Close Close Comment Creative Commons Donate Email Add Email Facebook Instagram Mastodon Facebook Messenger Mobile Nav Menu Podcast Print RSS Search Secure Twitter WhatsApp YouTube
Keep Them Honest Support fearless, independent journalism that gets results.
Donate Now

So What the Hell Is Doxxing?

What doxxing really is, plus advice on how to protect yourself from unwanted exposure of personal and private information online.

From left: Brianna Wu, a software engineer and game company founder, was targeted for abuse during Gamergate; an animal rights protest in the Netherlands in 2015 following the death of Cecil the lion; runners during the Boston Marathon in 2017 (Joanne Rathe/The Boston Globe via Getty Images; Getty Images Europe; Suzanne Kreiter/The Boston Globe via Getty Images)

This post originally appeared in our weekly newsletter. Sign up here.

Remember Gamergate?

Or when the identity of that dentist who killed Cecil the Lion was posted?

Or that man who was wrongly identified as the Boston Marathon bomber?

These were all examples of how making someone’s personal, and sometimes private, information public on the internet led to intense harassment.

Today, each of the cases could easily be termed a form of doxxing — short for “dropping documents.” In the last few years, doxxing has increasingly been used as an online weapon to attack people. People’s “documents” — records of their addresses, relatives, finances — get posted online with the implicit or explicit invitation for others to shame or hector them.

But while doxxing may seem both creepy and dangerous, there is no single federal law against the practice. Such behavior has to be part of a wider campaign of harassment or stalking for it to be against the law.

This week I wrote about “doxxing” among the more extreme elements of the country’s political left and right, a world of zealotry and paranoia and anger and worry. Over the course of my reporting, the subject of my article got doxxed herself.

It was all fascinating and disturbing, and I think leaves people, myself included, with a lot to think about concerning doxxing, its effectiveness and appropriateness both. Reporters, after all, have been doing a form of doxxing for decades.

But to hope of thinking clearly about doxxing, it always helps to better understand it and its practitioners.

So, how do doxxers dox? They use public records, like property records, tax documents, voter registration databases; they scour social media, real estate websites and even do real-life surveillance to gather information. Then, they publish the information online.

For some, doxxing is morally troubling. Law professor Danielle Citron is one. “It provides a permission structure to go outside the law and punish each other,” she says. “It’s like shaming in cyber-mobs.”

Then, there is the matter of doxxing the wrong person.

Here’s an example: After the infamous “Unite the Right” protest in Charlottesville, an attendee wearing an “Arkansas engineering” shirt was identified as Kyle Quinn, a professor at the University of Arkansas. Except Kyle Quinn wasn’t in Charlottesville. That didn’t stop the internet, and so when “Kyle Quinn” was doxxed as one of those torch — bearing protesters in Charlottesville, Quinn spent a weekend in hiding due to the amount of online abuse he subsequently received. The real protester, a former engineering student named Andrew M. Dodson, later apologized.

In some cases, people doxxed after taking part in white supremacist marches have been arrested, lost their jobs or allegedly been disowned by their families.

Other experts question whether doxxing white supremacists is a useful tactic. “Is this an effective means of challenging racist views?” ask Ajay Sandhu and Daniel Marciniak, researchers at the University of Essex in the United Kingdom. They argue that doxxing simply isolates people, forcing them into smaller parts of the internet. “You don’t really challenge them, you allow them to exist in those isolated spaces,” Sandhu says.

Some tips on how to protect yourself from doxxing

The short answer is: You probably can’t fully. But we have a few tips that will help make the information you want kept private more secure.

Two-factor authentication

Two-factor authentication adds another level of security for online accounts. You should set this up for your social media, online banking, and any account connected to your credit cards (Venmo, PayPal, Amazon), and things with recurring payments that have credit card info like Netflix. For social media, here’s a how-to from Facebook on enabling two-factor authentication for your Facebook account, and here’s one from Twitter.

