1. 62
  2. 17

    I don’t think journalistic ethics have caught up with the ethics around doxing yet. The problem is that journalism tries to answer some basic questions, like “who, what, where, why, when, how” and historically, “who” has been a meatspace “who” because that was the only “who”. Now folks have persistent online identities, so it would be reasonable to refer to this guy just as MalwareTech and it would be fine. “Who” in this case doesn’t have to just be, “an anonymous person online” because MalwareTech is himself an identifiable person online, separate from what he does in meatspace.

    Clearly, some kinds of doxing aren’t OK in journalism, like publishing someone’s address, telephone number, or social security number, but violations of privacy have always been somewhat fuzzy. Cf. paparazzi, or revealing who Elena Ferrante was.

    For what it’s worth, the SPJ code covers this kind of thing, but I suspect it will still take more time for journalists to get a good sense of how this works in the internet era.

    1. 3

      And now I was sitting here, slightly confused whether Simon Peyton-Jones gave an enlightening talk about online privacy that I missed before I followed the link …

    2. 8

      It was irresponsible and dumb.

      It’s also what journalists have done forever. The term “doxxing” is the new part… the idea of allowing people to preserve the anonymity of their online identity is relatively new. I think we’re going to see a protracted struggle to establish a new cultural norm about this.

      For example, can you believe that companies used to publish big books with everybody’s name, home address, and phone number printed right in it? And they would give it away totally for free. (I’m only half-joking… kids now are stunned to learn that phone books used to be a thing.)

      1. 2

        > allowing people to preserve the anonymity of their online identity

        It’s more of a collective fiction. Let’s all pretend that what we wrote last year can no longer be accessed by the people we have silly feuds with today. So many people think that this is a good idea, that even the European Union took it seriously and gave people the right to rewrite online history to better suit their mood.

        Real anonymity is hard, with almost all the communication channels wiretapped with the excuse of terrorists and paedophiles, so we’re supposed to focus on pretend-anonymity now. Unfortunately, it’s working.

        1. 9

          I have to disagree. Your point about the intractability of the problem is well-taken, but taking the attitude that anonymity is a fiction has the result that nobody feels responsible for fixing it.

          Besides, there actually is a clear line here: Disclosing somebody’s legal residence has very real consequences for them. And it’s clear that putting it together in this case wasn’t an easy task, even though the information was nominally “public”.

          People who have the knowledge and experience to follow that kind of trail should be careful about how they use it, just as a locksmith shouldn’t go around unlocking random people’s doors and rationalize it by saying they’re just rearranging public pieces of metal which were on the outside of the home.

          1. 4

            Unlocking a locked door is clearly a single unified action. There might be some objective sense in which it’s a bunch of separate movements of pieces of metal, but no human would see it that way.

            There is something deeply, viscerally oppressive about the idea that it might be ok to read published fact A, read published fact A => B, but not ok to publish B. It seems like 1984-style doublethink.

            1. 4

              I think your second paragraph is insightful, and gets to the heart of a lot of objections to my position, especially objections from technically-minded people. Thank you for saying it.

              I nonetheless do take the position you mention. “Not okay” is a pretty broad term, and I’m not suggesting it should be illegal… but I really do feel that it’s the consequences, not the actions themselves, which should have primary importance when we talk about ethics.

              I don’t really think the “single unified action” thing is a meaningful distinction; I think that it’s a valid perception, but more a matter of perspective than anything really different between the scenarios. I had to hire a locksmith not long ago, which is why it came to mind; I’m pretty sure it was a bunch of individual steps to him, establishing tension then working one pin at a time, even though to me the upshot was that I waited a few minutes and then my door was open. (It was also somewhat frightening how few minutes it took.)

              1. 2

                > I don’t really think the “single unified action” thing is a meaningful distinction; I think that it’s a valid perception, but more a matter of perspective than anything really different between the scenarios. I had to hire a locksmith not long ago, which is why it came to mind; I’m pretty sure it was a bunch of individual steps to him, establishing tension then working one pin at a time, even though to me the upshot was that I waited a few minutes and then my door was open. (It was also somewhat frightening how few minutes it took.)

                Well, put it this way: I don’t think there are many noncontrived cases where it would be unclear who had unlocked your door. I mean it would be possible for a locksmith to jiggle a few pins, leave the tools in place, and have another locksmith come and finish it off, but I don’t think that’s a common enough case that we need to worry about the morality of it.

