PETALING JAYA: While ransomware, viruses and phishing frauds are terms that can frighten computer users and generate ominous headlines, another cyber threat is hitting even closer to home – doxxing.
A growing online practice that weaponises sensitive data to threaten personal lives, careers and safety, it is considered a criminal offence under the Personal Data Protection Act 2010 (PDPA), although it is not specifically mentioned.
Doxxing is tech-speak for “dropping documents”, and refers to targeting individuals by maliciously publishing their personal information.
Lawyer Parveen Kaur Harnam said “publishing” could also be considered circulation of such information on social media, blog sites or even WhatsApp.
“It occurs in the context of online vigilante justice or ‘digilante justice’, where a herd of netizens band together with the ostensible purpose of teaching someone a lesson because of an assumed wrongful act,” she said, adding that doxxing should not be accepted in society as it has severe and harmful consequences.
“The public must make themselves aware of what constitutes ‘private information’ or ‘private data’ to ensure that every individual’s private information remains confidential as far as possible.
“Data publication can only be done where there is knowledge and consent on the part of the person whose data is being published. For context, Section 6 (1)(a) (General Principle) of PDPA provides that in the case of sensitive personal data, a user cannot process (it) unless the data subject has given consent.
“Therefore, it is an offence for a person who has come across data processed under PDPA to leak it to the public without the data subject’s consent and prior knowledge.
“Personal data is information processed regarding commercial transactions, (which) include supply or exchange of goods or services, agency, investments, financing, banking and insurance,” Parveen said, adding that the public must be mindful of the intent of publishing.
In such a situation, Section 499 of the Penal Code (criminal defamation) is worth noting.
“Where there is intention to bring harm to the reputation of a person when personal information is published, Section 499 may denote criminal liability on the part of the publisher of the personal information.
“Defamatory statements are words that have the (effect) of lowering the estimation of any individual to subject such a person to being ridiculed, spurned or hated.”
Parveen said doxxing tends to follow not just individual emotions but the emotions of a crowd.
“It has dangerous impacts because it (is) untrammelled. Often, it is not tempered with rational consideration of facts and legal liability, unlike a court’s decision.
“Disillusioned (individuals may) feel that taking the law into their own hands can bring justice. But justice must not only be done, it must also be seen to be done,” she added.
“More importantly, justice is a word to which there is no true definition. There is no real guarantee of it. It is ever elusive. What netizens consider justice may be acts that have civil or criminal liability.
“This should be looked at within the reality that doxxing sometimes causes swatting – another form of online abuse which results from doxxing.”
Media expert Adlene Aris said doxxing should not be normalised in any given situation as it could lead to negative consequences like cyberbullying or harassment.
“Let the authorities handle the issues, especially those that are crime-related,” she said, adding that there should be a specific law to address doxxing due to its harmful and dangerous outcomes.
