This post originally appeared on VICE Canada.
Comment sections can be hate-filled wastelands. Some posters share their racist, misogynistic, and demeaning thoughts behind the protection of aliases. When forced to use their real names, they believe they have a supportive audience, no one cares, or won't face any real consequences. A Canadian hacker I'm calling Danny takes joy in exposing and punishing these people.
"All I ever want from people is to simply stop oppressing others," Danny wrote over IM chat before I met him in person. "With belief, with privilege, or even just with online words. I want white males to accept the yoke of our horrible, terrifying track record in history."
The man who leaks others' personal information did not want to be identified. As part of an agreement for an interview, I can confirm he is "from the Prairies" and "holds a lofty position at a large IT company." In his spare time, he doxxes people he believes are bigots.
Doxxing is the practice of finding a person or group's private information and distributing it, exposing them to potential harm. It's fairly common and older than the internet. Danny, in his 30s, brags that he's been doxxing people "since forever." He told me this while smoking weed from a one-hitter as he prepared his computer for a demonstration. The laptop sat on a wooden toilet seat—"for stability reasons"—on top of a trolley. Nearby, a meditating warrior figurine and framed Frida Kahlo reproduction watched over his work.
Danny outs offensive commenters—from Facebook, Twitter, Reddit, news websites, the usual spots—about once per month, but he will "heat up around election times" or because of big news stories, like those centered around the victims of the refugee crisis. "What is their recourse?" he said of people bullied on the internet.
As for online trolls: "These types of people own the internet. They have anonymity, and they make that work for them. I like to take that away."
His current obsession is outing racist commenters related to the killing of an Indigenous man, Colten Boushie. Gerald Stanley, 54, is charged with second-degree murder in the shooting death of Boushie, 22, on a Glenside, Saskatchewan farm. A cousin of Boushie has said their group of five was driving home to Red Pheasant First Nation when they got a flat tire. While the group was stopped for help, Stanley allegedly attacked them and shot Boushie.
The story generated such a racist outburst online that Premier Brad Wall issued a statement calling the conversations "unacceptable, intolerant, and a betrayal of the very values and character of Saskatchewan." For Danny, talk isn't enough. He sends screenshots of users' comments and information revealing anonymous identities to their friends, families, employers, and even business partners. Currently, Danny explained he hopes to get firearms licenses revoked from commenters who made violent statements online, which he plans to send to the RCMP.
In this particular case, he claims many racist comments come from people in rural areas, and they don't have much of an online presence. But this merely delays his doxxing process. "Instead of 'hacking you,' calling a company [like a utility provider] to get that information is way easier."
Danny said he normally doesn't "keep trophies" from his doxxing work but agreed to show us his techniques. The day before we sat down with him at his apartment, he saw an anonymous Reddit user make a lewd comment about comedian Amy Schumer. Using the onion router Tor to hide his trail, Danny proceeded to spend four hours searching through the user's comment history, compiling dozens of folders worth of information from various sources linked to that profile.
"You can see by his profile he is very anti-Muslim and one of those Trump [supporter] kids, which bugs the fuck out of me," he said while scrolling through documents and sipping an energy drink.
Eventually, Danny located a photo of the Reddit user.
He created a link to the user's photo using a program that tracks the IP address of whoever clicks on it. He sent the link to the user, baiting him to open it by referencing personal details found in his comment history. Danny's message went something like, "Hello John Smith from Idaho. What would your wife, Jane, think about your comments about women? I know what you look like," along with the spoofed link to the photo.
Once the victim clicked that link, Danny had his IP address without his target knowing. In this case, Danny didn't feel the need to go any further because the user deleted his four-year-old Reddit account, which he called "a victory."
Before we met, he commented on whether shutting down accounts or leaking comments to families and employers is helping to fix bigotry. He wrote, "I would love to tell you some success stories, but honestly by the time it gets to that point the target has usually scrapped their online presence, which is OK with me." He said when it comes to contacting families and employers, he finds these types of commenters are often surrounded by like-minded groups.
"Employers are either apathetic or actively agree with the person's outlook," he said.
However, when Danny isn't satisfied he said he can go much further in his efforts.
"Once I have the IP address," he gestured to a Notepad file on his monitor, "I know his cell phone provider, browser, what kind of computer they use, and exactly where he lives." He combines the information he has and fills in any blanks, like solving little equations one at a time. For example, while he might not have an exact address, he can sometimes find it based on the geotag from an IP address along with the target's employment history snagged from a comment.
He said exploiting IP addresses can be risky. "I wouldn't really want to do anything illegal," he said, "I would if it was for the right thing … Getting the IP address, I usually only use [that information] to scare them because the second you start doing shit with IP addresses you're crossing into illegal territory."
He said he could DDoS attack them—disabling their internet using a team of people or botnet service. Botnet attacks are highly illegal. He could also get banking information or other intimate knowledge about his target by calling their cell phone provider pretending to be a supervisor at the company.
From there, he claims he can force his way into emails if a user reuses passwords on other services with weak security. He claims he can find out virtually anything given enough time. When asked if he's ever gone further than scaring people into wiping their online presence, Danny only smirked and continued highlighting information he'd gathered on the example Reddit user. He knew his phone number, height, weight, favorite sports teams, employment history, and more.
One of Danny's tactics is to call victims using a concealed number and voice changer. Once he has them on the phone, he simply lists off intimate knowledge about them, trying to scare them offline.
While Danny believes outing offensive commenters is morally justified, his methods open him to legal risks and it's pretty easy to see how his methods could be used for harm.
Gil Zvulony, a Toronto-based lawyer specializing in internet issues, said this type of vigilante doxxing could land Danny in serious trouble. "This guy's behavior can be broken down into a number of legal wrongs … and potentially criminal wrongs as well."
He said if a doxxer reveals an anonymous user with, say, a Google search, there is usually no criminal wrongdoing. However, commenting on Danny's other techniques, Zvulony said, "Phishing and misrepresenting who he is where it can get tricky. When you're penetrating computer systems or misrepresenting yourself to a person's hydro company or whatnot, that's when you get into some problems."
Malicious doxxing practices risk crossing the line into defamation, extortion, and disclosure of private information, according to Zvulony. "That's where you get into a lot of trouble."
I reached out to the RCMP to get their comments on doxxing, but they did not respond by press time.
When asked if doxxing people is morally wrong or potentially dangerous, Danny said, "There's a heavy amount of vanity involved in this, and I think if you don't admit that you're full of shit … But people post this stuff in their insular communities online. Me doing this opens the conversation into their communities in real life. Maybe there will be a boss who will think twice about giving a racist person a promotion. So many people who want social justice get into pointless arguments, but we need to make people realize there are consequences."
He wishes more people would dox hateful commenters. I asked how he would feel if he got doxxed—if other internet vigilantes can be trusted not to abuse their reach. He responded he has nothing to hide. I went to take his photo for this story, and he left the room. He returned with a bandana to cover his face.
Follow Devin Pacholik on Twitter.