Doxxing response

Trigger: you have discovered that someone has published your personal information online without your consent. This may include your home address, workplace, phone number, family members’ details, financial information, or private images.

Doxxing is designed to cause harm through exposure. It may be accompanied by harassment campaigns, threats, or impersonation. Address the immediate safety question first, then the content.

Assess the immediate risk

Not all doxxing carries the same threat level. The most urgent situations are those where the published information could enable physical harm (home address combined with threats) or ongoing harassment at a known location (workplace, regular commute).

If you believe you are at physical risk, contact local law enforcement and consider immediately varying your routines. Your safety takes priority over documenting the exposure.

Preserve evidence before acting on removal

Removal requests and legal action require evidence of what was published and when. Before you report anything to platforms or submit takedown requests:

Take screenshots of every post, page, or message that contains the exposed information. Record the URL, the date and time, and the username or account that posted it. Use a browser extension or tool that captures full page content if the page is long.

If you are in a state of distress, ask a trusted person to do this. The documentation needs to be thorough, but you do not need to do it alone.
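One way to keep the record described above, as an added example that is not part of the original runbook: each screenshot is logged with its URL, posting account and capture time, plus a SHA-256 of the file and a hash chain over the entries, so a later change to a screenshot or to the log itself is detectable. The function names and the JSON-lines log format are assumptions made for this example.

```python
import hashlib
import json
from datetime import datetime, timezone
from pathlib import Path

GENESIS = "0" * 64  # chain anchor for the first record


def _digest(record: dict) -> str:
    """SHA-256 over a canonical JSON encoding of the record."""
    blob = json.dumps(record, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(blob).hexdigest()


def add_record(log_path, screenshot, url, account, captured_at=None):
    """Append one evidence entry to the log; returns the stored record."""
    log_path = Path(log_path)
    lines = log_path.read_text().splitlines() if log_path.exists() else []
    prev = json.loads(lines[-1])["entry_hash"] if lines else GENESIS
    record = {
        "url": url,
        "account": account,
        "captured_at": captured_at or datetime.now(timezone.utc).isoformat(),
        "file": Path(screenshot).name,
        "file_sha256": hashlib.sha256(Path(screenshot).read_bytes()).hexdigest(),
        "prev_hash": prev,  # links this entry to the one before it
    }
    record["entry_hash"] = _digest(record)
    with log_path.open("a") as fh:
        fh.write(json.dumps(record, sort_keys=True) + "\n")
    return record


def verify_log(log_path, evidence_dir):
    """Return a list of problems; an empty list means nothing has changed."""
    problems, prev = [], GENESIS
    for n, line in enumerate(Path(log_path).read_text().splitlines(), 1):
        rec = json.loads(line)
        stored = rec.pop("entry_hash")
        if rec["prev_hash"] != prev or _digest(rec) != stored:
            problems.append(f"entry {n}: log record altered or reordered")
        f = Path(evidence_dir) / rec["file"]
        if not f.exists():
            problems.append(f"entry {n}: {rec['file']} missing")
        elif hashlib.sha256(f.read_bytes()).hexdigest() != rec["file_sha256"]:
            problems.append(f"entry {n}: {rec['file']} changed since capture")
        prev = stored
    return problems
```

The chain only shows that the log is internally consistent; anyone holding the log could rebuild it from scratch. Sending the latest `entry_hash` to a trusted person after each session gives an independent reference point in time.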

Report to platforms

Most platforms have an abuse reporting mechanism for doxxing and privacy violations. It is often found under “Report content”, in a category that specifically covers sharing private information without consent.

Under GDPR, platforms operating in the EU are required to have a process for handling requests to remove personal data. If a standard abuse report is not actioned promptly, escalate with a formal GDPR removal request. Use the same process described in the GDPR deletion runbook, directed at the platform hosting the content.

Document all reports: the date submitted, the reference number if provided, and the outcome. This record is necessary if you need to escalate further.

Assess what else is public

The information published was gathered from somewhere. Identifying the source reduces the risk of future exposure.

Check what personal information is already publicly accessible: social media profiles, professional directories, property records, electoral roll entries, old forum posts. See the data broker playbook for how to request removal from aggregation services.

Consider tightening privacy settings across accounts, particularly if the doxxer used publicly visible social media to build the profile.

Doxxing may constitute harassment, stalking, or data protection violations depending on the jurisdiction. In the EU and UK, the publication of personal data without a lawful basis is actionable under GDPR. In the UK, it may also constitute harassment under the Protection from Harassment Act 1997.

A solicitor specialising in data protection or online harassment can advise on whether a formal complaint to a supervisory authority, a civil claim, or a police report is appropriate for your situation. Some organisations offer pro bono legal support specifically for doxxing and online abuse cases.

Support

The practical and psychological toll of doxxing is significant and should not be minimised. Targeted harassment campaigns are designed to exhaust their targets into silence. Support from trusted people, and in some cases professional support, matters alongside the technical and legal response.