Doxing. This term is increasingly heard of in a number of news reports or the timelines of social media. Ordinarily, doxing is attached to the act of spreading personal data. It can be a photo, home address or cell phone number. The term “doxing” (short for “dropping documents”) first became popular about a decade ago as a verb, referring to hackers’ actions in gathering personal and private information, including home addresses and national ID numbers. Not only does it disclose someone’s personal data and share them in public spaces such as online / social media, doxing is moreover touted as the latest threat of crime facilitated by digital technology.
How are doxing activities happening in Indonesia and why does it pose as a new threat in the digital realm?
On July 31, 2020, the Facebook photo profiles of two Tempo fact-checking journalists, Zainal Ishaq and Ika Ningtyas were shared by the account of a veterinarian, Moh. Indro Cahyono without their approval. In addition to photos, there were three posts that were distributed by the account labelling them as fear-spreading journalists and plague terrorists.
The photos of Zainal and Ika were shared on social media after they wrote four fact-checking articles verifying the vet’s claims regarding Covid-19. The fact check results show that the vet’s claims that went viral are not 100 percent accurate after being verified with experts and the existing data.
Long before what happened to Zainal and Ika, doxing in Indonesia actually started to become an issue when it was widely used in the persecution of the Ahok Effect that occurred in 2017. The victims were those who were considered to have opposing political views with groups that identified themselves as Defenders of Religion and Ulema. Three cases occurred during 2017-2018, which happened to Zulfikar Akbar, TopSkor journalist and Kartika Prabarini, Kumparan.com journalist and Rolando Fransiscus, photojournalist of Detik.com.
The case faced by TopSkor journalist Zulfikar Akbar started from the expulsion of Abdul Somad to Hong Kong. Commenting on the news, Zulfikar wrote a tweet on his @zoelfick twitter account. “There is a religious leader who is chaotic being rejected in Hong Kong. Instead of looking in the mirror, they blame people’s nation. If you are a guest and the host refuses, that’s the right of the host. There is no need to scream everywhere that you are rejected. As long as you are believed to be good, the rejection will not happen. ” The post caused pressure and attacks on Zulfikar on social media in the form of doxing and attempts of persecution. The climax was with the emergence of the hashtag #BoikotTopSkor and it became a trending topic on Twitter. The case ended with TopSkor Management calling Zulfikar and dismissing him on December 26, 2017.
A similar case also happened to Kumparan.com journalist, Kartika Prabarini. She received a threat on his Instagram account after the media where he worked at took down a special coverage entitled “Taming Rizieq”. Supporters of Rizieq Shihab thought that the special report made by Kumparan.com did not respect their leader. This was because the report did not include the word ‘Habib’ when writing Rizieq Shihab’s name. The @mastermeme.id account was identified to have done a doxing, namely loading Kartika’s identity on social media with the aim of profiling. As a result, Kartika received threats from the followers of the @mastermeme.id account, then she was attacked with inappropriate comments because of her gender identity and appearance. Even Kartika and Kumparan.com were threatened that they would be reported to the police if they did not apologize.
In the third case that occurred on November 2, 2018, a Detik.com photojournalist Rolando Fransiscus experienced doxing while covering a rally called “the Action to Defend Tauhid (Bela Tauhid or Islamic Belief)”. Then a Facebook account Tryas Ramandest and Instagram @jasmevisback uploaded the personal data of the journalist’s ID and press card.
Then in 2019, doxing happened again. On May 11, 2019, Ulin Yusron, a sympathizer of Jokowi’s supporters, also spread doxing against a man who said he would ‘behead Jokowi’ on social media during the 2019 Presidential Election. Ulin shared the complete personal data of Cep Yanto and Dheva Suprayoga with a photo, full name, place and date of birth, National Identity Number, status and address. After Dheva posted a video statement saying that it was not him and Ulin’s action was criticized by the public, then he deleted the post. Then after the police arrested a man named Hermawan Susanto, on May 12, 2019, Ulin posted an apology for the misinformation he had spread.
