The internet is a great source of information and it is fun to play in, but it is not always a hospitable place. Therefore, it stands to reason that we should have measures in place to adequately protect our digital security and privacy online. Whether or not we care to invest time and energy defending ourselves online (i.e. the “it could never happen to me” argument) has become a moot point, as the below example illustrates.

Yes, we know. Some might say…

Here comes yet another digital security and privacy piece from 14Charlie that adds more to our to-do list and emphasizes the fear of what could happen to someone online. 

Just send me my tin foil hat and put me in a Faraday cage… I’m sick of being vulnerable.

*Pumps shotgun* I’ll take my chances *stares off into distant sunset* out there.

We get it. We find ourselves emphasizing digital security and privacy a lot, and it’s not because you don’t already know it’s important. However, there are countless reasons as to why we recommend a renewed emphasis on digital security and privacy in your lives (besides, if we don’t publish at least one reminder about digital security and privacy a month, Stavros’s blood pressure drops too low and impacts his managerial editing duties).

Most recently, we wanted to briefly discuss an instance of mistaken identity online that was compounded by the current events. It led to a perfectly innocent man having his entire life disrupted by complete strangers hell-bent on dishing out the Internet’s brand of street justice: doxing.

Doxing: your information in the hands of the internet mob

Doxing (var. doxxing) is the practice of finding and publicly broadcasting personal information about somebody online, usually with the intent to shame them or to instigate some kind of follow-on actions by other parties. Somebody usually gets upset at you or wants to generate some kind of effect against you. They dig up all the dirt they can through hacking, stalking, social engineering, etc. and then your personal information (address, phones, relatives, date of birth, etc.) all get plastered online in the hopes someone taking some kind of follow-on action (see: “swatting” for a prime example).

In our example today, we have an innocent man, 49-year-old finance marketing executive, Peter Weinberg, who by virtue of going for a mere bike ride, was mistakenly identified as Anthony Brennan III. Brennan had assaulted two teenage girls and used his bike to assault an adult (the perpetrator was charged with three counts of second-degree assault).

A not-so-quiet night in Maryland

Our hapless friend, Peter, was sitting peacefully one night at his home in Bethesda, Maryland, when he suddenly began receiving a stream of angry, accusatory, and threatening messages from complete strangers on LinkedIn. Given Peter’s propensity for minding his own business and not doing much to warrant such emotional outbursts from strangers, this was a most unpleasant phenomenon. It also did not bode well for his online presence, where his LinkedIn profile views reached the thousands, and not for the right reasons.

In a slight panic, Peter checked his Twitter account, where his mouth dropped in horror at the snowballing activity before him. He was accused of being a racist, of assaulting a child, and pictures of him wearing his bike helmet and sunglasses were being circulated online. Complete strangers were downloading their hate and aggression onto him, saying things like:

“Hey you racist bitch….we’re coming for you.” “You deserve to pay.” “Ur going down u disgusting piece of shit.” “Nice job assaulting a small child today. You need to be fired from your job immediately.” “YOU UGLY RACIST BITCH.”

Peter entered a state of shock and dismay while trying to process what was unfolding before him.

The worst case of mistaken identity

As this out-of-control experience developed, Peter saw that these complete strangers were comparing pictures of him alongside a different man who was also wearing a bike helmet and sunglasses. Peter, an avid cyclist, slowly began to piece together this case of mistaken identity. To his horror, Peter learned there was a man captured on film “hitting children and ramming his bike into an adult after becoming enraged that they were posting [sic] fliers around the Capital Crescent Trail in support of George Floyd.”

Even worse, this internet mob honed in on Peter after comparing the results of a fitness tracking app that Peter used to record his regular rides, also along the Capital Crescent Trail where the original assault incident was caught on film. The mob initially found Peter after the Park Police crowdsourced their search for the man caught on video. The only problem? The guy wasn’t Peter, didn’t look anything like him, and the incident occurred on a different day than the data in Peter’s tracking app. But the cat was already out of the bag — more than 55,000 times out of the bag to be precise, based on how widely the Park Police’s original post proliferated.

Peter immediately reached out to the Park Police and spoke with the Detective assigned to investigate the assault incident. Despite Park Police making a correction to their original crowdsource statement, it barely made a drop in the bucket and was only shared 2,000 times. Park Police quickly excluded Peter as a suspect, but the internet mob was in full swing. Worse, Peter wasn’t alone. Another unfortunate man, a former Maryland cop, was also falsely accused: the “tweet accusing him [was] retweeted and liked more than half a million times.”

The woman who found and shared Peter’s home address? She apologized and deleted her post, but her correction was shared by less than twelve people. The damage was done, and Peter is still reeling from this incident, having done nothing but go for a bike ride near his home.

What did we learn?

Now, the obvious so what we’ll mention here is that with proper digital security and privacy measures in place, this entire charade would at the very least have been diffused, made more difficult, or possibly even completely avoided. But alas, we would not have had the great fortune of learning from such an unfortunate event.

Can we fault the Park Police for asking for the public’s help in identifying and locating an assault suspect? No. To what extent can we control the internet heroes who attempted to answer the Park Police’s call for help? We can’t. Where does the responsibility lie for ensuring events like this don’t happen to innocent citizens? At the individual level.

We won’t pretend it’s easy or convenient to invest your precious time and energy towards improving your digital security and privacy online. We simply don’t know exactly what Peter could have avoided had he been able to improve his online digital security and privacy practices. However, we can claim with high confidence that Peter could have, at least, minimized the damage done to him had his digital security and privacy been more robust.

That’s all this whole thing is about. Take an honest look at your own digital security and privacy. Learn from Peter and the information that was available about him. Have a friend or family member try to dig up as much info as they can about you, and use that to help inform your understanding of your current posture. It can be challenging and fun to improve your skills and see how far you can get.

As we are reminded, none of this stuff works retroactively. Doing damage control is far more difficult than being proactive. “An ounce of prevention is worth a pound of cure” — this rings absolutely true here. Implementing small, incremental changes to your digital security and privacy becomes the foundation upon which a robust posture is built and maintained. Our goal is to make that accessible and easy to understand for all of you, starting with the Digital Security Guide, available here, and in articles such as this one, where we all learn and continue to improve.

Thanks for listening.