Increase privacy on your social media accounts

There may be, and probably is, personal information that is viewable by the public on your social media accounts. Or your social media accounts are completely public. It’s worth looking at the privacy of those. Here are a few things to do to button those up:

For Facebook, you can adjust your privacy settings here. Some boxes to check:

  • Set your profile so it can’t be searched.
  • Set your friends list to private.
  • Set any older content to private, which you can do in bulk.
  • Set all past profile pictures to private.

Also helpful to reduce personal information in your public profile:

  • Remove your header image.
  • Remove any featured photos.
  • Consider removing your profile picture, or making sure it’s something professional/benign in case it gets copied and pasted elsewhere.

For the other accounts — Twitter, Instagram, Pinterest, Quora, etc. — here are some basic measures to take:

  • Check profile pictures and remove or update these images to make sure it’s something professional/benign in case it gets copied and pasted elsewhere.
  • Check who can follow you and/or see your posts.
  • Check account security settings; like Facebook, each platform has privacy/security settings.
  • Consider making Instagram feeds private, as even un-geotagged photos can provide a lot of useful location information.

How strong are your passwords?

Computer-generated passwords are best. Services like 1Password can help you create strong passwords. Some accounts will show you if your password is strong or weak. If it’s “weak,” don’t use it. Here are some more detailed practices for creating strong passwords.

Protect your email accounts

Where is your email address located out on the internet? Do you want it there? If not, remove your personal email address from personal websites, social media accounts or wherever else it might be.

Remove yourself from people search sites

Here’s how to remove yourself from many popular people search sites. These sites can reveal relatives, phone numbers, addresses (old and new), etc., that can be used by angry internet trolls to harass you and your family. Some of these sites are more obnoxious than others to opt out of, but if you go through all of them, it will take you out of most of the common online search services. Also, never provide sensitive information like your credit card number or Social Security number while opting out. Each of the links below will take you to the current opt-out page or instructions on how to opt out:

  • PeopleFinders: Search yourself in any states you’ve lived in and click “This is me” to have it removed.
  • Intelius: You need to scan your ID and scratch out your photo and DL number. Within a few days, they should remove you.
  • Whitepages (non-Premium): Search your name on and copy the URL. Then go to the address linked here and paste it in. You’ll need to give them a phone number and then they call and read you a code.
  • Whitepages Premium: Frustratingly, Whitepages Premium results will still show up for you if you remove yourself from You’ll need to file a ticket with their support staff, but in our experience they’re pretty quick to remove you. Just search for your name in Whitepages Premium, copy the link, and fill out this form.
  • Spokeo: Much like, search yourself on Spokeo and copy the profile URL. Then paste it into the opt-out form here.
  • BeenVerified: This site is very particular about the spelling and form of names. For example, a search result came up for Kenneth Schwencke but not Ken Schwencke. But once you’ve located your name, or versions of your name, opt out here.
  • Other sites: Once you've scrubbed the above listings, it's a good idea to Google your name and the words “address” or “phone number” and see what comes up. If something does, find a way to manually opt out of each one of those sites.

Worth remembering here: Due to the nature of these services, your name might pop back up on them again. It’s worth it to re-check every few months to see if you’re still listed.

A step further: Data brokers

The sites above often get your information from data brokers. To ensure that your data doesn’t pop back up in other types of “PeopleFinders,” you have to go directly to the data brokers. This, however, can take time and sometimes be complicated. Here’s a list of some of the biggest data brokers and their opt-out pages:

A note on voter files

Voter files are public records in nearly every state, but some states block the release of information for certain people. For example, Florida conceals voter registration information for individuals participating in the state’s Address Confidentiality Program for victims of domestic violence and stalking. It’s worth checking with your local or state election authority to see how your state operates.

If you want more, here are some guides we are particularly fond of:

Tips and advice compiled by: Mike Tigas, Ken Schwencke, Jeff Larson, Derek Willis, Julia Angwin, Lauren Kirchner and Terry Parris Jr.

Do you have any tips, advice or guides not listed here? Email [email protected].

Latest Stories from ProPublica

Current site Current page