Doxing (or doxxing) is a dangerous form of intimidation involving the publication of someone’s personal information such as their private email, personal phone number, home address, family address, etc. on various platforms in an attempt to frighten the individual and encourage additional harassment by others. Even if an individual’s personal information is not posted, sharing certain information without permission about an individual may still be a form of online targeting because of the implicit encouragement that others criticize or harass the person being targeted.
Recently, a number of students, faculty, and employees have been subject to targeting/doxing. The University takes these incidents seriously and they are being investigated. Targeting/doxing committed by University affiliates violates University policies (see, e.g., Information Security Charter and Acceptable Usage of Information Resources Policy). This conduct will not be tolerated and will be referred for disciplinary action in accordance with our policies. When such conduct is done by individuals or organizations outside the University community, the University’s options to address the conduct are limited—but we are committed to supporting the University community as best we can within those limited options. As of November 1, 2023, the University has created a Doxing Resource Group to continue exploring ways we can support our community. The Doxing Resource Group can be reached at [email protected].
In an effort to support our community and, in particular, students facing online targeting and/or doxing, we are sharing this resource, containing potential actions to mitigate targeting/doxing.* Additional resources for members of the Columbia community during times of crisis can be found here.
*This document uses information provided in Harvard University’s “Protecting against online abuse and harassment: resources for the Harvard community.” The Harvard document provides detailed advice, more ways to contact social media companies and other platforms regarding possible rules violations, and sample takedown requests. Additional information can be found through a variety of sources, such as CNN and UC Berkeley. See also the end of this document for a sampling of additional resources.
Potential Responsive Actions
If you have been targeted/doxed, consider the following actions (explained in further detail below): (1) request takedowns of false statements that may have been made in error, (2) request that platforms and web domain registrars remove abusive content, (3) document the abuse (i.e., preserve evidence), (4) report threats and other criminal misconduct to law enforcement and Public Safety, (5) obtain legal advice regarding consequences to you and possible civil actions against abusers, (6) delist from University directories and/or limit the availability of your directory information, and (7) scrub your online data.
(Please note that the links below have not been fully vetted and/or adopted as policy or practice by Columbia University. They serve as a means for additional guidance and support.)
If an individual or organization has targeted/doxed you along with false or misleading statements about you on their website, social media accounts, or elsewhere, and these statements are causing you harm, consider sending a written request to the organization to remove or correct the statements. In such a communication it is important that you: (1) identify yourself, (2) identify the statements that are false or misleading, (3) explain why the statements are false or misleading, and (4) describe how the statements are harming you.
But please carefully consider your options. Each situation is different and you will need to make judgments about what may be helpful or hurtful. For instance, it could be counterproductive to engage directly with a social media account that is targeting you—it rarely makes sense to “feed the trolls.” It may be better to report directly to the social media platform or web hosting service (see No. 2 below) if the site maintains community standards and those standards have been violated.
If a user account has targeted/doxed you on social media, you may submit a takedown request to the platform, in accordance with the platform’s rules and requirements. For example, on YouTube, you can click the “Report” button underneath the frame on each video’s webpage. To reveal the “Report” button, click the icon with three dots on it, just under the bottom right-hand corner of the video.
If the content is posted on a website operated by the individual(s) who targeted/doxed you (rather than on Instagram or a similar platform), you may still be able to request that it be taken down by contacting the web hosting service. Many companies that provide web hosting services have their own community standards/acceptable use policies and allow visitors to websites to report abuse. For example, see GoDaddy: Universal Terms of Service § 5 (“General Rules of Conduct”), Report Abuse.
You can find out which platform hosts a website by entering its URL into this database
If you are experiencing online abuse, harassment, or threats related to being targeted/doxed, consider taking steps to preserve evidence (though do this in a way that does not force you to re-read upsetting content, such as asking a friend or relative to assist):
- Save all emails, voicemails, or text messages that you receive.
- Take screenshots or photos of comments on social media; such comments can be deleted so screenshots are often useful to help document them.
Unlike some states, New York does not have a law that makes doxing illegal. However, there are laws against harassment and intimidation. The NYPD may take a report when targeting/doxing is accompanied by harassing or similar conduct.
If you or those close to you are in imminent physical danger or there has been a direct threat of physical violence, you should immediately call 911 (and you should contact Public Safety as soon afterwards as you can).
If there is no immediate physical threat, but you have received a threat to your personal safety or feel you have been criminally harassed, you can call the NYPD.
In addition to contacting the NYPD, you can report being targeted/doxed to Public Safety:
- If you are a Columbia or Union Theological Seminary student, report to Columbia Public Safety and submit a report to the University.
- If you are a Barnard student, reach out to Barnard CARES.
- If you are a Jewish Theological Seminary student, reach out to JTS Safety.
- If you are a Teachers College student, reach out to TC Public Safety.
Federal and State laws provide significant legal protections with respect to free speech and expression. But those protections are not absolute. For example, the First Amendment does not protect obscenity, defamation, fraud, incitement, or speech integral to criminal conduct.
Although free speech principles may present legal barriers to lawsuits (and criminal prosecutions) based on individual’s speech, you may wish to explore issuing a cease and desist letter and whether to pursue a legal complaint for online harassment related to targeting/doxing. In doing so, be sure to explore with a lawyer the benefits and risks of pursuing a legal claim, the cost of doing so, and the barriers to a successful claim.
While Columbia’s Office of the General Counsel (OGC) cannot, as a general matter, provide legal advice or representation to individual members of the University community about personal matters such as doxing, the Help for the Public section of the OGC website has links to websites where you can find legal resources, including information to assist with pro bono cases.
If you are concerned that online harassers can find you on campus or use your Columbia email or phone number to direct harmful communications to you, you may request that some or all of your personal information be removed from University directories. Instructions for making this request are available here.
Students may also direct their schools not to disclose information that has been designated as “directory information” under the Federal Education Record Privacy Act (FERPA). Under FERPA, schools may disclose a student’s directory information unless the student opts out. For more information about what qualifies as “directory information,” please visit the University Polices section on FERPA. To institute a FERPA block, please contact your school’s registrar’s office (links below).
Removing as much personal information as possible from across the internet can be a time-consuming and challenging task. The New York Times Digital Security Education Hub contains a list of resources for doxing security training, as used by The New York Times. These resources can help you prevent potential doxing by removing sensitive information from public access.
There are also services that can assist for a cost. This Consumer Reports article shares individual steps you can take, along with several companies who do this work such as Kanary and DeleteMe.
Additional Resources
- What is Doxxing and How to Avoid It (Heimdal Security, 2021)
- How to Protect Yourself from Doxing (MalwareBytes, 2019)
- I've Been Doxed: What to Do in the First 24 Hours (Medium, 2018)
- How Do I Avoid Getting Doxed? (Security Today, 2019)
- Online Harassment Field Manual: Protecting from Doxing (Pen America)