The term “doxxing” has been in the cybersecurity news for over a decade, but it gained universal recognition when Elon Musk, the owner and CEO of Twitter, suspended the handle @Elonjet in December 2022 due to doxxing concerns. Jack Sweeney, a 19-year-old freshman from the University of Central Florida, started monitoring and sharing information about Elon Musk’s flight paths in June 2020, which was published live on @Elonjet. Sweeney turned down Musk’s initial offer of $5,000 to shut down the Twitter account and requested $50,000 instead. Despite Musk’s refusal to pay, the account gained over 300,000 followers and was later blocked by Twitter in December 2022 due to Musk’s concerns about his personal security.
The act of doxxing is the act of curating and publicly announcing Personal Identifying Information (PII) about a person, group of people, or a firm on the internet. Sweeney’s initial motivation for tracking flights was his hobby, which began with monitoring influential personalities’ jets but expanded as he gained popularity. Sweeney tracks more than 127 other flights, including those owned by influential individuals such as Bill Gates, Jeff Bezos, Donald Trump, and several Russian oligarchs, including Vladimir Putin. He also recognized the potential of transforming his hobby into a business due to the significance of the information he had access to.
After Musk acquired Twitter, the @Elonjet account was restricted in December 2022, and subsequently blocked, along with the personal Twitter handle and other flight tracking accounts operated by Sweeney. The move was part of the larger Twitter account suspensions in December 2022 due to accusations of doxxing.
Many of the suspended journalists said they had not violated the rule, and while some had included links to @ElonJet in their articles or reported about the account, it was already suspended at the time. Mastodon’s Twitter account was also suspended after linking to @ElonJet. Musk ran two Twitter polls asking followers when the accounts should be restored, and in both cases, a majority of users said it should happen immediately. Following those polls, Musk reinstated several of the accounts, but others remained suspended, and some journalists were told that their accounts would not be restored unless they deleted certain posts, as outlined in the Twitter enforcement policy.
Cybersecurity practitioners have noted the thin line of classification between threat intelligence and doxxing, with the intention and purpose behind the collection of information being the main difference. Cyber Threat Intelligence (CTI) is a crucial tool for preventing, detecting, and responding to cyberattacks. CTI can be classified into three types: strategic, tactical, and operational. Each type serves a unique purpose, and integrating them provides a comprehensive understanding of the threats an organization faces.
“Threat intelligence is the collection and analysis of information about potential threats to an organization or individual. This information is typically limited to Tactics, Techniques, Procedures (TTPs) and Indicators of Compromise (IOCs) from threat groups,” explained Brad Freeman, Director of Technology at SenseOn. “It does not normally extend to personal information about the actors involved in the activity.”
While cybersecurity companies are unanimous in their stand that doxxing is harmful, a crucial factor turns detrimental in determining whether threat intelligence gathering falls under doxxing: the source of the information. “While the concept of doxxing is decades old, doxxing is still alive and well today, and it can be very dangerous. Once someone’s physical address, job location, phone number, email, or other information is out there, they become an easy target,” read an advisory by cybersecurity company Avast. The act of doxxing has become simpler than ever in the era of technology. A person can easily search for and find personal information about someone else with just a few clicks. Typically, this information can be located on various social media platforms, forums, and websites.
In conclusion, the debate on whether open-source intelligence (OSINT) methods and processes can be considered doxxing is ongoing. Cybersecurity practitioners have emphasized the intention and purpose behind the collection of information as the main difference between threat intelligence and doxxing. CTI is a crucial tool for organizations to prevent, detect, and respond to cyberattacks, and integrating the different types of CTI provides a comprehensive understanding of the threats an organization faces. However, the source of the information is a crucial factor in determining whether threat intelligence gathering falls under doxxing. The act of doxxing has become simpler than ever in the era of technology, and it can have serious implications for the personal security of individuals.