                I’m reminded of the “ghost gun” business in the US. Roughly, from memory: commercial gun sellers are required to register their sales, but private individuals are allowed to make their own guns, and gun professionals are allowed to sell replacement parts or help people assemble guns without needing to check registration. Eventually the government was obliged to formalise things, and thus we have the “80% finished lower receiver”: one particular part is regarded as being “the gun”, and it’s considered a piece of metal after it’s shaped but before the holes are drilled in it, and a gun afterwards. So to “make” your own gun you can buy the parts, drill the holes in that one piece yourself, then get it assembled.

                Kind of absurd, but at least they did manage to draw a line somewhere. Doing this with linking a name and address is much harder - is it the person who publishes that person x went to school in town y? The person who publishes that internet personality z is a fan of sports team w?

                It doesn’t feel like it should be the person who puts published facts together, though maybe that’s my biases. The classical philosophical tradition is that all true logical statements are regarded as vacuous; if we knew all the facts that lead us to a given conclusion, then we already knew the conclusion. This is unsatisfying when it comes to something like Fermat’s Last Theorem, where the proof was clearly an enormous amount of work. But we don’t really have a good model for assigning credit/blame for that kind of work - for mathematical theorems the credit tends to go to whoever puts the capstone on, but that seems rather unfair. We seem to be approaching these inferences the same way.

                1. 3

                  Sorry I missed this yesterday.

                  You make a fair point. The category of response I’m thinking about is: I’m less interested in assigning blame than in raising awareness. If people are conscious of how the information they’re sharing could be used against other people, we can get to a higher level of responsibility. It would be unreasonable to demand constant caution until awareness of the threat model is widespread.

                  If I were trying to assign blame, I’d place it on everyone who could reasonably anticipate the result. People who post things; site owners who don’t have a process to remove private information; unnecessarily broad data-retention policies; people who train customer-service representatives and don’t adequately prepare them for social engineering … In this particular case I do imagine some of the blame belongs with the journalist who put the pieces together; I kind of doubt that it was entirely a matter of web searching, or it would have happened long before.

                  But I really am not trying to assign blame so much as encourage people to take responsibility. I understand that this must seem like a fantasy, but if every raindrop decided to be responsible, there wouldn’t be a flood.

            2. 0

              > People who have the knowledge and experience to follow that kind of trail should be careful about how they use it, just as a locksmith shouldn’t go around unlocking random people’s doors

              A more appropriate comparison would be a photographer going around public places and taking pictures. Not illegal, not immoral, not unexpected. (yes, I think requiring Google/Bing Maps to blur faces and street numbers is absurd).

              1. 5

                You’re just restating your position that there’s nothing immoral here. I don’t want to put words in your mouth, but I understand your reasoning to be that people should expect doxxing to happen, and therefore there cannot be anything wrong with it, regardless of its effects. But I expect a laptop to get stolen if I leave it visible in my car; that doesn’t mean the thief has done nothing wrong. Have I summarized accurately? Do we agree on that example? Does it seem like a relevant example to you?

                You don’t have to debate, of course, and I’m happy to drop this if you want to. Just to say that, because it can’t be taken for granted.

                1. 1

                  > Have I summarized accurately? Do we agree on that example? Does it seem like a relevant example to you?

                  No, of course not. My position is that “doxxing” is nothing more than journalism and that journalism is not illegal, not even when done by amateurs.

                  1. 3

                    Heh, well it’s of course to you, but that’s why I asked…

                    I feel like there are a lot of things that cause serious harm that aren’t illegal. The law necessarily takes a quite weak position on what things people should avoid doing. There’s no law that says you can’t cut in line at the supermarket, but don’t do it, anyway. I don’t really see the law as relevant here at all, so I doubt we’ll find agreement.

          2. 2

            > For example, can you believe that companies used to publish big books with everybody’s name, home address, and phone number printed right in it? And they would give it away totally for free. (I’m only half-joking… kids now are stunned to learn that phone books used to be a thing.)

            Are phonebooks no longer a thing in the United States? When did that stop?

            1. 1

              They were still publishing them as of a couple years ago, but I suspect they were mostly used as a source of free kindling for backyard BBQs.

