HACKER Q&A
📣 cardamomo

How can I prevent myself from being doxxed?


I imagine my practices are similar to many other HN readers. I follow some privacy best practices but don't generally seek anonymity online. You can google me and find my social media accounts, some articles I've written or for which I was interviewed, and figure out what city I live in. That is to say, my online persona is not entirely locked down.

Let's say I wanted to prevent myself from being doxxed. What steps could I take to make it more difficult?


  👤 ggggtez Accepted Answer ✓
1) Promptly stop saying anything interesting under your real name. Opt out of all social media except to post messages like "Congratulations on the baby!". This will prevent you from making any enemies who know your real name, and reduce the chances anyone will want to doxx you.

2) Start adopting new pseudonyms. Use a different one on every site, and a password keeper to help you stay logged in. If you happen to forget, don't worry. Treat every account as disposable. These are not "you". This is not "your brand". These are merely tools that allow you into a walled garden party wearing the mask of anonymity.

3) Do not mix your two online personas. Keep your politics, jokes, and personality in your pseudonymous accounts. Keep your boring safe opinions and pictures of dogs in your primary account. Don't talk about anything in your real life in your pseudonymous accounts, even the weather. Reserve that kind of discussion for in-person friends only. If you make a mistake, just delete the account and make a new one.


👤 anigbrowl
If you are just worried about someone trying to steal your identity to abuse your credit or so, you probably already practice good basic security (like 2-factor authentication, not recycling your passwords etc. etc.) and have no particular need to worry. You are more likely to have your security compromised in a corporate data breach than someone taking the time to dox you.

If you get in fights online or are a member of some group that frequently experiences abuse (from inside or outside your community) then you should consider rebuilding your social media identities, giving up some of them, compartmentalizing your digital life so that your work or business don't overlap with your friendships or public persona etc.

If things have gone sideways and you think people are already motivated to go after you, a determined person can pull your details together very quickly with a mixture of software tools, access to commercial databases, and some detective work. It's not difficult for someone with experience. In such a situation you should probably work with a commercial service like https://privacyduck.com which will do the work of erasing your digital footprints.

It's not cheap, last time I looked they charged $600/year or so and depending on your circumstances and vulnerability that might need to be budgeted as an ongoing expense. I'm sure there are other competitors in the same field but am not sufficiently informed to make comparisons.


👤 batch12
This is an interesting question. Given your admission that your identity is loosely linked to your online accounts, I don't think it's possible to prevent someone from doxxing you-- someone just needs to tie it all together.

I agree with sibling comments here that the only way to really prevent someone from identifying you from your online personas would be to start over. If you want to truly be anonymous, you need to build these new personas with OPSEC in mind. The process includes 5 general steps:

1. Identify information you feel is critical. In your case, this could be anything that ties your online activity to your real life identity.

2. Identify your threat. This can be simple or complex depending on your needs. Are you concerned about hiding from pissed off gamers, hacktivists, or a nation state? Knowing the enemy you face will help you better understand their potential capabilities to find out information about you and how they could use this information.

3. Assess your vulnerabilities. Look at yourself from the viewpoint of the attacker. What information would you use to dox yourself?

4. Assess your risk. This can also be pretty involved depending on your vulnerabilities and threats. What could someone do with this information? How bad could you be hurt?

5. Apply countermeasures. Figure out how you can mitigate the risk you found above. This may include closing old accounts, creating new accounts, creating alternate personas, disinformation, heading off potential impact from a dox, etc.

Hope my ramblings helped.


👤 dcow
Find the courage to post under your real identity. Society can’t cancel everyone. In my experience whatever political activism you’re engaging in (you mentioned as much in a sibling comment) will benefit far more from association with real humans than with “internet commenters”. Politics happen in the real world, the internet is not representative in that respect. There are very few things that require true anonymity, and in a liberalist society political speech is not and should not be one of them, despite trends of late. The only effective response is to fight back and speak up for what you believe is right. Don’t be a coward. I mean this in the most sincere way possible.

👤 coronadisaster
What I do for things like Reddit and HN, is that I create a new account every few months to make it harder for them... and of course I try not to post information that could personally identify me. As a bonus, you almost stop caring about karma points ;) But of course the provider could still doxx you unless you take some additional steps to stay anonymous (like Tor, maybe).

👤 gostsamo
What is your threat model? Whom are you hiding from and what will happen when the info leaks?

If you are generally paranoid though, never publish photos from around your home, never make online purchases with home delivery, but choose midpoints like post stations to collect them.

Assume that if you type your info somewhere, it would be sold and will pop up somewhere. Currently my name, home address, and phone are published in an American data broker website. If I want them removed, I need to send them an ID with even more personal data and even then they insist that it will be hidden from public view, not deleted. I need a lawyer if I want the situation dealt with properly.


👤 searchableguy
Create many accounts similar to your current ones or buy existing accounts with activity and change their information to be similar to yours. Muddy the water enough that anyone googling your real name can never guess you and misdirect people into clicking unsafe content.

You will leave traces of information no matter how hard you try if you spend enough time on any site.

Btw, did you know that even if you ask dang to rename your account - people can easily find you by searching on hn.algolia.com because they don't auto update indexes on renames?

Same for many other sites. There are many indexes and archives that never update old data and won't care about GDPR requests.


👤 PopeDotNinja
One approach is to simply not care if you are doxxed. What would really happen if someone figured out who you are? If the answer is not much, maybe don’t worry about it. This approach makes less sense if you are saying things that will get you in hot water.

👤 hartem_
Brian Krebs (krebsonsecurity.com) has a lot of fascinating stories on his blog on doxxing and revealing identities of people for whom remaining anonymous was vital (spoiler alert: they couldn't).

Keeping totally separate identities across different services is key (using unrelated usernames, avatars, emails for every service). It’s also extremely difficult and unpractical to pull off.

In most doxxing cases perpetrators manage to get access to a single service and use it as a foothold to penetrate to other services. For example, someone learns your email from a forum, somehow hacks your email, gains access to Dropbox and finds the scan of your passport, driver's licence and social security card. Email in general is the key to one's digital kingdom so the surest way to minimize the blast radius is to keep everything separate and unrelated.

Edit: typos


👤 wtt604
Start new accounts with no reference to your old ones, your name or your location. Be careful about what you put online publicly. I think most people would be horrified at what the likes of Facebook, Amazon or Google know about them.

👤 ghufran_syed
I’m actually trying to address this problem by creating a place for “kind, clear and constructive” discussion online, which uses anonymous identities, so that all users can express themselves in safety. Of course, the hard thing is to have both high quality discussion and anonymity, take a look at conferacity.com if that sounds interesting.

👤 aaron695
"You can google me and find my social media account"

Why can I do this? Sounds like you know the problem already and want a push ;)

A lot of people I know have no photo of their face, and not their real full name, and it goes without saying, totally private. Use Facebook's feature to check you have no accidental public ones.

Using photos people have taken from their house, I've found the location and unit numbers before. So all these need to be private if you are really worried.

Wives/husbands/family are good attack vectors. Not much you can do here to begin with. But you want things locked down to at least friends of friends.

I shouldn't be able to easily escalate from necessary public profiles to private ones.

But it's all about working towards the goal. Just make a start. Every little bit reduces the chance you'll get doxxed. You might just have to be the stronger gazelle.

Maybe privacy is dead, maybe it's about having a job you can't be fired from or a gun in the house? Some people's incomes depend on the public profiles.


👤 password4321
Extreme Privacy: What It Takes to Disappear by Michael Bazzell

https://www.amazon.com/dp/B0898YGR58

This guy sells books on both sides, OSINT and privacy.


👤 Hakashiro
Interestingly, nobody seems to have talked about email.

I run my own mail server, and I have a domain registered for handling incoming mail. Every single website, and I mean every single one, has a different email address under that domain.

Now, while it could be relatively easy to correlate all usernames with domain part of the email, I make it as difficult as possible.

Additionally, some handles are further separated. For example, my professional handles (so stuff I use at work but on my name, my GitHub public email, and similar stuff like that) are under other domain names from a professional (paid) email service. And even those aliases get changed over time (damn you automated email crawlers).

So even if the database of a website was leaked and my mail was in that database, I would, as soon as I’m made aware of the breach, delete the account immediately and instruct my mail server to discard all incoming mail to that address. Of course, every online identity of mine has a different name. This one has a Japanese name, but I have others with common American names, tongue twisters, and sometimes keysmashes. Good luck correlating it all.
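One way to run the per-site alias scheme described in the post above, as an added example that is not part of the original post or the poster's own setup. It goes slightly beyond the post by flagging mail that reaches an alias from an unexpected sender domain; `mail.example.net`, the key, and all function and class names are assumptions.

```python
import base64
import hashlib
import hmac

DOMAIN = "mail.example.net"        # placeholder domain (assumption)
SECRET = b"constructed-demo-key"   # constructed key; a real one stays private


def alias_for(site: str, generation: int = 0) -> str:
    """Derive the address handed to one site.

    The local part is an HMAC of the site name, so it never contains the
    site name and two aliases share no visible pattern.
    """
    msg = f"{site.lower()}|{generation}".encode()
    digest = hmac.new(SECRET, msg, hashlib.sha256).digest()
    local = base64.b32encode(digest[:10]).decode().lower()  # 16 chars
    return f"{local}@{DOMAIN}"


class AliasTable:
    """Tracks which alias belongs to which site and which are retired."""

    def __init__(self):
        self.active = {}      # alias -> site
        self.retired = {}     # alias -> site; mail to these is discarded
        self.generation = {}  # site -> current alias generation

    def issue(self, site: str) -> str:
        gen = self.generation.setdefault(site, 0)
        alias = alias_for(site, gen)
        self.active[alias] = site
        return alias

    def retire_and_rotate(self, site: str) -> str:
        """After a breach: discard mail to the old alias, issue a new one."""
        old = alias_for(site, self.generation.get(site, 0))
        if self.active.pop(old, None) is not None:
            self.retired[old] = site
        self.generation[site] = self.generation.get(site, 0) + 1
        return self.issue(site)

    def route(self, recipient: str, sender_domain: str):
        """Decide what the mail server does with one incoming message."""
        rcpt = recipient.lower()
        if rcpt in self.retired:
            return ("discard", f"alias for {self.retired[rcpt]} was retired")
        site = self.active.get(rcpt)
        if site is None:
            return ("reject", "unknown alias")
        sender = sender_domain.lower()
        if sender != site and not sender.endswith("." + site):
            # The address was only ever given to `site`: it leaked or was sold.
            return ("flag", f"alias for {site} used by {sender}")
        return ("deliver", site)


if __name__ == "__main__":
    table = AliasTable()
    addr = table.issue("forum.example")          # constructed site name
    print(addr, table.route(addr, "spammer.example"))
    print(table.retire_and_rotate("forum.example"), table.route(addr, "forum.example"))
```

The domain part is still shared by every alias, which is the correlation risk the post itself acknowledges.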


👤 d3nj4l
At the most basic level, don't say anything online you wouldn't want seen again. Not in discord, not on twitter, nowhere. Always treat anything you disclose online as if it's public knowledge from that point on. Even if you delete it, there's a tonne of third parties that archive data you post, even on more "ephemeral" services.


👤 AmericanChopper
If you’re trying to prevent an online persona from being tied to your real identity, then you just have to be incredibly paranoid about anonymity. It’s not enough to hide your name, you have to consider hiding anything that makes you identifiable. If I knew somebody was a software engineer, well I wouldn’t know how to find out who they were. If I knew they were a software engineer from Arkansas who contributed to Rust projects, all of a sudden my search would have been narrowed down significantly.

If you want to prevent somebody who knows your identity from finding your phone number, address, etc... good luck. Whether somebody can find that would pretty much boil down to how much effort they’re willing to invest.

Source: I used to do some of these sorts of OSINT investigations as part of a fraud investigations team.


👤 rurban
The problems are not kids, the problems are grownups. Like police, border control, visa applications, which can harass you if you dare to voice your opinions.

Which is a problematic turn of events. When I grew up, the western world was not like China or Eastern Europe, as it is now. So you didn't use pseudonyms, because your name was your brand. Only immature kids or lgbt people used pseudonyms, the rest was honest, and it helped you with your job prospects. Now a new wave of fear, bullshit and lies has taken over corporate and public matters. You can now even trust the Eastern Europeans more than westerners.


👤 082349872349872
Have your lawyer transact your business. Have your holding companies own shell companies that own your assets.

The above is not complete snark: a friend's brother, whose daughter's fiesta de quinceañera I'd attended, was put in a coma working full-time for a fellow who employed two full-time accountants as part of his "family office" but who was not only too cheap to carry insurance but then even explicitly said the brother, as an independent contractor, should've had his own and refused to contribute anything towards his medical bills. I spent an afternoon trying to track down assets, and the structure I managed to reveal was ... interesting.


👤 miguelmota
If it can happen, it most likely will happen if someone really wanted to (i.e. by doing phishing attacks, looking up public records, hiring private investigators, etc), so the best thing to do is to think about what can be done to minimize any collateral damage after the fact (i.e. protecting your image, securing online accounts, keeping your home safe, etc), since any sensitive information (i.e. confidential or embarrassing) they can acquire can be used to blackmail. It's pretty hard to remain anonymous online for a long time given how everything is connected and archived on the internet these days.

👤 exolymph
The easiest way is to be insignificant. But it's still no guarantee.

👤 xenocyon
It depends on what you mean by being 'doxxed'. It is trivially easy to find out what city I live in and a few other non-identifying details. It's harder to pinpoint my real name or address without the active cooperation of website owners (and maybe not even then).

Minuscule levels of risk are not worth worrying about, unless you are a figure in the public spotlight or likely to be a person of interest to police or intelligence orgs, in which case you should probably seek advice specific to your situation.


👤 coderobe
Easy, just dox yourself first.

👤 Causality1
Effectively you've already doxxed yourself. The ability to associate a real name with an address without excessive effort predates the internet and these days it is even easier, so with the internet the only winning move is not to play. Stop using your real name, period. Creating fame and an online persona that can pay your bills is directly at odds with maintaining privacy.

👤 m3kw9
Essentially any info you have posted that you remember that can be linked to any of your real ID can be traced to you. Sometimes it doesn’t need to be public as hackers sell a lot of this info from hacked sites. I would say difficult to hide unless you don’t really use the internet or you are so careful it takes the joy out of it.

👤 ppf
Don't use your real name online. I don't have any complicated privacy best practices, I'm just not on social media and don't use my real name online if I can at all help it.

Edit: Sounds like it's too late for you, but don't be an activist online using your real name unless you have some real, physical security.


👤 tmaly
Avoid politics at all costs.

Stay quiet and mainly share content about food, gardening, and occasionally programming.


👤 probinso
You have to define your threat model. The easiest way to not get doxxed is to always use a throwaway account. Don't bother having persistent identities online.

👤 ydnaclementine
Google your full name (and any variations, Edward -> Ed, etc) and remove yourself from these whitepage directory type websites that people can look up your past/current residences.

Do your family a favor and remove them too.


👤 tracker1
1) get a "burner" cell phone, pay in advance service that isn't tied to you. Use cash to buy "gift card" or prepaid ahead of time for anything you do with this phone or online. Disable location tracking.

2) get a chromebook or other cheap laptop that isn't connected to "you"

Use the laptop and phone for anything you do online. Do not connect to public wifi, or use the accounts on other devices or your personal accounts on these devices.

You should be able to stay relatively anonymous this way. You will have a phone and laptop to run whatever operations/statements or other activities you want to remain private from your real life person.

You may want to go a step farther and use a pre-paid VPN service for all activities as well. But by all means, don't mingle your devices...


👤 yyyuutt
It's almost worth changing your name if you have an unusual one. It must be great to have a name like John Smith because no one can google you to find anything interesting.

👤 rishabhd
Read everything ever written by thegrugq and apply it.

👤 grimzucchini
One thing: Delete url of your HN bio with information about who you are and hide your real name in the footer of your website.

👤 lazyant
Maybe adding false information?

Harder in blog articles if you already have an identity and a real name, but if you are in twitter or reddit, you can post about fake locations, hobbies, family members etc. This way at least it is harder to be doxxed by automated tools and adds some plausible deniability.


👤 bra-ket
I’d say, vote.

👤 notomorrow
ask gwern

👤 RickJWagner
My technique is to use my real name and offer only opinions that I think are quite reasonable. Of course I still run risks, but I imagine everything is knowable to someone determined enough to go looking for you. I'd hate to have posted something I wouldn't be proud of later.

👤 thetechimist
It seems to me that the whole threat of being doxxed relies on two things: (1) that you’ve done something in one sphere of life that would be reprehensible (and maybe actionable) to another sphere of life, and (2) that the unholy Russian Twitter not mob can influence that other sphere of life.

It may not be possible to have different spheres of life cohabitate peacefully, especially if the doxxing involves shining light on old character flaws you’ve since remedied, but thanks to the digital world we live in, can be easily surfaced. I’d say “get off social media forever” to at least prevent your self 20 years in the future having this same worry about whatever it is you are innocently sharing this month, but that always seems to draw a gasp from people who apparently can’t imagine life without the internet.

Seems to me that everyone who has ever been doxxed is doing “something” that draws attention to them. That doesn’t make it right, but I haven’t heard of doxxing of any quiet Amish families, or guys building cabins in the woods minding their own business.

It’s usually some loudmouth on some open source software forum, or some politician’s operative, or someone being a potential whistleblower.

What you are asking is, in essence, how can I keep from getting punched in the mouth? It’s not too difficult, if you think about it. Someone randomly punching you in the mouth “for no reason” is about as statistically probable as being struck by lightning twice in the same week.

Some people attract punches more than others. I’m not saying it’s right, or even deserved. Just that there are life choices that can increase the odds.

Maybe what you’re really asking is how can I avoid the risks of some life choices I am making or want to make?

All the advice here will only partially mitigate the risk. The only real way to eliminate it would be to make different choices to stop unwanted attraction.

I somewhat laughed at all the “privacy” tips here. My friend, if you tick off the wrong person, they will find you or hire someone good to do it for them. And if doxxing is their chosen revenge, you can’t choose to then decide to be a quiet mild-mannered ordinary citizen when you already opened your mouth and drew attention to yourself.

I’m sure everyone who flips someone off across the street wishes the same when they see the scrawny guy reach into his jacket and pull out a gun.