Usually when talking about personal data in the context of increasing (online) privacy, the discussion is revolving around either one or two of the following subjects:

  1. Removing as much of your data as possible
  2. Populating data about you with disinformation

What I see talked about less (or barely at all) is the active management of your online data and the controlled method of data disclosure. Maybe some dismiss this as a no-brainer, but in my opinion there’s some easy and powerful wins to be gained by giving this third subject the attention it deserves.

Mom’s Spaghetti (of Identity Networks)

In the movie 8 Mile, an aspiring rapper B-Rabbit (played by Eminem) wins the movie’s final freestyle rap battle by rapping about himself, instead of dissing his opponent. When his opponent’s turn comes to perform, the opponent is left without ammunition to use against B-Rabbit, because everything critical has already been said and owned by B-Rabbit.

Similar logic can be applied to online identity management (OIM). But before proceeding, let’s establish what is meant by online identity. I think that researchers Zhu, Carpenter and Kulkarni defined it quite well in their 2012 paper “Understanding identity exposure in pervasive computing environments“:

An ‘‘identity’’ may include one (e.g. social security number) or multiple identity elements (e.g. name, address, physical characteristics on a driver’s license). An identity element is a characteristic that differentiates some people from others. It may be an element to identify who you are (e.g. eye color), what you have (e.g. a sports car owner), what you like (e.g. your favorite sports), or where you are (e.g. via a Foursquare app to report one’s locations). Some elements may never change (e.g. fingerprint), where as others may change (e.g. phone number), or be constantly changing (e.g. current location).

I must point out though, that a lot has changed in both pervasive computing and privacy since 2012. Most notable change being the omnipresent location tracking, with or without the phone user’s consent and/or knowledge.

Okay, so what about 8 Mile? I’m not saying that we should just disclose everything online, but what I’m saying is that we should pick our most important battles and make sure that the related data is accurate, up-to-date and preferably in a format we can control.

By taking ownership of the published facts about ourselves, we

  • reduce the ammunition that could be used against us e.g. in an online smear campaign
  • make sure that at least the first page of search results are legit and give the right picture about you
  • can define what online profiles are actually ours (with Keybase, for example) and
  • can be explicit about what online profiles are NOT ours and hence are not legitimate or are used by someone else who has the same name

 

Of course, everything you put online can be used against you.

About Doxxing

But how can deliberate data disclosure help against doxxing? Wouldn’t the effect be quite the opposite, making doxxing easier?

Well, yes and no. Identity exposure management certainly wont prevent doxxing, but it provides at least two other benefits. First, if you do the opposite and go deep down the rabbit hole while trying to completely remove yourself from the internet, you’re practically painting a big target over your head. There are certain circles that dox people for sport, and they’ll just see your privacy efforts as giving them a worthy challenge. And trust me, their weaponized autism knows no bounds.

Second, it has the potential for shielding against online mobs and their witch hunts, that might erroneously start targeting you when looking for someone else. Likelihood grows especially if you have a somewhat common name. This might not sound like a big deal, but it certainly is! Here’s what Reddit’s general manager Erik Martin wrote about the subject after 2013 Boston Marathon bombings:

…some of the activity on reddit fueled online witch hunts and dangerous speculation which spiraled into very negative consequences for innocent parties.

///

…“let’s find out who this is” events frequently result in witch hunts, often incorrectly identifying innocent suspects and disrupting or ruining their lives.

So in conclusion, in terms of data disclosure less is still definitely more. However, we should start giving some serious thought to make sure that we know what data about us is publicly out there, and how we could impact that data in a positive way. Identity and reputation management are rising trends in cyber security space and for a good reason. For now, it’s still up to us to integrate those concepts to our everyday online actions.

https://www.joellatto.com

3 thoughts on “Controlled Identity Exposure as a Doxxing Countermeasure

  1. Pingback: Why Quitting the Big Five is a Bad Privacy Advice – Joel Latto
  2. Pingback: How to Setup LinkedIn for Better Privacy and OPSEC – Joel Latto
  3. Pingback: Cyber Security in Gaming – Extensive Show Notes for KOVA Podcast X F-Secure – Joel Latto

Leave a Reply

Fill in your details below or click an icon to log in:

Gravatar
WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Cancel

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.