2011 saw one of the first large-scale uses of doxxing directed specifically against law enforcement.
The hacker group “Anonymous,” in retaliation for arrests of some of its members, breached the websites of federal agencies and over 70 state and local police departments, exposing a range of private data including officers’ email addresses, usernames, social security numbers, home addresses, phone numbers, passwords, and details about active investigations.
Since then, the threat posed by doxxing to law enforcement professionals has continued to grow. This past June, in an event now being referred to as “BlueLeaks,” the same hacker organization “Anonymous” released even more data than in their first leak.
Personal identifying information of over 700,000 US law enforcement officers was made available to anyone who wanted to access it. For law enforcement professionals, this leak may only be the tip of an iceberg compared to the future threat doxxing poses.
Doxxing and Cancel Culture
The term “doxxing,” an abbreviation of “documents made into a verb,” was first used by hackers in the 1990’s to describe the act of exposing, or threatening to expose, people’s “real identities” in forums where anonymity was the norm.
Doxxing became more popular in the early 2010’s when online media outlets began testing the limits of public interest journalism by exposing and publishing identities of anonymous social-media trolls.
Today, doxxing itself is often only a single step in a broader tactic of directing viral social-media (and often mainstream media) criticism against individuals.
This practice colloquially referred to as “cancel culture” can destroy victims’ lives. Once targets are identified, their online history can be critically deconstructed and leveraged into public relations disasters, often ending careers overnight.
In one high profile example, two successive police chiefs in Burlington Vermont were forced to resign over public disclosure of anonymous social media commentary.
Current high levels of political polarization, coupled with a tabloid culture in many media organizations, have created an increased incentive for activists to use these tactics to damage organizations — particularly those within the law enforcement community.
As seen following the recent Portland riots, doxxing has also become a targeted weapon for disgruntled protesters to use against the police. This tactic can put officers’ lives at risk. Faced with this growing threat, very few organizations seem to have any coherent strategy for addressing these risks.
Protecting Law Enforcement Officer Privacy Is Not Just About “Better Security”
Doxxing doesn’t just happen when data is leaked following a cyber attack. While data breaches continue to be a source of risk, they are not the only way someone’s sensitive information can be leaked. Private information can increasingly be accessed by people who don’t have the same technical knowledge as “hackers” and are not breaking any laws in doing so.
This is because of the vast proliferation of online data brokers. These are intermediaries that trade in people’s personal identifying information like home addresses, property records, phone numbers, names and addresses of relatives, social-media accounts, and employment history.
By putting people’s personal information for sale, data brokers make it trivially easy for motivated people to quickly assemble detailed profiles on targets without ever breaching an organization’s firewalls.
As more people’s personal information becomes easily accessible online, the standard approach to information security is often obsolete. Traditionally, the concept of organizational and personal identity risk-management has been seen as a straightforward “security” problem: network protections against hacking, user accounts secured with strong passwords, email encryption, and so on.
As employers fail to keep up with trends in data accessibility, law enforcement professionals are left increasingly vulnerable to doxxing attacks. The Department of Homeland Security issued warnings as recently as 2017 that threats of employee doxxing needed to be considered independently of organizational security practices.
However, despite the warnings, the DHS provides little in terms of actionable law enforcement best practices other than “practice good cyber-hygiene.”
How Professional Organizations Should Be Thinking About Employee Privacy
While many organizations give their employees guidelines on what not to do online, most cannot directly monitor employee profiles online.
Fewer still engage in active measures to help clean up and protect their employees’ digital footprint. Most responsibility is still left in the hands of individuals who are expected to regulate their own behavior and manage the costs of any additional identity protections they might take.
However, as high-profile incidents of employee doxxing increase, we see this attitude changing fast. Many organizations are now attempting to pre-empt the risks of data exposure, particularly for their senior executives. This involves actively auditing an individual’s entire digital history and doing so on a routine basis rather than as a one-shot measure.
Unfortunately, lower-level workers can often be reticent when it comes to providing full disclosure to employers about their online past. They can sometimes see internal human resources departments as potential sources of career-risk themselves.
Third-party privacy companies can help bypass these kinds of potential conflicts of interest. But the industry of providing better employee privacy is still in its relatively early stages. Many firms are primarily focused on executive-level “reputation consulting,” which is more about shaping the kind of information already available than taking sensitive information off the internet.
That being said, companies that can remove personal data from the web do exist.
DeleteMe, for example, can monitor employees’ personal information online, remove it from 3rd party data brokers, and provide tools to help users manage their online privacy.
For law enforcement professionals, keeping personal information private is a matter of personal safety and professional integrity. Faced with an increasing proliferation of data across different channels and outside of their own control, they, and their employers, need to take data security seriously.
In today’s polarized environment, data security is as much a personal safety issue as a cybersecurity concern.
Written by Rob Shavell, CEO of Abine/DeleteMe – Massachusetts-based data privacy experts who provide services that protect businesses and members of the public sector online.
—
Want to make sure you never miss a story from Law Enforcement Today? With so much “stuff” happening in the world on social media, it’s easy for things to get lost.
Make sure you click “following” and then click “see first” so you don’t miss a thing! (See image below.) Thanks for being a part of the LET family!