Doxing also happened to human rights defenders and journalists related to sensitive issues in Papua. On October 9, 2019, Twitter account @digeeembok carried out doxing against Papuan human rights defender Veronica Koman by telling the location where Veronica Koman currently lived. This doxing attempt was accompanied by intimidation that Veronica Koman had been monitored by the account.
In addition, three journalists covering the Papua issue experienced doxing. In August 2019, the Twitter account @antilalat conducted doxing to 3 journalists through the following posts:
Supplier of negative information and propaganda for Veronica Koman is @victorcmambor who is editor in chief of https://jubi.co.id/ and @ArnoldBelau editor in chief of https://suarapapua.com/
@victorcmambor is also the liaison between the OPM wing overseas and the OPM wing operating in the inland area.
Then in September 2019, Febriana Firdaus, a journalist for Al Jazeera, also experienced doxing because of her report regarding the number of victims who died in the riots in Papua.
Meanwhile in 2020, doxing also often occurred aside of what happened to Zainal and Ika, fact-checking journalists in July 2020. Even in the midst of the Covid-19 pandemic, doxing has occurred to journalists and activists.
Starting on January 6, 2020, Kompas.com editor Jessi Carina experienced doxing in relation to the news published the day before on Kompas.com entitled “Anies Working Devotion During the Rains in Makasar Village, Citizen: DKI Governor Feels Like a President”. Photos of Jessi Carina’s wedding reception juxtaposed with the news were disseminated by a number of accounts such as Jokowi supporters @vaiyo, @murthadaone1, @WagimanDeep and others accompanied by the narrative of “there is closeness” between Kompas.com editor with Anies Baswedan and FPI and the hashtag #AniesBeliBeritaMediaOnline or #AniesBuysOnlineMediaNews.
On May 15, 2020, a journalist from Magdalene.co, a media advocate for the rights of women and minority groups, found herself a victim of doxing and bold bullying. Through social media, Magdalene journalists were given manga illustration and comments that demean women.
Then on May 26, 2020, the personal data of a Detik.com journalist was spread on social media accompanied by opinions that attacked the journalist. He experienced this cyber attack after writing about Jokowi’s plan to open a mall in Bekasi amid the Covid-19 pandemic. The Detik.com journalist also received death threats via WhatsApp messages. Even the person concerned was “attacked” by online motorcycle taxi drivers who came with food, even though he did not place an order. One of the accounts that spread the journalist’s personal data is Salman Faris. He uploaded several screenshots of the author’s digital traces to find out what was wrong with him, even though the contents were not related to the news in question. Apart from that, the Seword Site also does the same and spreads opinions that attack writers and the media.
Liputan6.com journalist Cakrayuri Nuralam on September 11, 2020, found himself a victim of doxing when he found a number of accounts on Instagram with links leading to home addresses, family photos, including photos of the journalist’s baby. The doxing incident was preceded on September 10, 2020, when the victim published a fact-check article verifying the claim that said PDI-P politician Arteria Dahlan was the grandson of the founder of the PKI in West Sumatra, Bachtaroeddin. At least four accounts were identified to have conducted doxing, namely the Instagram account cyb3rw0lff99.tm, d34th.5kull, cyb3rw0lff__, and_j4ck__5on___
On October 12, 2020, after a demonstration against Omnibus Law in Jakarta, the personal identity of Mrs. Pramudhi AW and her family in the form of ID number, Family Certificate number, address, was disseminated on social media accompanied by a narrative saying that she was distributing logistics to rioters. Doxing perpetrators are a number of accounts on Twitter that shared the content simultaneously, namely @selooooowww, @ powerxbr88 and @ berkembang_4817
Regarding the Omnibus Law demonstration, a content was spread on October 19, 2020 in the form of photos, videos, locations, student ID numbers, phone numbers accompanied by a narrative framing “the protagonist who drove the demonstration ended rioting in Yogyakarta” to UGM student Azhar Jusardi Putra, a female activist Ernawati, labor activist Ardy Syihab on WhatsApp and uploaded to the @sewordofficial and @ NCI4NKRI Instagram accounts and @demoanarki and @ NCI4NKRI Twitter accounts
The doxing incident on Jusardi, was followed by the takeover of Jusardi’s Whatsapp account and on October 20, 2020, Jusardi’s mother received death threats from the telephone number shared by the @demoanarki account.
