Doxxing submission

Joint ZFA-ABL Submission in Respect of the Public Consultation on Doxxing and Privacy Reforms

28 March 2024
1. Introduction
Arnold Bloch Leibler (ABL) is pleased to provide this joint submission on its behalf and on behalf of the Zionist Federation of Australia (ZFA) in response to the Public Consultation on Doxxing and Privacy Reforms (the Consultation) opened by the Attorney-General’s Office on 11 March 2024.

ABL is a leading commercial law firm, renowned for its work on high profile and complex disputes, and for representing a diverse group of clients on matters of significant public interest on a pro bono basis. The ZFA is an elected representative roof body of the Australian Jewish community.

ABL has extensive and recent experience advising individuals who have been doxxed. Together with ZFA, we have assisted hundreds of individuals since 7 October 2023 whose lives have changed irreversibly by racial discrimination and abuse. Many have been bullied, victimised and dismissed from their workplaces. Many have been defamed, harassed and racially vilified. Others have had their businesses boycotted and received credible threats to their lives and safety.

Doxxing and vilification go hand in hand. Much of the recent racial discrimination and abuse experienced by members of the Jewish community started with an invasion of their privacy. But it does not end there. The current legal and regulatory landscape has proven inadequate to address the harm occasioned to victims of doxxing. This reflects our experience assisting those affected by the ‘Jew List’ doxxing attack of February 2024 (the February Doxxing). For many of those individuals, any claims they have lie downstream of a doxxer, against third party actors who take advantage of the initial doxxing to pursue conduct that is independently unlawful. In our view, that is unsatisfactory.

We support the government’s proposal to provide redress for victims of doxxing by introducing a statutory tort for invasion of privacy (Privacy Tort) based on the recommendations by the Australian Law Reform Commission (the ALRC) in its Final Report 123: Serious Invasions of Privacy in the Digital Era (ALRC Report 123).

As set out in further detail below, our recommendations are as follows:

1. the Privacy Tort is welcome, but an incomplete solution to the issue of doxxing;
2. to address the shortcomings of the Privacy Tort with respect to doxxing, Parliament should also introduce a statutory tort of harassment;
3. the eSafety Commissioner should have powers to make ‘take-down orders’ to act in real time and prevent the proliferation of harm;
4. in certain circumstances, including where doxxing involves racial vilification, the Privacy Tort should provide for:
   1. a representative body to make a claim on behalf of an affected group; and
   2. exemplary damages.

 
This submission is structured as follows:

1. in Part 3, we provide an overview of the harm that should be addressed by any new civil actions;
2. in Part 4, we explain why the status quo is inadequate to address doxxing;
3. in Part 5, we endorse the introduction of the Privacy Tort, and make certain recommendations in respect of its substantive and procedural limitations;
4. in Part 6, we propose further alternative forms of redress for victims of doxxing;
5. in Annexure 1, we set out a summary of our recommendations; and
6. in Annexure 2, we set out our responses to Questions A to E from the online Consultation Questionnaire.

 
In this submission, we refer to the results of a ZFA survey of those affected by doxxing. As at the date of this submission, the ZFA has received 61 submissions, including 31 victims of the February Doxxing. We also refer to the testimonies shared in a private forum for victims of doxxing hosted by the ZFA in March. The ZFA survey and the forum provide an instructive lens through which to view the deleterious impact of doxxing. We also anonymously refer to the accounts and experiences of certain clients we have advised.

2. Doxxing
This submission adopts the definition of doxxing provided by the Attorney-General for the purpose of this Consultation, being the intentional online exposure of an individual’s identity, private information or personal details without their consent.

This submission also adopts the definitions provided for Targeting Doxxing (being the revelation of specific information about someone that allows them to be contacted or located, or their online security to be breached) and De-legitimising Doxxing (being, the revelation of sensitive or intimate information about someone that can damage their credibility or reputation).

