This article first appeared in Digital Edge, The Edge Malaysia Weekly on December 12, 2022 - December 18, 2022
Doxing has been a problem since the beginning of the internet. Feuds between hackers often culminated in the disclosure of personal information as an act of vengeance.
Today, the rapid proliferation of social media has made doxing a form of extreme vigilantism. It exacerbates a polarised online discourse to exact revenge or create a hostile environment that carries real-world consequences, from social backlash to professional damage and risk of physical harm.
Despite the harrowing effects of doxing, it is not easily redressed under the Malaysian legal system as legislation prohibiting the grievous violation is not spelt out unequivocally.
Doxing — tech slang for “dropping documents” — is the malicious disclosure of personal information online that is usually intended to condemn, punish, intimidate or humiliate the individual in question. Doxers will search for, collect and publicly share personally identifiable information without the victim’s consent.
In the case of Joanna Joseph, she was just 15 years old when a private, compromising photo of herself was leaked online by her then supposedly 20-year-old online boyfriend. The photo that the latter had solicited was soon all over social media.
A decade on, Joanna — who was a victim of cyberbullying or, more specifically, doxing — sought recourse, but has yet to find justice.
As it stands, doxing — if it is ever reported — falls under laws related to personal data, misuse of network facilities, unauthorised use of computers, harassment and threats. These include the Personal Data Protection Act 2010 (PDPA), Section 509 of the Penal Code, the Communications and Multimedia Act 1998 (CMA) and the Computer Crimes Act 1997 (CCA).
“If a person is identifiable through the photos, even without revealing the name, for example, through tattoos, birthmarks or other identifying factors, it can be considered doxing,” says Louise Tan, head of campaigns at Women’s Aid Organisation (WAO).
This is why the WAO has been calling for doxing to be added to anti-stalking provisions.
“I was so freaked out when that happened to me because I never expected it. I was so young and I didn’t know what to do. I was still in school and everyone in Klang had the photo, and it went all the way to Ipoh and Kuala Lumpur and so many different states. I felt so trapped,” says Joanna.
“The worst part was my ex threatening me, saying that he was going to kill me if I told anyone [about what had happened]. I thought maybe if I kept quiet, it [the incident] would go away. But it never really went away. Once the photo was out, that was it. No matter how much you try to make sure it is taken off the internet, it is impossible [to stop the photo from being circulated] because people still have it on their phones or keep a physical copy.”
“Reasons for doxing can range from the relatively trivial, such as fake email sign-ups, to far more dangerous ones, like harassing a person’s family or employer, identity theft, threats or even in-person harassment. Regardless of the motivation, the core purpose of doxing is to violate privacy, and it can put people in an uncomfortable situation — sometimes with dire consequences,” says Vitaly Kamluk, director of the global research and analysis team (Asia-Pacific) at Kaspersky.
And dire it was in the case of a 20-year-old man from Gombak who committed suicide by hanging himself in September after falling for a woman’s ploy to extort money from him by using videos of him in the nude that he had sent to her.
According to a report by China Press, the woman successfully extorted RM1,000 from the victim, but she did not stop there. She continued to threaten him and demand that he pay another RM2,000 or the videos would be leaked online.
Apart from local news coverage, precise data on the extent of doxing in this country or those who were targeted isn’t available.But Malaysia ranked No 6 out of 28 countries and was second in Asia, behind India, found Ipsos — a global market research company — in its Cyberbullying: A Global Advisor Survey conducted in 2018.
In the US, however, 21% of Americans — more than 43 million people — have personally experienced doxing, according to US-based security analysis firm SafeHome.org. In its article, “Doxxing in 2022: An Unexpectedly Widespread Cybersecurity Threat”, published in April, it notes that even though 52% of doxing attacks stem from online interactions with strangers, almost one in four perpetrators were personally known to the targets.
Joanna, who is now 25, a professional model and a vocal advocate against cyberbullying, eventually decided to make a police report in 2020, thinking that if she were to seek redress for her ordeal, many more would be aware of the offence and be able to prevent easily impressionable individuals from falling prey to such acts.
However, things didn’t go her way. The response from the police personnel was at best dismissive and lukewarm.
