If you know anyone who maintains social media accounts and works in law enforcement, and they don’t use an alias, send them this article. Scratch that. If you know anyone who might be targeted by hackers who has too much real information “out there” (i.e., most people), send this article to them.
It’s no secret that people with high-profile outward-facing jobs have long used aliases–actors, media personalities, professional athletes, models, etc. This was a common security protocol long before social media was born. Aliases were used to keep snail mail from going walkabout, addresses private, etc.
Celebrities hold an obvious allure, but there are situations where “bad actors” will work harder than any star-obsessed cyberstalker–whether we’re talking about folks trying to manipulate a criminal trial or steer a particular outcome politically.
During the Dakota Access Pipeline stand-off, Morton County public information issued a release alleging that protesters doxed a Bismarck Police officer, releasing his date of birth and home address. “Doxing” refers to the Internet-based practice of researching and then publishing private information online with the intent to harm or intimidate a particular individual or organization.
During the Ferguson protests, Anonymous doxed that city’s police chief, posting photos of his family, home address and phone number, and there are countless examples of celebrity doxing incidents including Beyoncé and Michelle Obama.
The practice always involves sensitive personally identifiable information that can be used to commit identity theft (Social Security number, insurance ID, etc.), or personal details such as a home address–often published in doxing scenarios to threaten an individual with harm to themselves, their family or their property, as was the case with the Ferguson police chief.
Doxing predates social media, having long been used by law enforcement to track down suspects (mostly minus the publication part with the exception of wanted posters and the like). The M.O. in law enforcement is essentially the same as the criminal variety of doxing: collect as much information about a person as possible in order to find them in real life. That information could be what sort of car the person drives, a spouse’s name, children’s names, birthdays and ages, pets owned, and really anything that makes it possible to home in on one unique individual.
Why Law Enforcement?
Doxing is especially dangerous for law enforcement because they are literally on the firing line. There is always a reasonable possibility that any given arrest can transmogrify into a personal vendetta against a particular cop. If there is a grand jury hearing or a trial, the danger of doxing increases since it can be used to intimidate an officer into being a no-show in court or otherwise affect testimony.
That said, doxing can target anyone.
Shortly after Air America Radio was shuttered, Beau Friedlander, its editor in chief, wrote a satirical piece that was published on Huffington Post. It was almost immediately deleted. At issue: Friedlander was trying to crowdsource dirt on then-Fox personality Glenn Beck. It wasn’t doxing per se, but asking for anything that would discredit Beck was in the doxing wheelhouse. Friedlander claimed it was an act of reciprocity for the $100,000 bounty Andrew Breitbart had offered for a copy of the archive of a progressive listserv started by Vox founder Ezra Klein. The “joke” went sideways, and Friedlander was widely excoriated, but that’s not why the post never re-appeared after being scrubbed by Huffington Post.
“I got doxed back,” Friedlander said. “And the threat was crystal clear. ‘Your kids go to P.S. XYZ, and you live a mile away at ____. That’s a long walk’. It scared me.”
Cyber CPR is not about saving a life, or at least not directly. It’s about protecting one’s privacy. CPR stands for Consider, Pause, React.
Consider: What is this? Am I expecting an email or text? Does the person or organization reaching out to me normally connect this way (for instance, the IRS always reaches out via snail mail); should I make sure this is legit before clicking on anything?
Pause: A good rule of thumb: Don’t just do something. Sit there. That’s right. The next thing you should do whenever you receive a communication or want to respond to something posted on social media is NOTHING. Think about it some more. Now you can make your next move.
React: What you do next may be very similar to the Pause part of this protocol. The best course of action is to do nothing: zip, zilch, nada. When you’re passably sure, think again, and proceed with caution.
It is a useful strategy in the war against social engineering, which is basically trickery. Social engineering is the way a hacker gets you to do what s/he needs you to do in order to succeed in hacking you, whether that means getting you to click on a bad link or open an infected attachment. Most hacking exploits are an own-goal, to borrow from soccer terminology.
At the end of the day, what gets people “got” is that quick reaction time. Whether it’s hitting “Ok” on a prompt to accept a cookie or a program update, or receiving an email that promises a good laugh if we click a link–the inability to consider the possibility that whatever option has just been put in front of us is a bad one is the mother of all hacks and personal information compromise.
Are you doxing yourself? If you are, it may be time for a “de-dox.” While it is time-consuming, you will get the fringe benefit of nostalgia as you scroll back in time through your social media posts, making sure there is nothing set to public that you might not want a stranger to see, that there are no photos of your home or any kind of personal identifying information, and that none of your photos have geo-tags enabled, which could allow someone to figure out where you live.
Bottom line: You should act like the bad guys are out to get you, because they are.