In addition, in this submission:

1. Doxxer refers to a person responsible for an incident of doxxing, and
2. Third Party Actor refers to a person who makes use of information disclosed by a Doxxer to target, intimidate or harass.

 
3. The harms of doxxing
Any legislative reform should be directed to curing and preventing the harms of doxxing. Throughout this submission, we refer to the February Doxxing and the harm that it caused. The February Doxxing involved at least two steps:

1. First, the Doxxers disclosed private and personal information of individuals without their consent (being their ethnic or religious affiliations) (the Disclosed Fact), often alongside their phone number, social media links and other identifying information (including their profession and employer);
2. Second, the Doxxers made representations about the individuals and the Disclosed Fact (the Characterisation), including as follows:
   1. That the individual is “mendaciously” and “in secret” defending a genocide, as The Age has reported Clementine Ford to have said;
   2. That the individual is “genocidal”, “thoroughly racist” and “committed to colonialism”, as The Australian has reported Matt Jones (AKA Matt Chun) to have said; and
   3. That the individual conspires with others “to plan co-ordinated attacks against Palestinians… while infiltrating a wide range of institutions”, as The Jewish Chronicle has reported Jones to have said.

 
Case Study
AA had been a member of a successful band for many years. AA was a victim of the February Doxxing. After their involvement in a Whatsapp chat was disclosed, AA was defamed by the other members of the band. AA was branded a racist and expelled from the band in contravention of the commercial agreement between band members. BB is a member of AA’s family who owned and operated a successful local business. As a result of the February Doxxing of AA, BB’s business was inundated with abuse (online and in person), boycotted online, stickered and graffitied. Long-standing customers sent BB a letter stating that “we can no longer support your business after learning you are Zionists and support genocide.” One person sent to BB photos of BB’s child taken at the location of BB’s business. Members of the public harassed BB’s customers in-store. As the Doxxers behind the February Doxxing were exposed, a commercial agent for one of the Doxxers harassed BB with repeated messages online and visits to the store, including calling BB a “practiced media slut” and a “media whore.”

(No Third Party Actors) The February Doxxing harmed the safety, security and wellbeing of many of the individuals concerned. This harm was experienced by those who were subsequently targeted by Third Party Actors, but also by those who were not.

According to victims of the February Doxxing:

1. “The daily online posts of the doxxers with their vicious content, the branding us the Zio600 and the threats prior to releasing the 900 pages of our chat – created panic, vulnerability and helplessness.
2. “When reported to the police, many of us were told “can’t do much because whilst your personal information was leaked, nobody PHYSICALLY took action.”
3. “When people with 250,000 social media followers publish the names of Jews, it is a form of stochastic terrorism – that is, on the basis of probability, someone is very likely to take extreme action. We have seen this to be the case, and while I have so far been fortunate in receiving only minor abuse, others have lost livelihoods and opportunities.”

 
(Third Party Actors) As set out above, the February Doxxing also led Third Party Actors to further harm the individuals concerned. For example:

1. Employers were pressured to terminate the employment of doxxing victims;
2. Doxxing victims received threats to their life and safety, with some going into hiding;
3. Doxxing victims had commercial partnerships and agreements terminated;
4. Doxxing victims received menacing phone calls from numbers originating in countries such as Iran, Iraq and Pakistan;
5. Posters were mounted in places of work, drawing attention to their ethnic or religious affiliations;
6. The businesses of doxxing victims were stickered and graffitied; and
7. Doxxing victims were defamed and subjected to unrelenting attacks on social media (both coordinated and ad hoc).

 
In the words of victims of the February Doxxing:

1. “For the first time in my life as an Australian – I feared for my personal safety – the safety of friends, family and colleagues, and that of my community.”
2. Doxing is extremely dangerous to individuals’ physical and psychological safety. It weaponises private information to harm people in the most insidious way as the person who reveals the personal data is not necessarily the one who may perpetrate the harm. In my case the person who doxxed me had over quarter of a million followers on instagram. It only takes one of those to act on the information. The doxxed then has plausible deniability because they claim they have “done nothing” but in-fact they have given their fans/ followers a mechanism ( the information) and message ( by publishing the private data) to go and attack you, threaten you or intimidate you.”