From the various cases, it can be seen that doxing can happen to all internet users. However, journalists and activists have a higher vulnerability. This shows that doxing has been used by certain parties to terrorize those who were targeted by attacks. Security and technology expert Bruce Schneier argues that in the future we will see more doxing as an attack. Everyone from political activists to hackers to government leaders has now learned how effective these attacks are. Everyone from ordinary people to corporate executives to government leaders is now worried that this will happen to them. (Schenier, 2015).
Study about Doxing
In general, doxing is often described as the act of collecting and spreading personal data on social media. The Oxford British and World English Dictionary defines doxing as “searching for and publishing personal or identifying information about (a specific individual) on the Internet, usually with malicious intent.” While the Cambridge Dictionary defines doxing as “the act of finding or publishing personal information about someone on the internet without their permission, especially in a way that reveals their name, address, etc.” This definition is not wrong because it refers to the forms of action that the doxing performers take. However, this definition continues to develop among scholars.
Doxing is when someone’s personal information is shared on the Internet without their consent. (Lisa Bei Li, 2018). In the paper “Data Privacy in the Cyber Age: Recommendations for Regulating Doxing and Swatting”, Lisa Bei Li emphasizes the aspect of data owner consent as a form of indicator when this online privacy right violation occurs. She classifies doxing as a form of online harassment as a unique phenomenon, much like swatting, where someone makes a fictitious report to the police directing armed SWAT (Special Weapon and Tactics) officers to come to the home of an unknown “victim”.
Doxing is an attack in which the victim’s personal information is publicly released online (Peter Snyder, 2017). Peter defines this doxing attack as a form of online harassment.
A more detailed definition of doxing can be found in Roney Matthews’s research paper entitled “A Study of Doxing, its Security Implications and Mitigation Strategies for Organizations”. He defines doxing as the activity of publishing targeted individual information (without his consent) on the internet for public consumption, with the intention of causing shame, humiliation and harm, in a way that threatens the privacy of the victim and possibly those around the victim (friends, members family, etc.) (Roney Matthews, 2017) Roney’s emphasis on malicious intent (dolus malus) which motivates the perpetrator to do doxing.
This definition is also used by David M. Douglas in his paper “Doxing: a conceptual analysis”. In his paper David reveals doxing is often a tool for ‘cyberspace stalking’, because the information might be released in a context that would cause a reasonable person to fear his life (Citron 2014). Doxing can also serve as a tool for messing around on the Internet, where those who oppose someone’s actions retaliate by disclosing their identity and personal information, leaving the victim exposed to public taunts, harassment, and slander (Solove 2007).
Doxing is easy to do because the geographic location sharing feature available on social networks, forums and photos helps doxing perpetrators make references to current address / location, places visited, hometown etc. which allows doxing actors to narrow their search results to the targeted individuals.
Doxing often extends to the identity of the victim’s friends, family, co-workers, organizations and those familiar with the target, which leads to bullying, public humiliation, threats to life, identity theft, fraud and disclosure of their personal lifestyle.
Doxing is not a random act. A doxing actor selects a target and starts working on the target by gathering basic information (name, address, family members, gender, email address, username, registered website, etc.). Doxing uses a myriad of sources (media news, social networks, apps installed on mobile devices, Government websites, etc.). Applications (with insecure privacy settings) installed on the mobile device share data among other users of the same application, and additionally help form information records for the application developer database.
Doxing can actually be done by many actors at once in a larger campaign to bully one subject. (Julia M. MacAllister, 2017) Collective work on doxing can be found in the Ahok Effect case involving the Muslim Cyber Army (MCA) network in the 2017-2018 period.
