Updated at 2:12 PM EST.
In what appears to be an all-out fear mongering and intimidating announcement, IC3, the Internet Crime Complaint Center, which is a website maintained by the FBI, issued an emergency alert stating that “family members of law enforcement personnel and public officials are also at risk for cyber attacks and doxing activity.”
While re-packaging the announcement as a brand new Internet Security emergency, the fear-mongering is little more than a copy and paste from an announcement made in January 26, 2011 by the United States Computer Emergency Readiness Team (US-CERT) emergency “Security Tip” titled “Staying Safe on Social Networks.” While masquerading as a “national emergency,” the emergency alert is little more than a poorly-written list of activities or steps that anyone could take to increase their online privacy rather than just law enforcement or police officers.
Without citing any specific threat, Mindi McDowell wrote in 2011 that law enforcement personnel are at risk of having personal information unveiled and exposed on social media networks and other public web sites. Yesterday, April 21 2015, the FBI, using their IC3 website issued a newly re-packaged alert re-stating the same warning, with the exception of going into a bit more detail but still not quoting any credible threat and sticking to very generic language:
“Recent activity suggests family members of law enforcement personnel and public officials are also at risk for cyber attacks and doxing activity. Targeted information may include personally identifiable information and public information and pictures from social media Web sites.”
To make matters worse for the average reader of this release, the IC3 advisory is even explaining “doxing” as being one of the main reason for issuing this advisory, except doxing is a perfectly legal activity and it largely involves gathering publicly and legally available information about a particular topic or individual. Their alert however defines doxing as follows:
“The act of compiling and posting an individual’s personal information without permission is known as doxing.”
Not only is this blatant fear-mongering on the part of FBI and Homeland Security, but as I mentioned above, doxing is in fact completely legal activity and it involves little more than the simple ability to use online search tools like Google and other search engines to find and compile information legally available!
The brand new “fake” security alert was picked up by other government agencies and was sent out to millions of information security and IT professional subscribers late yesterday:
IC3, NCCIC and US-CERT have all been tasked with maintaining awareness about ongoing cyber threats to our national defense systems and Internet infrastructure, however it appears that these organizations and the alerting mechanisms they are using to create awareness about serious threats are now being used to instigate fear about actual legal activities which are being used every day by millions of Americans for research work.
One notable FBI case related to doxing was the case of the Steubenville, Ohio rapists who were exposed by an Anonymous hacker Deric Lostutter. Working under the handle KYAnonymous, Lostutter was interviewed for this article related to doxing and said,
“…as far as the legality of doxing goes, it is perfectly legal should you use data gathered from public sources such as google, spokeo, linkedin etc. The problem the feds have with the practice is they dont hold the people who leave all of their information freely on the internet accountable. When the FBI raided me in april of 2013, I explained to agent bixby of Ohio that Spokeo had an address that I lived at that was a safe house. He stated “well that just seems illegal”. Seeming illegal and being illegal are two different things. It was my fault, as it is the fault of the target, that the information is publicly obtainable. Information on the internet grows exponentially.”
In that case, Lostutter claims to have spent a substantial amount of time researching legally accessible information which was publicly available to identify the rapists and expose them. Shortly thereafter he was raided by an FBI SWAT team, arrested and his computer equipment was confiscated. As a result he is now facing more time in prison than the rapists he helped expose.
His closing statement to TruthVoice about doxing and his message to the FBI was,
“I can find anything out, about anyone, dead or alive. cop or not. all legal, they can suck my left nut“
Unfortunately FBI’s methodology of pushing announcements about doxing via emergency notifications channels may be having the opposite effect and may be detrimental to maintain awareness about Information Security topics by lowering the bar for what constitutes a true cyber security emergency and desensitizing the security industry to real threats and risk factors.
If the folks at Homeland Security, IC3 and NCCIC (who are largely former law enforcement officers) truly believe doxing to be such a danger to the general public, they should issue a general advisory for all Americans who may be at risk of having their privacy violated, not just to cops or current law enforcement members. The issuance of this alert is illustrating that the current channels used for emergency alerts are little more than a joke and are now seemingly being used for what appears to be political motives and reasons.
You can read the original advisory here: https://www.us-cert.gov/ncas/tips/ST06-003
You can read the re-packaged advisory here: http://www.ic3.gov/media/2015/150421.aspx
Virgil Vaduva is a Libertarian security professional, journalist, photographer and overall liberty freak. He spent most of his life in Communist Romania and participated in the 1989 street protests which led to the collapse of the Ceausescu regime. He can be reached at vvaduva at truthvoice.com.