 
(Silencing) Doxxing can have the effect of silencing its victims. We advised a number of individuals who had options to pursue legal claims against Third Party Actors. However, many decided not to do so, let alone draw attention in the media to their experiences, because attracting publicity put them at greater risk.

We observed that following the February Doxxing, the doxxing victims were recast by the Doxxers (and others) as the true offenders. This strategy is known as DARVO: deny, attack, and reverse victim & offender. Individuals who pursued legal action also risked giving further life to the Disclosed Fact (i.e. their ethnic or religious affiliations) and the Doxxer’s Characterisation (i.e. that they are genocidal or racist). In other words, taking action compounded the harm they already suffered.

Case Study
Family G owns a business. Online content creator XYZ disclosed that Family G is Jewish and has family members who are Zionists. XYZ accused Family G of being complicit in genocide, racism and oppression. XYZ encouraged others to boycott the business of Family G.

Family G was inundated with customer correspondence in relation to these allegations. The sales of its business were noticeably affected. The allegations by XYZ were defamatory of Family G. However, were Family G to commence proceedings against XYZ, it would have spread XYZ’s defamatory allegations to a wider audience. It would also have lent credibility to XYZ’s defamatory allegations that Family G are oppressors.

Family G decided against any action. 

(Public harm) Where doxxing involves protected attributes such as race or religion, it often creates a broader risk of harm to the public. The harm of the February Doxxing extended beyond those individuals named. The February Doxxing insulted and offended Jewish people across Australia. As a result, many felt that they may also be targeted because they are Jewish.

4. Existing measures are inadequate
(Summary) In this section, we set out our view that the existing measures are inadequate, do not provide effective or appropriate redress for victims of doxxing, and that as a result, there is no effective deterrent.

(Current law) There are a number of existing civil causes of action which, depending on the circumstances, may arise in the context of doxxing. As set out in the table below, each has its challenges and is an inappropriate solution for doxxing.

(Racial vilification) While racial vilification is not the focus of the Consultation, as we set out above, doxxing and racial vilification may go hand in hand. For completeness, we note that there are laws governing racial vilification at federal and state level, including s 18C of the Racial Discrimination Act 1975 (Cth), s 7 of the Racial and Religious Tolerance Act 2001 (Vic) and s 20C of the Anti-Discrimination Act 1977 (NSW)) (among others). In this submission we do not provide our recommendations with respect to the legislative framework for racial vilification, but note that most instances of doxxing (on racial, religious or ethnic grounds) are unlikely to contravene existing laws.

(Criminal offences) As to the criminal law:

1. (carriage service to harass) under section 474.17 of the Criminal Code Act 1995, it is an offence to use a carriage service in a way that reasonable persons would regard as being menacing, harassing or offensive. On its face, this appears to be an appropriate way to deal with doxxing under the criminal law. However we are not aware of there being any charge or prosecution under this section in relation to the February Doxxing.
2. (intervention orders) in Victoria (with similar schemes existing in other States), the Court may grant a Personal Safety Intervention Order (IVO) – on the application of the Police or an affected person. An IVO may be ordered to prevent a respondent from harassing a protected person or causing another person to do so, where the harassment is likely to continue and a reasonable person in the position of the protected person would fear for their safety.

   Intervention orders may only be effective in limited cases of doxxing. An IVO will stop a named respondent from engaging in further doxxing or harassment, but nobody else. By way of example, the February Doxxing was coordinated by a group of Doxxers, and after the doxxed information was disclosed, a much wider group re-published the doxxed information online. After information is initially disseminated, an IVO would not assist victims with respect to republication or conduct by Third Party Actors.

