Privacy & Security 101: Social Media

This blog was originally posted November 16, 2019. With the recent controversies surrounding social media, I thought this might be worth revisiting. The post has been edited to reflect my most current opinions, views, and knowledge.

Limiting Social Media

Social media is a ubiquitous part of modern life. I am the last person here to decry the negative effects of it, though for the record there are some we should be aware of address outside of privacy and security. No, for an introvert and avowed hater-of-small-talk like myself, social media is a godsend. I hate calling or even texting someone to go “hey, I have no reason to be bugging you but what's new? Let's chat.” Instead I love the ability to peruse the timeline at my leisure and respond to whatever someone else felt was worth sharing, whether it's their latest meal, their child, or their trip to the brewery.

But we all know social media comes with wide-ranging risks, from cyber-stalking and cyber-bullying to full on identity theft. Many of us likely know someone who was or have been ourselves victims of someone pretending to be us on Facebook. This usually isn't a problem when you can just post “hey, that ain't me, don't give them money.” But what happens when you're a well-known, respected person and your social-media doppelganger is posting things you would never endorse in a million years? Well, it happens. And sometimes, it has nothing to do with you. Another common abuse of social media is to use the information one over-shares for “social engineering.” For example, I can check your Facebook page, see your banner picture is the Green Bay Packers, and if your website security question is “who is your favorite sports team?” I now have a pretty good guess. Or on a more complex level, I can assume that the Packers might be part of your password and I can use that for a dictionary or brute-force attack. And last but not least, let’s not forget how information you posted can come back to haunt you. Something dumb posted in high school can sour a potential employer doing some research on you, or messages sent can be used in court and taken out of context to make you look guilty. Yes, these things can and do happen, even if they sound crazy.

So am I here to tell you not to have social media? Well, sort of. Not to be “that guy” but the quality of my friendships has increased dramatically since I deleted Facebook. I find it much more meaningful when my friends personally invite me to hang out rather than send me a faceless, impersonal, mass event invite. We also put more intentionality into our talks, even our texts. It's more engaging than a casual like while lying in bed at night waiting to fall asleep. But having said that, even I have a personal Mastodon account I'm in no rush to delete.

At very least, I do encourage you to ditch traditional social medias like Facebook, Instagram, Twitter, TikTok, and Snapchat (and others) in favor of more privacy-respecting services like Mastodon, Friendica, Pleroma, PixelFed, and others. Traditional social media companies are terrifyingly abusive in both the ways and extents that they collect data about you and process it. But that's a post for another time. Instead, this post is about how to best-use your social media – be it Facebook or Mastodon – and how to be smart about it to enjoy the best aspects of it while avoiding some of the worst.

-Ditch mainstream. I know I already said that, but I assume some people are going to skim this post, and it bears repeating anyways. Seriously. Here's just one site full of good reasons why Facebook sucks, and there's plenty more where that came from from each major company.

-Think about your privacy settings. This one is pretty well-known these days so I'm not going to spend much time harping on it, but unless you're a public figure intentionally attempting to reach the masses, you may want to consider locking down your profile behind as much privacy as you can. Making your Twitter private may cost you some followers, but it will make you significantly safer and make your experience more enjoyable. While you’re at it, consider the parts of your profile that can’t be made private like your bio, header, and profile pic. Ultimately the goal is to expose as little information as possible.

-Think about what's really worth posting. Again, I'm not here to decry “the good old days” and make fun of people who post their lunch on Instagram all the time, but does it really make you happy? Does “vaguebooking” about your unhappiness really fix the problem? Does sharing that link (that you didn't even read or fact-check) actually change anyone's mind? Don't just impulsively dump things into your profile or feed. Take a few seconds to ask “do I really want to share this?”

