Recently, in the case of Shaviya Sharma v. Squint Neon, a single-judge bench of Justice Pratibha Singh of the High Court of Delhi dealt with the intricate issues and complexities surrounding the phenomenon of ‘doxing’. Doxing, the abbreviation for ‘dropping dox’ where the word ‘dox’ connotes a slang for ‘document’, denotes the publishing, revealing, or identifying of information about an individual or set of persons on internet platforms, specifically social media sites, with malicious intent. Such acts of 'doxing' are explicitly intended to harass an individual or group often manifesting itself as revenge porn or ‘swatting’.
This article explores doxing and its legal ramifications, specifically within the Indian context. Analysing critical judicial pronouncements such as Shreya Singhal v. Union of India and Justice K.S. Puttaswamy (Retd.) v. Union of India, the article explores doxing by highlighting the frictures alongside an evolving judicial stance on privacy and free speech. It critically examines the Digital Personal Data Protection Act (DPDP), identifying legislative flaws and loopholes. This article highlights the pressing need for more potent legal safeguards against doxing by contrasting Indian legal systems with foreign rules and regulations such as the GDPR, Dutch Criminal Code, and state laws in the United States of America. It demands more stringent sanctions, defined legal definitions, and improved enforcement methods to combat the rising menace of doxing in the digital era.
Unmasking the Consequences: The Legal and Personal Fallout of Doxing
Certain social groups are more severely affected by doxing than others, particularly women and the LGBTQIA+ community. According to Amanda Manyame, a digital law and human rights adviser notes that doxing disproportionately impacts women, causing significant emotional and psychological challenges, and frequently leading to intimidation, threats, and, actual physical assault. A recent report from the public-interest research group Advance Democracy, Inc., reported by VICE News, claims that there has also been a noticeable increase in ultra-violent rhetoric on far-right forums like "Patriots.win" and "Gab," with users threatening lawmakers, specific teachers, and Disney employees. Radical activists of all stripes are now going one step beyond, doxing school administrators and demanding that they be put to death.
This trend indicates the global political weaponisation of doxing to intimidate and silence individuals, especially those who are vocal about feminist issues or hold public positions. In doing so, what we are seeing is digital harassment that exacerbates the already high levels of gender-based violence in India, creating a climate of fear and repression.
Kaspersky has recently reported a notable case, whereby a popular Twitch streamer, Wolfabelle, was blackmailed for sexual favours by an online doxer. The attacker identified where she lived and threatened to publish her address and other private information unless she submitted to his sexual demands. The doxer even went so far as to stalk her home and take pictures of it, which he then sent her. The pervasive nature of such attacks not only affects mental health but also limits the freedom of expression and participation in the public discourse of victims.
Leading social media players, such as Meta and X (formerly Twitter), frequently permit content that explicitly targets LGBTQIA+ people to remain on the platform despite breaking the policies of the parent company. However, it must be disclosed that these companies are quick to point out that they swiftly remove posts and accounts that report on human rights violations or show support for contentious issues.
The insufficiency of Meta's explicit protection of LGBTQIA+ users against harassment and outings highlights the necessity of more robust digital security protocols. The LGBTQIA+ community confronts particular difficulties in safeguarding their digital footprints, as they frequently lack the tools or expertise necessary to adequately protect their personal data, according to cybersecurity specialists at NordVPN.
Safeguarding Privacy: Legal Challenges and Responses to Doxing
Doxing also poses a severe threat to the privacy and security of individuals, particularly in India, where legal protections are still in the evolutionary stage. A central component of Indians' privacy rights, Article 19 of the Indian Constitution provides that “All citizens shall have the right-(a)to freedom of speech and expression”; however, such a right is not absolute and can be subject to reasonable restrictions. The intrinsic nature of the rights enshrined in Article 19 and the degree to which they protect individuals from doxing are made clear when examining Article 19 and subsequent Supreme Court rulings such as Kaushal Kishor v. State of U.P.. and Justice K.S. Puttaswamy (Retd.) v. Union of India, which have exceptionally safeguarded the individual's information by regulating information privacy.
In the pivotal judgment in Shreya Singhal v. Union of India, the Supreme Court of India invalidated Section 66A of the Information Technology Act, 2000, which had formerly criminalised offensive messages via communication services on grounds of being unconstitutional. The Court ruled that the provision was vague and overly broad, infringing upon the right to free speech. This judgement brings to mind the delicate balance between freedom of expression and the imperative to shield individuals from harassment and abuse.