3. (Incitement, hatred or violence) certain States (including Victoria and NSW) have introduced criminal offences in respect of the incitement of hatred or violence on the basis of a protected attribute. In Victoria, these are set out in Sections 24 and 25 of the Racial and Religious Tolerance Act 2001, and in NSW, under section 93Z of the Crimes Act 1900 (NSW). We are only aware of two successful criminal prosecutions under the Victorian legislation to date. The NSW offence is subject to an ongoing review.

 
5. The Privacy Tort
In our view, the Privacy Tort would improve the available legal options for individuals who have fallen victim to doxxing. There are, however, a number of limitations with the Privacy Tort which we explain below:

1. (Private information only) Assuming that the ALRC’s model is adopted, the Privacy Tort would only be available where a person in the position of the plaintiff would have had a reasonable expectation of privacy in respect of the information doxxed. However, doxxing attacks can occur with respect to information that is compiled or accessed from publicly accessible sources that would not be regarded as private information, and we expect may not be actionable under the Privacy Tort. One such example is set out in the hypothetical case study below:
    
   Hypothetical case study: A religious youth movement publishes its public annual reports on its website, with each report disclosing the members of its executive committee in that year. The reports are available for the preceding 20 years. A Doxxer compiles a spreadsheet containing the identity of each former committee member, hyperlinks to their Facebook, Instagram, and Linkedin profiles, their employer and employer’s contact information as sourced from their Linkedin profile, and their image as sourced from their publicly accessible social media accounts. All of this information is disclosed in a single spreadsheet, with a directive to ‘go after’ the listed individuals.

   The Privacy Tort is also not concerned with the Characterisation (i.e., that an individual is racist and genocidal) or its effects. The Privacy Tort would only relate to the Disclosed Fact (i.e., the person’s ethnic or religious affiliations), and whether or not disclosure of the Disclosed Fact is a breach of privacy.

   Recommendation: As we set out in Part 6 below, we recommend the introduction of a further cause of action, a tort of harassment.

2. (Representative bodies) When cases of doxxing involve vilification or protected attributes, the requirement for a doxxed person to litigate in their personal capacity is a barrier to the commencement of proceedings. As we set out above, many individuals who ABL advised ultimately decided not to pursue any legal action to avoid public scrutiny, reliving the trauma of their doxxing, and creating further risks to their safety and wellbeing.

   The Government should give close consideration to the regime that applies to the Racial Discrimination Act 1975 (Cth). For certain claims, an organisation may have standing to commence an action where its members are aggrieved by the impugned conduct. This may allow an appropriate organisation or representative body to bring claims in cases where the victims of doxxing are vulnerable or susceptible to further harm.

   Recommendation: We recommend that, for doxxing attacks in which the victims share common protected attributes (e.g. race, religion, sex, gender), there is a regime that permits representative bodies to commence proceedings with respect to the Privacy Tort.

3. (Exemplary damages) The ALRC recommended that any Privacy Tort should provide for exemplary damages as a remedy in exceptional circumstances, where the court considers that the other damages or remedies awarded would not provide a sufficient deterrent against similar conduct in the future. We adopt that recommendation. For the Privacy Tort to operate as an effective deterrent, it may be necessary to incorporate a provision for exemplary damages.
    
   Recommendation: The Privacy Tort should provide for exemplary damages.

 
(Countervailing public interests)

1. We agree with the ALRC’s recommendation that for the Privacy Tort to be actionable, the court must be satisfied that the public interest in protecting the litigant’s privacy outweighs any countervailing public interest, and that the legislation should list certain examples of public interest that a court may consider.
2. We also agree with the ALRC’s view that there should not be a broad-brushed exemption for journalists and media organisations from liability under the Privacy Tort. That would wrongly direct the focus of the Privacy Tort to the status of the publisher, rather than the disseminated material. It would also wrongly assume that each publication by a journalist or media organisation pursues a legitimate aim in the public interest, and that the benefits of publication are always proportionate to the harm done by the interference with the plaintiff’s right to privacy.
3. In 2020, The Age unmasked the ringleaders of the Nationalist Socialist Network which as Australia’s largest neo-Nazi group is committed to a violent uprising, including discussions in secret meetings and encrypted chatrooms. This form of investigative journalism should be permitted because the subject matter of the publication is in the public interest, not because of the identity of the publisher.
    