-Think about what you're posting. Okay, so you've thought about it and you're REALLY feeling that selfie. Your hair has never looked so good. Great! But do you really need to angle the camera in such a way that the company logo is visible on your work shirt that you're wearing? Did you leave any mail or personally identifiable information in the background? Is everyone in the picture consenting to be in the picture? I don't care if my girlfriend posts a selfie to Facebook but I politely ask her to angle the camera in such a way that it leaves me out. Think about what information someone could potentially learn from that photo, such as where you live or work, and remember that people search websites are a tragically real thing. (I'll do a post about that someday too). Again though, it's not just you. When you post a picture of your child to Facebook, that picture stays on Facebook's servers forever. Someday your child will be grown, and they should have the right to decide if they want Facebook to have their facial recognition data on file. Carelessly posting even statuses or location check ins can sometimes reveal more information than you or the people you're with may be comfortable with. Be sure to think about what information you're revealing and be sure everyone involved is okay with it.

-Remember who your audience isn't. One big reason I dislike mainstream social media is the lack of privacy. If your profile isn't set to private, literally anyone can see your posts, pictures, likes, and more. “I don't care if my friends see where I work,” you say as you check-in with your latest tweet, but what about the stranger? The Guardian wrote an article reminding us how easily one can “stalk” someone – even by accident – with how much information social media reveals about us. But it actually goes so much deeper than that. Even if your information is set to private, it’s not private from the provider. Facebook can still see every single “Friends Only” photo you upload or status you post. They can read all your messages, and they will happily share everything if requested by law enforcement, or if someone finds a bug in their code and exploits it to download your non-public data.

-Remember who your audience might be. This story shows how even the best intentions can backfire when you overshare on social media. Even if you make a post privately or in a closed group, you can't guarantee that it won't be screenshotted, printed out, or otherwise shared with someone it was never intended to see. Always assume anything you put on the internet is wide open to the public, even if it isn't.

-The internet never forgets. So you had a little too much to drink last night, or maybe the anesthesia the dentist gave you was pretty strong, or maybe you just were real depressed and it felt cathartic to make some emo posts. You can just delete them later, or set your profile to private, right? Allow me to introduce you to the Wayback Machine. The Wayback Machine is a free service from Archive.org that automatically creates a copy of every page on the internet it can find at all times for the sake of history. It's not trying to make everyone remember that picture of you in 8th grade, it's trying to ensure that a hundred years from now we have a copy of the front-page news from major events in history and such. The problem is that it's a bot. It doesn't discriminate. Now obviously the bot can't be everywhere at once, and it can't possibly get everything all the time, but it tries hard. The longer you keep something online, the more likely it is to get swept up in archiving services, and the harder it will be to remove. And Wayback isn't the only service that does this. Anything you post, even briefly, has the potential to stay on the internet forever, if not on the social media provider's servers then on an archiving service. The odds of this increase as your social media presence grows – aka, if you're a notable figure of some kind (musician, actor, influencer, etc). Posting something online and then deciding later “nah, I don't really think I want to share that with the world after all” isn't really an option. It's there forever and whatever prompted you to remove it – such as personal information, non-consenting parties, or even just bad lighting – will be there forever to haunt that decision.

Once again, I'm not here to bash social media (completely). I'm not here to tell you to delete Facebook (though I do encourage it). But I do want you to take the time to think about what you're sharing and make sure you know what you're getting into. Be smart with your social media usage. As I said in my first ever blog post here, our goal is to reduce our “attack surface.” We want to make ourselves a less convenient target so that bad actors go after an easier target. Think twice about anything you post on any social media platform, and that alone will get you pretty far. And since I’m posting this at the beginning of the year, I challenge you: log out of social media for the rest of the month. Delete the app off your phone, log out in your browser, and just try to spend the rest of January without it. If you still miss it come February, go ahead and log back in. But I bet you’ll find you rather enjoy the time away. I hope the pointers above have been helpful in that regard and given you some factors to consider. Use wisely!

You can find more recommended services and programs at TheNewOil.org. You can also get daily privacy news updates at @thenewoil@freeradical.zone or support my work in a variety of ways here.