Digital security is a form of harm reduction. In this training we share tips and tools on how to lock down social media to make any revealing or personal information more difficult for malicious actors to find. If you get doxxed, it is NOT your fault.
As we discuss in the training, everyone’s threat models look different. What works for some people, may not work for you! No one knows you, or your needs better than you. Please take what actions and advice work for you! What follows is information and SUGGESTIONS based upon our experiences and research.
What is Doxxing?
Doxxing or Doxing is typically a cyber attack in which someone with malicious intent releases personal, private, or stigmatized information about someone without their consent, knowledge or control. Doxxing is a form of abuse and harassment in which information is collected and shared through a combination of web searches, reverse image searches, combing through social media, use of the way back machine, publicly available databases, hacking and social engineering. Doxxing rarely takes place because of information found on a single website. It is most often piecing together bits of information from all sorts of open source information found online.
Doxxing can often leave an individual feeling fearful, vulnerable and alone. So we want to share some concrete tips on how you can take action to protect your private information online! All of this is covered more in depth in the training, but below are a few tips and resources if you are just browsing quickly. For more information on digital security practices, you can check out our other training where we go more in depth on threat modeling here.
How can I prevent Doxxing?
Consider the following to prevent doxxing. Again, whatever works best for you and the threat model you’ve devised!
- Setting your profile to private
- Using an alias on public social media
- Using an avatar that is not a face pic
- Turning off location data and metadata on social media, your camera and your phone.
- Disable tagging in photos
- Cover face, tattoos, and scars when protesting (or in photos used for advertisements)
- Turn your phone off or don’t bring it to protests.
- Google your search. Reverse google search your images. See what a malicious actor might be able to find, and work on making it harder to find.
Tips On Attending a Protest
- Turn off your phone (stingrays are absolutely present) if you must bring it.
- There is evidence that phones can still be tracked if they are off
- Use cash
- Cover your face, hair, tattoos
- Only write phone numbers of trusted peoples on unexposed skin
Locking down Social Media
- opt for higher privacy and security settings
- they often use the same language and icons to display those options, get used to recognizing them for what they are on all your social media accounts
- Turn off location services
- Avoid cross contamination of data between apps
- Separate registry email addresses
- Compartmentalize how you access them (diff browser sessions, switching VPN location, scrubbing exif metadata from images you share)
- Enable two-factor authentication
- Avoid using one time sms codes, intelligent targeted attacks can find ways to intercept that
- Get a password manager to create and remember complex passwords
Again, these are all suggestions. Not all of these suggestions are possible for everyone. You know what works best for you!
Doxxing Prevention Harm Reduction
In this training we talk about what doxxing is, how you can protect yourselves at protests or as sex working folks. We talk about how digital security is both a form of self care and community care (much like safer sex practices). This training focuses on locking down your security settings on Twitter and Instagram.
What To Do if You’ve Been Doxxed?
- lock all your accounts / turn them private / deactivate them (your discretion which to do)
- notify your trusted network – remember that they may be implicated
- they can assist in monitoring your affected accounts
- they can review their own threat model and practices
- they can help you develop shared strategies
- create an incident log (a log featuring date, time, description, and result of each incident. This will inform how you restructure your own threat model, compare with others who have been similarly attacked.)
- Take a fine tooth comb to all your accounts:
- Change passwords for all, each is unique and random and long
- Review the privacy and security settings, raise the bar
- Notify their support staff
Community Data Hygiene Guidelines:
- Establish a secure, end to end encrypted platform for group communication
- We recommend Keybase for larger groups and file sharing, signal for ease of use
- Set rules for how media can be shared online: always check with the group first, always scrub the metadata, don’t use real names
- Do a group threat modeling exercise
- Look on eff.org/sec for a handy guide
- Set up an incident response plan
Sometimes the least technical practices can have the biggest impact.
Chaff – polluting data pools by filling them with useless bits.
Steganography – hiding data in plain sight. secret messages hidden within plain speech, code words hidden in metadata of images
Resources on Doxxing mentioned in the training
- PRIDEFALL Pridefall Twitter Thread by kohseremite
- HARM REDUCTION Hacking//Hustling – Digital Security Harm Reduction Training
- REMOTE META AND LOCATION DATA How to Remove Location Data from iPhone Photos in iOS 13Absolute Easiest Way to Remove Metadata from PhotosTurn Off Location Tracking on Instagram (iPhone)
- PASSWORD GENERATOR Strong Random Password GeneratorEFF Guide to creating strong passwords
- PHOTO TAGGING Turn Off Photo Tagging on InstagramFree tool to blur parts of images and scrub exif data
- 2FA2 Factor Auth for TwitterAuthy
- TWITTER Change Email on TwitterAccessing Your Twitter DataDelete your tweets en masse
Plugins for privacy
Professional Support for Doxxing Self Defense
If the attacks are overwhelming, massively orchestrated, potentially very dangerous, seek professional help.
- https://www.minclaw.com/
- https://www.abine.com/deleteme/
- https://www.reputationdefender.com/
- https://what-is-privacy.com/
- https://www.deseat.me/
- https://www.privacyduck.com/
- https://www.internetlawcentre.co.uk/
Opt Out Links
https://www.beenverified.com/faq/opt-out/
http://www.checkpeople.com/optout
https://www.instantcheckmate.com/optout/
https://www.intelius.com/optout.php
http://www.peekyou.com/about/contact/optout/index.php
http://www.peoplefinders.com/manage/
https://www.peoplesmart.com/optout-signup
https://pipl.com/directory/remove/
http://secure.privateeye.com/help/default.aspx#26
http://www.publicrecords360.com/optout.html
http://radaris.com/page/how-to-remove
http://www.spokeo.com/opt_out/new
http://www.usa-people-search.com/manage/default.aspx
https://www.truthfinder.com/opt-out/
https://nuwber.com/removal/link
https://onerep.com/optout
http://www.familytreenow.com/contact
INSTRUCTOR CONTACTS
Milcah Halili code@milcah.dev @milcahhalili Twitter/Instagram
Daly daly@eff.org