Online disagreements among young people can easily spiral out of control. Parents need to understand what’s at stake.
Analysis Summary
# Best Practices: Protecting Children Against Doxxing
## Overview
These security practices focus on proactive measures parents should implement to minimize the risk of their children being doxxed, that is, having their personally identifiable information (PII) maliciously published, and provide clear response steps should an incident occur. The recommendations cover online behavior modification, technical security controls, and communication strategies.
## Key Recommendations
### Immediate Actions
1. **Do Not Engage the Doxxer:** If doxxing occurs or threats are made, immediately instruct the child *not* to engage or respond to the perpetrator, and do not engage or respond yourself.
2. **Document All Evidence:** Immediately take detailed screenshots of all published posts, messages, or threats where personal information was leaked to create a record for reporting.
3. **Contact Law Enforcement (If Necessary):** If the doxxing includes any threat of physical violence against the child, contact the police immediately.
4. **Report Content to Platforms:** Report the incident to the relevant social media sites, forums, or website hosts, as this activity almost certainly violates their Terms of Service.
### Short-term Improvements (1-3 months)
1. **Secure Online Accounts:** Have your child review and immediately change passwords on all major accounts (social media, gaming, email). Implement strong, unique passwords, preferably managed via a password manager.
2. **Enable Multi-Factor Authentication (MFA):** Mandate and enable MFA on every possible service (email, social media, primary communication apps) to mitigate risks from phishing or credential stuffing after a breach.
3. **Conduct Initial Online Search (Digital Footprint Audit):** Search for your child's name, usernames, and known online monikers across major search engines. Identify and document any readily accessible PII.
4. **Request Content Removal:** Submit formal removal requests to search engines (e.g., Google removal requests) for any personally identifiable information that has been published by the doxxer and appears in search results.
5. **Review and Adjust Privacy Settings:** Navigate all active social media platforms and ensure privacy settings are set to the highest practical level (e.g., private accounts, restricting who can view posts or tag the user).
### Long-term Strategy (3+ months)
1. **Implement Ongoing Digital Footprint Monitoring:** Regularly perform comprehensive online research, involving your child, to identify and request removal of potentially compromising information before it can be aggregated by attackers.
2. **Educate on PII Avoidance:** Conduct regular, non-judgmental discussions with your child about what constitutes PII (addresses, school names, family details, frequent locations) and the dangers of sharing it, especially during online disputes.
3. **Establish a Trust Channel:** Ensure your child feels fully supported and knows they can approach you with *any* online concern or question without fear of anger or punishment. This facilitates early reporting.
4. **Review "Sharenting" Practices:** If you (the parent) frequently post about your child online, critically review all shared content. Cease sharing detailed location data, photos that reveal school uniforms or recognizable landmarks, or any other PII related to your minor child.
5. **Train Against Sophisticated Attacks:** Educate children on recognizing and avoiding phishing attempts and the dangers of downloading unsolicited files, which could lead to infostealer malware installation.
## Implementation Guidance
### For Small Organizations (Applicable to Family Units Concerned with Child Safety)
* **Focus on Low-Cost Tools:** Prioritize free or low-cost tools like robust password managers and platform-native privacy controls.
* **Direct Communication:** Implement bi-weekly "Tech Check-ins" focused purely on which platforms the child is using and how they feel about their current privacy settings.
* **Manual Auditing:** Parents should manually search for and document their child's public information, as enterprise-grade OSINT tools are overkill.
### For Medium Organizations (Applicable to Schools/Community Groups Addressing Youth Online Safety)
* **Develop Standard Operating Procedures (SOPs):** Create a documented incident response playbook specifically for dealing with student doxxing threats or incidents involving their community members.
* **Mandatory Digital Literacy Training:** Institute mandatory, annual training sessions for students covering digital etiquette, PII management, and threat recognition (like phishing).
* **Provide Access to Secure Tools:** Encourage the use of password managers and ensure all school-provided accounts have MFA enforced.
### For Large Enterprises (Applicable to Organizations that may see employee family members targeted, or high-profile cases)
* **Implement Doxxing Response Tiering:** Establish clear internal escalation processes: Tier 1 (Initial report/documentation), Tier 2 (Legal/HR consultation), Tier 3 (External forensic/PR involvement).
* **Utilize Threat Intelligence Platforms:** Employ subscription services capable of deep web/cybercrime forum monitoring to proactively scan for mentions of employee/family PII derived from historic breaches.
* **Formalize Policy on Revenge/Retaliation:** Ensure HR and IT security policies explicitly address an employee’s responsibility to secure their personal information and outline organizational support available if family members are targeted due to the employee's role.
## Configuration Examples
| Configuration Area | Recommended Action | Rationale |
| :--- | :--- | :--- |
| **Account Security** | Enable MFA using authenticator apps (e.g., TOTP) rather than SMS where possible. | SMS-based MFA is vulnerable to SIM-swapping attacks, increasing the risk of account takeover and subsequent information harvesting. |
| **WHOIS Records** | Ensure domain registration privacy settings are enabled if the child owns any personal website or domain. | Prevents personal registration details (name, address, phone) from being published publicly via WHOIS lookups. |
| **Location Services** | Audit and disable location tagging/metadata for all images or posts shared on public platforms. | Prevents automated extraction of current or recurring physical locations used by doxxers. |
## Compliance Alignment
The principles of protecting identifiable information align with several established security frameworks:
* **ISO/IEC 27001 (Information Security Management):** Aligns with controls related to identifying and mitigating external threats (A.12.1.2 Operational procedures for information processing facilities) and managing communications security.
* **NIST Cybersecurity Framework (CSF):** Primarily aligns with the **Protect** function (e.g., ID.AM-3 Access Management) by securing data access points, and the **Respond** function (e.g., RS.RP-1 Response documentation) through evidence collection.
* **COPPA (Children's Online Privacy Protection Rule - Regulatory Context):** Although primarily targeting operators, the underlying spirit requires demonstrable parental consent and strict handling of PII collected from children under 13.
## Common Pitfalls to Avoid
* **Assuming Privacy Settings Are Permanent:** Users often set settings once and forget them. Platforms frequently change defaults or introduce new sharing features that must be re-audited.
* **Reacting with Anger:** Parents must avoid immediately becoming angry when a child discloses an online confrontation. Anger inhibits future disclosure, allowing problems to escalate in secret.
* **Ignoring Secondary Accounts:** Focusing only on primary platforms (e.g., Instagram) while neglecting secondary or niche accounts (e.g., specific gaming chats, lesser-known forums) where disputes often originate.
* **Failing to Secure Parental Posts:** Parents who overshare about their children ("Sharenting") inadvertently provide the foundational PII that attackers use to anchor digital identities.
## Resources
* **Online Incident Documentation:** Utilize secure, offline note-taking methods or encrypted storage to keep copies of documentation (screenshots, timelines), as relying solely on cloud-stored evidence from compromised accounts is risky.
* **Search Engine Removal Hubs:** Consult official documentation for major search providers regarding Personally Identifiable Information (PII) removal requests (e.g., Google Search Assistance pages).
* **Password Manager Documentation:** Review secure implementation guides for reputable, third-party password managers to ensure children are using them correctly.