US Doxxing Laws: What Protection Actually Exists and Where Legal Remedies Fall Short

Is doxxing illegal in the US?

There is no federal law that explicitly criminalises doxxing. At the federal level, doxxing cases are prosecuted under existing harassment and stalking statutes — the Interstate Communications Act, the Computer Fraud and Abuse Act, or cyberstalking provisions — depending on the specific conduct involved.

At the state level, the picture is more developed but still fragmented. According to the Council of State Governments, as of mid-2025 three states — Alabama, California, and Illinois — have established doxxing as a standalone crime with an explicit statutory definition. A further fourteen states have enacted laws that criminalise the conduct doxxing describes without using the term itself, covering the publication of personal information online with intent to harass or harm.

Illinois’s Civil Liability for Doxxing Act (Public Act 103-0439, effective January 2024) is one of the most comprehensive state-level protections, allowing victims to pursue civil action for economic injury, emotional distress, fear of bodily harm, and substantial life disruption. Alabama’s HB 287 (2023) created a standalone doxxing criminal offence. Washington State’s statute specifically protects criminal justice personnel. Oregon’s law covers the publication of personal identifying information with knowledge that the subject may be stalked, harassed, or injured.

A few key states and what their laws actually cover:

California — addresses doxxing under harassment and cyberstalking statutes. Despite common misconceptions, California does not have a standalone removal mandate requiring platforms to act within a specific timeframe. Doxxing cases in California are typically prosecuted under Penal Code 653.2 (electronic cyber harassment).

Illinois — Civil Liability for Doxxing Act allows civil suits for damages including economic injury, emotional distress, and life disruption. Criminal penalties apply under separate cyberstalking provisions.

Texas — Penal Code 42.07 classifies doxxing as criminal harassment when personal information is published with intent to cause fear or bodily harm. Penalties escalate when the victim is a public servant or law enforcement officer.

New York — doxxing is prosecuted under aggravated harassment statutes (Penal Law 240.30), though the term doxxing does not appear in statute. Cases require evidence of intent to harass, annoy, threaten, or alarm.

There is no federal law that explicitly criminalises doxxing in the US. Congress has introduced proposals — including legislation specifically targeting the doxxing of federal law enforcement officers — but none have passed into law as of 2025.

The legal reality for most victims is this: intent is hard to prove, cross-jurisdictional cases are difficult to prosecute, and the enforcement timeline rarely matches the damage timeline. By the time legal action produces results, the information has already spread.

What Google can and cannot do

Google’s personal information removal policy allows individuals to request the removal of doxxing content from search results — specifically content that combines personal information with explicit or implicit threats, or that aggregates a significant amount of personal data without a legitimate purpose. Eligible information includes home addresses, phone numbers, personal email addresses, government ID numbers, and financial credentials.

Google also offers a “Results About You” tool that allows individuals to monitor what personal contact information appears in Search results and request removal directly from the tool. This is more accessible than the formal removal request form and is worth setting up for any executive whose name is regularly searched.

The formal removal process requires submitting each URL individually, providing evidence of harmful intent or aggregation, and waiting for Google’s review. Google evaluates requests against public interest criteria — if the content is deemed newsworthy or professionally relevant, it may not be removed even if it contains personal information. A sitting executive’s home address published alongside their professional biography, for example, may be treated differently than the same address published on a harassment forum.

Critically, Google can only remove links from its search index. It has no authority over the hosting websites themselves. Content removed from Google Search remains accessible via direct links, other search engines, and dark web forums. For executives and high-profile individuals, this distinction matters significantly: removal from Google is one step in a longer remediation process, not a solution.

For most individuals, doxxing is a personal safety and privacy issue. For executives, senior government officials, and high-profile individuals, the risk profile is substantially more complex. A home address published online creates a physical security threat. Internal communications leaked on a forum represent a reputational and competitive intelligence risk. Credential exposure enables network compromise.

The gap that doxxing laws and Google’s removal tools cannot bridge is time. Legal processes operate on weeks-to-months timelines. Doxxing campaigns typically spread in hours. By the time a removal request is processed or a court issues an injunction, the information has been shared, screenshotted, mirrored, and republished across dozens of platforms that legal remedies cannot reach simultaneously.

The Foundation for Individual Rights and Expression has noted that many anti-doxxing laws face First Amendment challenges, particularly when the published information was already publicly available — public records, voter registration data, professional directories. Courts have consistently held that aggregating publicly available information does not automatically constitute a crime, which leaves a significant grey area that attackers exploit deliberately.

For security teams, this means legal remedies work best as a secondary response — useful for escalation, documentation, and takedown in clear-cut cases — not as a primary defence strategy. As CybelAngel’s REACT team observes: the gap between when a doxxing campaign begins and when a legal remedy takes effect is typically measured in weeks. The gap between when a campaign begins and when damage occurs is typically measured in hours.

Two incidents from 2025 and 2026 illustrate exactly why the enforcement timeline problem matters for executive security teams.

In May 2025, two websites, luigiwasright.com and its clone theceodatabase.com, published the full names, business emails, mobile phone numbers, compensation details, and LinkedIn profiles of hundreds of Fortune 500 executives. The sites were live for less than 24 hours before being taken down. But the data was archived, mirrored, and remains indexed. Security teams that detected the exposure within hours were able to begin removal requests while the window was still open. Teams that discovered it later are still managing the indexed copies. No state doxxing law could have acted within that window. Google’s removal process begins after submission — by which point the damage was already done.

In March 2026, the Handala Hack Team, a group US prosecutors have formally linked to Iran’s Ministry of Intelligence and Security, announced it had breached FBI Director Kash Patel’s personal Gmail account. More than 300 emails, personal photos, travel records, and his resume were published online within hours. The FBI confirmed the breach. Critically, this was not a sophisticated zero-day attack on government infrastructure. It was a personal email account, compromised through the kinds of credential and personal data exposures that occur routinely across the open, deep, and dark web.


Both cases share the same core failure: the information was accessible before anyone was monitoring for it. In the CEO database case, the attack vector was aggregated public and semi-public data. In the Patel case, it was a personal email account with exposed credentials. Neither is addressed by state doxxing statutes. Both are addressed by proactive external monitoring.

So what does proactive protection look like in practice?

The most effective protection against doxxing for executives operates on a different timeline than legal remedies. It starts before the incident, not after.

Digital footprint reduction removes the raw material doxxers use. Data broker sites — Spokeo, WhitePages, BeenVerified, and dozens of others — aggregate home addresses, phone numbers, family member names, and previous addresses from public records and resell them legally. This is where most doxxing campaigns source their initial targeting data. Requesting removal from these sites before an incident, and repeating that process regularly since many relist information automatically, reduces the available attack surface significantly. A quarterly audit of what Google surfaces for each executive’s name is the minimum baseline.

Dark web and forum monitoring detects early-stage targeting. Doxxing campaigns typically begin in closed communities — private Telegram channels, Discord servers, fringe forums, and encrypted messaging platforms — before spreading to mainstream sites. A mention in a closed forum is usually a 48–72 hour warning before public posting. Monitoring these channels for executive names, email addresses, home locations, and family member names provides an intervention window that legal remedies do not. The window is narrow but it exists.

Credential monitoring addresses a related and frequently overlooked vector. Exposed credentials — from data breaches, phishing campaigns, or infostealer malware — are regularly used alongside doxxing attacks to amplify impact. The Patel breach demonstrated exactly this: personal email credentials, not government systems, were the entry point. Monitoring underground markets and breach repositories for executive email addresses gives security teams the ability to force credential resets before those accounts are weaponised as part of a broader targeting campaign.
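The credential-monitoring check described above, sketched as an added example (not CybelAngel's code or any product's API): it matches a watchlist of executive mailboxes, corporate and personal, against leaked records and decides who has to act on each hit. All names, addresses, sources, and action labels are hypothetical and constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date
# Providers whose mailboxes ignore dots and "+tag" suffixes in the local part.
GMAIL_DOMAINS = {"gmail.com", "googlemail.com"}

def canonical(email: str) -> str:
    """Reduce an address to the mailbox it actually delivers to."""
    local, _, domain = email.strip().lower().rpartition("@")
    if domain in GMAIL_DOMAINS:
        local = local.split("+", 1)[0].replace(".", "")
        domain = "gmail.com"
    return f"{local}@{domain}"

@dataclass(frozen=True)
class Exposure:
    email: str    # address as it appears in the leaked record
    source: str   # breach or stealer-log label
    seen: date    # date the record was first observed

def reset_queue(watchlist, exposures, corporate_domain):
    """Return one entry per exposed watchlisted mailbox, newest exposure first."""
    owners = {canonical(a): who for who, addrs in watchlist.items() for a in addrs}
    latest = {}
    for exp in exposures:
        key = canonical(exp.email)
        if key in owners and (key not in latest or exp.seen > latest[key].seen):
            latest[key] = exp
    queue = []
    for key, exp in sorted(latest.items(), key=lambda kv: kv[1].seen, reverse=True):
        managed = key.endswith("@" + corporate_domain)
        queue.append({
            "owner": owners[key],
            "mailbox": key,
            "source": exp.source,
            "seen": exp.seen.isoformat(),
            # Corporate accounts can be reset centrally; personal ones need the owner to act.
            "action": "force_reset_via_idp" if managed else "contact_executive",
        })
    return queue

# Constructed sample data: not real people, breaches, or addresses.
WATCHLIST = {"cfo": ["j.doe@example-corp.test", "jane.doe@gmail.com"],
             "ceo": ["a.smith@example-corp.test"]}
EXPOSURES = [
    Exposure("JaneDoe+shopping@googlemail.com", "constructed-stealer-log", date(2025, 5, 2)),
    Exposure("j.doe@example-corp.test", "constructed-breach-A", date(2024, 11, 9)),
    Exposure("jane.doe@gmail.com", "constructed-breach-B", date(2023, 1, 15)),
    Exposure("someone.else@example.org", "constructed-breach-A", date(2024, 11, 9)),
]
print(*reset_queue(WATCHLIST, EXPOSURES, "example-corp.test"), sep="\n")
```

The personal Gmail address is matched even though the leaked record uses a different spelling of it, and it is routed to the executive rather than the identity provider because the security team cannot reset an account it does not manage.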

Data broker and people-search removal is often treated as a one-time exercise. It is not. Many broker sites automatically repopulate from public records within weeks of a removal request. Ongoing removal — particularly for the highest-risk executives — requires a continuous programme rather than a periodic audit.

The underlying principle across all four of these controls is the same: US doxxing laws respond to harm that has already occurred. Proactive monitoring reduces the probability of that harm occurring in the first place.

How CybelAngel’s Brand Protection detects executive doxxing early

CybelAngel’s Brand Protection module monitors for the early circulation of executive personal information across social media, paste sites, dark web channels, and the closed forums where doxxing campaigns typically originate.

This is the detection gap that state doxxing laws and Google’s removal tools cannot fill. Legal remedies respond to content that is already public. Brand Protection monitors for content before it becomes public — giving security teams the intervention window that the luigiwasright.com incident showed is measured in hours, not days.


Frequently asked questions

There is no federal anti-doxxing law. Three states — Alabama, California, and Illinois — have standalone doxxing statutes. Fourteen more states criminalise the conduct without using the specific term. Most other states prosecute doxxing under harassment, cyberstalking, or privacy statutes. Proving criminal intent remains the main enforcement barrier.

Google can remove links to content from its search results if the content combines personal information with explicit or implicit threats, or aggregates personal data without a legitimate purpose. Google cannot remove content from the hosting website itself, and will not remove content it deems to be in the public interest or newsworthy.

Google reviews removal requests individually. The process involves submitting each URL, providing evidence of harmful intent or significant aggregation, and waiting for evaluation. There is no guaranteed timeline — and content remains accessible via direct URL and other search engines during that period.

Most statutes require proof of malicious intent, which is difficult to establish in court. Cross-jurisdictional cases, where the perpetrator and victim are in different states or countries, complicate prosecution further. Courts have also found that aggregating publicly available information does not automatically meet the legal threshold for doxxing, leaving a gap that attackers exploit.

Proactive monitoring of dark web channels, data broker removal, and credential exposure tracking are more effective than legal remedies for prevention. Legal processes operate on weeks-to-months timelines; doxxing campaigns spread in hours. The goal is detection before publication, not remediation after.

Illinois has the most comprehensive framework — its Civil Liability for Doxxing Act (effective 2024) allows civil suits for economic injury, emotional distress, and life disruption. Alabama and California have standalone criminal statutes. Texas and Washington provide enhanced protections for specific groups including public servants and law enforcement personnel. No state currently has a law that requires platforms to act within a set timeframe for removal of doxxing content.