 
6. Suggestions for other options (legislative and non-legislative) to respond to doxxing

While we support the introduction of the Privacy Tort, we consider that further measures are required to address doxxing.

(Take downs) We recommend that the eSafety Commissioner should have power to issue ‘take-down orders’ with respect to content disclosing private information or sensitive information (as that term is defined under the Privacy Act 1988 (Cth)). When doxxing occurs, the harm proliferates rapidly across multiple social media channels. ‘Take-down orders’ (whether permanent or for a fixed period of time) may be an effective tool that permits a victim of the doxxing to cauterize the harm quickly and inexpensively.

(Enforcement) Many examples of doxxing, including the February Doxxing, appear to contravene section 474.17 of the Criminal Code. While the Government should review whether the current legal framework is fit for purpose, the police must also enforce the applicable laws already in force, especially to deter any future contraventions of the criminal law.

(Supplementary action – tort of harassment) As we set out above, doxxing does not necessarily involve the disclosure of private information. It can also involve the collation and redistribution of publicly accessible information.

As we set out above, doxxing does not necessarily involve the disclosure of private information. It can also involve the collation and redistribution of publicly accessible information.

We endorse the design recommendations for a tort of harassment at Part 15 of ALRC Report 123, noting however that in our view, a tort of harassment should be legislated alongside the Privacy Tort to supplement it. The United Kingdom has introduced a similar action in the Protection from Harassment Act 1997 (UK) under which civil remedies are available.

Annexure 1

• Recommendation 1
  For doxxing attacks in which the victims share common protected attributes (e.g. race, religion, sex, gender), there should be a regime that permits representative bodies or organisations to commence proceedings with respect to the Privacy Tort.
• Recommendation 2
  The Privacy Tort should provide for exemplary damages.
• Recommendation 3
  The Privacy Tort should excuse an individual from liability if it is in the public interest to intentionally expose an individual’s identity, private information or personal details without their consent, and the public interest in exposure outweighs the individual’s interest in privacy.
• Recommendation 4
  Many examples of doxxing, including with respect to the February Doxxing, appear to contravene section 474.17 of the Criminal Code. Police must enforce applicable laws already in force.
• Recommendation 5
  The eSafety Commissioner should have the power to issue ‘take-down orders’ (whether permanent or for a fixed period of time) to effectively and inexpensively limit harm to victims of doxxing.
• Recommendation 6
  A tort of harassment should be introduced to protect individuals where the doxxing does not relate to private information, and may not be actionable under the Privacy Tort.

Annexure 2

• Question A. Do your views officially represent those of an organisation?
  This submission is jointly submitted by ABL and ZFA.
• Question B. Which of the following best describes your engagement/experience with doxxing?
  See above in Part 1.
• Question C. When did you first learn about the practice of doxxing?
  ABL has been advising clients with respect to doxxing and related matters for many years.
• Question D. How important is addressing doxxing to you?
  Very important.
• Question E. How important is the strengthening of privacy protections to you?
  Very important.

– Ends –

The ZFA has appeared in numerous media articles about the doxxing issue, including:

• “Surging anti-Semitism sparks calls for new anti-doxxing penalties”, The Australian, 2 April 2024
• “Jewish creatives tell Israel haters: ‘see you in court’”, The Australian, 30 March 2024
• “Doxxing inquiry”, Australian Jewish News, 18 March 2024
• “Melbourne-based actor joins calls to ban doxxing after pro-Palestine activists target Jewish artists”, Herald Sun, 12 February 2024
• “‘This isn’t advocacy’: Social posts on distant conflict tear at close community”, Sydney Morning Herald, 10 February 2024
• “Vic employees on Jewish hit list urged not to bow down to ‘hateful extremists’”, Herald Sun, 9 February 2024