Wikimedia Foundation/Legal/Community Resilience and Sustainability/Human Rights/Doxing and what you can do about it

From Meta, a Wikimedia project coordination wiki

What is doxing?

Doxxing is a form of digital abuse where someone collects and publishes your personal information online with the intent to cause harm. This information can include your real name, phone number, email address, social media accounts, photos, date of birth, and home or work addresses.

People who do this use many different methods to gather information, from simple internet searches to looking through social media profiles to using data broker services. They often start with one small piece of information and use it to find more, building a complete picture of who you are, where you live, where you work, and how to contact you.

Why should Wikimedians care?

There is a lot of personal information available online that many people don't realise is publicly accessible. Doxxing requires little skill and often has very limited legal consequences, especially when the information shared was already publicly available somewhere. When personal information is shared in the doxing context, it can lead to harassment, threats, or worse. That’s why it’s important to take it seriously, and why the next section focuses on steps you can take to better protect yourself.

What can you do about it?

The best defence against doxxing is realising that this can happen to anyone, including you, and taking proactive steps to reduce the harm that it can cause. This includes being more mindful about the information you share about yourself, finding information about yourself so you know what is out there, and removing information if deemed necessary.

Keep in mind that removing information from the internet is extremely difficult and success is unpredictable. It's best to think of the internet as permanent and be more careful about what you share online going forward. These steps won’t guarantee that you won’t be doxxed, but they can make it much harder and help reduce potential damage.

Check your Wikimedia presence

Username

Are you using your real name? Or a nickname that can be traced back to you? Perhaps a username you have used elsewhere? A doxer’s first step will likely be an online search of your Wikimedia username, so do the same. What did you find? If you would like to change your username, submit a request at Wikipedia:Changing username, but remember that renames do appear in the user rename log and global rename log. If you want to be extra safe, create a new account.

Userpage(s)

Chances are, your real name or username alone will not be enough to identify you, so a doxer will likely dig deeper by going through your userpage, including scanning earlier versions of it, to find any other personal details to add to the search query. If you do find information that you would like suppressed, send a request to the oversight team.

Contribution history

As contributors, we often start by editing Wikipedia on topics or places that are familiar to us, such as our schools, or by uploading images to Commons from our vicinity, such as a landmark or a favorite cultural place. These are all data points a doxer can use to build a better picture of you, such as what you like, where you travel, or where you live. The global account information allows you (and anyone else) to look up every contribution you ever made, across projects, in all languages, from the first to the latest edit. Think about where else on the platform you may have shared revealing details, such as introductions on talk pages, sign-ups for events or article discussions. A request to oversight to get contributions suppressed might come in handy here too.

Images of you and images you have uploaded

If there are images of you on Wikimedia Commons, try a reverse image search to see where else those images have been used on the Internet. This can give you an idea of where and how your images are being used and a sense of how much exposure you or your account have outside of Wikipedia. For images that you have uploaded, check whether Exif data was shared and what it contains, as it can include time, date and location data. Contact Oversight to remove images or associated information from Wikimedia projects. If an image has been used on another website, try to contact the site owner, that is, the person who owns the site that has the image. Removing the image from the source is the most effective way to remove it from search results. Search engines will remove links to the images only in limited cases, like when the image contains personally identifying information (PII) or non-consensual explicit or intimate personal images.
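
A self-check for the Exif step above, as an added example that is not part of the original page: this Python script reads a JPEG's Exif header using only the standard library and lists which time, device and location tags are present, so you can review a photo before uploading it. The function names, the tag labels and the constructed sample file are this example's own.

```python
import struct

# Exif/TIFF tags that can reveal who, when or where (labels are this example's own).
REVEALING = {0x010F: "Make", 0x0110: "Model", 0x0132: "DateTime",
             0x9003: "DateTimeOriginal", 0x8825: "GPS block"}
EXIF_IFD = 0x8769  # IFD0 entry whose value points at the Exif sub-IFD

def exif_segment(jpeg):
    """Return the TIFF payload of the first APP1/Exif segment, or None."""
    if jpeg[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG")
    pos = 2
    # Walk the metadata segments; stop at start-of-scan (0xDA) or end of data.
    while pos + 4 <= len(jpeg) and jpeg[pos] == 0xFF and jpeg[pos + 1] != 0xDA:
        size = struct.unpack(">H", jpeg[pos + 2:pos + 4])[0]
        body = jpeg[pos + 4:pos + 2 + size]
        if jpeg[pos + 1] == 0xE1 and body[:6] == b"Exif\x00\x00":
            return body[6:]
        pos += 2 + size
    return None

def _entries(tiff, e, off):
    """Yield (tag, value) for each 12-byte entry of the IFD at offset off."""
    # A truncated or out-of-range IFD is padded so it reads as zero entries.
    (count,) = struct.unpack(e + "H", tiff[off:off + 2].ljust(2, b"\x00"))
    for i in range(count):
        entry = tiff[off + 2 + 12 * i:off + 14 + 12 * i]
        if len(entry) == 12:
            tag, _type, _n, value = struct.unpack(e + "HHII", entry)
            yield tag, value

def revealing_tags(jpeg):
    """Names of revealing tags present in IFD0 and the Exif sub-IFD."""
    tiff = exif_segment(jpeg)
    if tiff is None or len(tiff) < 8 or tiff[:2] not in (b"II", b"MM"):
        return []
    e = "<" if tiff[:2] == b"II" else ">"  # TIFF byte order
    ifd0 = dict(_entries(tiff, e, struct.unpack(e + "I", tiff[4:8])[0]))
    sub = dict(_entries(tiff, e, ifd0.get(EXIF_IFD, len(tiff))))
    return sorted(REVEALING[t] for t in {*ifd0, *sub} if t in REVEALING)

def constructed_sample():
    """Constructed JPEG holding only an Exif header (no image data)."""
    ent = lambda tag, typ, n, val: struct.pack("<HHII", tag, typ, n, val)
    ifd0 = (struct.pack("<H", 3) + ent(0x0132, 2, 20, 50) + ent(0x8769, 4, 1, 70)
            + ent(0x8825, 4, 1, 88) + bytes(4))
    sub = struct.pack("<H", 1) + ent(0x9003, 2, 20, 50) + bytes(4)
    tiff = b"II*\x00" + struct.pack("<I", 8) + ifd0 + b"2024:01:01 12:00:00\x00" + sub + bytes(6)
    body = b"Exif\x00\x00" + tiff
    return b"\xff\xd8\xff\xe1" + struct.pack(">H", len(body) + 2) + body + b"\xff\xd9"
```

To check one of your own photos, pass its bytes to the function, for example `revealing_tags(open("photo.jpg", "rb").read())`, where `photo.jpg` is a placeholder file name. An empty list means none of the listed tags were found in the Exif header.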

Mailing lists

Here you will find a list of all mailing lists hosted by the Wikimedia Foundation. Go to the ones you are or may have been part of and use the search functionality to see whether you have revealed any personal information at any time. Please reach out to lists-archives-deletion-requests@lists.wikimedia.org and clearly explain what information you want removed and why.

Meetups and other events

When you take part in community events, information is often shared and photos from the events are uploaded to Wikimedia Commons. Go through reports that have been published or images that have been uploaded to see if you find yourself anywhere, both on Wikimedia websites and on any external websites or social media platforms. You might ask the organizers or individuals who have published such information to have it removed if deemed necessary.

Beyond Wikimedia: Check your broader online presence

The internet is an interconnected space. As such, expand your search to include your online activities beyond Wikimedia projects.

Search for yourself

Search engines are usually the starting point of any doxer. Try multiple search engines and give yourself a thorough search. You can start with your name. Combine that with other data points such as emails, cities, home addresses, schools, companies you’ve worked at and events you have participated in. Think about how those pieces of information connect to people you know. What could someone learn about you through your network? What have other people shared about you? Make use of these Google search tips and be sure to do all that in private browsing mode. While the implementation varies from browser to browser, it provides some protection against cookie-based tracking and doesn’t store your session history. Additionally, leverage these search operators to find more nuanced results that might not show up as part of a typical query. Remember, the goal is to get as much information about yourself as possible, so get creative. Also, learn about dorking, in a guide by the Tactical Tech Collective, for more comprehensive self-doxing.

Check your social media

Privacy is often the last thing on the minds of social media companies. Remember, the more the companies share about users, the higher their revenue. This means that, although many now have privacy features one can activate, these are often deactivated by default, which helps not only data brokers, who benefit from loose privacy settings, but doxers too. Make sure to check your profile both when signed in and when signed out; that way you see what your ‘friends’ and the larger public can capture from it. Here are the links to the privacy settings from Google, Facebook, Instagram, and LinkedIn. Also, look at this guide by the New York Times for a deeper dive.

Keep an eye out for data breaches

Data breaches occur almost on a daily basis, so there is a likelihood of your data (from email addresses to full names to IP addresses) ending up in the hands of hackers or in public data dumps. You can check to see if your email or phone numbers have been part of a breach, set up alerts to find out if you are part of any future breaches, and follow the security tips to secure your accounts. Additionally, Google Alerts is useful to keep tabs on your data as it surfaces online and gets indexed. Some password managers also alert users to sites that may have been involved in data breaches. This is why reusing passwords is discouraged: one data breach can reveal your password to other parts of your life.

Be wary of third-party apps and services

There are so many cool things on the internet, often marketed as ‘free’, except they are not. You are paying for them with your personal and usage data. Check out this chilling article regarding TrueCaller, for instance. Also, while these sign-up options are convenient, avoid Google or Facebook sign-ups on apps and websites, because by using them you are not only creating more interconnections about yourself online but potentially giving companies a backdoor to your account and the data inside.

Separate your online identities

Use different email accounts for different purposes - personal, professional, online shopping, and a separate one for things that might generate spam. Consider using email masking services to hide your real email address from public view.

What to do if you've been doxed

There’s no “right way” or order to go about things. The information below is intended to help you develop an action plan that best fits your incident, goals, and needs.

If you are in immediate danger

  • Contacting local law enforcement: There is no simple rule for when to contact the police. You are the best judge of whether online abuse has made you fear for your safety or the safety of people close to you. Keep in mind that in some countries, contributing to Wikimedia projects can carry risks from the government itself. If that applies to your context, contacting law enforcement may not be a safe or helpful option.
  • Wikimedia Foundation Trust & Safety Team: If you believe that you are under imminent threat of harm, you can reach out to emergency@wikimedia.org. Alternatively, please use ca@wikimedia.org to inform the team of your situation.

Do not engage

Avoid engaging with the person who shared the information or responding to any communication attempts you may receive. Any response may escalate the situation or give the abuser more attention.

Document everything

Take screenshots and save links of anything related to the doxxing. This includes messages, posts, emails, and social media activity. Try to record dates and times. Even if the content is deleted later, having a record can help you take legal action, report users to platforms or support investigations in Wikimedia-related Universal Code of Conduct or Terms of Use violations.

Tell someone you trust

Being doxxed can be frightening and isolating. Tell someone you trust. This could be a friend, a fellow Wikimedian, or someone in your community who can support you. You don’t have to go through this alone.

Do a digital lockdown

Change your passwords. Turn on two-factor authentication (2FA) wherever possible. Check your privacy settings to make sure you're not sharing more than you want to. Consider enrolling in extra protection programs like Google’s Advanced Protection Program if you feel the situation calls for it.

Report to platforms

While platforms are not always responsive or consistent in enforcing their rules, reporting abuse can still be important. It creates a record of the incident and may lead to the removal of harmful content or even an account suspension. See this guide by PEN America for more help with reporting.
