Oxford Student newspaper doxes Twitter account by possible criminal unauthorised use of a comptuer system

[QuietContraryMary]

Heads up.

www.oxfordstudent.com/2018/10/26/transphobic-tweets-linked-to-oxford-sociology-professor/

"The Twitter account, named Henry Wimbush and still online at the time of publication, has been tweeting statements such as “transphobia is a word created by fascists, and used by cowards, to manipulate morons” since first Tweeting in January.

"it was found that the account in question could be linked to a partial phone number and Yahoo! email using freely available data and by making use of Twitter’s various functions. The Yahoo! email itself is also linked to a phone number ending in the same numbers as those previously identified, while also revealing that it is connected to the" [partially redacted email]

How this hack works:

go to twitter.com/login

click 'forgotten your password'

type in your username, or a third party's username

you will get a message something like this:

We found the following information associated with your account.
Text a code to my phone ending in 12.
Email a link to ab*********@a.**

Note that:

• the last digits of the phone number can be used to tie your account to any phone number, since there are obviously 100 different combinations, so if it matches a phone number known by the doxer, it essentially identifies you
• I'm not clear exactly how much information is given on email addresses in every case, but at a minimum you get the first two letters of the username (before the @), the first two letters of the domain name (the bit after the @), and the exact length of both parts of the address.

So for example, if you signed up, anonymously, to Twitter using the email address justine*@mumsnet.com, then it would show to any attacker ju******@mu.** if they tried to recover it in order to dox the owner.

The use of this feature in order to dox people most likely constitutes an offence under the Computer Misuse Act s1 as the use of this feature to dox people is clearly not authorised by Twitter, and I would encourage those affected to report the people involved to the police.

Hence I am not repeating the criminally obtained dox of the person, and I would encourage people NOT the repeat the name in this thread.

Note that this doxing follows quite soon from Aimee Challenor boasting of outing Miranda Yardley's Twitter account using the same means.

Whether there are more serious offences committed is hard to say, as the doxing itself is obviously a preparatory act to having people fired, harassed, threatened, family & children harassed, and so on, but the doing so is not necessarily planned by the original doxer so it would be hard to prove a more serious offence.

I would advise those who are on Twitter and are not using their real name to create a gmail/yahoo/other anonymous webmail account, matching the twitter username (so if you are @ARealRadFem on Twitter, make a yahoo mail account [email protected]). In terms of the phone verification that's a little trickier as the 1/100 last two digits is VERY outing if they have a suspicion who you are, but otherwise completely useless. I have had some luck in the past with adding an extra digit (so if you are 07812 456789, you can add an extra digit on like this 07812 4567890, and verification phone calls still work), but YMMV on that.

just to clarify, I did not add those *'s in the first version of justine's email address (if it is her email address, I don't actually know), I presume that's some sort of anti-spam feature. The point is the length of the email shown for recovery will be the same length as your real email.

The Tweeter did give away clues:

"Another tweet states that the person behind the account has gone from “teenage shitlord to Oxford professor” [sic]. While this could refer to Oxford Brookes, the account references an update to their employer’s trans policies in a Tweet in February 2018. Oxford University last updated its transgender guidelines in March 2018, while Brookes’ was in May 2017, suggesting that the person behind the account was an Oxford University staff member."

So essentially the Tweeter having outed himself as an Oxford don, was narrowed down to one of hundreds of people, and they outed him by illegally accessing the 'recover password' function.

Exactly who did the illegal access is not clear, however they give a couple of suspects:

"In addition, both the Oxford LGBTQ+ Society and Dr Clara Barker, a trans woman and vice-chair of the Oxford University LGBTQ+ Advisory Board, have confirmed to The Oxford Student that they have passed on complaints to the University in June. The account’s last activity was on July 1st. "

I.e. Barker knew the identity of @mrhenrywimbush and submitted a complaint, hence the account stopping Tweeting on July 1.

