
Doxxing defense: Remove your personal info from data brokers - ilamont
http://www.computerworld.com/article/2849263/doxxing-defense-remove-your-personal-info-from-data-brokers.html#tk.cwfb
======
blauwbilgorgel
Just because a data aggregation site does not show your data on the front-end,
does not mean they deleted it from the back-end. So now you can charge 50$ for
people to search in the "special" data pile, where people took the effort to
remove it from the front-end.

These data brokers crawl publicly available information. Telling them to
remove your data, only slows down the doxxer, it does not stop them at all,
since the data was already shared. It is not plugging the leak, it is mopping
up some of the water. A false sense of security and a clear sign to the doxxer
that you care about your anonymity (so more "lulz" to be had).

A proper doxxing is also much more than entering a name in some search
engines. Especially hackers do not like to be doxxed. For internet civilians
who already put this data out there (on social media) a simple data broker
doxxing is a mere reminder that such data is public to everyone, not just
friends.

Doxxing defense is guarding your anonymity online. Everywhere. Doxxing defense
is knowing when to change personas, and when to log off. That is: If you care
about it at all. If you care about keeping your identity a secret online, see:
[https://www.youtube.com/watch?v=9XaYdCdwiWU](https://www.youtube.com/watch?v=9XaYdCdwiWU)
(The Grugq - OPSEC: Because Jail is for wuftpd).

~~~
hackuser
> Just because a data aggregation site does not show your data on the front-
> end, does not mean they deleted it from the back-end. So now you can charge
> 50$ for people to search in the "special" data pile

Do you have evidence of aggregators doing this? It's plausible, but I haven't
heard about it happening.

> Telling them to remove your data, only slows down the doxxer, it does not
> stop them at all

I think you have a good point overall but let's not dismiss the solution in
the ComputerWorld article, which is valuable. All security solutions do the
same thing: They increase the attacker's costs, which stops attackers
unwilling to pay the price. There is no perfect security.

For example, we tell users to use strong passwords on their Windows logons,
but that only raises the cost of an attack and does not completely secure the
machine.

------
Someone1234
The US really needs something akin to the EU's Data Protection Directive[0].

I've seen tons of businesses hide some tiny clause in their T&Cs (page 30,
subsection 15, paragraph 11, etc) which allows them to resell your data to
whoever will pay. For example the National Geographic Store sold my personal
data when I purchased something from them (even with no check-box opt out, etc
during checkout), and I've been receiving girly catalogues and credit card
application snail mail ever since (with a glaring typo which points right to
National Geo's store).

I don't really see that happening (the US getting better data protections) as
the US constitution is being largely used to protect business's "freedom [to
do whatever the hell they want]" rather than individuals/people as was
intended.

I was really hopeful that when the blackmail criminal-record racket started
that that might finally result in substantial changes within the US, but nope.
Nothing has changed and the blackmailers still operate.

[0]
[https://en.wikipedia.org/wiki/Data_Protection_Directive](https://en.wikipedia.org/wiki/Data_Protection_Directive)

~~~
giarc
I know you can enter email addresses as x+y@example.com where x=your regular
email and y=some word/phrase to indicate who might have sold your email.

For example, if you register bill+NG@example.com with national geographic, and
you find yourself getting to: bill+NG@example.com from spam, you know who sold
your info. My question is, do you think companies know this trick and just
remove the portion following the "+"?
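
Added example, not part of giarc's comment or the thread: a sketch of the bookkeeping behind the x+y@example.com trick, reading the tag back from the recipient headers and checking the sender against the vendor that was given that tag. The mailbox, tag registry, domains and messages are constructed for illustration, the From header is taken at face value, and the mail provider is assumed to support plus-addressing; mail that arrives with the "+" part stripped ends up as "untagged" and cannot be attributed.

```python
"""Attribute unsolicited mail to the sign-up tag it was addressed to."""
from collections import defaultdict
from email import message_from_string
from email.utils import getaddresses, parseaddr

MY_MAILBOX = "bill@example.com"  # assumption: the untagged base address

# Hypothetical registry: tag used at sign-up -> domains that vendor sends from.
TAG_REGISTRY = {
    "ng": {"nationalgeographic.example"},
    "shop": {"shop.example"},
}

def split_subaddress(address):
    """Return (base_address, tag) for local+tag@domain; tag is None if absent."""
    local, _, domain = address.lower().rpartition("@")
    base, sep, tag = local.partition("+")
    return f"{base}@{domain}", (tag if sep else None)

def classify(raw_message):
    """Return (verdict, tag, sender_domain) for one raw RFC 5322 message."""
    msg = message_from_string(raw_message)
    _, from_addr = parseaddr(msg.get("From", ""))
    sender = from_addr.lower().rpartition("@")[2]  # forgeable; trusted here
    headers = msg.get_all("To", []) + msg.get_all("Delivered-To", [])
    tags = [tag for base, tag in
            (split_subaddress(addr) for _, addr in getaddresses(headers))
            if base == MY_MAILBOX]
    tag = next((t for t in tags if t), None)
    if tag is None:
        # Address learned elsewhere, or the "+tag" was stripped before resale.
        return ("untagged", None, sender)
    allowed = TAG_REGISTRY.get(tag)
    if allowed is None:
        return ("unknown-tag", tag, sender)
    if any(sender == d or sender.endswith("." + d) for d in allowed):
        return ("expected", tag, sender)
    return ("leaked", tag, sender)

def leak_report(raw_messages):
    """Map each tag to the third-party sender domains seen mailing it."""
    report = defaultdict(set)
    for raw in raw_messages:
        verdict, tag, sender = classify(raw)
        if verdict == "leaked":
            report[tag].add(sender)
    return {tag: sorted(senders) for tag, senders in report.items()}

# Constructed sample messages (headers only matter here).
SAMPLES = [
    "From: NG Store <news@mail.nationalgeographic.example>\n"
    "To: bill+NG@example.com\nSubject: Your order\n\nThanks.\n",
    "From: offers@cardco.example\n"
    "To: Bill <bill+NG@example.com>\nSubject: Pre-approved\n\nApply now.\n",
    "From: promo@catalogs.example\n"
    "To: bill@example.com\nSubject: New catalogue\n\nLook inside.\n",
    "From: deals@other.example\n"
    "Delivered-To: bill+zzz@example.com\nSubject: Deals\n\nHi.\n",
]

if __name__ == "__main__":
    for raw in SAMPLES:
        print(classify(raw))
    print(leak_report(SAMPLES))
```
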

~~~
subsection1h
> _if you register bill+NG@email.com_

Please use the second level domain label _example_ [1] when writing examples
of email addresses. For all you know, you just posted someone's email address.

[1]
[http://en.wikipedia.org/wiki/Example.com](http://en.wikipedia.org/wiki/Example.com)

~~~
giarc
Changed it even though someone else pointed out it bounces. Thanks for the
tip.

------
ryan-c
Abine's DeleteMe[1] service will take care of removing you from these sites,
though it's not cheap. They will keep re-checking and re-removing. I've been
using it for a few years, and it seems to work pretty well. IIRC there was
still one site that I had to call and deal with myself.

[1] [https://www.abine.com/deleteme/](https://www.abine.com/deleteme/)

~~~
ghayes
I would also add Safe Shepherd [0]. We remove your information from the
standard data brokers, and also give you guides on how to remove yourself from
a large universe of sites yourself. Message me if you have any questions.

Edit: The service costs $13.95/mo, but you can get started with a 10-day free
trial where we'll kick off all of the removals. You can (fully) delete your
account at any time if you'd like.

[0] [https://www.safeshepherd.com/](https://www.safeshepherd.com/)

~~~
blacksmith_tb
Question - I can see the value of a service that automates all these removal
requests. That said, the monthly subscription model seems a bit excessive, as
I assume data would creep back in gradually. I would think quarterly, or even
annually resubmitting them all would be adequate. No?

~~~
ghayes
Many of our customers choose to turn the service on once every several months
(upgrade and then downgrade at the end of the month). We totally support
whatever works for you.

That said, our service is based around continually scanning the web for
exposures of your personal information. There's plenty of new information that
crops up all the time, and we're here to help you when it does.

------
gear54rus
The Internet never forgets. No app is going to change that because Internet is
de-centralized and de-centralization makes it impossible to know if the data
was really completely removed or not.

Let's face it: the only way to not expose your personal info is to not share
it in the first place (forget silly Facebook, G+, Instagrams and all that
stuff). If you've already done that, make sure that whatever you are doing
that might lead to doxxing is done with your other identity (although this is
hardly foolproof since linking identities can happen in many unexpected
places). Worst of all is that that kind of information, once it slips, is
impossible to contain and you have to cut ties and start over.

Relevant:
[http://en.wikipedia.org/wiki/Streisand_effect](http://en.wikipedia.org/wiki/Streisand_effect)

~~~
hyperbovine
Not relevant. I've never used social media a day in my life. Nevertheless,
clicking a few links in this article turned up my full name, age, birthday,
every address I've had since I was 14, email address, and convenient links to
pages containing that same information for every member of my family. This is
all obtained from public records over which you have literally no control if
you lead any semblance of a normal life. There should be more legal
protections in place to prevent using public data in this way.

------
cowsandmilk
There are plenty of sources of information where you cannot opt out.

If you own property in Massachusetts, I can find it using
[http://www.masslandrecords.com](http://www.masslandrecords.com) , you can't
opt out of that.

~~~
hackuser
The electricity provider here requires the use of 'smart meters' (that is, if
you want to use their electricity). Via smart meters, they can identify what
electrical appliances are used in your house and when (and possibly even how
you are using them, such as what TV show you are watching), giving them a good
picture of everything that goes on in the privacy of your home.[1]

There is no opt-out. They have this information on everyone in the state.

[1] This is not at all a fringe theory. It's been discussed on HN at least a
few times.

~~~
jn1234
Except is that information public? That information actually has an extremely
legitimate use, which is to better manage peak grid usage and how to optimize
that.

~~~
hackuser
> Except is that information public?

I don't think it needs to be easily accessible to the public to be
problematic. Many people, including businesses and government, can have
access. The electricity vendor has little incentive to protect it, to
scrutinize government requests, etc. Recent NY Times articles describe the US
Postal Service accepting almost all law enforcement requests for information
on their customers.

Also, data has a way of leaking ...

> That information actually has an extremely legitimate use, which is to
> better manage peak grid usage and how to optimize that.

I do see a benefit to it, but 1) It should be anonymized and minimized. For
example, how about aggregating data about usage on my block and storing that?
Cleaning it of anything that violates privacy, such as high-resolution
individual signals? 2) My privacy is a higher priority than their technical
benefits; there's an assumption (maybe not by you) that whenever there's a
tradeoff, privacy doesn't amount to much -- this is money we're talking about,
after all.

------
grecy
Rather than trying to make it harder for people to stalk/harass/intimidate
others by hiding data, why don't we get tough with laws and sentencing?

A 5 year jail stint for the next 10 idiots to pull this stunt will reduce the
incident rate of this happening a lot faster.

~~~
frtab
There's no significant link between prison sentences and crime rates.

If there was, Norway would have a high crime rate and the US would have a low
crime rate.

~~~
jonahx
Your first point _may_ be true, but the US/Norway example is not good evidence
for it. There are significant other confounding factors -- relative
homogeneity of the population, economic differences, population size, cultural
history are just a handful that spring to mind.

~~~
innguest
Those oft-repeated "factors" can only be factors if you show that they are.

Simply mentioning that there are differences between those two countries does
not make any difference you care to list a "factor".

------
devindotcom
There are a LOT more data brokers than listed here, though it's a decent list
to start with. These are small fry in the scheme of things though. You can
start working your way through this one if you're really concerned:

[http://www.worldprivacyforum.org/2013/12/data-brokers-opt-out/](http://www.worldprivacyforum.org/2013/12/data-brokers-opt-out/)

------
spindritf
The threats of violence are usually empty posturing but there are other
serious risks associated with speaking out online under your real name. In the
US you can get "swatted"[1], which is an evil twist on usual pizza pranks.
It's not far from that to getting shot (or having your dog shot).

Then there are basic SEO threats to your good name. And the old "taking
information out of the Internet is like taking piss out of a pool." Whether
the information is true or not.

I don't think this is an appropriate defence though. Sticking to usual good
practices of not conflating anonymous personas with your real identity, using
a PO box and proxy services (whether for domain registrations or actual
network proxies) will be more productive. Not good enough when evading FBI but
probably more than fine otherwise.

[1]
[https://en.wikipedia.org/wiki/Swatting](https://en.wikipedia.org/wiki/Swatting)

------
peterwwillis
I don't think this is an effective defense.

First of all, doxing works the same way private investigators do, so they do
not require one-stop-shopping data banks. Social engineering and public
records searches usually give you everything you need and are free. Second, if
you're coming from the standpoint of a feminist decrying the ails of an
oppressive society, you are pissing people off that will be motivated in
attacking you; they aren't going to back off just because your information
didn't show up on PeopleFinder.

IMO, the only defense against doxing is to dox yourself. Doxing is just a form
of intimidation, after all, usually done by people who think publicizing some
"secret information" will be taken as a vague threat. Make the information
public and you remove their ammunition.

To me, the best defense against a troll is being completely nonchalant and not
giving a shit what they do. Hacked my accounts? Oh well, it's just an account,
I'll make another. Sent me death threats? Hey, life is short and we all die
some time. The more you show your attackers that you will not be bothered, the
more they realize they are powerless to harass you. That combined with
reducing one's online footprint in general will break down their motivation
and move them to other avenues for venting hate and frustration.

~~~
shadowfox
> IMO, the only defense against doxing is to dox yourself. Doxing is just a
> form of intimidation, after all, usually done by people who think
> publicizing some "secret information" will be taken as a vague threat. Make
> the information public and you remove their ammunition.

> To me, the best defense against a troll is being completely nonchalant and
> not giving a shit what they do. Hacked my accounts? Oh well, it's just an
> account, I'll make another. Sent me death threats? Hey, life is short and we
> all die some time.

I am clearly a little less nonchalant than you. But I don't feel all that
inclined to publicly post my home address or my kid's school address or scout
camp location.

------
r00fus
This is useless. The only way to defeat mass collection is to poison the well.
I always put some fake data wherever it's not legally required. The only issue
is where it is _required_ and that is the root of the problem - why is it
required in so many places?

------
rl3
The fact most of these sites even have opt-out mechanisms, and that they're
apparently effective, is surprising and quite nice.

Though, I suspect this became the case out of necessity as a result of horror
stories and litigation.

~~~
300bps
_The fact most of these sites even have opt-out mechanisms, and that they're
apparently effective,_

My last name is one that fewer than 20 people in the world have. So doxxing
protection and name management in general is very important to me. A few years
ago I took about a day and had myself removed from everywhere I could find.
Far more comprehensive than this article.

In the three years since, I've slowly been added back to all of them. I
haven't moved, I haven't added or subtracted phone numbers, I've made no life
changes. It just seems like these data brokers remove your information when
you ask and then for whatever reason just add it back again. One example:
whitepages.com. I was removed from there about two years and then suddenly my
name and address are back again. That's just one example that leads me to
believe the opt-out at these data brokers is "temporarily effective" at best.

~~~
rl3
Seems like doing it on a persistent basis is required then, regardless.
Admittedly it's a sad state of affairs, but it beats nothing.

------
legohead
If any of your personal info is on the internet, it has already been saved
where you cannot remove it. This is a personal conundrum I have been trying to
wrap my head around, especially as it relates to pictures of my kids I'd like
to keep offline (but other people take pictures of them and upload them, and
it's too late at that point...)

A company I'm familiar with was attacked by a blackhat. He sent the company
owner all his personal information including SSN, address, etc. It scared the
owner enough to pay off the blackhat, but he also asked the blackhat how he
got his information. The blackhat sent the owner a website that you can go to,
pay around $4 in bitcoin, and search for anyone's information.

------
pasbesoin
People who can afford to are going to begin hiding behind shell corporations.
Houses, other assets, etc. will be corporate-owned, with suitable
non-descriptive names and corporate addresses.

In fact, this is already occurring, although a prime driver has been a form of
trust that reduces taxes, particularly inheritance taxes.

I'm not familiar with what e.g. Hollywood celebrities do, but at a guess many
of them are likely also doing something similar.

Need to restrict access? Introduce a layer of indirection.

~~~
gcb0
agreed. most of the data those companies had on my name were from utilities,
insurance, etc.

and most of them aggregated people with my common name in several states.

they had a lot of info, but also a lot of wrong info. all mixed together. i
send removals for all entries, mine and otherwise :)

------
Joona
I think just using a nickname (instead of your own name) and not sharing
addresses etc is the best way to go.

Lirik (a big Twitch streamer) chooses to only use his online alias, and
although it's a common question what his real name (or other details) are, no
one really has an answer. You just have to put some effort into not leaking
information from registrations to sites (and such).

------
wpietri
Wow. This is an app just waiting to be built. I would definitely subscribe to
a service like this. And I would happily give money to a nonprofit who
provides this as a free service for women in tech. Developers, start your
IDEs!

~~~
muyuu
Why not men too?

~~~
wpietri
This response grates a little. It's so common that it's widely discussed and
parodied. E.g.:

[http://finallyfeminism101.wordpress.com/2007/10/18/phmt-argument/](http://finallyfeminism101.wordpress.com/2007/10/18/phmt-argument/)

[http://www.robot-hugs.com/but-men/](http://www.robot-hugs.com/but-men/)

And it's closely related to the "not all men" line, equally mocked:

[http://www.listen-tome.com/save-me/](http://www.listen-tome.com/save-me/)

[http://imgur.com/gallery/z5AYz66](http://imgur.com/gallery/z5AYz66)

But assuming that you are sincere and just unaware of the context: The reason
that I personally would offer to fund this service for women in tech is that
diversity in tech is an issue I have been working on for a while. Even though
women are a relatively small proportion of the field, those women are a
disproportionately large share of those getting abused with things like
doxxing. I don't like that and want it to stop.

It would be my hope that by offering it widely, it would enable more women to
speak up both about tech and about their experience in tech. Which I in turn
hope will promote a more diverse and inclusive field. Which I think is a good
end in itself, but I also think that means better empathy for all sorts of
users of tech, and therefore better products and less systemic waste.

Is that helpful?

~~~
TeMPOraL
This is sexist and ostracizing :P.

Such a service doesn't have a natural gender discrimination so it's actually
additional work to create one. Sure, it might be worth focusing on marketing
it to women, if indeed they get "disproportionately large share" of abuse (it
sounds plausible to me, but I don't have data) - but there's no need for
artificially limiting the service itself. Male privacy nerds would happily use
it too.

~~~
skybrian
Nobody asked that the service be limited to women. That's something you're
adding to the conversation. So it seems to me that you're politicizing it even
more.

~~~
TeMPOraL
From the top comment of this thread:

> _And I would happily give money to a nonprofit who provides this as a free
> service for women in tech_

That's how I understood it, and I think it's supported by the poster's other
comments.

~~~
wpietri
Skybrian is right; you're wrong.

I am speaking of two separate things: a commercial product and a nonprofit
that gives away free subscriptions to the commercial product. Although now
that you mention it, if some sort of existing nonprofit focusing on diversity
in tech built a service, that would also be something I'm glad to support.

One easy way to tell that I didn't want guys excluded from the service: I said
I wanted to subscribe, and I am a guy.

------
michaelochurch
What creeps me out is that there are now salary databases that people can use
to see someone's prior salary history, job titles, and (in some cases) details
of separation. It shouldn't be legal for those to exist, nor for companies to
use them.

I actually checked myself in one ("The Work Number") in 2012 and it had an
accurate title and salary history, which I hadn't made public. Scary, creepy
stuff going on. How the fuck are they able to know that?

~~~
ci5er
> How the fuck are they able to know that?

This is a good question, that I'd like to see answered too -- if anyone here
knows.

On a related (only to me) note: Is there any way that I can set a watcher on
your comment to notify me if there is a response to it?

~~~
ben010783
I'm just guessing, but they could be using info that was obtained when a user
was trying to get a loan. Typically, your info is sent to multiple lenders so
you can get the best rate. Somebody could be collecting the info somewhere
along the line.

------
doctorfoo
"Many women gamers and developers, as well as those who support them, have
lately come under attack from online trolls"

Please don't whitewash the GamerGaters who have also experienced such attacks.
(For example, one was "doxed" and mailed a knife with a suggestion to kill
himself - which I'd argue is a far worse "attack" than any online threats. The
anti-GamerGate media of course doesn't report on this.)

~~~
lentil_soup
What about a source for that?

~~~
doctorfoo
[https://twitter.com/kingofpol/status/525755692318457856](https://twitter.com/kingofpol/status/525755692318457856)

Keywords "gamergate knife".

~~~
ceejayoz
I'm sure all the folks claiming @femfreq made up her death threats will be
equally skeptical about this one.

~~~
rudolf0
"KingOfPol" is known for lying and generally being not too mentally stable, so
it's certainly not a stretch. Sarkeesian on the other hand is unlikely to lie
about such things, but there was clearly some exaggeration involved.

~~~
mafribe
Why is Sarkeesian "unlikely to lie about such things"?

~~~
rudolf0
Because she's (sort of) a public figure and if it was revealed she was lying,
it would look very bad for her? She also hasn't had a history of lying about
such things in the past, so there's no reason to suspect she is now. She is
known to have lied about certain other issues, but not in a way that's
relevant to threats or harassment. She also doesn't come across as mentally
unhinged or malicious. I dislike her, but I don't think she lied about any of
the threats.

The other person being discussed, KingOfPol, is known for his narcissism and
fabrication of stories, so it's a bit different.

~~~
mafribe
That's not an exhaustive analysis. I recommend looking at risk vs reward.

The risk of getting caught is essentially zero: just use Tor and VPN via an
'unfriendly' third country to send fake threats to yourself, or get a friend
to do that for you. Clearly the police is not going to investigate, because
all these cyberthreats are obviously not serious. The upside on the other hand
... Sarkeesian made how much last time by playing the damsel-in-distress?
Wasn't it over $100k? That's quite an incentive. And then there is the
political effect: the mainstream media, for various reasons, will
automatically side with the damsels.

I spent quite a lot of time in activists' milieu and I smell attack techniques
in a Leninian mould, see e.g. Alinsky's "Rules for Radicals".

