Public Consultation on Doxxing and Privacy Reforms

Both the eSafety Act and existing torts around defamation are insufficient to address doxxing because they are reliant upon action by platforms to engage with the eSafety commissioner, or rely upon the individual who experiences doxxing to have the considerable resources to bring a defamation case. These resources are well outside the reach of most ordinary citizens, requiring hundreds of thousands of dollars, even if the case is unopposed (see the procedural history of Fong-Jones v Flow Chemical Pty Ltd [2023] VSC 770, for instance). Additionally, unmasking and identifying to sue those who anonymously engage in doxxing and harassment would have considerably added to the expense. See Musicki v Google LLC [2021] FCA 1393 and Musicki v de Tonnerre [2023] FCA 222 where proceedings took multiple years to even identify the poster of the harassing remarks. And my previous experience with reporting serious online harm to the eSafety commissioner and the AFP is that Commonwealth resources currently are not available to defend the privacy of individuals where the behaviour occurs outside of large platforms that can be negotiated with or subpoenaed.

A tort for serious invasions of privacy is only one step towards solving online hatred, harassment, and doxxing. As I have elaborated above, the courts move far too slowly to address doxxing and require the individual filing a serious invasion of privacy tort to have substantial resources and the ability to endure continued harassment for multiple years as they attempt to determine who has actually injured them and obtain judicial relief.

Doxxing frequently is carried out by anonymous or pseudonymous individuals, and the doxxing material is frequently hosted offshore or the provenance hidden behind multiple layers of protection and indirection to hinder its removal. It requires a very high degree of technical expertise to identify who created and is hosting the dox, let alone secure the takedown of dox. The technical, legal, and financial barriers combine to make it extremely difficult to hold perpetrators accountable and ensure the correct parties are named.

It may be necessary to, similar to how Webb v Bloch (1928) 41 CLR 331 imposes vicarious liability for any knowing and material contributors to the publication of defamatory material, enforce platform liability for doxxing if providers do not offer or carry out expeditious takedown of doxxing material that seriously invades the privacy of individuals.

Precedents abroad in common law could aid in assessing what mechanisms are available to address serious online harms. While the Uniform Defamation laws in Australia rightly prohibit a corporation with 10 or more employees from suing for defamation, only allowing them the tort of injurious falsehood, there is often a nexus between an employee acting as an agent of their employer, and them being doxxed independent of the size of the company. A company can only act through its representatives, so an attack on a representative in their capacity as representative is an attack on the company. In Bungie, Inc. v. Comer, Case No. 22-2-10761-8, King Cnty. Super. Ct (2023) in the state of Washington in the United States (https://drive.google.com/file/d/1kx0O9GlYpUMUzsz-un-6n76lOUKg9voa/view), it was found that an employer has standing to sue for harassment of its employees in connection with their jobs. The Australian legislation and judicial system would do well to take notice of this, as corporations and their employees often suffer this harm together. Rather than treating invasion of privacy/doxxing/harassment as a tort that only individuals can bring, corporations, including those with more 10 employees, should be able to bring suit and bring their full resources to bear to protect their employees from online harassment and a hostile workplace environment.

Additionally, it may be helpful to examine Caplan v. Atas, 2021 ONSC 670 (Canada) which established a common law tort in Ontario for internet-mediated harassment similar to the one under discussion here with regard to defamation, de-legitimising doxxing, targeting doxxing, and other harassing communications. See https://www.canlii.org/en/on/onsc/doc/2021/2021onsc670/2021onsc670.html

As someone who has personally experienced doxxing, who has attempted to use existing Australian tort law to hold doxxers accountable, who has worked via industry channels to combat doxxing/is an expert in tracking/tracing "bulletproof hosting" networks, who advocates for fellow victims of doxxing, and who is a funder and on the board of an anti-harassment/doxxing startup (Tall Poppy Security / tallpoppy.com), I would be happy to further testify in person before Parliament or the Attorney-General's office.

De-anonymising (unmasking) is not a form of doxxing, unless it associates an individual with a protected characteristic. For instance, de-anonymising and publishing the name of a politician who has made odious racist rants online should not be regarded as doxxing; instead, it should be regarded as a matter of public interest reporting. Racist rants ought not to be protected. But outing the identity of a LGBTIQ+ blogger might well expose that person to harm on the basis of their identity which might fall closer to the line of de-legitimising or targeting doxxing.

As I understand, the procedural history of this consultation came from the publication of the names of individuals associated with pro-Zionist group chats who were engaging in ostracising and blacklisting pro-Palestinian activists. Publication of an individual's name alone should not be sufficient to attract civil or criminal penalties, especially in connection to behaviour they have done that relates to the public interest and political activity.

I strongly agree that it needs to be a civil and criminal offence to engage in stalking, blackmail, and other forms of de-legitimising doxxing or targeting doxxing. But it would be a grievous insult to civil liberties to prohibit political reporting on subjects of public concern, for fear of publishing an pseudonymous individual's name.

I would also ask that Commonwealth agencies examine whether the owner and operator of Redacted text should face criminal charges. Redacted textWhere there is an organised crime ring centred on doxxing, it seems strange to require individuals to sue to take action against it when there undoubtedly are State and Commonwealth crimes that have been committed that could be used to protect Australians much sooner than a full legislative cycle and then waiting for victims to work cases through the courts.