She then took the evidence with her and approached a lawyer. But the lawyer advised her to drop the case as it would be “a waste of time” as it happened “too long ago and the police weren’t going to investigate”.
“It made me wonder what would be considered a wrongful act to them [the police]? What would be deemed inappropriate to them? Because no one knows. As a victim, I just thought that if I was harassed, I could go to the police and they would take care of it because it’s their job,” says Joanna.
(Digital Edge has approached the Royal Malaysia Police and the Malaysian Communications and Multimedia Commission, or MCMC, for comment.)
It is important to provide legal avenues for victims of doxing to avail themselves of timely remedies against doxers and to deter doxing, says Chew Kherk Ying, partner and head of intellectual property and technology practice at Wong and Partners.
“Doxing can have severe repercussions, ranging from loss of reputation to loss of employment, harassment, physical harm and loss of life. Even where doxing falls under laws such as PDPA, CMA and CCA, these laws do not expressly provide for a statutory civil right of action for victims of such crimes,” she points out.
Under Section 130(1)(a) of the PDPA, it is an offence for a person to knowingly or recklessly disclose personal data without the consent of the data user. But the PDPA does not cover instances where personal information is obtained through common searches, as is common with doxing. The act only applies to personal data processed for commercial transactions.
In Section 509 of the Penal Code, it is an offence to intrude upon the privacy of a person and the offender is liable to imprisonment of up to five years and/or a fine. This provision has been traditionally enforced in crimes against modesty.
According to the MCMC website, there are two provisions used to address offensive content on the internet under the CMA. The first provision is Section 211, which is the prohibition on provision of offensive content. The second is Section 233, which is the improper use of network facilities or network services.
Doxing may fall under Section 233(1) of the CMA if it is in the form of communication that is obscene, indecent, false, menacing or offensive with the intent to annoy, abuse, threaten or harass another person. The person who initiates such communication is guilty of an offence and liable to a fine not exceeding RM50,000 and/or imprisonment of up to a year. The offender will be fined a further RM1,000 for every day the offence is continued upon conviction.
Doxing may also fall under Section 3 of the CCA if it involves unauthorised access to a computer such as in hacking cases.
However, there are still shortcomings to these laws as they are not well equipped to tackle issues such as doxing, stresses Chew.
“The laws in Malaysia concerning cybercrimes such as the CMA and CCA were enacted well before many of the cybercrimes such as doxing that are now prevalent were relevant. The law often has to catch up with technology, like what we are seeing in Hong Kong and Singapore where amendments were made to existing laws to address this issue,” she adds.
“I think we are trying to cope and adapt to new technologies and the way people are using these technologies. The reality is that in all things, the law is slower than technology,” says Dr Rachel Gong, deputy director of research at Khazanah Research Institute.
“[Doxers know] the way to do that is to exert control over a person, to put them in a vulnerable position by releasing their information and putting them at risk,” she notes.
With the lack of a specific law and rising rate of online abuse, victims are under pressure to find a way to protect themselves.
“I’m loath to put the burden on individuals to find their own solutions when they are the ones being harmed, but without laws that explicitly protect them, they may need to seek legal counsel to see if there are other laws under which the harm can be reduced,” says Gong.
In Singapore and Hong Kong, legislation has been enacted or proposed to criminalise the act of doxing. Hong Kong recently amended its data privacy law, called the Personal Data (Privacy) Ordinance, to introduce anti-doxing provisions.
“Pursuant to the amendments, it is now an offence to disclose a data subject’s personal data without consent with the intent to cause any specific harm to the data subject or with reckless disregard for the possibility of harm, regardless of whether actual harm has been caused by the disclosure,” says Chew.
There have been proposed amendments to Singapore’s Protection from Harassment Act (POHA), calling for the prohibition of the publication of personal information when it is done with the intention to harass or cause violence. “As part of the proposed amendments, a specialised court would be set up to address all criminal and civil matters under POHA with simplified procedures and expedited timelines,” says Chew.
When the Malaysian government amended the Penal Code to include stalking violations in August, doxing wasn’t explicitly specified. The amendments, which were passed by the Dewan Rakyat on Oct 3, have made stalking a punishable offence, imposing imprisonment of up to three years, a fine, or both.
