Untitled

DEFENSE AGAINST DOXING - IT'S EVERYBODY'S BUSINESS, by QUINTUPLICATE, 2022.
Second edition, 2024.
Also by the author:
IRC Made Easy (https://pastebin.com/LHFUkyhF)
CONTENTS
Introduction to the Second Edition
Preface to the First Edition
Part I. What Is Doxing
Part II. Prevention
Part III. Damage Control
INTRODUCTION TO THE SECOND EDITION
I've kept the original preface because it holds even truer today than it did when I wrote it. Multiple high-profile incidents of doxing have well illustrated the old adage that "the only thing we learn from history is that we do not learn from history."

This edition is a revision of the 2022 edition. New information has been added, existing matter corrected, and language changed to make it easier to read. You should note that paragraph numbers may have changed from the 2022 edition.

I don't discuss this in the main content of this guide, but I wonder if AI has made doxing easier or harder than it was in 2022. The large flood of AI-generated content threatens to inundate human-created content, but that's no bar to attackers who adopt a "better safe than sorry" approach - for their harassment campaigns, that is, not for their victims.

Also, in many countries which we regard as democracies, political polarization has deepened. I reckon this will reduce the stigmatization of doxing so long as it is done in service of a cause which is considered just. This shows the importance of defense against doxing for all; beyond that, I won't put any more words between you and what you came for.

Defense against doxing - it's everybody's business!
THE AUTHOR.
PREFACE TO THE FIRST EDITION
If you're reading this, you were probably taught not to share personal details with random people on the Internet.

This has become all the more important of late. Too many people didn't take this advice to heart. As a result, they lost jobs, homes, friends - everything.

Those people don't just hurt themselves by disregarding this advice. When you've found out the personal information of one person, it's much easier to do the same to their friends and associates. They become a door into the lives of everyone they share a community with.

That's why I am writing this guide - to protect you and the communities you are a part of.

