Krzysztof Szewczyk

doxxing, stalking, both, or neither.

Doxxing is often misunderstood, confused with other terms (like stalking), or sometimes considered a good practice or an useful skill. In this very short essay, I'd like to talk about my (correct) standpoint and the interpretation of these terms. To get a rough idea around the topic, let's take a look at some definitions.

Stalking is unwanted and/or repeated surveillance by an individual or group toward another person.

Doxing, or doxxing (from "dox", abbreviation of documents), is the Internet-based practice of researching and publicly broadcasting private or identifying information (especially personally identifying information) about an individual or organization

Cyberstalking is the use of the Internet or other electronic means to stalk or harass an individual, group, or organization. It may include false accusations, defamation, slander and libel. It may also include monitoring, identity theft, threats, vandalism, solicitation for sex, or gathering information that is used to threaten, embarrass or harass

From this definitions, we can conclude the following facts:

  • Doxxing involves revealing the information gathered - fragment coloured red.
  • Stalking involves researching private information, not available to the general public by any means - fragment coloured blue.
  • Cyberstalking takes place only in case of malicious use - fragment colored green.

All of these terms have one in common - they involve malicious activity. If you're looking up public information, it's neither stalking, nor doxxing, notr cyberstalking. Can you imagine someone getting jailed just because of reading a few articles and wikipedia pages about someone famous?

Let's imagine, the stalker/doxxer/cyberdoxxer/neither of these decides to search up for information (it's called professionally OSINT, as in Open Source INTelligence) about a certain person. He doesn't have a malicious attempt, and he's willing to tell his/her target about the results of his work, aiming to secure his/her privacy, and he won't disclose any information. The ethical OSINT sources include (source: Jeffrey Richelson, The U.S. Intelligence community) newspapers, radio, television, online publications, blogs, discussion groups, guilds, phone recordings, YouTube, other social media (Facebook, Instagram, etc...). Overall, it's not private information and anyone at least mildly determinated can get to it without problems and punishment, in the same time avoiding breaking the law. If this person above, using only the OSINT techniques managed to learn something about a person, is it considered malicious? Let's look at a few simillar examples:

You own a website. I managed to find a vulnerability, so I report it to you. You didn't like me meddling with your website, so you blocked me and quickly patched the exploit. That's where the situation I witnessed ends. But - let's think what could happen, if the fix wasn't enough? Or the vulnerability was still there? Then the person can't report it and has to give up. Then, someone with malicious intent, will happily use and abuse the vulnerability. What will you do as a site owner? Cry. Cry, because you've been an idiot. You have burnt your bridge. You don't deserve to administrate anything.

You got into possesion someone's home adress. For example, from their Facebook profile. You message the person convincing it to remove it, so that it won't happen so someone sends them a pipe bomb (for example). On the other hand, they block you, and remove it. What would you feel? You tried to help someone, while all you got is a hot towel smacked on your face.

There is a consensus to this problem - educating, that OSINT isn't wrong, only stalking, doxxing, or cyberdoxxing may be considered such (although I don't find them wrong - you can't ban this, because a person with malicious intent's won't never ever share their work halfway through, so the enforcement possibilities are very low, and therefore, banning it makes literally no sense). I'm writing mostly with a very specific situation in mind. Some of you, dear readers, will know what is it, some of you won't. That's just my, correct $0.03 coined to the topic. Learn to appreciate people who want to help you and take care.

For slow learners...

If you already got the point, you can go on and do your thing. This paragraph is intended mostly for slow learners or people who like to argue in a lost argument.

1: "surveillance" also happens when one researches documents available to general public. No, it's not like that. If you could do surveillance with accessing only public documents, there would be no need for NSA to exist. There would be no need for spies to exist. They wouldn't need to risk their life gathering information in the enemy country, rather, just read their own archives trying to enemy's battle plan. Yes. Very smart.

2: Admitting to know a lot about someone but not sharing it with anyone else except the target, suggesting it to remove from given sources, is doxxing. It isn't. As long as you don't purposefully release anything that can eaisly trace down to your knowledge about a person, it's not considered doxxing.

3: The examples show cyberstalking. No, they don't. Because cyberstalking involves threatening, embarrasing or harassing.

4: Someone might feel uncomfortable with someone knowing his personal details, after he removed them. It's better when only your girlfriend saw your dick, not the entire world. It also depends on your sexual preferences, but I believe, that you get the point.

5: How do you guarantee that he won't release what he found? You can't. But you can be fairly sure if he didn't release stuff before. Also, you can be fairly sure that after you remove the evidence, no one will believe him.