@samfbiddle still, conceptually lame. Doxx the powerful.
— Anil Dash (@anildash) May 19, 2014
Doxxing is the process of publishing a person’s private information — bank account, address, medical data, social security, stuff like that — on the internet in an effort to embarrass, shame, or just to harass them. It is not always illegal, but it is always hostile.
Anil Dash, the tech entrepreneur quoted above, has suggested that only the powerful be doxxed, as if powerful people have zero privacy rights compared to ordinary people. He said that in response to Gawker writer Sam Biddle “outing” the identity of an anonymous twitter account for, apparently, no reason whatsoever beyond Gawker’s normal tabloid excesses. Rather than random twitter users, Dash said, you should do that to powerful people.
Nevermind how hypocritical Dash’s stance is (as an actual wealthy and influential person, he should be the subject of doxxing, according to his logic). The idea that it is okay to harass and embarrass a public person simply because they are public is, when you think about, quite horrific. It is the endorsement of bullying, plain and simple.
Anyway Wikileaks has done just that: publishing an archive of the private emails of CIA Director John Brennan. Among the leaked and unredacted documents are Brennan’s security clearance application form, which contains detailed information such as his and his wife’s social security numbers.
There is no sense from Wikileaks that what they are leaking has any relevance at all to government transparency, to civil liberties, or to opposing government surveillance. Rather, it is a vindictive act meant to embarrass an official they have decided does not deserve privacy.
It is a continuing theme among so-called radical transparency and privacy activists: they deserve privacy, but if anything is juicy, or prurient, or in some convoluted way interesting, then there is no right to privacy. That is why Wikileaks published the hacked Sony emails: not out of any concern over how a movie executive ran her company, but because exposure for the sake of exposure is their goal.
Much like the Brennan hack, the Sony hack contained a lot of private, and potentially embarrassing, information about employees: their health records, details of their insurance coverage, stuff like that. And yet, rather than oppose Wikileaks’ willful violation of normal people’s privacy, many journalists eagerly gulped up the emails and used them to generate clicks for a weeks.
There are two things at play here: the first, naturally, is the self-important assholery of believing that simply because someone is in a certain position in life, that they deserve absolutely no consideration or privacy (Wikileaks’ friends have done this, like when the Intercept published a bizarre hatchet job on a Democratic party operative simply because he had succeeded at his jobs).
The majority of these leaks do not establish anything criminal; a small minority of them reveal conduct many consider inappropriate (such as the radical pay disparities for female actors in Hollywood). But above all, they are meant to embarrass through disclosing otherwise private information that should never be made public.
The second bit at play is the public’s tacit endorsement of this form of doxxing, from a voyeuristic desire to see other people’s business to a malicious desire to ruin the lives of public figures people dislike for whatever reason. Brennan’s hack clearly fits the entire spectrum, but that does not justify breaking into his private email and publishing its contents — especially when they have no news value (and most seem to be drafts of papers that were later published publicly anyway).
A man as important as Brennan really had no business using an AOL email account — not even in 2007. And it’s likely that had he used an email service with more stringent access control, such as a long passphrase and two-factor authentication, would have made it either impossible or at least impractical for a teenager to gain access.
But those forms of access control are, at best, one half of an arm’s race — one that targets simply cannot win in the long run without extreme measures. It is the same dilemma as the IED-vs-armor arms race in Iraq and Afghanistan: ultimately it is cheaper to creatively invest small amounts of money into unpredictable attacks than it is to construct a perfect defense. Defense will always lose at some point, and the cycle will repeat. At the end of the day, the Internet is fundamentally insecure, and no amount of investment will make it secure.
But, contrary to what information security types think, the answer is not just more encryption for everyone. That only feeds into an arms race — one they happen to profit from, quite handsomely. Rather, there needs to be a change in norms about security breaches.
I’ve made this analogy before, but think of it like home security: yes locks on your doors and windows are an important first line of defense, but they will never stop a determined thief from entering your house. What we do have, however, is a strong norm against home invasion, coupled to ruinous judicial punishments when a home invader gets caught. It is not perfect, and it cannot prevent all home invasions, but it sufficiently raises the stakes to make it incredibly high risk to deter casual thieves from even a moderately hardened house that might identify them later for the police.
While there are some stiff penalties for computer crime on the books, those penalties are the target of endless criticism by the tech community. Information wants to be free, they all say, unless it’s their medical records or something (what a dumb, immature phrase, but it remains an article of faith to many). Breaking into a computer to steal information is described in euphemism: as “security research,” as “discovery,” as “transparency,” as “lulz.” And when someone does break into a computer to steal information, they are as often lauded as a hero as they are criticized for being a common thief.
Because there is no strong norm against information theft, it is difficult to muster much outrage over the latest round of embarrassing leaks. Does John Brennan’s wife deserve to have her personal information exposed to the public, making her the target of identity theft and credit fraud, simply because she is married to a powerful man? Of course not. But the people gleefully punishing her for her marriage do not care. And as long as they are cheered on, instead of criticized and excluded from polite society, more leaks like this, which hurt innocent people, will only continue.