Social media “exposés” expose serious gaps in law and digital morality
Doxxing: This can happen to anyone. You wake up to find that you’ve been fired, there are a dozen reporters outside your apartment, hundreds of unread emails accusing you of crimes against humanity, and finally, that an AI-generated video of you performing unspeakable acts on an endangered Himalayan cat has been circulating widely on Twitter (now X.com). The term “doxxing” comes from the hacker culture of the 1990s and is short for leaking “documents” of a private nature. Hacker collective Anonymous helped popularize the term, but doxxing isn’t exclusive to people like Edward Snowden and Julian Assange.
Twitter’s privacy policy as of March 2024 defines doxxing as “sharing.” [of] “Doxxing is the act of publishing someone else’s personal information online without their permission.” In modern usage, doxxing simply means revealing the legal name of a pseudonymous or anonymous Internet user. It often also involves providing identifiable information about occupation, location, and other data, making it easier for malicious individuals to find these individuals.
Today, people famous and unknown who seek freedom of expression choose to operate online under pseudonyms. Who can blame them? I have previously suggested that you should not choose just two of these: (1) meaningful personal and political expression, (2) a traditional career, or (3) an identifiable online following. Choosing more than two puts you at risk of having your personal information exposed.
We live in perhaps the most censored, professionally regulated and digitally surveilled times in history. The UK has over 90 regulatory bodies covering most forms of work, all of which restrict what named professionals can say in public. At the criminal level, S.4A of the Public Order Act (1994) criminalizes the act of displaying a “threatening, abusive or insulting visual representation”. Anyone who has used the internet for any length of time in the last 20 years knows very well that this is an unenforceable legislative fantasy applied to the pervasiveness of human behaviour online. Normal human behaviour therefore continues anonymously and without restriction online.
Who is anonymous?
In 2013, the Pew Research Center suggested that 86% of internet users take steps to remove or hide their digital footprint online, from avoiding using their names to hiding their IP addresses. A 2014 Twitter study found that between 26.9% and 59.6% of users are identifiable, with the rest remaining anonymous. A 2016 survey of 15-17 year olds found that 65% are anonymous online.
Ten years from now, we can expect even more anonymity online. Internet usage in the UK has increased by a staggering 78.6 percent since COVID-19. As on-ground communities have collapsed, digital pseudo-communities have taken their place. A sitting US president has been banned from platforms and impeached for tweets, a reality that was unthinkable just a decade ago. Heightened privacy awareness seems like a natural response. As anonymous digital identities grow, so will vigilante doxxing in response.
What remedies does the platform offer?
Thankfully for privacy-conscious people, doxxers are rarely hailed as heroes. Instead, they are often seen as attackers. This is especially true in areas of the Internet with a high percentage of completely anonymous users. One such community is found in Twitter’s tech community, a haven for West Coast tech workers who fear censorious retaliation from their Silicon Valley employers. To this subculture, doxxing is tantamount to digital murder. It’s no exaggeration to say that they believe Abraham should have included doxxing in the Ten Commandments.
Many online platforms agree, banning accounts and posts associated with people who reveal personal information, but enforcement can be wildly inconsistent. Twitter’s enforcement seems the most puzzling. For example, the name, likeness, and address of @VlonePredator, an anonymous account with over 300,000 followers, was leaked by a small throwaway account on January 6, 2024. Twitter immediately banned the account responsible.
On June 27, 2024, activist group Hope Not Hate (“HNH”) revealed the identity of anonymous user “Raw Egg Nationalist,” an account with over 200,000 followers. The incident resulted in Hope Not Hate being suspended for six days, meaning that while individuals like the @VlonePredator identity leaker are exposed, others are given amnesty.
The story might have been different if the people who exposed @VlonePredator’s personal information had been hired by a media outlet. For example, former Washington Post reporter Taylor Lorenz revealed the name and address of the anonymous account @Libsoftiktok in her exposé. She then visited their home uninvited and filmed the visit. Lorenz is still on Twitter.
Similarly, The Guardian’s Jason Wilson has previously been the victim of an identity theft across his articles. His latest victim is @L0m3z, an American academic at the University of California, Irvine, who anonymously founded the publishing house Passage Press, which he describes as “an alternative to the increasingly closed worldview of contemporary mainstream publishing”. As Wilson’s article was publicly available, it was not treated as an identity theft incident on Twitter.
In all these cases, the leaking of personal information did not result in an intended personal attack. In Lorenz’s case, the leaking of her personal information garnered a great deal of sympathy. Lorenz was temporarily suspended in 2022, after which two commentators rented a billboard in Times Square saying “Hey [Washington Post] Democracy dies in darkness. That’s why we’re shining a light on you. Taylor Lorenz doxxed @libsoftiktok.” In Wilson’s case, his article was excellent publicity for Passage and only served to compliment the person behind @L0m3z in the eyes of many. That said, Twitter’s enforcement against doxxing (or lack thereof) is at odds with Musk’s February 2024 comment that “any doxxing, including real name doxxing, will result in account suspension.”