Defense against doxing - it's everybody's business!
THE AUTHOR.
PART I. WHAT IS DOXING
	1. Definition of doxing
	2. Doxing is legal
	3. Doxing is not fatal
	4. Doxing can be harmful
1. Doxing is the gathering and exposure of information about a person which can cause undesirable consequences to the person. This guide does not spell it "doxx" because the second X contributes nothing to its pronunciation.
2. Doxing is not illegal, nor need it be done illegally. See Division 6 of Part II for the information that is available to any member of the public.
3. Doxing is not fatal or irresistible. There are things you can do today to protect against it. Even if you are doxed, there are things you can do to control the damage.
4. Doxing is not harmless either. Most people have some skeletons in their closets; even if your history seems "clean" today, 10 or 20 years down the line it may be enough to get you fired. If you've spent enough time online to need this guide, you don't need examples.
PART II. PREVENTION
	5. Ways to prevent doxing
	6. Do both ways
	7. Courses of action
		Div. 1. Angering People
		Div. 2. Oversharing
		Div. 3. Leaking Metadata
		Div. 4. Reusing Usernames
		Div. 5. Writing Style
		Div. 6. Dox Yourself First
5. There are two ways to prevent doxing:
First, by reducing the reasons people will want to dox you.
Second, by making it hard for someone who wants to dox you to do so.
6. Effective prevention requires doing both.
7. Each way demands a separate course of action:
First, making it unlikelier for attackers to want to dox you means taking down compromising things about you that are online. You know what this encompasses more than I do.
Second, making it harder for attackers to be able to dox you means identifying what connects you and your personas to these compromising things. This part will describe the reasons why, and methods how, people get doxed, so you can protect against them.
Div. 1. Angering People
	8. Real name means real life
	9. You shouldn't use real name
	10. When you're pseudonymous, imagine your real name
	11. Anonymity doesn't mean safety
8. Any platform where you use your real name is part of your family, social and work life. Don't post anything under your real name you wouldn't want everyone who knows about you to read.
9. You should not use or mention your real name in any Internet community.
10. Before you press enter, imagine what your message would look like if it were under your real name. Maybe your username can't be linked to your real life identity, but most usernames can be if the attacker is determined enough. Don't believe me? Read on!
11. You're only fully free on an anonymous community, but you're not completely safe. Whoever owns the server the community is hosted on has your IP (see paragraph 27), and you can inadvertently leak information in other ways.
Div. 2. Oversharing
	12. You're an info leak
	13. You reveal info you don't wish to expose
	14. You can't trust anyone perfectly
	15. Personal details are broader than you think
	16. Don't talk about your birthday
	17. Or where you study or work
	18. If you have to
	19. Don't post your picture
	20. Or your area
	21. Think before you speak
	22. Lying might not work
	23. Don't post your house
	24. Legal matters
12. You leak information in many ways. Sometimes you don't know you're leaking information; other times you know what you're sharing, but not the consequences of your doing so.
13. When you talk to someone in real life, you're saying more than what comes out of your mouth. Your listener can use your tone of voice, body language, eye contact, etc. to decide if you really mean what you're saying. It's similar, but different, online. When you communicate anything through the Internet, you're also saying things that reveal more or less of who you really are. This division will help you find out what those things are.
14. The difference between virtual and real communication is that these unspoken cues don't go through. You have no way to know if someone is trustworthy just by chatting with them, whether through text or voice. It's a lot easier for a bad person to gain your trust online. Think about that before you privately message anyone your personal details. Remember that online, "paranoid" is a compliment.
15. But what are "personal details"? You probably know not to tell anyone your national identity document or social security number, your bank account details, and your home address. But most victims of doxing don't do that. They don't drop their phone number, address, real name, and occupation, all in one go ready for attackers to find. Instead, attackers pick up bits of the information they leak, and piece them together.
16. Is your date of birth personal details? Let's do some ballpark math here. The current world population exceeds 8 billion. Assuming that births are evenly distributed in the year, about 20 million people share your birthday. Assuming that people live for 75 years, your birthday and year of birth are shared by LESS THAN 300,000 PEOPLE - the size of a small city. That, by itself, wouldn't be enough to uniquely identify you; but if you've leaked your date of birth are you sure you haven't leaked anything else about you? That's why you shouldn't say how old you are anywhere public when it's your birthday.
17. Is the place you work or study personal details? If the company or university is large enough, maybe not by itself. But, if an attacker knows other things about you, they can now look for you in a much smaller group than everyone that speaks the language you socialize in.
18. Often, you need your professional expertise or local knowledge to settle an online argument. In that case, it's best to be as nonspecific as possible: "I have some experience in the transportation industry" is much better than "I've been working as an associate engineer for the Department of Highways for 5 years.", and "I used to live about an hour from where this happened" beats a play-by-play of how you learned what you know about the incident and all the personages involved. Is winning the argument worth losing your privacy?