According to a report by the New Straits Times, then deputy minister in the Prime Minister’s Department (parliament and law) Datuk Mas Ermieyati Samsudin, when tabling the bill, said the proposed amendment was to protect victims from harassment in an offline or online environment.
“Doxing may have been excluded from the list due to a lack of understanding about doxing, and also the feeling that the acts that make up stalking can be covered by existing laws. However, it is still important to include doxing as one of the recognised acts that can make up stalking, so that survivors of doxing can also get protection orders,” says Tan.
“The current [amendment] contains the provisions for protection orders. Protection orders are essentially issued against the suspect. The suspect can be ordered to cease all communication with the survivor and ordered to stay a minimum amount of distance away from them. The suspect can also be asked to avoid certain areas where the survivor is as well.
“This is while the investigation is ongoing. Once the investigation is completed, the interim protection order can be transitioned to a protection order in full.”
Perpetrators tend to not use their own social media accounts to avoid the crime being traced back to them. As a result, it is hard to take action against the perpetrators as they will delete the account and move on.
What makes cases of doxing even more complicated is that other people act on the doxed information through harassment.
“Survivors may get a lot of spam calls or messages from random people on the internet, usually due to the information being posted on some forum or the other. They may experience a heightened sense of anxiety and insecurity because information on their home and whereabouts are being shared,” says Tan.
If doxing were recognised as an act of stalking, it could make investigations go more smoothly. Also, victims would not have to lodge multiple reports with different agencies as is currently the case. Another reason why doxing needs to be included in the law is to streamline the process of reporting for police officers to act, she asserts.
Currently, the MCMC report is not part of the police report made by the victims.
“For most stalking or doxing cases where there is an overlap of online and in-person harassment, survivors have to lodge both a police report and an MCMC report. The process is not straightforward and rarely leads to the issue being resolved,” says Tan.
“Additionally, if doxing happens on social media platforms such as Twitter or Instagram, MCMC will simply direct the survivor to lodge a complaint with the platform itself and close the complaint.”
In Joanna’s case, she had to make a police report before she could lodge a report with MCMC. “They only came back to me six months later, while the issue was still ongoing. Anything could have happened during that time. The worst part is they came back to me and said nothing was wrong,” she laments.
Her ordeal did not end with the release of the photo. She had another traumatic experience when she made a music video on sexual relationships in 2019. After the video was released, a segment of the community did not take well to it, deeming it as “raunchy”.
“The worst part was my personal details got out because the music video went viral. Where I lived, my university, my contact details … all of those were suddenly accessible online. It came to the point where I couldn’t even leave my house because the minute someone recognised me, they would shout, “How much for a night?”
She subsequently lodged a police report. But again, it was to no avail.
“It was scary. I went through a really difficult time all because I wanted to find a way to stop all of this from continuing, and do something about it [doxing] so that things like these wouldn’t happen to other people as well,” she says.
All Joanna wants now is for law enforcement to take doxing seriously.
“What we want them [law enforcement] to do is to look into it. If someone gets a [threatening] phone call from an unknown number or via social media, these accounts should be looked into, regardless if it is a fake account or not. I feel that they should just trace the IP and find the person behind it,” she says.
“Give us the feedback that we need and not keep us waiting in the dark all the time. Don’t just say the case is ongoing. Doxing does affect a lot of people and I’ve seen so many of them go through so much emotional turmoil.”
Despite the repercussions of doxing, which exacerbates polarised and extreme online discourse, there is little awareness of the severity of the violation.
Even in the US, the reason these attacks aren’t often reported is that doxing is not necessarily illegal, which leaves authorities without jurisdiction, states SafeHome.org. Second, doxers tend to operate anonymously. This leaves victims scrambling to identify their perpetrators and unable to find a resolution. Finally, as doxing often involves accusations, embarrassing facts or personal photos, the targets might not wish to further publicise their humiliation.
In the case of stalking and domestic abuse, there has been an increase in awareness because more victims who have experienced abuse have come out to talk about it, especially online. The Covid-19 pandemic heightened this further, as people spent more time online to stay connected, says WAO’s Tan.
“Data privacy is increasingly difficult to secure. It is easier than ever for a determined individual to get access to someone’s private information. The growth of the internet and social media has far outpaced any efforts to police and regulate it,” she adds.
