Need to know
- Doxxing is shorthand for 'dropping documents' and it comes in many forms, but generally means the act of revealing people's identity or personal details online without their permission
- Doxxers may be better at finding sensitive information about you, such as medical or financial records, than you are
- The Albanese government has announced it will take steps to combat doxxing as part of its update of the Privacy Act
It probably won't come as a surprise that there's all kinds of information about you floating around on the internet.
How it got there and what it is can be hard to know. Falling into the hands of a doxxer is one way to find out, but it's not recommended.
Doxxing is shorthand for 'dropping documents', and it comes in many forms, from revealing an identity that someone was trying to keep anonymous, to disclosing people's phone numbers, addresses, user names and passwords.
Doxxers may also try to damage their target's reputation by publishing sensitive information such as medical or financial records or personal messages and photos. And a doxxer may be better at finding these things than you are.
Earlier this year the Albanese government announced it would take steps to combat doxxing as part of its update of the Privacy Act, saying, "The targeted and malicious release of personal information without permission is unacceptable and cannot be tolerated".
The proposals include empowering victims to take doxxers to court for invasion of privacy and giving people more control over the information about them that lives in the digital world, including the right to delete or correct it.
Australia's eSafety Commissioner says, "Using doxxing as a form of digital vigilantism can have a negative impact on society through increasing lawlessness, conflict and reducing trust in public figures".
What's the motive behind doxxing?
The government announcement came on the heels of a high-profile case in Australia this year, where details of the members of a private WhatsApp group of Jewish Australians, who were reportedly discussing ways to challenge media coverage of Israel and Palestine, were published online.
But there have been other prominent cases.
In 2021, a 15-year-old girl in Canberra reportedly started receiving horrific threats and phone calls after her contact and social media details were posted online. She had been mistaken for someone who had posted a racist video, and the social media comments from people around the world – especially the US – were vitriolic. The teen suffered severe stress and was afraid to leave the house.
At the height of the COVID-19 pandemic, the email addresses and passwords of people working for public health organisations responding to the crisis, including the World Health Organization and the Gates Foundation, were published on the internet. The information ended up on far-right extremist channels on the messaging app Telegram.
Some doxxers seek to expose what they consider wrongdoing, but others do it as a form of intimidation or blackmail, including targeting an ex-partner after a relationship breakdown. Many victims of doxxing only find out they've been targeted after people act on the information that's been exposed.
In the US, doxxing has reached critical mass. According to the Anti-Defamation League, over 43 million Americans have been doxxed.
Where do doxxers find your information?
Nigel Phair, a cybercrime expert at Monash University, tells CHOICE that people who are looking to doxx somebody generally look in the obvious places.
"The first port of call is usually just social media posts on the main platforms, Facebook, Instagram, et cetera," says Phair.
"We reveal a lot about ourselves, where we live, where we go on holidays, the cars we drive, pictures of our kids and so on. It doesn't take much to start putting some of that information together, and then you start looking at the electronic white pages and before you know it, there's actually a fair bit of data out there."
Whether they realise it or not, most people make this information available for anyone to see, he says.
"Quite frankly that's how the social media companies want it. They don't want you to lock down all the privacy settings on your account. By default, they're open."
When Phair and his colleagues conduct e-safety presentations, they recommend people check their social media security settings on a quarterly basis.
While major platforms like Facebook have made it easier to keep information secure in recent years, it's still easy to give away more information than you mean to. Locking down your settings can go a long way toward keeping your personal info safe, says Phair.
Are you in the electronic white pages?
You can give away your details just by signing up with an internet services provider.
The electronic white pages will likely reveal your address and phone number unless you've opted out of being listed, Phair points out. The information is handed over by telecommunications providers.
"Most people probably wouldn't know that they're listed, or that they can opt out," says Phair.
"So even if your social media presence is minimal, it's not hard for people to find out your number and where you live."
Carmen Leong, an associate professor at UNSW's School of Information Systems and Technology Management, agrees that social media platforms can be a fertile ground for doxxers, but she says they also trawl through e-commerce sites and secondhand online marketplaces for information they can use against their targets.
"Even individuals with minimal online presence are vulnerable to doxxing because personal information can be obtained from other sources," says Leong.
Tightening up your privacy settings and regularly changing passwords is a good idea, but, Leong adds, "the key is to minimise the sharing of personal information online, including details like addresses, workplaces, phone numbers, or the numbers of family members".
Secondhand marketplaces are a particular concern, because people reveal their personal information without a clear idea of where it will end up. The items on offer may be relatively inexpensive, leading people to lower their guard.
"This highlights the importance of exercising caution when providing personal information online, regardless of the perceived insignificance of the transaction," says Leong.
Is doxxing getting worse?
The extent of doxxing in Australia is difficult to quantify, Phair says, but more generally his research suggests that only one out of every five instances of cybercrime is reported.
"I think it would be underreported because people don't know that they've been doxxed in many instances, and wouldn't know how to go about reporting it if they did know."
Phair cautions that updating the Privacy Act to cover doxxing may not change anything.
"You can create laws and parliament can pass them. But what does that mean, especially if people ignore those laws? We can't legislate our way out of online problems.
"We need to put more effort into getting people to understand what it really means to participate in the online world, to get people to not do things online they wouldn't think of doing in the real world. We need a cultural shift rather than just chucking a big legislative stick at the issue."
How to protect yourself from doxxing
- Make sure you know who can see the social media content you share and who has access to your personal information.
- Use a variety of strong passwords and security questions.
- Use a different user name for different online accounts.
- Use two-factor authentication.
- Regularly review your social media security and privacy settings.
- Impose strict limits on the personal information you share online, such as your address, where you work, and phone numbers.
- Search for yourself online in incognito mode on a regular basis to see how much of your information can be accessed by other people.
What to do if you've been doxxed
- Report the incident to the Australian Cyber Security Centre.
- Block unwanted contacts and seek further support from the eSafety Commissioner, police or a legal counselling service.
- Keep a file of the material that's been released about you.
- If your information has been posted on social media, report the incident to the platform.
- Check your privacy and security settings and update as necessary.
Stock images: Getty, unless otherwise stated.