              1. 3

                The Bells no longer print phone books themselves; that business was sold off, at least ten years ago, to independent companies. I’ve met salespeople who were doing hard-sell approaches to get local businesses to buy ads in the yellow pages, which was always a significant revenue source and now seems to be all that’s left.

          3. 8

            Since we’re doing hot lobster takes this morning: I don’t think investigating who MalwareTech was was irresponsible or dumb; it makes a difference to the story if it turns out they are a rival hacker gang, for example, or some hazy Illuminati front.

            However, once they worked out that it’s a young person who was curious and lucky, they should have treated him as a source to be protected, not a scoop to be published.

            1. 5

              I don’t think publishing someone’s identity beyond “rival hacking group” is necessary though. Knowing their real name, age, and day job doesn’t change the story to you, the reader. Maybe the media learns it, but they’ve been dealing with anonymity in sources forever. There was absolutely no reason to publish any of his personal information beyond the “security researcher” part.

              1. 3

                The problem here isn’t that he is doxxed, but that a man is somehow in danger because he stopped a malware from continuing to damage people’s lives and properties and that the societal arm responsible for protecting its citizens isn’t effective enough to give him peace of mind.

              2. 10

                So I guess this security researcher is gonna get hit by the mob, nice job journalists.

                1. 3

                  To be fair, it’s not as if it was the only security researcher the mob knows about. Why would the mob hit someone who just happened to shut down their malware by chance? There are many researchers that can be easily found and that are known to actively work on and track malware families. There are even some that are known to shut down botnets from conferences…

                  Don’t get me wrong, the press doxxing people is stupid, but saying the guy is now in danger because of this is rather naive.

                  1. 8

                    He may not be in immediate danger, but his doxx are irreversibly out there. Nothing says he won’t become more interesting to dangerous people in the future.

                    1. 6

                      Exactly, and the fact is we simply don’t know if he’s in danger right now. He really might be, and if he does get a nasty visit, then it really would be on the journalists, who outed him purely for their own ends. Totally irresponsible and selfish. Sure, if they found him then sufficiently motivated bad actors could too, but the point is, the journalists did it for them, for free.

                      I saw a piece earlier which just said “he lives in Cornwall and works for a security company” and thought even that was irresponsible, given the extent of the potential nastiness of people who carry out organised crimes. But putting the guy’s name out there? Really? Out of control.

                      1. 2

                        The data was already irreversibly out there. Someone just brought it together. Do you believe that “the mob” doesn’t have the resources to do the same if it wants to? Only, probably in a way that would give him less warning.

                        1. 3

                          That’s addressed in the piece - the researcher says he always assumed it would be some criminal who tracked him down. But instead, it was a journalist who got there first. Probably because they’re specifically trained to do this kind of investigation, don’t you think?

                    2. 2

                      I don’t think it’s legitimate to blame the journalist for other people’s criminal actions.

                      If the mob cares enough to harm this guy, then they were certainly looking for him already, and if the journalist could find him, then so could the mob.

                      Second, the logical extreme of your position is that everybody should censor themselves because information may be used by criminals, which I don’t agree with.

                    3. 3

                      In this brave new world we live in, “doxxing” is used to label and shun investigative journalism. If it can be argued that unlicensed civilians researching public information about somebody can have unpleasant consequences, trying to stop actual journalists from doing it is absurd.

                      1. [Comment removed by author]

                        1. 1

                          The point is not whether it’s useful to investigate this guy through legal means (though one can argue that the arsonist-fireman scenario is a real possibility), but whether it’s desirable for people to pretend that publicly available data is somehow private from individuals, even if we all know that multiple organisations collect it freely.

                      2. 3

                        So the other implicit message here is that attackers might have part of their (illicit) budget (to be) earmarked for the harassment of members of the security community, up to and including the bribery of shady British tabloids, at a minimum.

                        I guess, when conducting crime research, one needs to be prepared, and anticipate people in the loop who don’t play fair, or follow the rules. (…especially if there could be gaps in the legal framework which provide for certain loopholes, since the nature of the beast being hunted is, indeed, one that deals in the exploitation of technicalities.)

                        1. [Comment from banned user removed]

                          1. 4

                            Do they have federal crimes in the UK?

                            1. 1

                              How so?

                            2. 0

                              Doxxing [most anyone] is irresponsible and dumb.