Organizational Doxing and The Future of Massive Leaks
What if governments start to dox us?
When a group calling itself The Impact Team dumped 25GB of files lifted from cheating site Ashley Madison’s servers, they were unusually honest in their demands: shut down your site and dissolve your company. A few months before that, 400GB of files from an Italian surveillance contractor called Hacking Team were uploaded to torrent sites, and the politically motivated hacker claiming credit posted, “[Hacking Team] down, a few more to go :)”.
Over the past few years, activists, trolls, and governments have learned that one of the best ways to destroy an organization they don’t like is to get into their servers, grab everything they can find, and publish it all online without redactions.
Security researcher Bruce Schneier calls this “organizational doxing”, but makes the mistake of conflating massive leaks to journalists – like the Saudi foreign ministry cables slowly dribbling out of WikiLeaks – with unredacted and unfiltered data dumps meant to wipe out a target organization and cause maximum harm to the people associated with it.
The latter is a tactic that emerged in 2010 during Operation Payback, when members of Anonymous published 350MB of data from a law firm that represented copyright holders, leading to an investigation by British regulators and the shuttering of the firm. In the years since, it has been used against a variety of targets to devastating effect.
Leaks have been growing exponentially larger, and this is an inevitable side effect of organizations using insecure digital systems as their primary means of communication, and storing huge amounts of information on networked hardware. What qualified as a massive leak in the past – like the Pentagon Papers, or the FBI files that revealed COINTELPRO – was on the order of a few thousand pages. Nowadays when an organization is doxed, it involves hundreds of thousands of documents, since scooping up everything on a server is often as easy as grabbing a single file once you have admin privileges. The leaks are so enormous that news organizations need to design custom search tools and work with software developers just to understand them. The “collect it all” logic behind the NSA’s mass surveillance programs, where everything is hoovered up indiscriminately and sent to a data center for later analysis, works just as well for a hacker with smaller ambitions.
The groups behind doxing attacks often drape themselves in hacker culture clichés, which makes for good press and helps to obscure the actual motives of the group behind a particular attack. During Operation Payback, this wasn’t really a put-on. A decent amount of Anonymous’ imagery and theatrics were lifted from the fictional hackers in V for Vendetta and Ghost in the Shell: Stand Alone Complex, but they really were a decentralized hacker activist swarm going after anti-piracy organizations, finance companies, and conservative politicians – traditional enemies of the scene. They wore masks, but they had a clearly articulated agenda.
Participants in early Anonymous political actions recognized that one of the greatest strengths of the swarm, that anyone can put on a Guy Fawkes mask and claim affiliation, is also a vulnerability: anonymity didn’t just work for them, but also for groups with opposing political goals. When trolls and governments caught on to organizational doxing in the years that followed, they donned the hacker vigilante mask to obscure their real goals and to prey on the public’s fear of and fascination with computer hackers.
A good example is the 2014 attack on Sony Pictures Entertainment, widely attributed to the government of North Korea. The attack began in full Hollywood Hacker style, with a glowing red skeleton popping up on the screen of every computer connected to Sony Pictures’ corporate network, along with a title for their invented hacker group (“Guardians of Peace”) and threats of severe repercussions if their vague demands were not met. Working down the checklist of movie hacker signifiers, the group maximized fear, confusion, and press interest in the early days of the attack.
The fictional hacker group and their demands were a smokescreen. After a few days it was clear that the real endgame for the attackers was to dump everything online and wipe the computers on their way out. The vigilante hacker charade was covering up a government attack.
Similarly, in 2011 the STD test database of Adult Industry Medical (AIM), a health organization for performers in the adult film industry, was stolen and details from it were published by a group of misogynistic and homophobic trolls. They presented themselves as crusaders for truth and advocates for performer safety, even as they published STD test results for thousands of people in the industry and linked their real names and addresses to their stage names. To do this, they tried to co-opt one of the biggest names in hacker culture, calling their site Porn Wikileaks.
The privacy lawsuits that inevitably follow a doxing attack can be debilitating or fatal for the target organization. After the AIM leak, the organization was hit with a lawsuit over their handling of patient records, which forced them to close their doors permanently. Ashley Madison has been hit with a class action lawsuit seeking $578 million after they were doxed, which may threaten the long-term existence of their company. Sony Pictures settled a lawsuit out of court.
Comparing these doxing incidents to the high-profile leaks to journalists in the last few years, it becomes evident that in order to understand the future of massive leaks, it’s important to differentiate between two kinds of leakers: those aiming to reform the target of the leaks, and those aiming to destroy the target.
Leakers aiming for reform typically send their document troves to journalists, whose professional ethics compel them to publish the material carefully and selectively. Leakers in this category, such as Chelsea Manning and Edward Snowden, often have first-hand knowledge of the target organization and clearly articulated political goals. They fit the traditional model of a whistleblower; they’re just using the new tools made available to them by mass digitization, networked systems, and the generally awful state of computer security.
The major downside to this kind of leaking is that redacting and publishing massive leaks can take a very long time. More than two years after Edward Snowden left Hong Kong, we are still learning new information from the documents he passed to journalists, and WikiLeaks has only published a tenth of the leaked Saudi foreign ministry cables since they started in June 2015.
The second kind of leaker, who aims to destroy a target through total exposure of their digital communications, is a new phenomenon. Doxing at an organizational scale became possible when mass digitization placed a huge amount of private information onto networked devices, cheap data storage made it easy for organizations to archive everything by default, and torrents and broadband Internet made it feasible for attackers to release all of that data to the public directly.
The press still plays a role in analyzing the data and drawing out interesting stories, but leakers of this type don’t consult with journalists to decide what to publish. To the extent they interact with journalists at all, it’s to build hype for the data dumps they’ve already decided to release.
Organizational doxing may not always be a bad thing, depending on your political views. Some of the most successful leaks of this type were aimed at extremely unsympathetic organizations, like surveillance contractors selling spyware to Sudan or cooking up plans to smear journalists. If your goal is to wipe out an organization you consider evil, doxing may be a cheap and effective strategy. Unfortunately, as the Adult Industry Medical and Sony Pictures attacks have shown, doxing is equally effective when used against organizations we might sympathize with.
We are still in the early days of organizational doxing as a tactic, and its newness and association with Anonymous and WikiLeaks may lead people to the false assumption that it’s a tool most useful to dissidents and activists. It has not been used very often yet by governments, which have the most targets to hit and the most resources at their disposal. But governments with major surveillance apparatuses already have all of the docs they need on targeted groups, sitting in a data center waiting to be weaponized. What does COINTELPRO 2.0 look like when governments can leak hundreds of gigabytes of private information about any group they don’t like, and do it anonymously, wrapping themselves in the banner of an invented hacker crew?
Even if the person or group behind a given attack can be unmasked, their motives don’t affect the impact of the attack that much, since doxing uses an organization’s own data and internal conversations against it. The best defense against a targeted attack is to make that data hard to access through regular security audits and compartmentalization. The best defense against a global passive attack, where a state pulls in huge amounts of leakable data through mass surveillance, is mass encryption.