Again:

• TRAs want you silenced
• TRAs want you to lose your job
• TRAs want you arrested by the police

Hence anything in a public name, including FB likes ARE being monitored by TRAs, and they will use them against you. The Lewisham Momentum group investigated each like and comment on their comments on Lily Madigan to check if they were Labour party members.

They are absolutely batshit insane, so please be careful.

(Now if you are publicly 'out', that's great, no problem, but if not, be very careful....)

Hi so er, your interpretation of the Computer Misuse Act s1 is totally off. and this would absolutely not meet the criteria. Moreover there is just no way that a court would prosecute journalists, even student journalists, under the act for doing this. It isn't what the act is meant to protect, and just doesn't fit.

They were not unauthorised to access that information, anyone is able to access that information and twitter (and users when they sign user agreements which go into lots of detail that information like this will be publicly accessible so that twitters arse is protected) is fully aware of it. Its why lots of the information is astricted out. Its why you only get a snipet of it, because they are aware that people who aren't the real user will use that.

It is not unauthorised used of the service. You don't have a clue if you think this is going to be used against a student paper.

Hi OrangeStudent, welcome to Mumsnet. I don't think the student journalists did the doxing by themselves. It looks like Clara Barker or chum did it. So I agree that the journos are likely safe here.

The fact that Twitter don't promise to keep your information safe is neither here nor there in terms of whether it's lawful to use a password recovery function to obtain personally identifying data about an individual.

More importantly, the whole point of free speech and living in a free society is that people (especially the press lol) get to criticise you for your views. The idea that it is wrong for an Oxford student newspaper to criticise a university professor for his conduct and views is absurd, and lets be clear a big part of it is not the views by itself but his conduct and language.

He has gone beyond just being a bog standard gender critical and trans exclusionary (people were already aware of that because he has signed open letters to that affect), it is about some of the conduct and language he has used.

If you are unwilling to have your views scrutinised, and the social and academic consequences of your speech, then you both don't understand what it means to live in a free society and clearly don't hold the courage of your convictions strong enough to stand by your views.

Nobody is silencing him, nobody i silencing you. They are just making everyone aware of what he really thinks.

QuietContraryMary Regardless of who did it, it isn't against the law. The information that you get from that function is not unauthorised access to that information. You fundamentally misunderstand the act, its purposes and how its implemented.

Did Aimee challoner get prosecuted for that? That is a very serious offence.

Noqont No, because thats not illegal. It is just simply not how the CMA is even remotely interpreted.

Aimee Challenor boasted about using the same technique to dox people on Twitter.

Well aren't you the patronising little student journo.

It is NOT the intention of a password reset function to be used to dox an anonymous Twitter user. This is absolutely within the meaning of unauthorised access.

QuietContraryMary I'm not a journalist. But I am very very aware and have stuidied the CMA and other data protection and computer related legislation. The CMA would never be applied to this case. You may belive that it should but it just won't, its not within the scope of what is unauthorised access.

Ok well if you're going to continue to assert that without any kind of supporting reference we'll just have to believe you I suppose.

Burner phones

Charliethefeminist If you are needing to use burner phones to protect your identity from the things you are saying, perhaps you need to reevaluate your views and conduct on twitter.

QuietContraryMary As apposed to your highly referenced assertion that the Computer Misuse Act is used to prosecute journalists finding out a handful of letters from emails using a publicly and openly accessible function on twitters website, which if you read user agreements clear set out that the information will be made available. k

Michael Biggs. Associate Professor in Sociology and Fellow of St Cross College wrote the following article after Woman's Place UK meeting in Oxford:

users.ox.ac.uk/~sfos0060/FreeSpeechOxford.pdf

'Free speech at Oxford: Do women have the right to meet to discuss legislation?'
(extract)
"A meeting was held on 25 April 2018 to discuss proposed changes to the law on gender recognition. The proposed legislation will eliminate sex-segregated spaces and activities, from women’s refuges to competitive sports. In a democracy, people have the right to meet to discuss—and indeed oppose—legislative changes. This should be incontrovertible. I am appalled that a small number of students at Oxford used extreme measures to stop this meeting from being held.... "

