Who Let the Doxx Out?

By Adrian Tan

New anti-harassment law in time for new virus panic.

The Covid-19 crisis that began in Wuhan, China, brings to mind earlier epidemics.

In 2003, we were in the grip of the severe acute respiratory syndrome (Sars). It was the first pandemic in the era of the Internet, blogging and social media. Amid the panic about infections, one individual was widely labelled a “super spreader”. Her name and personal details were published. She was blamed for infecting over a hundred people in different countries. Her own family died of Sars. She survived, but was widely, and unjustly, criticised.

In 2009, the first H1N1 patient’s name was published. She, too, was cursed on social media, merely for unwittingly importing the virus.

Fast forward to 2020: If you found out the name of the first person infected by the coronavirus in Singapore, would you share it? You shouldn’t, because of a new anti-doxxing law that came into force last month.

What is doxxing?

To “doxx” means to identify someone publicly on the Internet. It’s a cyber weapon used to harass and victimise. Last year alone provided two memorable examples.

Just before Chinese New Year’s Eve last year, social media was ablaze with a video showing a dispute between a Gojek driver and his passenger. The argument culminated in an allegation of hostage-taking. The mainstream media piled in. Netizens leaked personal details of a person, supposedly the passenger in the video. Her name, photograph and workplace were shared online. Memes and jokes were spread to criticise and humiliate her.

And just before Deepavali, another social media clip made the rounds. It showed a condominium resident berating a security guard. The press reported it. Readers took sides. People circulated details of a person (supposedly the condo resident). His name, photograph, workplace and income were shared. But those details belonged to a completely different person who just happened to share a similar name and workplace. Nevertheless, a campaign was started to lobby his employer to sack him, and another group tried to put pressure to have him deported.

Doxxing is a bad thing. It’s carried out with malicious intent, in order to embarrass or harass a fellow human being. Doxxers expose your birth date, address, telephone number, employment information, and photographs of friends and family. The idea is to humiliate and destroy.

The victim might suffer in other ways. Because confidential information is disclosed, identity theft becomes a risk. Crooks can piece together someone’s personal information and misuse it. To make things worse, the Internet never forgets. Years from now, if that person applies for a job, and a prospective employer googles him, the doxxed information might reappear.

Why do people doxx?

We know doxxing is bad. But why do people do it? It happens when people become upset with a wrongdoer and feel that the wrongdoer will get away with bad behaviour. Usually, it isn’t anything as serious as a crime. The wrongdoer will not be punished by the authorities. So people feel that something must be done. They have to take matters into their own hands, to name and shame.

Doxxing is “street justice”. It increases as people lose confidence in society’s mechanisms to punish misdeeds. And doxxing is easy. Anyone can publish a photograph of you and name you, without your permission. That’s why we do so much of it on social media. Users happily fill up their Instagram and Facebook with pictures of people, without their consent, and with names tagged to faces. Add to that the anonymity of the Internet, and we have the perfect conditions for mob violence through doxxing.

Anti-doxxing rules comes into force

The Personal Data Protection Act doesn’t help. It regulates how companies and businesses have to safeguard our personal data, but it doesn’t control private citizens.

Thankfully, it is now illegal to publish identity information about someone, with the intention to harm that person. This has come about because of an amendment to the Protection from Harassment Act (confusingly abbreviated by lawyers as Poha).

The upgraded Poha makes it a crime to publish your identity information if it is done with a bad intention. Broadly speaking, that would be the intention to cause you harassment, alarm or distress (and that it does make you feel that way), or an intention to cause fear of violence or facilitate violence.

“Identity information” means any information which can help identify you: It includes your name, residential address, e-mail address, phone number, date of birth, NRIC or passport number, password, photo or video, and even your signature.

The amended Poha gives examples of what is okay and what is not. Here are two examples.

X and Y were formerly in a relationship. On social media, X accuses Y of promiscuity and posts photos of Y, together with Y’s mobile number, saying “contact her for a good time”. Y did not see the posts, but is harassed by calls and messages from strangers propositioning her.

Verdict? This is not okay. X is guilty of an offence. This is because X intended to cause Y to be harassed, and Y was in fact harassed. X can be jailed or fined.

Here’s another example: Q records a video of R driving recklessly. Q posts it in a chat group, where members share clips of dangerous driving, commenting: “Let’s avoid this.”

Verdict: This seems okay. Q didn’t intend to harm R. Q was trying to educate others.

So, intent is the key.

Good, but it could be better

Our Poha is a new and improved version of laws elsewhere. The United Kingdom and Australia have laws that may be used to prevent doxxing, but those laws were passed more than a dozen years ago, before social media became popular. The United States doesn’t appear to have a federal law criminalising doxxing, but it does have an anti-stalking law that can be used for certain situations. Most other countries don’t have any anti-doxxing laws. The Singapore law, coming into force this year, is the most recent and most specific.

There are still gaps. Our law says that you can’t post personal information if you intend to harass. I would like a rule which says you can’t publish certain types of information, no matter what the intention. For example, you shouldn’t be allowed to publish someone’s income, contact details, or health information, regardless of your intention. Once the information is on the Internet, it remains there forever. It will facilitate and enable future harassment.

Antidotes to doxxing

We lawyers know the laws aren’t a cure-all. Parliament can make doxxing illegal, but that doesn’t mean it will disappear. To stamp it out, we need to do more, as individuals and as a society.

As individuals, let’s fight the urge to share everything – with social media, it’s too easy to spread videos and messages quickly and unthinkingly. There will always be incidents where people will behave badly. We will be outraged or alarmed. But each of us has to pause to consider if we ought to be an agent for anger. Sometimes, it’s better to let matters cool than to act in the heat of the moment.

As a society, we have to give the system time to work. The authorities, on their part, must be quick to watch for incidents that spark unrest and give offence. If action is needed, then that must be said, as soon as possible.

This is where some of our politicians are more effective than others. Leaders who speak up quickly and clearly, on issues that capture the public’s attention, are doing their duty to dissuade doxxing. When people know the authorities are on top of things, and are taking a strong stand, people will feel less inclined to take matters into their own hands.

Doxxing happens as part of a wider social narrative. In the Gojek incident, it was about race. In the condominium resident case, it was elitism. For overseas epidemics, we might be dealing with xenophobia. It’s important for us, as a society, to challenge such narratives. So community leaders and thought leaders must speak up when harmful narratives are propagated. If too many of us take a back seat, then others will seize the microphone and influence the message.

Will I be a victim?

We’re all human. We get upset, and we say or do things that we regret. In this age of camera phones, it’s all too easy for us to be caught at our worst moments and for those moments to define us forever. How can we reduce the risk of being doxxed?

First, avoid being inflammatory on social media. The more you hurt people, the more likely people will want to get even. That’s just life.

Second, if you are ever in an argument, or in an altercation, try your best to see if anyone is recording it. If so, take steps to ask that person not to distribute the recording. Ask politely; don’t threaten. Threats seldom work, and often backfire.

Third, if you are portrayed online as a wrongdoer, take immediate steps to control the narrative. Make a public statement. Tell your side of the story. Apologise, if you should. Be the first to let your HR department know.

Finally, if you are doxxed, report it to the police. Doxxing is against the law. Protect your rights.

2019 was a bad year for doxxing. As we enter the Year of the Rat, let’s say goodbye to the year of mindless mouse-clicking. Let’s say goodbye to “The Year of the Doxx”.

There will be a lot of unverified information out there. Don’t be a super spreader.

A version of this article was published by the Straits Times on 13 February 2020 under the headline “Taking a strong stand against doxxing”.


TSMP law corporation