Today I want to talk about online privacy concerns. When it comes to online privacy, I tend to take a slightly different road than many of my cybersecurity colleagues. Many in my industry tend to preach that you should never ever under any circumstances share anything personal online. I understand where they are coming from and respect their perspective; however, I do things a little differently.
Just like in real life (IRL), privacy is not a one size fits all. Some like to live out in the country with not another soul for miles. Others want to live in large cities where you can’t even turn around without hitting another person. Some like to dress very conservatively and show as little skin as possible, always keep their curtain drawn, etc. Others like to test the boundaries of public decencies laws both in the ways they dress as well as their choice in curtains and stuff. To me, I say to each their own.
Similarly, online privacy isn’t one-size-fits-all, so instead of being prescriptive, I like to talk about risks and dangers and then let people make their own decisions.
The most significant danger about oversharing online is it significantly increases your risk of becoming a victim of identity theft. It also gives scammers material they can use to come across as if they know you when trying to scam you. Additionally, if you are sharing a lot about your daily schedule to a point where everyone knows exactly where you are going to be, how long, etc., that could lead to physical attacks against you.
One way to mitigate these risks is never to share anything online. This does not work for me as I’m an open person and over-sharer. I like who I am, and I do not let the world change me. So instead, I take other precautions. For example, I subscribe to an identity monitoring service to monitor if someone uses my information to impact my identity. I know what information about me is available online, and I am skeptical about anyone trying to use that information to get close to me. I avoid sharing any deeply personal info such as names of friends or family, my SSN, phone number, address, etc. When I’m sharing things about me, I obfuscate location details and names of other participants. This is both for my security as well to protect other people’s privacy.
One key aspect that I think all cybersecurity professionals agree on is that it is each person’s right to control their privacy, what is disclosed to who, etc. Consent is the key here. Never take pictures of people without their consent and never name them in anything without their consent.
One thing that is often overlooked when it comes to security is that there are very few things online that are actually private. Basically, there are two ways to ensure something is private. First is never put it online in any form, don’t put in cloud storage, don’t talk about in chat applications, and, most of all, don’t put on social media. The second method to ensure privacy is to encrypt it. In my book, and in this blog, I give a layman’s explanation of what encryption is and how it works. It is worth mentioning that an encrypted connection does not mean the content is encrypted. Again check out my book for more details on that distinction.
Anything that is in electronic form and not encrypted in a way that ensures that you are the only one able to read it, can be compromised and made public. Now, as with everything else, there are varying levels of risk, and various levels of “does it really matter.” This again depends on your threat model. For example, anything in Gmail or Goggle Drive can probably be read by someone with access to those platforms from within Google. The same goes for Outlook Online and Onedrive from Microsoft.
Now just because they can does not mean they do or that they will. Assuming they can’t does seem rather foolish. If your threat model requires absolute assurances that not even the platform owner can read your email, you need to use ProtonMail, a mail provider in Switzerland that fully encrypts all emails so that you need a password only you have to decrypt it. Before you sign up with then, please read my book errata blog entry on issues that caused me to stop using them. They are working on a fully encrypted cloud storage offering scheduled for public release later in 2020.
Most, if not all, social platforms have a feature they call either private messaging (PM) or direct messaging (DM). I feel the term direct messaging more honest because that feature allows for direct messaging between two people, but they are not private in the strictest sense of the word. Anyone with access to the backend for those platforms can read those DMs. For truly private conversation you need a dedicated chat application guaranteeing end to end encryption, such as Signal or Viber.
Just remember that just because something isn’t blatantly public doesn’t mean it is private. On the topic of social media, I want to remind the reader about the old adage, “there is no such thing as free lunch.” What I mean by that is that any application or service for which you don’t pay for with money, you pay for with your privacy. When you look at companies like Twitter or Facebook that have a large staff and are reasonably profitable, where does that money come from? The answer is that they get paid large sums of money to target advertisements specifically to those who are more likely to purchase. This is done by analyzing what you post, what you share, what you like, and possibly even your DMs, and coming up with a formula describing your likes and dislikes. In other cases, companies are selling all the data they have on you so other companies can aggregate it and creating your marketing profile. In summary, no such thing as a free app. You either pay with money or your privacy.
One final thought to leave you with is the idea that anything you post on social media, blog, etc., never goes away even if you delete it. You never know who might have saved it before you removed it. If that is difficult to grasp you should check out the way back machine at https://archive.org/