Please consider the date when this article was last updated by looking at the bottom right corner of the page when evaluating the accuracy and security of the following guide.
Access Now Digital Security Helpline
Doxing (also “doxxing”, or “d0xing”, a word derived from “documents”, or “docs”) consists in tracing and gathering information about someone using sources that are freely available on the internet (called OSINT, or Open Source INTelligence).
Doxing is premised on the idea that “The more you know about your target, the easier it will be to find their flaws”. A malicious actor may use this method to identify valuable information about their target. Once they have found sensitive information, they may publish this information for defamation, blackmail the target person, or use it for other goals.
Self-Doxing to Prevent Doxing
Harassers and stalkers use several tools and techniques to gather information about their targets, but since these tools and techniques are mostly public and easy to use, we can also use them ourselves, on ourselves, as a preventative measure. “Self-doxing” can help us make informed decisions about what we share online, and how. (Of course, these same instruments can also be used to learn more than is immediately obvious about someone we have met online before we give them our full trust - for example to decide if we want to admit them to a private mailing list or group on social networking platforms.)
Methods used for doxing (and self-doxing!) include exploring archives, yellow pages, phone directories and other publicly available information; querying common search engines like Google or DuckDuckGo; looking for a person’s profile in specific services; searching for information in public forums and mailing lists; or looking for images that the person has shared (and for instance may have also published in another, more personal, account). But it can also simply consist in looking up the public information on the owner of a website, through a “whois search” (see below, in the “Search engines and more” section).
Warning: when practicing self-doxing, there is a risk of getting exposed to results that you may find disturbing. If you think you may need support, make sure you have close friends around when you do your research.
Before we start exploring these web services and looking for our digital self, it’s a good idea to use anonymisation tools like the Tor Browser.
What to search for
To decide what to search for, you should try to understand what activities expose you to a higher risk of being attacked by trolls or other malicious actors. Why would someone want to spend hours of their time to track information on you in the internet?
This kind of attacks often affects minorities or people who support controversial opinions online, and the attack starts from the information that the malicious actor will find immediately available - like the nickname and profile used by the target in the platform where the attack has started, or the pictures the target has published in their page.
So if you think that someone might want to harm you by looking for personal information on you, start asking yourself how they got to know you. If you use your name and surname or a picture of your face on the platform where they learned about your existence, then this is what they will start from, and what you should start from for your self-doxing exercise.
If, on the other hand, a potential attacker knows you by a pseudonym (like the nickname or handle you use on that platform), your search efforts should focus on any connection that there might be between that pseudonym and your physical life (your name and surname, the place where you work, your home address, etc.).
If you are using a unique handle in the platform where your sensitive activity is happening, and have never used it for anything else, some traces might still be public, for example your IP address or your geolocation data. Check the properties of the pictures you’ve uploaded and the posts you’ve published: do they contain any identifying details, like your IP address or your location? If so, you might want to edit them so as to delete any sensitive information they may contain. Read more on how to control the information you share online in this guide on secure identity management.
Search engines and more
Once you have identified all the names and nicknames you want to look for, as well as pictures and other personal data (web domains you own, birth date, city where you live, etc.) you may have posted in your most exposed online profiles and web pages, you can start your search.
What follows is a list of search engines and other online services that you can use.
When you do your search, use a different browser than usual so that you aren’t logged into your online accounts. In alternative, you can delete the history and cookies, and clear the cache.
- The most obvious place to start a search is Google. Before you start your search there, please note that on your usual browser Google may give you customized results that might not match with what an adversary would find. It’s better to use a different browser to do this search (for example if you usually use Firefox, use Chrome for this search, or, even better, the Tor Browser).
- Remember that if you are looking for more than one word, like your name and surname, you can refine your search by putting quotation marks (“) around the words, as in: “Name Surname”.
Look for your name or nickname in the most common social networking platforms: are other people trying to impersonate you?
- Your name might be in the White Pages, together with your home address. The good news is that in some countries (like Mexico) there might not be a phone registry available online.
- In Germany, you can check on DasTelefonbuch.
- In Germany, there are other search engines for persons. Try to find out if you get more results on them:
If you have a website, check what information it reveals: go to a website that offers Whois domain lookup, for example Whois.com, and enter the domain of your website there: make sure that your personal details, like your home address, are not included there. If they are, you can request your domain name provider to anonymize this information. If they don’t offer this service, consider moving your domain to a different provider. Access Now Digital Security Helpline is happy to provide help in identifying the most suitable providers for your needs.
- Many people have hobbies. Some are members of driver clubs, others are dog breeders, photographers, hikers, computer game fans, etc., and each of them have their own places for communication. When sharing on these platforms, some might believe that these exchanges have no relation to their jobs or other life domains, so they often publish more information about themselves there. Do you have a hobby? Visit your platform/s, check your profile/s, and review what you’ve published there.
If you have a photo, icon, or avatar, do a TinEye or Google reverse image search. With these search engines you can look for all the pages that contain the image you are searching for.
For example, if you use your portrait for your Facebook profile, you can check that this picture hasn’t been used in other web pages by looking for the URL of your icon. To find out what the URL of your icon is, right-click the image and click “Copy Image Location”, then paste the URL in the search engine bar.
- TinEyE image search
- For a Google reverse image search, go to Google Images and click on the camera icon on the right end of the search bar, then paste the URL of the image in the search box.
Check if your online account has been previously compromised
Over the years, many company and platform databases have been breached, and the user names, email addresses, and passwords in those databases published online. You can find out if any of your accounts’ credentials are included in these leaked databases by looking for your email on ’;–have i been pwned?.
If you find an account of yours was compromised, and you are using that same password for other accounts, you should immediately change that password. This could also be a good moment to set new strong and unique passwords and multi-factor authentication for all your accounts. The Access Now Digital Security Helpline team is happy to guide you in this process.
How to delete your traces
If you find sensitive information that you need to delete, in the European Union you can often rely on the right to be forgotten.
Access Now Digital Security Helpline is ready to guide you through the necessary steps.
Facebook: Request removal of photo or video because it violates your rights here
Instagram: Controlling Your Visibility
Twitter: Report doxing or posting of private information here
Snapchat: Help Center - Click on “Report a Safety Concern”.
- Tumblr: How to report a privacy violation
- If the public form cannot help, abuse can be reported by email following these instructions
Das Telefonbuch: If you want to delete your entry, follow these instructions.
If the personal information is on a website, you will need to contact the administrators and/or the host provider. Access Now Digital Security Helpline can help you identify the contact point.
- If someone is impersonating you on a social networking platform, Access Now Digital Security Helpline is ready to guide you through the necessary steps to report and take down that profile.
- How to manage your online identities in a secure way
Liz Henry, Investigation Online: Gathering Information to Assess Risk , Model View Culture, April 28th, 2014
School of Privacy, Self-Dox
MyShadow, Exploring your visible data traces
Recommendations on What to Do if You’ve Been Doxed, by EFF Director of Cybersecurity Eva Galperin.
Crash Override Network, Preventing Doxing
Crash Override Network, So You’ve Been Doxed: A Guide to Best Practices
- Hiding from the Internet - Eliminating Personal Online Information - Personal Data Removal Workbook & Credit Freeze Guide - a detailed guide for personal data removal, addressed especially at US residents.