The doxing perpetrator creates an aggregate of documents known as victim documents. Documents can include published information and hacked communications from websites such as WikiLeaks. These are published on doxing websites such as AnonBin, DoxBin and PasteBin. In the MCA case that occurred in 2017 in Indonesia, the doxing perpetrators saved the victim’s documents on the Muslim Fugitive Facebook Page Database.
There are three types of doxing, namely: deanonymization, targeting, and delegitimization. (Douglas, 2016).
Deanonymization is doxing that is done by providing information that reveals the identity of a person or several people who were previously unnamed (anonymous) or known by a pseudonym (pseudonym). An example for this is the disclosure of the identity of the person who is suspected to be behind the alias “Satoshi Nakamoto”. Satoshi Nakamoto is the name adopted by the creator (or creators) of the cryptocurrency Bitcoin (Nakamoto n.d.). The true identity of the creator of Bitcoin is still uncertain.
Targeting is doxing, which is done to reveal specific information about a person’s physical whereabouts by pinpointing their location. Doxing perpetrators share the GPS location of the victim’s house or photos of the front of the house. This type of doxing makes the targeted person more vulnerable to physical attacks.
While delegitimization is doxing which is done by sharing personal information with the aim of damaging the victim’s credibility, reputation and / or character. This type of doxing tries to humiliate and abuse the victim. For example, by disclosing personal secrets, or revealing sexual preferences of victims.
Doxing as Advanced Persistent Threats
Doxing can be an entry point for further cybercrimes including identity theft, credit card and / or debit card fraud, phishing, hacking or other cybercrimes.
It is illegal to post personal information publicly with the intention of humiliation, defamation, harassment or harm. This puts individuals in a potentially dangerous situation.
Because doxing actors can use a method of planting malware that is difficult for victims to detect, on that basis doxing can be categorized as Advanced Persistent Threats (APT), which is one of the cyber-attack methods used to perform data theft. APT is often used to steal data from devices belonging to the government, military or corporate sector. Attackers using the APT method must design professionally, so it is not a fad or trial and error, but more serious, it takes a long time to prepare before launching an attack. The victim only realized that he had been hit by an APT attack after a while. Many cybersecurity experts say that to detect the presence of APT malware, it is not enough to just rely on an antivirus, proxy or Virtual Private Network. To find out that a system has been entered into by APT, analysis must be carried out with several tools such as Palantir, splunk, arcsight, siem tools, cybernet falcon, solera, netwitness, and others.
Attacks using the APT method can be very dangerous, because the attacker must certainly recognize the system being attacked, in contrast to other methods that tend to attack directly, brute force or DDoS. APT implements a benign malware that is not detected, until at the specified time the malware performs the activity desired by the planter, which is meant here is harvesting data. Until the malware is detected and removed from the victim, doxing attacks can occur at any time.
Risks Facing Victims of Doxing
What the victims of doxing experience cannot be simplified by saying that the data is known by many people because of the doxing perpetrator. Even though doxing is done online, it has caused real and serious harm to victims by transferring bullying from the Internet to the physical world.
In the doxing cases that have occurred, apart from facing online trolling, it turns out that many people get physical terror, starting from their homes being visited by unknown people, surrounded and persecuted, receiving death threats. It is not rare that the latter is to be directed at the victim’s family, parents and spouses.
In addition, because they feel they have received direct threats via Direct Message, mentions, instant messages, or telephone calls from unknown numbers, victims of doxing experience psychological trauma, become paranoid in their surroundings, shut themselves off and even in certain cases have to move locations, whether to stay overnight at a relative’s house or into a safe house for a while.
Another risk that victims of doxing face are the legal risks of being taken to the police station and criminalized. Most of these victims were subject to the articles of blasphemy or the articles of hate speech when the group carrying out the pick-up at the victim’s house was not satisfied with the apologies that the doxing victim gave. Doxing practices accompanied by mobocracy like this happened a lot in the 2017-2018 period during the Ahok Effect cases in Indonesia.