19. Is your picture personal details? Facial recognition has advanced greatly in recent years. Google is already better at faces than many people. And the technology will only continue to improve until every picture can be linked to a name, and thence to everything else about that person.
20. Are landmarks in your area personal details? If you say "no", you're forgetting that there has been a database of the view from every road in the developed world for over a decade - Google Street View. Anyone in the world can "know your area", or at least what it looks like, as well as someone who was born and raised there.
21. The moral of the story is that things which are widely believed not to be revealing, and even encouraged to be shared, can strip you of your anonymity. If you want to talk about yourself, talk about things that can't be recorded in a database, like your personality or hobbies.
22. Will lying to throw people off work? Well, only if your lies are consistent. An attacker can easily distinguish what's true just by seeing what stays constant from day to day.
23. Even if you wipe the EXIF data from a picture of your house (see paragraph 26), other people are unlikely to arrange their furniture the same way, or have the same view from their windows, as you. If you post photos of your house from two separate accounts, an attacker can connect the two.
24. Publicly discussing any legal matters you may be involved in is inadvisable, for many reasons, most of which are beyond the scope of this work; but all court records are public, and most are digitized, so with corroborating information any attacker will be able to look you up if you mention that you got a speeding ticket.
Div. 3. Leaking Metadata
	25. You might leak info unknowingly
	26. Pictures
	27. Office documents
	28. IP address
	29. VPNs
	30. Google Docs
	31. LinkedIn
	32. Screenshots
	33. Waiting may not help
	34. Nor may cropping
	35. One persona, one screenshot
25. Sometimes you leak information because you don't really know what the consequences of leaking it will be. Other times you leak information without knowing you're doing it. A big part of unknowing leaking of information is metadata - data about data. Would you put a return address on an anonymous letter? Why would you let a computer do that for you?
26. Every picture you take includes information about where you took it and the device you took it with. This is known as EXIF metadata. It is easy to view, and it's easy to find software that will scrub it.
Note. Even if you don't mind people knowing where the picture was taken, you still have to deal with information about what took it, which can indicate that two or more photos were taken by the same device and thus most likely by the same person.
27. Use Microsoft Office? Next time you send any of your work products, take the time to go to the "File" tab, click "Info" along the left, and hit "Check for Issues". What is there may surprise you. Luckily for you, you can remove it with the Document Inspector.
28. When you access a website, you give its server the address of your router - called an IP address - so it knows where to send the data you want. THIS CAN SHOW YOUR APPROXIMATE GEOGRAPHICAL LOCATION. Clicking on links you don't recognize is bad for many reasons, most of which are beyond the scope of this work; but for our purposes, it can help identify you from a small group of other people who share your description.
29. A virtual private network (VPN) gives websites another IP address which forwards the data they send there to you. You should use one you trust to access a website run by anyone who would have a reason to dox you.
30. You should view a Google Doc in a private or incognito tab if you have a Google account (including one you have as part of your school or workplace) that is tied to your real name.
31. Likewise, if you view a LinkedIn profile, the holder knows who viewed it. By enticing you to view a fake LinkedIn profile with your actual account, an attacker can dox you.
32. If you screenshot content on your phone and do not crop it, you'll reveal your current time and battery level. This will indicate your time zone if you post the screenshot right after.
33. If you wait awhile after posting the screenshot, you've removed that factor, but if you still post the screenshot to multiple sites, an observant attacker may connect the two postings together. After all, it's unlikely for two people to screenshot the same content with the same battery level at the same time.
34. You can crop the screenshot to stop people from seeing the time and battery level, but again, two people are unlikely to crop a screenshot with the same length and width.
35. So the best bet is simply to do a separate screenshot for each site you're posting to.
Note. You still must worry about whether or not your interest in that content is out of step with the general interest on those sites.
Div. 4. Reusing Usernames
	36. You should have many separate identities
	37. Why you should
	38. The less unique your username the safer
	39. If password is different, so should email
	40. Don't talk about other sites you use
	41. Throwaway accounts
36. Why do companies give many different products the same name? Because they want consumers to link those things together. This is the opposite of what you want.
37. You do not want to use the same username on different sites, especially sites without much overlap, because:
First, if you say something embarrassing or compromising on any one of the sites you use the common username on, everyone in any other of those sites can see and know that you said it.
Second, anything you say about yourself on any one of the sites you use the common username on can be combined and crosschecked with what you say on any other of those sites.
Third, by searching a username used on one site, attackers can and do find other accounts of the same person on other sites.