Joanna has become very transparent about her struggles, be it her mental health or the hate speech she receives. She does this to spread awareness.
“I always speak about the things that I am going through. When I go through something like cyberbullying or doxing, I always post it. But I always make sure to hide the name and photo of the person because I am doing it to create awareness. I just want people to realise what this person is doing is not right, and there are other means to go about it if you have something to say to someone,” she says.
Joanna also speaks at universities to share her experience in the hope that people can relate to this and learn from her experiences. “We create this safe space where everyone can speak about what they have endured and what they are experiencing.”
“Awareness of the consequences of doxing, the measures that can be put in place to prevent doxing and the avenues that are available to seek relief against doxing should be improved to curb the prevalence of doxing culture,” says Chew.
Although there is an absence of stringent laws to protect the victims of doxing, there are a few measures that can be taken to protect themselves.
1. Victims must always document the evidence of doxing. To do this, victims should take screenshots of pages on which their information has been posted. The evidence is essential for the victim’s own reference and can aid law enforcement and other agencies involved in pursuing legal action.
2. Victims must report the doxing to the online platforms hosting the disclosed personal information. “Certain platforms such as Facebook and Twitter have terms of service that prohibit doxing and should respond to the victim’s request and remove the disclosed personal information,” says Chew Kherk Ying, partner and head of intellectual property and technology practice at Wong and Partners.
3. A victim should involve local enforcement and report the crime to the police. To be on the safe side, phone numbers, usernames and other personal information that is publicly available should also be changed.
4. Where possible, a victim should lean on a family member or friend for support. Victims should also approach organisations such as the Women’s Aid Organisation (WAO) and Befrienders for support. Survivors often face a high level of anxiety and insecurity as they may need to make changes to their daily routine to avoid harm.
Additionally, victims can reach out to WAO if they require case management. A social worker will aid the victim in assessing the various risks as well as the sources of support they may need. The support ranges from assistance in lodging a police report, shelter and also connecting them with mental health services.
The Befrienders free hotline is available 24 hours a day, 7 days a week, to provide emotional support to people who are lonely, in distress, in despair and having suicidal thoughts.
“We provide emotional support by listening to them and giving them a safe space and to talk about the pain they are going through. We don’t directly advise them, but what we do is listen to them non-judgmentally,” says Ardy Ayadali, publicity director at Befrienders.
“One of the challenges faced in Malaysia is that there is no specific law to deal with cases like doxing. People feel helpless because there is nothing much they can do and there are not many places they can seek legal help. In that sense, the extent of help we can provide is of emotional support.”
In cases of doxing, the onus to protect oneself unfortunately falls on the victims. Doxing can happen to anyone. The tools that doxers tend to use are legitimate and public. Some of the tools used are common search engines, social networks and professional data collectors.
Despite the risk of doxing being high in the age of social media and the widespread use of the internet, there are certain steps that can be taken to protect oneself online.
1. Protect your Internet Protocol (IP) address by using a virtual private network (VPN), which is an excellent protection against exposing IP addresses. “A VPN takes the user’s internet traffic, encrypts it and allows you to browse the internet anonymously. This is typically applicable if a doxxer has access to your network or internet channel,” says Vitaly Kamluk, the director of global research and analysis team (Asia-Pacific) at Kaspersky.
2. Install good cybersecurity software with anti-virus and malware detection tools that can stop doxers from stealing information through malicious applications. “Regularly updated software helps to prevent any security holes that could lead you to being hacked and doxed. Malicious software is not uncommon for cases where a doxer is hired to collect information in a targeted fashion,” says Kamluk.
“Typically, anti-virus protection is very efficient against such techniques because most of such spyware is well known and detected by security products. Doxers normally don’t have the budget to develop their own custom malware or use expensive commercial spying tools.”
3. Setting strong passwords is key to being safe online. Passwords should never be reused. Instead, use unique passwords and store them in a password manager.
Other steps to protect oneself online include using separate usernames for different platforms, separate email accounts for separate purposes, reviewing and maximising privacy on social media and getting rid of obsolete profiles.
Save by subscribing to us for your print and/or digital copy.