The Guardian’s Kenneth Roth suggested that the US government’s actions to pursue Julian Assange under the Espionage Act “threaten to criminalize ordinary journalistic practices” like those of Lorenz and Wilson. In other words, Assange may be the most prolific serial doxxer in history, having doxxed most of the women in Turkey, a significant portion of the population of Saudi Arabia, and 76,900 case files and intelligence reports on the Afghanistan war, to name just a few. Assange’s plea and release will not change this, and it will be interesting to see how Musk reconciles with Twitter’s doxxing policy, given that WikiLeaks frequently publishes leaks on Twitter.
On an individual level, there are two things to consider: If an individual has a large enough following, revealing the true identity of their followers may be deemed in the public interest by Twitter. If they claim to be operating as a journalist, they may be exempt from permanent suspension as well. The most concerning change in Twitter’s policy is the suggestion that it may also be acceptable to reveal the identities of anonymous accounts for the purposes of “gossip” or “allegations.” Adding “and I can’t stand them” may be enough for a doxxer to reveal your identity to millions with no penalty.
What is the legal situation?
So, outside of the US Espionage Act, where does the law stand on the disclosure of private information about individuals? I reached out to Legal 500’s top defamation experts on the subject. Simply put, it’s far from reality. If the digital environment were an adult cinema, then the UK case law and statute on this subject would be the equivalent of two teenagers in oversized trench coats trying to get in while standing on top of each other.
Currently, the only recourse for doxxers is a civil lawsuit for defamation, which is not a cheap one. When it does go to court, it is not uncommon for damages to run into the hundreds of thousands of dollars. One solution would be to make doxxing a criminal offence and impose standard non-custodial fines for the act. Essentially, this would act as a deterrent to people who are doxxed, and a free punitive measure. However, it won’t do much if the doxxer lives outside of your jurisdiction.
The possibility of continued publication (retweeting and reposting) circumvents legal statutes of limitations. Doxxers can arm themselves with multiple accounts and their own followers, creating problems in restoring plaintiffs to their original positions. Cross-jurisdictional issues make defamation lawsuits even more costly to pursue, and doxxers operating overseas are often completely protected. Importantly, for defamation laws to cover “doxxing”, it is not enough that personal information has merely been shared; a person must be harmed in order to bring a lawsuit.
Essentially, doxxing is free; it’s practically a right these days. In contrast, reverting to a pre-doxxed state is a very expensive, time-consuming and largely ineffective legal process that only those with deep pockets can afford.
Conclusion on Twitter/X
Given that no legal solution is available, I believe Twitter (and sites of similar size) need to take a stronger, more permanent approach to suspending doxxers. A temporary suspension is merely an inconvenience, but doxxing an anonymous user is an irreversible act. Doxxers usually have little worth losing, but doxxed parties uniformly have something worth losing.
Sites like Twitter and Instagram offer financial incentives to individuals who divulge personal information, and if users can monetize their profiles and be paid for engagement, why not try to reap the attention, and therefore revenue, that such scandals bring?
Additionally, Twitter itself has a vested interest in generating engagement and site traffic. If a data leak occurs on its platform, Twitter essentially has a monopoly on the story and its associated digital readership. For similar reasons, Twitter also appears hesitant to permanently suspend highly followed accounts involved in data leaks. News of the World’s complicity in phone hacking still exists by proxy; its modern equivalent is social media companies’ complicity in data leaks.
Musk’s comments about zero tolerance for personal data leaks are encouraging
Elon Musk’s involvement with his platform may be seen as a positive in that he personally funds US lawsuits against people who were wrongfully fired due to their tweets, such as the lawsuit filed by @BronzeAgeShawty against his former employer. But like Sauron, Musk can only look in one place at a time. His zero tolerance for leaking personal information is reassuring, but may be empty words given the site’s need to generate revenue. Most of us have to take control of our own privacy, rather than expect enforcement or legal action.
To completely avoid this threat to your privacy, you have two options:
A) You have nothing to lose because you are entirely online and have no interest in analogue life, or B) You have some interest in career, reputation, family and society and are completely uninterested in being online at a time when digital impacts nearly every aspect of our lives.
Of course, option B is a pretty unreasonable request for many people. The University of California, Berkeley’s advice on preventing identity theft is essentially the same, and it assumes that you remain anonymous online and keep your secrets strictly confidential. Until we understand the law and platforms can enforce identity theft policies, we’ll be left in a privacy nomadland.