Imagine you have decided to run for office, to speak out publicly against an injustice, to enter the job market, or even to join a new online forum. Now, imagine after starting your chosen endeavor, you go online to discover that someone who disagrees with your position posted your personal information on the internet and called for others to harass you. To make matters worse, you realize that you cannot determine who posted your personal data. You have been doxed. Because you cannot identify the person who posted your information, where can you turn for recourse? The next logical party is the website where your personal information was posted. Unfortunately, under current laws online intermediaries are typically immunized from liability in these situations. This Note argues that this lack of legal recourse is no longer acceptable in the internet-dominated modern world.
Despite growing awareness of doxing’s pernicious consequences, existing laws do not adequately address either the underlying behavior or its consequences. Some signs of progress, however, are emerging. Proposed legislation in the U.S. House of Representatives — the Online Safety Modernization Act of 2017 (Online Safety Act) — would provide for federal criminal and civil liability for doxing. This bill is a step forward, but it does not address the lack of legal recourse for a victim if the person posting the information cannot be identified. This Note aims to explain why it is appropriate, and necessary, to hold online intermediaries secondarily liable when the doxer cannot be identified.