In Justice K.S. Puttaswamy (Retd.) v. Union of India, the Supreme Court affirmed that the right to privacy is a fundamental right under the Constitution, derived from the right to life and personal liberty enshrined in Article 21. The judgment further explored the nuances of privacy by asserting that it is not an “elitist” concept but rather an inextricable aspect of individual liberty. The Court also noted that the current age of technology has led to complex privacy breach issues, where detection is deeply challenging as breaches can occur largely 'invisibly', with information being accessed, stored, and transmitted at light-speed. Additionally, it noted that information is recombinant, meaning that produced data can generate further data.
Such data and information breaches can seriously violate people's privacy when they are not controlled or monitored by appropriate and effective regulatory bodies. As a result, data breaches and 'doxxes' put innocent people's fundamental liberties at risk. Doxing risks a person's safety, security, and general well-being by disclosing private information like addresses, phone numbers, or personal routines. The court's decision emphasises how important it is to protect personal information from misuse and unauthorised access, essential to reducing the adverse effects of doxing.
Doxing Dilemma: Evaluating the Digital Personal Data Protection Act's Efficacy
The Digital Personal Data Protection Act, 2023 (“DPDP”) is India's first cross-sectoral personal data protection law. One of the significant objectives of the DPDP is to govern the processing of digital personal data and respect individuals' right to data privacy while also acknowledging the importance of processing and using such data for authorized reasons. Furthermore, the Act intends to create an extensive legal framework for digital personal data protection in India. DPDP bears several similarities and specific notable differences from the General Data Protection Regulation (“GDPR”), but it has undoubtedly proved a guiding principle for drafting Indian legislation.
While Section 2 (t) of the DPDP defines ‘personal data’ as ‘any data about an individual who is identifiable by or in relation to such data’, Section 3 (c) (ii) of the DPDP precludes the application of the DPDP to ‘personal data that is made or cause to be made publicly available by either the Data Principal to whom such personal data relates or any other person who is an under obligation under any law to make such personal data publicly available’. Notably, the implied exclusion of 'personal data that is made or caused to be made publicly available' is a double-edged sword in the context of new-age cybercrimes such as Doxing. Therefore, this exemption shall only be applicable in cases wherein data has been made available by the person or under the law. One potential loophole is that it does not include personal data made public by a person authorised by the data principal.
The exclusion, as mentioned above, creates a complex environment in which such personal data is particularly susceptible to misuse, such as identity theft, reputational damage, expulsion from employment opportunities or expulsion from academic programs, since perpetrators carrying out doxing may readily obtain and gather such data to harass, threaten, or damage persons. At the outset, one of the major lacunae of the DPDP is that it does not define the contours of what constitutes ‘publicly available data’. Although the exemption for readily available data to the public may improve handling efficiency and ease, it may unintentionally encourage doxing.
This omission risks being exploited and weaponised by ‘doxers’ who may argue that the data they leaked was already accessible in the public domain. Victims of doxing may, therefore, find it difficult to pursue legal action under the DPDP. Individuals have minimal alternatives for dealing with information misuse because the Act excludes publicly available data from its safeguards. The relative simplicity of accessing such publicly available data on social media platforms undermines the protective barriers that the DPDP attempts to construct, reducing its efficacy. Despite the publicly available data, it must be highlighted that it may be scattered across various platforms and sources. Doxers may aggregate this data into a singular and centralised dossier that may be potentially used for harassment, stalking or malicious activities.
The reason why this proves so necessary to tackle is that doxing can serve as a link between virtual harassment and physical harm. Doxers can take their online harassment to the next level by using personal addresses and other location-based information to precipitate and facilitate physical stalking, vandalism, or even violent crimes, with the practice often entailing dissemination of the victim's details to a larger audience in an attempt to get others to engage in the harassment. This may result in mob mentality behaviour, when a large number of people support the abuse, making it more widespread and difficult to stop. Since the ‘previously accessible’ data falls within the exemption, safeguards for the right to erase the data may not be applicable. Thus, such data shall remain on the internet perpetually and be inflicted on the victim indefinitely. Thus, it is contended that exemption for publicly accessible personal data is legally related to doxing since it may make it easier to obtain and misuse such data.