(concludes)
"I have entered this debate not because I am a feminist but because freedom of speech is one of the highest values of a democratic society, and the basic foundation of university life.
Transgender activism poses a grave threat to freedom of speech. I think of the young MPhil student who had to disguise herself to attend this meeting because she feared the reaction of fellow students. This is the generation that we have educated."

thread:
www.mumsnet.com/Talk/womens_rights/3257819-Michael-Biggs-Sociology-Dept-Oxford-Free-speech-at-Oxford-Do-women-have-the-right-to-meet-to-discuss-legislation

It was a total own goal anyway
The reporter basically published an article which says ‘this prof speaks truth, this dr is trying to dob him in and get prof fired’.
I rather hope that Oxbridge is above curtailing academic freedoms and enforcing the adoption of false belief.
Otherwise, their reputation is about to plummet

Mamaryllis Knowing some oxford students I doubt he will be able to last long, Oxford students are very inclusive and won't put up with this guys bullshit. And their reputation won't plummet except amounts people who don't really matter.

so if you are@ARealRadFemon Twitter, make a yahoo mail account [email protected]

Another suggestion. Don't use the exact same for your email as they'll certainly try to crack that too.
Only the beginning and end are visible. I suggest something like:
[email protected] with numbers you'd remember in the middle. Makes it much harder to guess.
And an EE payg SIM only costs £1.

As to anyone thinking this is paranoid, as indicated above there are people out there trying to expose, dox and get people fired for their views on gender or politics.

Sorry I retract this comment:

"So essentially the Tweeter having outed himself as an Oxford don, was narrowed down to one of hundreds of people, and they outed him by illegally accessing the 'recover password' function.

That was the Oxford Student being disingenuous

I found the comment in question

twitter.com/Morvern_C_/status/997511639099375616

and it looks like someone had attempted to out him, hence his very plainly sarcastic comment. That someone is most likely Kilgore Sprout, who is crowing currently, but has had a number of previous accounts, so the comment that triggered that isn't necessarily still online.

I don't believe this person is stupid, and I don't think there is in fact anything from his public tweets to out him, it looks like the outing came solely from the 'recovery password' function, which in the case of Oxford Uni addresses is VERY outing.

StarsAndWater Free speech includes the social consequences for your actions, individuals are entitled to argue against you and society is entitled to give you consequences for your actions. You aren't entitled to keep your job as an Oxford Professor if you hold views which are fundamentally contrary and incompatable with the values of the University.

Founder of TransOxford issued the following statement after the WPUK meeting referred to above:

twitter.com/i/moments/990001689422979077

"l‘m not condemning the meeting of WomansPlaceUK but the shameful campaign of bullying and intimidation organised by the students and transactivists outside of the QuakerHouse.
I’ve studied in Oxford, once a capital of freethought and freespeech, known for its fair debates with respect to the opinions of one’s opponents and refreshingly skilful and witty arguments challenging their views.

Bullying, although surfacing occasionally, was never welcome, especially, in the LGBT circles having too many victims of it knowing only too well how much it hurts. But last night the tables have turned - and the bullied became the bullies

I founded TransOxford in 2015 to promote the greater unity and more extensive communications between the separate transgender groups some of which had no idea of the others existing in the same city.

It eventually became a connecting hub between the trans groups in London Brighton, Reading, Swindon, Bristol, Bath.

I was promoting unity and understanding between these groups and the society around them, acceptance and equality and, most importantly, social integration of trans people with the rest of the world.

After all, we all are humans and have more things which unite us than divide us. I stepped down after a while having my doubts about the direction transgender movement was taking and being too busy with my motherhood duties.