Doxing actors usually involve a large number of people working to find your personal details through social media and online public databases. They can use your personal data, such as your home address, to threaten you or family members. In order to minimize doxing actors using personal data to attack you, it is important to check and manage your personal data spread on the internet:
2) Review what information is available about you online and note the sites where this information is stored.
3) Take steps to delete any information online that makes you uncomfortable or could harm you, such as your home address or photos of your children.
4) Be aware of the photos of you currently accessible online and think about how they could be used against you.
5) Consider deleting your personal information from public databases. [Read the steps to delete personal information on Google services at this link: https://s.id/hapusdatapribadi
6) Check your social media account privacy settings to see what information others can see. Remove or limit access to content that you think could be used to discredit you or that could harm you.
7) Disable location tracking for any social media accounts, including not sharing your real-time location on social media.
8) Avoid uploading ID cards, tickets, photos of houses, photos of children in school uniforms, full names of children, or other personal information that could reveal your or your family’s privacy.
When being the target of doxing, each individual must know what emergency steps are to be taken to deal with it. Equally important, civil society organizations, including journalist organizations and media companies, should start drafting SOPs to advocate for doxing cases that are accepted by their members.
Here’s a quick guide for individuals:
a. If the doxing exposes your home address and could potentially compromise the safety of you and your family, consider temporarily evacuating to a place deemed safer until the attacks decreased.
b. Report posts containing doxing to the platform and block the doxing offender’s account. Report feature available on each platform.
c. If the doxing perpetrators uncovers a phone number and you’re receiving a lot of distraction, turn off your phone for a while. Consider changing the phone number at a later date.
d. If the doxing perpetrators has exposed your bank, credit card, or other financial account information, immediately contact all financial institutions involved and report the breach.
e. Temporarily closing social media accounts is the best option if the doxing attacks escalate.
f. Report to the police for the doxing you experienced by bringing the documentation and url.
Advocacy steps for organizations:
- Every organization should monitor the development of threat levels for victims of doxing.
- Immediately respond quickly when the threat level increases, such as issuing public alerts or press releases.
- Helps report perpetrator accounts and post doxing actions to platform providers.
- Provide a safe house for victims and their families if the doxing perpetrator opens their home address.
- Providing litigation assistance to victims to report to legal officials if doxing threatens the safety of their lives.
If the doxing perpetrators use services such as Facebook, Twitter, or Google, we can easily report to users’ platforms on the grounds that they violate the Community Guidelines. However, law enforcement in Indonesia is not that easy.
Even so, bringing doxing cases to the realm of law enforcement is important considering that doxing is a dangerous cybercrime. Before bringing this case to law enforcement, you should take steps as follow:
- Retain all e-mails, messages, and other communications as evidence. It is very important that this is not changed in any way, and that electronic copies are kept, not just printouts.
- Keep records of all threats to the safety or life of the victim. This includes written or recorded threats, and records of verbal threats, dates, times, and circumstances.
- Report to law enforcement officers by making a cybercrime report.
- Keep detailed records when reporting to law enforcement officials. It is important to keep records of all reports made to any agency or provider, and to obtain copies of the papers if available.
In the United States, doxing violates the right to privacy. Privacy is highly respected and protected by privacy laws. But recently doxing was proposed as a crime. The state of Utah once proposed a draft of Anti-doxing Act in 2016. Utah’s ‘anti-doxing’ bill would prohibit the mention of someone’s name online ‘for offensive’ purposes. In addition, doxing is considered an act of cybercrime of online stalking (cyberstalking). The US Attorney’s Office (USAO) released a report in 2016 which stated that, “ ‘cyberstalking’ includes any action or set of actions taken by an offender on the Internet that places the victim in reasonable fear of death or serious bodily injury, or cause, attempts to cause, or can reasonably expect to cause great emotional distress to the victim or immediate family of the victim. The federal law often used to treat doxing is 18 U.S.C. § 2261A (Title 18, United States Code, Section 2261A) and doxing can be charged to up to five years in prison and a fine of $ 250,000.