Privacy and Peril: Doxing in the Context of Global Data Protection Regulations
The GDPR is a crucial data privacy legislation, underpinning EU privacy and human rights laws. It is widely recognized for its rigorous standards for businesses worldwide that target or collect data on EU citizens. The GDPR exemplifies the "Brussels effect," which occurs when the EU's regulatory norms are internationally externalized via market processes. As such its regulatory impact has inspired numerous nations across the globe to implement comparable data privacy regimes, notably India's DPDP.
Important protections within the Regulatory framework are most clearly laid-out in Article 9, which restricts the processing of personal data that exposes an individual's racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data for unique identification, health data, or information about a person's sexual activities or orientation. Furthermore, Article 9(2)(e) of the GDPR excludes the processing of personal data, if that data has been manifestly made public by the data subject. Even if the data is deemed ‘publicly available’, the principles outlined in Article 6 of the GDPR apply, and a legitimate basis must be established before utilizing such publicly available data.
However, despite the efficacy of the GDPR protection, doxing is not directly dealt with within the contours of the GDPR, and the Dutch Criminal Code offers a relatively progressive stance in addressing the intricate issue of doxing by comparison. A recent amendment to Section 285d of the Dutch Criminal Code essentially makes ‘acts of providing, distributing or otherwise making personal data available with the intention of intimidating someone’ tantamount to a crime.
Recently, in a sign of the efficacy of such legislative developments, Dutch conspiracy theorist Huig Plug, was arrested in February 2024 under the new legislation for allegedly doxing a member of the public prosecutor’s staff. Further afield, in California, § 653.2 of its Penal Code makes it a crime to electronically distribute personal information to cause fear, harassment, or harm. In the state of Washington, RCW 4.24.790 allows victims of doxing to sue for damages if their personal information is published with the intent to harm. Legislative developments against doxxing have also made great leaps in South-East Asia, where Section 64 3(A) of the Hong Kong Personal Data (Privacy) (Amendment) Ordinance, 2021 provides that ‘a person commits an offence if the person discloses any personal data of a data subject without the relevant consent of the data subject (a)with an intent to cause any specified harm to the data subject or any family member of the data subject; or (b)being reckless as to whether any specified harm would be, or would likely be, caused to the data subject or any family member of the data subject.’
From a legal standpoint however, demonstrating an intent to harm might be a more difficult hurdle than people realise in the global digital age. To effectively fight doxing, section 64 3(A) of the Hong Kong Personal Data (Privacy) (Amendment) Ordinance, 2021 does not require a specific course of activity to be considered a criminal. Section 3(a) requires that the offence be committed to inflicting specific injury. It also enables exclusions if the disclosure is for an 'authorised new activity' or in the public interest.
The many legal regimes prohibiting doxing explored, highlight its significant consequences and necessity for solid protection. The GDPR requires legitimate handling of public data, but the Dutch Criminal Code, US state legislation, and Hong Kong ordinances prohibit deliberate data misuse. Despite the difficulties in establishing intent, these statutes all provide crucial deterrents and remedies for victims. Continuous refining and enforcement is required to balance individual privacy rights and freedom of speech, assuring adequate protection against the growing threat of doxing.
Conclusion
Doxing poses a multidimensional threat to privacy and security in the digital age, exposing individuals to severe physical as well as emotional hazards. The Indian legal ecosystem, whilst improving, is nevertheless insufficiently suited to handle these challenges completely. Landmark decisions such as Shreya Singhal v. Union of India and Justice K.S. Puttaswamy (Retd.) v. Union of India have emphasised the difficult balance between freedom of expression and the right to privacy. Additionally, the country's DPDP does not correctly define 'publicly available data,' leaving loopholes for doxers to exploit. As such, further work must be done.
Robust measures are exemplified by international statutes, such as the GDPR, the Dutch Criminal Code, and specific state laws in the United States, which enforce more stringent rules and punishments for the misuse of personal data. These legal structures offer valuable insights that may be used to improve Indian law. As the country refines its legal definitions, it must take a leaf from international best practice - imposing stringent penalties and ensuring robust enforcement mechanisms to effectively combat doxing
Image by Subhashish Panigrahi via Wikimedia Commons