- Recommend the usage of the Tor Browser for this activity.
- Treat threat and adversary data with the utmost security.
- Ensure that any physical notes/drawings are erased and destroyed once digitally recorded.
- Ensure that any digital recordings of this process are kept secure and encrypted.
- Before targeting any individuals, do the research for the organization itself.
- If using a staff member for the example, have a private session with them beforehand to make sure you do not expose any sensitive information to the group.
- Ensure that you have consent from the staff members you will use as an example for this activity.
- Prepare before the activity by doing this research on a few members of the organization to identify good examples.
Present the problem to the group:
Harassers and stalkers use several tools and techniques to gather information about their targets, but since these tools and techniques are mostly public and easy to use, we can also use them ourselves, on ourselves, as a preventative measure. "Self-doxing" can help us make informed decisions about what we share online, and how. (Of course, these same instruments can also be used to learn more than is immediately obvious about someone we have met online before we give them our full trust - for example to decide if we want to admit them to a private mailing list or group on social networking platforms.) Methods used for doxing (and self-doxing!) include exploring archives, yellow pages, phone directories and other publicly available information; querying common search engines like Google or DuckDuckGo; looking for a person's profile in specific services; searching for information in public forums and mailing lists; or looking for images that the person has shared (and for instance may have also published in another, more personal, account). But it can also simply consist in looking up the public information on the owner of a website, through a simple "whois search".
- Ask the group to brainstorm possible search engines and websites where information could be found on them and their communities - encourage them to think of local services or services used by their friends, including social networking platforms.
- Give out copies of this self-doxing guide.
- While projecting to the group, conduct research on yourself or a high-profile member of the organization who has given their consent. Perform the search on websites mentioned in the self-doxing guide and during the brainstorming activity.
Either have them do the same research on themselves in pairs or assign this research as homework.
Note: If participants perform the research at home, it is important to warn the group that when practicing self-doxing, there is a risk of getting exposed to results that they may find disturbing. Tell them that if they think they may need support, they should ask a close friend to be around while they carry out their research.
- Instruct participants to use the Tor Browser and a browser different than their usual one to perform the research, and ask them to search both on the websites and services listed in the self-doxing guide and in the ones mentioned during the brainstorming.
- Explain that, to decide what to search for, one should try to understand what activities expose them to a higher risk of being attacked by trolls or other malicious actors. They should ask themselves: "Why would someone want to spend hours of their time to track information on you on the internet?" Add that this kind of attack often affects minorities or people who support controversial opinions online, and the attack starts from the information that the malicious actor will find immediately available - like the nickname and profile used by the target on the platform where the attack has started, or the pictures the target has published on their page. This is where they should start.
- Instruct the group to check the properties of the posts and media they have published, to make sure that they aren't leaking their IP address or other metadata.
- Show the group a reverse image search on TinEye or Google and recommend they do it on pictures of themselves they have published online.
- Show the group how to check if their online account has been previously compromised on Have I Been Pwned?. Explain that often results are old and if they have changed their password recently, showing up on this search may not be a problem. Tell them that if they are still using that old password for the compromised account or for other accounts, they should immediately change that password.
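The metadata check on published media described above can also be run on a file before it is shared. The following Python example is added here and is not part of the original guide: it lists identifying EXIF tags in a JPEG and returns a copy with the EXIF/XMP and comment segments removed. The function names and the sample bytes are constructed for illustration.

```python
import struct

# IFD0 tags that commonly identify a device, a person, a time or a place.
SENSITIVE = {0x010F: "Make", 0x0110: "Model", 0x0132: "DateTime",
             0x013B: "Artist", 0x8825: "GPSInfo"}

def segments(jpeg):
    """Yield (marker, start, end) for each segment before the image data."""
    if jpeg[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG (missing SOI marker)")
    pos = 2
    while pos + 4 <= len(jpeg) and jpeg[pos] == 0xFF and jpeg[pos + 1] != 0xDA:
        (length,) = struct.unpack(">H", jpeg[pos + 2:pos + 4])
        yield jpeg[pos + 1], pos, pos + 2 + length
        pos += 2 + length

def exif_tags(jpeg):
    """Return names of sensitive IFD0 tags present in the EXIF (APP1) segment."""
    found = []
    for marker, start, end in segments(jpeg):
        tiff = jpeg[start + 10:end]          # skip marker, length, "Exif\0\0"
        if marker != 0xE1 or jpeg[start + 4:start + 10] != b"Exif\x00\x00":
            continue
        order = "<" if tiff[:2] == b"II" else ">"   # TIFF byte order
        (ifd0,) = struct.unpack(order + "I", tiff[4:8])
        (count,) = struct.unpack(order + "H", tiff[ifd0:ifd0 + 2])
        for off in range(ifd0 + 2, min(ifd0 + 2 + 12 * count, len(tiff) - 11), 12):
            (tag,) = struct.unpack(order + "H", tiff[off:off + 2])
            if tag in SENSITIVE:
                found.append(SENSITIVE[tag])
    return found

def strip_metadata(jpeg):
    """Return a copy without APP1 (EXIF/XMP) and COM (comment) segments."""
    out, keep_from = bytearray(), 0
    for marker, start, end in segments(jpeg):
        if marker in (0xE1, 0xFE):
            out, keep_from = out + jpeg[keep_from:start], end
    return bytes(out) + jpeg[keep_from:]

def sample_jpeg():
    """Constructed input: valid segment layout only, not a viewable photo."""
    ifd = struct.pack("<H", 2)                                # two entries
    ifd += struct.pack("<HHII", 0x010F, 2, 4, 0x00585858)     # Make = "XXX"
    ifd += struct.pack("<HHII", 0x8825, 4, 1, 38)             # GPS IFD pointer
    ifd += struct.pack("<I", 0)                               # no next IFD
    app1 = b"Exif\x00\x00" + b"II*\x00" + struct.pack("<I", 8) + ifd
    head = b"\xff\xd8\xff\xe1" + struct.pack(">H", len(app1) + 2)
    return head + app1 + b"\xff\xda\x00\x02\xff\xd9"
```

To use it on a real photo, read the file in binary mode, pass the bytes to `exif_tags`, and write the result of `strip_metadata` to a new file before publishing.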
If significant results are found that might endanger an individual or the whole organization, the auditor should give immediate mitigation recommendations.
If the personal information is on a website, help the organization identify the contact point they need to contact for the takedown request. European Union citizens can often rely on the right to be forgotten.
What follows is a list of links to start a takedown request:
- Facebook: Form to request removal of photo or video because it violates someone's rights
- Twitter: Form to report doxing or posting of private information
- Snapchat: Help Center - Click on "Report a Safety Concern".
- Reddit: What to do if someone posted your personal information
- If the public form cannot help, abuse can be reported by email following these instructions