It Could be You: Preventing Doxxing, Hacking, and Spying

National Young Feminist Leadership Conference 2017

Beth Soderberg
Digital Programs Director, Feminist Majority Foundation

Photo by Alvimann on Morguefile

Photo by geralt at

It Could Be You


Doxing (from dox, abbreviation of documents), or doxxing, is the Internet-based practice of researching and broadcasting private or identifiable information (especially personally identifiable information) about an individual or organization.
  • name
  • address
  • birthday
  • social security number
  • phone numbers
  • financial information
  • relationship information
  • private photos
  • private videos
  • harassment
  • bullying
  • cyber and physical stalking
  • physical threats
  • identity theft
  • extortion

Step 1: Remove Your Personal Information from the Internet

opt out of data brokers


don't publish your information

Step 2: Pay for Private Domain Registration

you won't be findable on WHOIS

WHOIS documents who is responsible for a domain name's registration.

  • name
  • address
  • email
  • phone number
  • administrative contacts
  • technical contacts

Step 3: Check Social Media Privacy Settings

assume there is no privacy

remove anything you've said that is embarrassing

Step 4: Google Yourself

log out of everything and be incognito

set up a simple website with a name-oriented domain name

optimize your online presence

If You Are Doxxed

stay calm: the goal is for you to overreact

take screenshots of everything

report threats of violence to the police & FBI

file complaints with Twitter, Reddit, etc.

change all of your passwords

consider changing your phone number

take care of yourself


to circumvent security and break into (a network, computer, file, etc.), usually with malicious intent

Our Goal Here: Stop 99% of Attacks

Step 1: Use Unique Passwords

passwords should be:

  • difficult for someone else to guess
  • easy for you to remember
  • not reused across multiple accounts

passwords should not be:

  • birthdays (of you or people close to you)
  • “password” or “secret” or “qwerty”
  • the same word repeated over and over
  • names of pets or children
  • anything someone could guess from your social profiles

the most secure passwords are very long and easy to remember

don't send passwords over email, text, instant message

use a password manager

  • e.g. LastPass
  • write things down on real paper
  • never lose your master password for your password manager
  • use keyvault to send things securely

Step 2: Use Two-Factor Authentication

Multi-factor authentication (MFA) is a method of computer access control in which a user is granted access only after successfully presenting several separate pieces of evidence to an authentication mechanism – typically at least two of the following categories: knowledge (something they know), possession (something they have), and inherence (something they are).

Two-factor a method of confirming a user's claimed identity by utilizing a combination of two different components.

even if someone has your password, they won't be able to get in

places to set this up

Step 3: Lock Down Your Privacy Settings

questions to ask

  • Is your location publicly viewable?
  • Is your birthday publicly available?
  • Can people learn your habits?
  • Can people figure out the answers to your security questions through what you post?

Step 4: Lock Down Your Email

your email is your MOST important account

run Google's Security Checkup

recognize and avoid fraudulent emails

  • no one legitimate will ever ask you for your password
  • don't believe anyone "from IT" who calls to help you "fix" your account

scam emails

  • “Nigerian Prince” scam
  • Sudden inheritances from long-lost relatives
  • Relative traveling abroad, got hurt, needs help
  • Fake US government emails targeting immigrants
  • These scams almost always revolve around money
  • If it’s too good to be true, it probably is

if you're not sure, log into your actual account for whatever it is

verify the sender

verify links

never open attachments you're not expecting

  • be careful with emails you weren’t expecting telling you to open a link or download an attachment
  • frequently they will appear to come from friends or colleagues
  • they’ll commonly have little or no explanation other than “click here” or “download this”

some attachments aren't actually attachments

questions to ask about suspicious emails

  1. Were you expecting the email?
  2. Is it from someone you know?
  3. Can you verify they sent it?
  4. Check the reply-to address.Was it actually from them?
  5. Is it possible their email address is compromised?
  6. Is it from someone you haven’t heard from in a long time?

if you think an email is fraudulent, delete it!

heads up for suspicious texts too

what would you do with this?

if you clicked, you'd get...

Step 5: Lock Down Your Important Accounts

make a list

  • online banking, loans, anything financial
  • anywhere you’ve saved a credit card (Amazon, etc.)
  • social media
  • what else?
  • use this sample worksheet

for each account

  • use strong passwords
  • use two-factor authentication
  • review your security and privacy settings

Step 6: Lock Down Your Computer

run available updates

back up everything

store a backup somewhere where you don't live

enable passwords for your computer

Make sure you need to enter a password to access your computer:
  • on startup
  • on waking up from sleep
  • on exiting the screensaver

lock your computer when you leave it

  • on Windows, the keyboard shortcut to lock your computer is Windows + L
  • on a Mac, you can set up your Hot Corners to lock your screen

lock your phone: it's a mini computer

  • iPhone users, make sure your password is at least 6 digits long
  • Android users, use a long, complicated pattern to unlock
  • Police can force you to unlock your phone with your fingerprint, but can’t ask for your password

Step 7: Use the Internet Carefully

fake websites look real

verify URLs

fraudulent URL examples

  • https://onlinebanking.wellsfargo.wells-fargo-online-

be careful what you download

  • Don’t download counterfeit software
  • Don’t download programs that promise free system scans or PC speed boosts
  • Download software only from trusted websites


  1. One who secretly collects information concerning the enemies of a government or group.
  2. One who secretly collects information for a business about one or more of its competitors.
  3. One who secretly keeps watch on another or others.

anything you have stored on someone else's servers is at risk

  • browsing data and history
  • emails
  • chats
  • videos
  • photos
  • file transfers
  • social media interactions

courts can subpeona private companies to hand over your data

Step 1: Hide Your Browsing Data

your browsing data is:

  • sites you go to
  • links you click on
  • ads you see
  • where you hover

use a vpn

A virtual private network (VPN) is a virtualized extension of a private network across a public network, such as the Internet. It enables users to send and receive data across shared or public networks as if their computing devices were directly connected to the private network.

here's an article to learn how to set up a VPN for your computer or phone

beware of public wifi

Step 2: Try to Fortify Your Email Account

email is inherently insecure

heads up: gmail scans your messages

check out Pretty Good Privacy

Step 3: Encrypt Your Chats, IMs, Texts

off the record (OTR) messaging

Both people need to enable OTR messaging on the chat client.

Adium and Pidgin provide OTR encryption capabilities for:

  • Google Talk
  • Facebook chat
  • AIM
  • some others

check out Cryptocat

check out SafeChats

look for messaging apps with end to end encryption

  • WhatsApp
  • Telegram
  • Silent Text
  • Threema

use Signal for texting

Step 4: Be Aware of Metadata on Your Phone

metadata includes

  • who you call/who calls you
  • length of calls
  • location data/geotracking
  • browsing data
  • app usage

Step 5: Know Your Social Network Can (Easily) Be Mapped Whether You Participate Online or Not

Play with Immersion from MIT's Media Lab

tl/dr: everything you do online could be public, be careful!

Thank you!


* Special thanks to Shannon Turner of Hear Me Code for her open source Security is for Everyone training. Parts of this workshop derive from this training.