In Europe, article 8 of the European Convention on Human Rights protects personal information that individuals could reasonably expect not to be published without their consent. This type of information, for example, is a person’s full name and home address. Therefore, doxing is considered a violation of Article 8 of the European Convention on Human Rights.
The biggest challenge from the aspect of law enforcement in Indonesia is that no specific doxing measures are regulated in legal norms. But what’s interesting about the doxing case experienced by influencer Denny Siregar, the police can catch the doxing perpetrator in a short time after Denny Siregar’s personal information, such as name, address, ID number, Family Certificate number, IMEI, OS, and the type of device being screenshot, then loaded on Twitter account @opposite6890. In this case, the perpetrator was charged under Article 46 or 48 of Law number 11 of 2008 concerning ITE, or article 50 of Law number 36 of 1999 concerning telecommunications and or Article 362 of the Criminal Code or Article 95 of Law number 24 of 2013 concerning Population Administration with the longest criminal punishment of 10 years in prison or a fine of IDR 10 billion. The authorities are still hunting for Twitter account owner of @opposite6890.
Indeed, according to Article 58 of Law Number 24 of 2013 concerning Amendments to Law Number 23 of 2006 concerning Public Administration (UU Adminduk), people who disseminate the population data will be subject to a maximum imprisonment of two years and / or a maximum fine of Rp25 million. Likewise, in Article 30 in conjunction with Article 46 of the ITE Law, people who access by means of unlawful (illegal) can be subject to imprisonment of 6-8 years and a fine of IDR 600 to IDR 800 million.
However, not all doxing cases get fast treatment like Denny Siregar’s doxing case. It is common for the victims of doxing to go home empty-handed when law enforcement officials have difficulty finding articles that can be used to ensnare doxing perpetrators. Journalist Cakra has experienced something like this when he was about to report what happened to him.
By all means, this will be a challenge for academics and the task of legal experts and cybercrime observers to push for doxing to be prohibited in the Indonesian legal system.
Researchers: Abu Hasan Banimal, Damar Juniarto, Ika Ningtyas
Translators: Indra Khrisnamurti, Supriyono Hemay
Lisa Bei Li, Data Privacy in the Cyber Age: Recommendations for Regulating Doxing and Swatting, Federal Communications Law Journal (FCLJ) Volume 70, Issue 3, September 2018 https://papers.ssrn.com/sol3/papers.cfm?abstract_id=3012266
Roney Matthews, A Study of Doxing, its Security Implications and Mitigation Strategies for Organizations, 2017. https://concordia.ab.ca/wp-content/uploads/2017/04/Roney_Mathews.pdf
David M. Douglas. Doxing: a conceptual analysis. Ethics and Information Technology 18, 3, 2016. https://link.springer.com/article/10.1007/s10676-016-9406-0
Peter Snyder, Periwinkle Doerfler, Chris Kanich, and Damon McCoy. Fifteen Minutes of Unwanted Fame: Detecting and Characterizing Doxing. In Proceedings of IMC ’17.ACM, 2017
Cambridge Dictionary, meaning of doxing https://dictionary.cambridge.org/dictionary/english/doxing
Oxford British and World English Dictionary, meaning of dox https://www.lexico.com/definition/dox
The Economist Explains What Doxxing Is, and Why It Matters, THE ECONOMIST (Mar. 10, 2014), https://www.economist.com/blogs/economist-explains/2014/03/economist-explains-9
What Is an Advanced Persistent Threat (APT)? https://www.kaspersky.com/resource-center/definitions/advanced-persistent-threats
Advanced Persistent Threats https://www.fireeye.com/current-threats/apt-groups.html
Bruce Schneier, Doxing as an attack, 2015 https://www.schneier.com/blog/archives/2015/01/doxing_as_an_at.html Julia M. MacAllister, The Doxing Dilemma: Seeking a Remedy for the Malicious Publication of Personal Information, 2017. https://ir.lawnet.fordham.edu/flr/vol85/iss5/44