Being a woman, i’m a feminist. In the eyes of some radical feminists, I may be a ‘delusional male’ which doesn’t bother me. I look like a woman, live as a woman, accepted by the world at large as a woman, and that’s enough for me, I need no further justification.

My friends include feminists who care for the real cause: women’s safety, health, equal opportunities, empowerment of women and recognition of their achievements.

In today’s Britain where misogyny isn’t a crime but transphobia is, we have too little time to discuss biology and chromosomes. We need to talk about the more important issues. And yes, we all need to talk...

But every time I suggest this to the trans activists, I hear the same arguments in reply: they won’t listen to us, there’s no room for debate, transrights aren’t debatable, they only invite cisgender people...

I believe that ‘cisgender’ and ‘terf’ are as much hurtful and derogatory terms as ‘trannies’. Let’s avoid that language!

I think WomansPlaceUK do invite everyone as long as they have something to contribute to the debate. I know a number of transsexuals who attended and spoke at their events (and were immediately branded as apostates by the transcommunity).

‘No debate’ is the only option? What are you going to do with so many women and transsexuals who support WomansplaceUK ? Eliminate them? Charge them with hatecrime after your lobbyists push through another piece of legislation?
Inviting anyone for an open debate is not a hatecrime. WomansPlaceUK has only five things on their agenda they want to discuss. Only five. Is that too much?

They want an open debate on how the new transrights might affect womensrights - what’s wrong with that? It is obvious that their rights will be affected in some way - so why not discuss their concerns in a civilised and evidence based way?" (continues)

thread:
www.mumsnet.com/Talk/womens_rights/3234661-Condemnation-of-the-shameful-campaign-of-bullying-intimidation-against-WPUK-meeting-by-founder-of-TransOxford

I'm sure he'll be fine. He only speaks the truth.

Amazing. I applaud your extremely high opinion of your own power, stude. When adolescents and those who are old enough to know better conflate a difference of belief system (with respect paid to one side by the side other, but not the reverse) to hatred and phobia, it demonstrates very clearly the failures inherent in the system.
With the ongoing adventures of Pluckrose et al, and the standing up to be counted of many academics who are tired of being accused of bigotry, I’m hopeful that we can settle into old school academia where ideas and beliefs can be robustly discussed and taken apart as they should be.
But it’s important that everyone has a voice and the authority to challenge orthodoxy. No?

I think our new visitor is right about the legalities of the situation.

Take the low-tech example of that old-fashioned tabloid journalism technique, dumpster diving.

If celebrity A fails to shred stuff before it goes in the bin, knowing that journos do this sort of thing, they're a fool.

If they employ a firm of commercial cleaners to (among other things) shred their documents before they go in the bin, and the firm fails to do this, and a journo digs them out, celebrity A should be suing the firm of cleaners for breach of contract, not the journo.

Ditto this situation - HenryWimbush's legal beef is with twitter, not the people who did the doxxing.

As for why one might keep details secret and seek anonymity, it could be to hide unsavoury views. Or it could be that even mainstream feminist views are being used as the basis to send rape and death threats and approach employers. Or it could be that you work in a job where you are allowed to be politically active so long as it is not tied back to your place of employment, so you choose to do your activism under a pseudonym (this will apply to most junior civil servants for e.g. - they can for example go on political demos, but not put posts on social media of the form "I, real-name, who works for Ministry Blah, thinks politician Bloggs is a complete waste of space and doesn't read any of the briefs we send him or understand them once they've been read.") Or it could be that you want to talk in general terms about something covered by an NDA (for instance, equal pay claims are routinely covered by NDAs, and someone who has successfully brought an equal pay claim might want to say, in an online discussion, when confronted with a sexist who says "the gender pay gap is a myth", "oh yeah, so how come I won an equal pay claim then?"). Or it might be because you want to discuss a very contentious issue (Brexit, Indie Ref, voting Republican) without losing loads of your friends over it. Lots of reasons for online anonymity, most of them not in the slightest bit sinister.