38. The risk of username reuse facilitating your doxing is somewhat less if your username is a word (even an uncommon one); but this doesn't apply to combinations of words (unless the combination is itself commonly used), or if any community you use the common username on has a problem with any other of those communities.
39. Take note that if the username is different, the password and email address (for password reset) should be different as well. While most sites do a decent job of keeping passwords and emails secret, just one leak might be the bridge the attacker needs to connect one of your personas to another or compromise your accounts using both personas.
40. Don't say you use a site on another one. If you do, don't say the username you use.
41. If you are posting something which you do not want to be linked to your real identity or to any of your online identities, you should create a throwaway account, which you immediately dispose of after use. Note that all the other precautions in the guide still apply.
Div. 5. Writing Style
	42. Writing style is unique for each person
	43. Use correct spelling and grammar
	44. Use commonly used idioms
	45. Don't self-plagiarize
	46. Software can analyze your writing even if a human can't
42. Remember when you passed your friend a note in school and how you were caught when the class snitch recognized your handwriting? It's similar online. We all have our own writing style, and since online our writings are preserved indefinitely, anybody can analyze what you write, and in doing so, connect your personas.
43. To start off, if you always make a spelling or grammar mistake, this can be used to spot you. Two people are unlikely to break the same rule the same way. That doesn't mean always making sure your sentences don't start with "and" or "but" or end with a preposition, but it does mean taking care that you write mostly like everyone else on the site. If your distinctive mistake is one native speakers often commit (can't distinguish between "it's" and "its", for example), or frequently occurs (have no idea how many Rs "embarrassing" has? you're not alone), you may be safer.
44. If you have any idioms you like to use, this can be used to spot you, especially if they are not in a pocket dictionary. Your English teacher might not have wanted you to use cliches, but they are safer than coming up with your own expressions.
45. Copying and pasting the same thing (longer than a set phrase) between different websites is basically saying that your accounts on those sites belong to the same person. Especially since ChatGPT exists now, why do it? If your idea is truly original, then you can say it differently.
46. Writing style analysis software has improved greatly in recent years. Often, a machine can tell if two text samples are written by the same person, even if a human can't.
Div. 6. Dox Yourself First
	47. Put yourself in an attacker's shoes
	48. Google your name
	49. Search databases
	50. Removing content
	51. Graduation
47. It is helpful to put yourself at the standpoint of an attacker and dox yourself first so you know what information about you is online.
48. Start, of course, by Googling your full legal name and nicknames (if any). Try to trace it back to your username(s). The information that is available about you online may surprise you.
49. Much information is in dynamically generated databases which no search engine can pick up. You should therefore also search:
First, your local voter registration database. If voting is mandatory where you live, you may have been enrolled without your knowledge.
Second, your local newspaper. If it talks about you, 19, one week, and you, 20, the next, an attacker can narrow down your birthday. A newspapers.com subscription is worth its (metaphorical) weight in gold here.
Third, your local court records. As discussed above, most courts record and publicize even minor infractions.
Fourth, your school yearbooks. Many yearbooks are scanned, and many school and college newspapers are online. Again an ancestry.com subscription is worth its (metaphorical) weight in gold here.
Note. "Local" may encompass any place you have lived in since you turned 18 and in some cases before.
50. Many sites will remove private content on request; some sites will not and will mock those who ask for it. The DMCA (or equivalent) may be used to remove content created by you from sites hosted in certain countries.
51. If you are really paranoid you can check if your high school or college graduation video is online. There's probably little you can do to take it down, but it will remind you that sometimes you must reduce the reasons people might dox you.
PART III. DAMAGE CONTROL
	101. Don't panic
	102. Treat incorrect dox as if they were correct
	103. Delete everything
	104. You're not beat until you think you are
	105. Don't point out false dox
101. The first rule of being doxed is to remember that NO REAL LIFE SITUATION IS IMPROVED BY PANIC.
102. The second rule of being doxed is to TREAT INCORRECT DOX THE SAME AS CORRECT ONES.
103. Whenever any personal information about you is revealed, you should DELETE EVERYTHING ABOUT YOURSELF THAT IS ONLINE. "Everything" includes information that would not suffice to identify you normally, because the attacker may have narrowed you down to a small group and that information may be all they need to separate you from the herd. The faster you do so, the better. Just because the attacker knows something about you doesn't mean they know everything else.
104. If any one of your address, real name, or workplace has been revealed - the attacker is now in the home stretch. But remember that YOU'RE NEVER BEAT UNTIL YOU THINK YOU ARE. If you do all you can to prevent your attacker from finding the other two, you still have a chance.
105. It goes without saying that YOU SHOULD NOT TELL SOMEONE WHO POSTS FALSE DOX THAT THEY ARE FALSE - this includes mocking them or interacting them in any way. Many a person has been doxed because they interrupted their attackers while they were making a mistake. You should instead treat it as a drill. The attacker has given you time to conceal true information about yourself - do not waste it.
THE END.