This week, Prime Minister Anthony Albanese announced the government was seeking to strengthen laws to combat doxing. Its ongoing review into Australian privacy law will now be expanded to include doxing, as will other laws covering hate crime and hate speech.
Doxing (sometimes doxxing) is shorthand for “document drop” and is the act of publishing identifying material about someone publicly, without their consent.
Doxing someone can lead to real-life harms, potentially including job loss, violence against the person, their family members and pets, and serious mental health issues.
What any legislation from that review will look like is hard to say at this point. But how has it worked internationally, and would it work here?
Doxing or in the public interest? Free speech, ‘cancelling’ and the ethics of the Jewish creatives’ WhatsApp group leak
What are other countries doing?
New laws around doxing came into effect in The Netherlands at the start of the year. This makes it illegal for Dutch citizens to obtain and share other people’s personal information without their permission and then use it to harass or target them.
Dutch conspiracy theorist Huig Plug was arrested earlier this month under the new legislation for allegedly doxing a member of the public prosecutor’s staff.
In the United States, laws like this are state-based. California has a special part of its law around so-called “indirect cyber harassment”, which is defined essentially as doxing.
In both of these examples, the doxer has to have intent to harm. They are posting the information because they want someone to, say, lose their job or be opened up to harassment.
The Dutch law goes slightly further in that it is also an offence to make someone’s job harder, as opposed to causing them to lose their job completely. The Dutch laws also carry harsher punishments for doxing people such police, lawyers and politicians.
From a legal perspective, showing intent to do someone harm can actually be a harder bar to pass than people might think. So, if Australian law follows this pattern, it could be difficult for plaintiffs to prove that being doxed has caused them genuine harm.
Not a new problem
Doxing isn’t a new phenomenon and there have been some high-profile doxing cases over the past few years.
What is doxing, and how can you protect yourself?
One of the most famous global events was the Ashley Madison data breach in 2015, which resulted in job losses and suicides. The current discussion, however, hinges around the sharing of information from a private WhatsApp group of 600 people and in the context of the ongoing war in Gaza.
We’ve seen the hasty introduction of legislation in these types of circumstances in the past, most notably the Sharing of Abhorrent Violent Material Act, which legal scholars criticised at the time for a lack of detail and it’s rushed introduction to parliament.
We saw similar concerns when the Morrison government introduced anti-trolling laws in 2021. I wrote at the time the law wouldn’t help victims that much, partly because it was practically impossible to police.
While the current discussion into changes in the law around doxing are happening, it’s worth revisiting some of these issues.
How can we police the internet?
The first thing to note is that it’s really hard to police what happens on the internet. There are several reasons for this.
The main one is that the internet is what we call inter-jurisdictional. There’s a mess of different laws around the world, and no real way to use them if you’re in a different country. This means if someone in The Netherlands doxes you in Australia, you can’t sue them under their laws, because you aren’t a citizen there. You also can’t do anything under Australia’s laws, because the perpetrator is not a citizen here. In short, to make this work, we would need global cooperation akin to Interpol.
The second reason is because Australian laws apply only to people currently in the country, there are many ways to get around them online. People can use anonymous accounts and virtual private networks (VPNs) to hide and make it hard to trace exactly who the culprit is and where they are.
The third comes down to the definition of what’s considered “public”. For example, a lot of doxing is done in smaller private groups with the express purpose of that community attacking specific people. That private information is still being shared without the consent or knowledge of the victims. In fact, as the journalist Ginger Gorman notes this is the type of behaviour that “predatory trolls” often engage in.
Trolling and doxxing: Graduate students sharing their research online speak out about hate
Finally, do we really need these laws when existing ones already cover many of the behaviours associated with doxing?
The biggest of these are found in the federal criminal code, a piece of legislation that deals with the use of telecommunications for crimes. It outlines the “use a carrier service” to threaten, harass or menace someone. This includes “hoax threats”. Penalties for these behaviours range from five to ten years in jail. There’s similar wording in the Online Safety Act.
While it’s great to see the government working to reform and strengthen existing legislation, I’m not convinced that these types of laws will have much impact given the complexity of policing online behaviours.