on 90s internet slang. It’s always welcome. I look forward to doing more of that. So I can talk to the cool kids.

I’m gonna go watch Hacker or something. I’ve reignited my passion for 90s internet stuff.

Yeah. Good one. All right, well, I’ll leave you to it. Thanks, Jordan.

All right, cheers. See you.