Privacy on IRC

Risk Assessment

Users engaged in copyright infringement, dissidents, activists, and whistleblowers are most at risk from breaches of privacy, although all users should exercise some degree of caution in protecting their identity.

Be aware, that in an age of sharing every conceivable detail of your life on Facebook, instant access to searchable public records, and search engines that compete constantly for the ability to accurately find the tiniest snippet of useful information about anything, seemingly innocuous information can be personally identifiable in the hands of someone who knows where to look.

Avoiding social networks may reduce your online footprint, but in practice, you have little control of what others may post about you, and little control over access to public records, both of which can be more than sufficient for a determined individual to identify you.


Derived from “documents” or “docs”, the term Doxing refers to compiling personal information on a subject, and publicly posting such information. Doxing may be motivated by a sense of justice or revenge, and is an especially powerful tactic against individuals involved in underground activities.

The goal of doxing someone is to start with the little bits of information you know, such as a forum handle, first name, and possibly a rough geographical location, and expand that through clever searches and deductive reasoning to reveal as much personal information as possible - the more sensitive the information, the better.

A typical doxing will reveal addresses and other contact information. Depending on the motivations and skill of the person dropping dox, a doxing may also include more sensitive information, such as social security numbers, bank account numbers, and even passwords.

Against a person deeply involved in underground activities, doxing can be an electronic death sentence - reputation tied to a formerly anonymous handle often has to be abandoned once it’s associated with a real name and address.

Doxing is primarily a tool of criminal hackers (crackers), hacktivists, and security specialists. Most users are at very low risk for doxing. Public figures, those in underground scenes, and those involved in highly controversial activities online and off are most likely to be doxed - the average IRC user will never attract such attention.

IP Addresses

IP addresses are an integral part of how users are identified on the IRC network, and on some networks, the only reasonably reliable form of identification. The address your connection to the IRC network originates from will be displayed to other users unless the server has been configured to do otherwise.

In most cases, having your IP address displayed in this way is of little or no consequence. IP addresses of cable, DSL, and dialup users are not easily connected to individual subscriber identities without the cooperation of the service provider. The most information someone will get in the typical scenario is a rough estimate of geographical location, which may be very coarse or fairly specific depending on how your provider chooses to allocate IP addresses.

While it is generally impossible to prevent the display of your IP address, proxying your connection through an intermediary server or routing it through a VPN will cause the address of the intermediary server or network to be the address displayed.

Identification by IP address is heavily relied upon to curb abuse, and most networks are extremely intolerant of any unsanctioned means of masking IP addresses, or of anyone providing connections which are deemed to be too “disposable” to support proper accountability, such as use of the Tor network (although, some networks may make exception for users once they have registered).


Cloaks are a server-side feature to mask user’s IP addresses. They may be implemented through network services, pr they may exist directly in the server configuration file (where they are more commonly called a “spoof”). .

Although similar in concept and operation, generally a “cloak” is administered through services, and applied based on registration and identification, while a “spoof” is administered directly through the server configuration, and automatically applied via the I:line or auth block in the server configuration.

Services-based cloaks may be widely available based on network policy, while spoofs granted in the server configuration primarily to shield IRC operators from DDoS attacks associated with controversial, confrontational, or unpopular acts that may be part of their duties.

With a cloak IRC operators on such networks will have access to the real IP address, but normal users will not, offering some measure of increased privacy. However, if cloaks are being issued via services, there is a brief time after connecting that the real host is visible, and your real host could stay visible if something goes wrong with the identification process or services are down.

Services-based cloaks may be widely available based on network policy, while spoofs granted in the server configuration primarily to shield IRC operators from DDoS attacks associated with controversial, confrontational, or unpopular acts that may be part of their duties.

On some networks, such as Freenode and OFTC, cloaks are given freely to established users. and will typically identify you by your preferred nickname.

On other networks, such as EFNet, spoofs are highly restricted - few people outside of IRC operators are given a spoof.


While Tor nodes are generally restricted from connecting to IRC, some networks do make a limited allowance for their users to connect via Tor.

Generally, where use of Tor is permitted, it will only be allowed for established users - users are expected to register for access via Tor, and the registration is expected to happen from the user’s own IP address. While this significantly reduces anonymity, it’s seen as necessary in order to curtail the abuse that an endless supply of disposable connections would otherwise enable. While network staff may ultimately be able to identify you, depending on how long records are kept, this still provides a stronger protection than a cloak would, as no ordinary failure of the process will expose your IP address publicly.

Other Proxies

Other anonymous proxies may be available, but tend to be rapidly banned from IRC networks due to persistent abuse.

Bouncers and Shells


VPN technology is best known for its use in connecting remote workers to a corporate LAN, but a number of services have sprung up for the purposes of anonymity, bypassing geographical restrictions on services, performance, and enhanced privacy.

These services

IPv6 tunnels

Address Leakage from DCC

DCC chat and file transfer attempt to establish a direct connection between two clients. As part of establishing such a connection, the clients send “handshake” messages which contain the IP address to complete the connection. There is no way for a viable connection to be established without this exchange, however, VPN and Shell setups can use the desired publicly visible address for the connection, rather than the address the user is trying to keep private.

Address Leakage from visiting a URL

A word about ban evasion

Unfortunately, many of the users that inquire about changing or hiding their IP address want to do so because they have been banned from a channel, server, or entire network. Attempting to evade responsibility for your own actions, or evade bans so that you can continue the same activities that got you banned in the first place almost always makes the situation worse.

Bans of any sort may be widened due to evasion - no matter how just or injust the original ban was, evading a ban is almost universally regarded as justification for a longer lasting, and broader ban. In addition, on many networks, IRC operators will intervene with server bans in certain cases of ban evasion, particularly when channels are in danger of filling up their ban lists.

Internet services which are deemed to be “throwaway”, including any public anonymizing services, are likely to be banned on sight - this include open proxies, free ISPs, and Tor connections, among others.

Frequently redialing a dialup connection, or releasing your DHCP address to get another IP to bypass a ban generally results in the ban being expanded to a mask which will cover all of the addresses you have used.