How cops can protect themselves from doxxing
Protecting your personal information in an online world is a necessary process for officer and family safety
October is National Cyber Security Awareness Month. Throughout the month, PoliceOne will provide serial coverage of cyber issues that impact law enforcement.
By Todd Drake, PoliceOne Contributor
The term “Dox” or “Doxxing” is derived from the word “document.” It originates from the practice of researching information about an individual. Doxxing is often defined as an internet-based practice of researching and broadcasting personally identifiable information (such as names, addresses, phone numbers, spouse, children, relatives, financial history and much more) about an individual. The practice of doxxing is not new. It actually dates back to the 1990s and was often used for constructive purposes such as helping law enforcement locate suspects and dangerous criminals, in business analysis, and the legitimate vetting of individuals. Doxxing, however, strays into a very dark area when it is used for other purposes. In the last 12 months, we have seen a huge spike in doxxing activity specifically related to individuals in the public safety arena.
The current trend we are seeing in the area of doxxing is mainly focused on confrontational interactions in high-profile cases. It is often a situation in which an individual is videotaping an incident and there is a specific interest in capturing the police as much as possible. You will often see that the individual recording the video will interact with police in an attempt to get a name. Once they have that name, they are off to the races (more on this later).
When it comes to privacy issues, much of the press focuses on companies like Facebook, Twitter and Google. Unfortunately, that focus often ends up being a distraction from the real offenders. For the most part, data pulled from Facebook and similar platforms for malicious purposes is a self-inflicted wound since the data is typically posted by the victims themselves. We all know (or should know) not to post personal and private information online. These sources feed the practice of doxxing and can lead to many different types of assaults.
Unfortunately, the reality is that this information is already out there and readily available for the taking.
Some companies compiling this vast collection of public record information and selling it are names you have probably never heard of before, such as Intelius, BeenVerified, and PeopleFinder. These websites gather information from a wide array of sources and make the information available for purchase to anyone. While there are over 200 companies out there doing this kind of activity, you need to be mostly concerned with 20 to 30 of them. I say this because there are plenty of companies that collect this detailed information for the sole purpose of sending you a coupon in the mail or displaying a pop-up advertisement on your computer screen. You could argue that this is creepy, but the good news is that these companies do not sell this information to individuals.
Doxxing by online vigilantes
There are countless recent examples of doxxing that millions of Americans read about every day, often without realizing that doxxing is at the heart of what they are reading. In the last three years, First Lady Michelle Obama’s social security number, Beyoncé’s home address, Ashton Kutcher's personal phone number and the credit report of Los Angeles PD Chief Charlie Beck were all posted online following acts of doxxing. While these events were troubling enough to the individuals involved, the more recent use of doxxing has taken an even darker turn. Following recent events in Ferguson, the hacktivist group known as Anonymous acquired the sensitive personal information of Colonel Ronald Replogle, posted it on the internet and then tweeted the location of this information to thousands of people.
Literally anyone — an ill-intended individual, gang member, escapee, former arrestee or protestor — can follow the provided link to acquire a home address, phone number, email address and much more. These acts put the individual involved and their family at immediate risk.
Erica Garner, the daughter of Eric Garner, tweeted out the address of one of the NYPD officers present at the time of Eric’s death (Justin D’Amico). Her tweet linked to a web page with addresses for D’Amico and five possible relatives. Garner has more than 5,000 Twitter followers and her post was retweeted about 500 times.
Following the fatal shooting of a homeless man on Skid Row in Los Angeles in early March, the LAPD confirmed that at least two police officers were the victims of doxxing. An unknown individual or group posted the officers’ names, addresses and details about their kids’ schools on the internet.
Risks and threats to police
Police are often in high-risk situations. It comes with the profession. Doxxing, however, is a new kind of threat and one that can manifest itself in many dimensions and extend the risk beyond the officer involved to include family members and relatives.
The bigger problem here, of course, is the availability of sensitive personal information on the internet to feed the practice of doxxing. More than 50 entities, loosely defined as people finder websites or data brokers, have compiled comprehensive information profiles about most of us. This information is then made easily available for anyone to acquire on the internet. These sources feed the practice of doxxing and can lead to many different types of assault, including the following – which do not need to be life threatening to be debilitating:
• Physical stalking
• Cyber stalking
• Identity theft
Today, anyone with a phone, computer or tablet can get almost immediate access to an officer’s personal and private information. We all know there are thousands of companies out there databasing everything we buy, where we live and where we like to go. These same companies then take all this detailed information and create detailed reports on virtually every individual in the U.S.
Protection and risk management
With respect to protecting yourself against doxxing, and other misuses of your personal information, there is a lot of good advice out there regarding the use of the internet:
• Never give out personal information like phone numbers or physical addresses.
• Refrain from providing your first name. It makes it much harder to find the individual online with only a last name.
• Run your own name on these sites and see how easy it is for you to be found.
• Use a P.O. Box as a mailing address whenever possible.
• Contact each data broker and request your information be removed from their site.
At the end of the day, while all of this is useful and well-intended, the only practical solution is to remove your personal information from these sites. But this task is easier said than done.
The unfortunate reality is that removing personal information from these sites is intentionally convoluted and difficult. While it is technically possible, most people do not have the time or patience to execute each of the following steps:
Step #1: Identify all of the more than 200 sites that compile, maintain and sell personal information, and then zero in on the 50 that can really hurt you.
Step #2: Dig through each of the sites to locate the particular set of instructions for opting out of that site.
Step #3: Follow each of the required processes, prepare and submit the necessary form or forms, and provide the additional information necessary (including a photo ID in some cases) to complete the opt-out request.
Step #4: After the full set of opt-out instructions has been submitted, revisit each of the sites to verify they have complied with the opt-out request.
Step #5: More than a step, this is an ongoing process. Even after many of these sites have complied with the initial removal instructions, they will repopulate personal information over time. So, periodically (at least every 30 days), it is necessary to return to Step 1 and repeat the entire process. Protecting your personal information in an online world is a never-ending and time-consuming, but necessary, process for officer and family safety.
The important takeaway is that virtually anyone can find just about everything they might want to know about you on the internet for any purpose — targeting, stalking, bullying, revenge, embarrassment, identity theft and much more.
Activities like doxxing are not going away. If anything, the problem is getting worse. From solo criminals to organized gangs, the data vigilantes are everywhere, operating throughout the world. The best way to deal with this growing problem is to protect yourself by removing your information online either manually or through services offered by data privacy companies. Do this for yourself and your family before doxxing happens to you.
About the author
Todd Drake is the founder of ManageURiD. ManageURiD is a personal privacy protection company with decades of experience in information security and the proper management of sensitive consumer data. The company is headquartered in Northern Virginia. Additionally, ManageURiD has partnered with the International Public Safety Association to offer public safety officials and their families a significant discount off the subscription rate of the service.
Todd has more than 25 years of experience in building and running technology companies in the advanced analytics and data mining software industry and extensive data privacy experience.
In the past, he ran the data group for ChoicePoint, providing the government investigative solutions that enabled agencies to locate people, detect fraud, uncover assets, verify identity, perform due diligence and visualize complex relationships; solutions that were used by more than 3,000 agencies to help enforce laws and regulations, fight fraud, waste and abuse and provide essential citizen services.
Todd has also worked in senior capacities with organizations and major federal agencies with data-intensive mandates in areas such as intelligence, security, finance, health care, homeland security, crime and fraud prevention; and he served as a senior systems consultant for the Department of Defense and the U.S. Navy, with deployments to the Persian Gulf in support of intelligence analysis operations.