Computers, Privacy & the Constitution
It is strongly recommended that you include your outline in the body of your essay by using the outline as section titles. The headings below are there to remind you how section and subsection titles are formatted.

Sunlight or Stalking? The Legal Ramifications of Doxing

-- By StewartPollock - 09 Mar 2022

Introduction

Doxing, also known as doxxing, is the act of exposing a web user’s identity and other personal information, such as their location or address. Depending on who you ask, doxing is either an especially malicious form of harassment, or a sometimes-justified act of vigilantism, which can prevent bad actors from using the relative anonymity of the web as a shield for harassment and misconduct. This latter view, which could be summarized as the “sunlight is the best disinfectant” approach, has been at the center of a number of high-profile incidents over the last decade, such as the 2012 doxing of a controversial reddit moderator by the late website Gawker, or the 2016 resignation of an editor for the site Politico after he published the home address of white supremacist Richard Spencer.

Section I: Legal Status of Doxing

Doxing frequently exists in a legal grey area—there is no federal “anti-doxing statute”, but doxing or doxing-esque behavior has been prosecuted under broader federal and state anti-stalking statutes. However, these statutes, which impose criminal penalties, have limited ability to reach individuals who are part of larger campaigns of loosely organized harassment. In particular, statutory language which requires a “course of conduct” by one individual limits the applicability of these laws where many people are involved individually. Kentucky recently passed what has been described as the first true “anti-doxing” statute, which would create both civil and criminal penalties for releasing personally identifying information with the intent to intimidate, abuse, threaten, harass, or frighten individuals. This law, by imposing joint and several liability on would-be doxers, goes further than federal or state laws. However, by moving doxing into the realm of civil law suits, the Kentucky law raises questions about where to draw the line between doxing and legitimate muckraking.

Section II: Federal and State Anti-Doxing Laws

The federal law which most closely covers doxing behavior is 18 U.S. Code § 2261A(2), the federal anti-stalking and cyberstalking statute. This statute makes it a crime to, among other things, use the mail or any electronic communication service to engage in a course of conduct with the “intent to kill, injure, harass, or place under surveillance with intent to kill, injure, harass, or intimidate another person.” Although the language of the statute would seem to cover doxing that is intended to harass or intimidate, in practice courts have set a very high threshold for the applicability of the anti-stalking statute to threats based on revealing personal information. This is because of the specific “course of conduct” language of the statute means that a single threatening post or message is not enough to be prosecutable, even if it contains information that would put the target at risk. As many doxing attacks are coordinated from multiple accounts and users, the language of § 2261A(2) makes holding any individual accountable difficult. Furthermore, there is some evidence that federal prosecutors do not have the capacity to utilize § 2261A(2) in the doxing context, because there are more pressing cases concerning drugs and terrorism.

Several states have laws analogous to § 2261A(2), but they generally suffer from the same enforcement limitations when it comes to doxing carried out by coordinated groups. California’s cybercrime law, codified in California Penal Code § 653.2, has been used to prosecute doxing and doxing-like activities. Under this statute, enacted in 2010, this statute makes it a misdemeanor to use electronic communication in order to (1) intentionally cause another person to fear for their safety; (2) to harass, alarm, annoy, terrorize or cause injury to another person without “legitimate purpose”, and (3) to make personally identifiable information viewable or available to download which would be reasonably likely to cause that person or their family harm. This language is broader that the federal statute, however, like the federal law, California’s statute contains “course of conduct” language which makes it hard to utilize against a particular individual who is acting as part of a larger group.

Section III: Kentucky's "Anti-Doxing" Law

In January 2019, a confrontation at the Lincoln Memorial in Washington, D.C. involving a group of high school students from Park Hills, Kentucky (several of whom were wearing “MAGA” hats in support of Donald Trump) went viral on social media, leading to one of the students, Nicholas Sandmann, having much of his personal information revealed. In part in response to this incident, the state of Kentucky passed a law last year intended to provide both civil and criminal penalties for doxing. This bill, signed into law in April 2021, makes it a civil tort to “release of someone’s personal information [in a way that] would cause a reasonable person to be in fear of physical injury to himself or herself, or to his or her immediate family member or household member.” The Kentucky statute has the possibility of being more effective than federal and state laws which criminalize doxing, because it imposes joint and several liability on would-be doxers, rather than requiring a “course of conduct” by one individual. In addition, the Kentucky statutes shifts away from using criminal statutes to punish doxing, and instead creates a private right of action for individuals who are the target of doxing campaigns. Moving anti-doxing into the civil sphere eliminates one of the major problems with using § 2261A(2) to prosecute doxing, which is a lack of law enforcement resources. However, these attributes of Kentucky’s anti-doxing law, particularly in light of the politically-charged circumstances in which it was adopted, raise questions of a potential chilling effect such a law could have on legitimate journalism.

Section IV: Potential Issues

Laws such as Kentucky’s anti-doxing statute may provide a valuable way for the victims of harassment to strike back against those who maliciously publish their personal information online. However, by creating a private right of action for the release of publicly available information, they have the potential to create a chilling effect on legitimate journalism. Although the Kentucky law has not yet been tested, a relatively narrow construction, emphasizing the “reasonable fear” language of the statute, is necessary to prevent the bad-faith use of the law to prevent the dissemination of identifying information that serves a legitimate journalistic purpose.


You are entitled to restrict access to your paper if you want to. But we all derive immense benefit from reading one another's work, and I hope you won't feel the need unless the subject matter is personal and its disclosure would be harmful or undesirable. To restrict access to your paper simply delete the "#" character on the next two lines:

Note: TWiki has strict formatting rules for preference declarations. Make sure you preserve the three spaces, asterisk, and extra space at the beginning of these lines. If you wish to give access to any other users simply add them to the comma separated ALLOWTOPICVIEW list.

Navigation

Webs Webs

r3 - 10 Mar 2022 - 19:31:53 - StewartPollock
This site is powered by the TWiki collaboration platform.
All material on this collaboration platform is the property of the contributing authors.
All material marked as authored by Eben Moglen is available under the license terms CC-BY-SA version 4.
Syndicate this site RSSATOM