Tuesday, 9 June 2015

You are sharing too much

Letting your data leak online could expose you to hack attacks – and even cost you your job. Nicole Kobie finds out how to stop oversharing.

A tweet in the morning to share a link. A few photos on Facebook after a holiday. A snap on Instagram to show off a particularly tasty lunch. We broadcast the little details of our lives online without a second thought – but should we really be so cavalier?

Sharing information online can carry numerous risks. Mention the fact that it’s your 40th birthday and the whole world now knows your date of birth – and that could be enough to enable a hacker to impersonate you online. A holiday snap could reveal to burglars that you’re away from home, and a poorly worded status update could cost you your job.


Such dire consequences may seem unlikely, but they’ve all happened to real people. In this feature, we’ll show you how to avoid becoming the next victim. We’ll look at the risks of oversharing online, and see how you can audit and clean up the data that’s already out there. We’ll also guide you through Facebook’s privacy settings – so you can ensure that, in the future, your personal data stays personal.

HORROR STORIES


We all have moments when we blurt out the wrong thing in front of people; now imagine doing it in writing, for everyone to see. Facebook, Twitter and other social media hangouts make that very easy to do, and although most of us experience nothing more than a few mocking responses when our judgement momentarily fails us, some have suffered far harsher consequences. For example, pity the staff at a major hospital, who in a moment of boredom jokingly posted photos online of themselves lying down on the job – they were promptly suspended. Or waitress Ashley Johnson from North Carolina, who lost her job after posting complaints online about poor tips.

With such examples to learn from, why do so many of us share as much as we do? Dr Jennifer Golbeck, director of the Human-Computer Interaction Lab at the University of Maryland, suggests that the online world doesn’t seem real enough for us to appreciate the dangers. “The lesson we’ve learned, as we’ve watched privacy become an issue on social media, is that people really don’t understand the impact of what can happen from sharing something – until they have some personal experience of the consequences,” she said.

Indeed, we’re actually wired to share. A 2012 study by Diana Tamir and Jason Mitchell of Harvard University found that sharing personal thoughts triggers the release of dopamine, meaning your brain rewards you for doing it. So, as Dr Golbeck pointed out, the phenomenon isn’t a new development at all: “Online technology just made it possible for us to share with more people over a greater distance than they could before,” she said. “We want to make social connections with people and feel validated, and this is just one way of doing that.”

ACCIDENTAL SHARES


While sharing is a natural instinct, social media makes it easy to share more widely than we actually intend. “Certainly there are some cases of people who are naive, thinking that their post won’t be shared,” Golbeck said. “Or, it’s technically unclear what can happen.”

That’s no accident: shared information is the lifeblood of social media sites. Facebook in particular makes you feel as though a small number of people are seeing your posts, when in fact many more may catch sight of them – even if you’ve limited your posts to friends.

“You may have 400 friends on Facebook, but there are only 20 to 30 of them actively posting stuff every day,” Dr Golbeck pointed out. “Seeing information from a pretty small group of people gives you the idea that it’s only that group of people who is seeing what you post. In fact, the audience is usually much bigger.”

Part of the problem is complicated settings. Facebook is infamous for frequently changing its privacy rules and settings, making it difficult to keep up with. Dr Golbeck points to Mark Zuckerberg’s sister, who publicly posted a family photo she thought was private. Because someone else was tagged in the image, it spread and quickly leaked into the public eye. “Even some of the Zuckerbergs don’t know how to deal with privacy on Facebook; they don’t technically understand it,” she said.

Indeed, Dr Golbeck herself, whose work has focused on privacy and social media since the days of Myspace, still gets caught out. She pointed to a website called takethislollipop.com: give it permission to see your Facebook page, and it puts together a genuinely creepy video of a stalker poring over information culled from your profile. Golbeck didn’t think it would find any information on her – and was taken aback when she realised how much it was actually able to access. “I tell this story,” she said, “because if I can’t figure this out, when it’s my job to be an expert on this, no-one in the world could be expected to figure this out.”

CAREFUL WHAT YOU WRITE


Oversharing online has become such a problem that there’s now a whole industry dedicated to cleaning up people’s mistakes. Asked whether it’s a busy line of work, Simon Wadsworth, head of reputation management firm Igniyte, simply laughs. While such services have traditionally been used by businesses seeking to boost their brands, 40% of his firm’s clients are now individuals, from high-level executives being targeted by angry ex-employees to everyday people seeking to escape an unfortunate online history.

“For individuals, it’s less about social media, and more about how they’re perceived when someone Googles them,” Wadsworth explained. “Whether it’s a recruiting officer at a company or someone accepting graduates into a university, the first thing they’ll do is Google you. The traditional CV isn’t dead, but it now comes second to Google.”

Dr Golbeck’s students frequently air the view that this isn’t a fair way to assess someone’s personality. “On one hand that’s true,” she noted. “I think we’ve evolved to the point where people are a little bit forgiving of traces of teenage life online.”

However, some people’s jobs require them to be unforgiving, as Dave King, CEO of reputation-management specialists Digitalis, pointed out. “If we’re asked by a law firm to look into an individual in a criminal case, we’ll be digging for as much content as we can.”

OVERSHARING SECURITY


Oversharing online isn’t only potentially embarrassing or career-limiting – it could also be dangerous, noted Chester Wisniewski, senior security adviser at Sophos. “We might think that sharing personal data online just means we can be stalked or spied upon, but sharing too much information online can also make identity theft, tax fraud and social engineering significantly easier,” he told PC & Tech Authority.

The riskiest information to divulge on the web varies by individual, but Wisniewski pointed out that some items are sensitive to almost everyone. These include your postcode, date of birth, national insurance number and other unique identifiers – such as your mother’s maiden name. “Much insecurity comes from the old world colliding with the new world,” he noted. “Information that we wouldn’t have shared widely before the internet is still being used to verify our identities.”

It may seem unlikely that you could become the target of a hacker based on such inane details, but it happened to former US vice presidential candidate Sarah Palin, whose email address was compromised during the election campaign. “The password-reset question asked which high school she had attended, and this information was in her Wikipedia entry,” Wisniewski said.

You don’t have to be famous – or infamous – to be a target. “The biggest [attack] we have seen of late involves fraudulent tax filings in the United States,” Wisniewski noted. “A few key details about an individual can provide enough information for a crook to impersonate you and claim money.”

King revealed that his company, Digitalis, looks after the online outputs of several heads of state, international royal families and FTSE CEOs. Part of that job is to minimise the risk of burglary when high-profile clients are away from their expensively kitted-out homes, and to ensure the children of famous parents aren’t put at risk of kidnapping by tweets that reveal their whereabouts.

“For the normal person on the street, the same rules apply,” King said. “Increasingly, criminals are using social media, even if it’s just to work out when a target is on holiday – to work out when to break into their home or steal their car.”

“Location is a big thing,” he added. “As soon as you tweet that you’re enjoying a day out at the Taj Mahal, I know you’re not in the country. With public information on the web, I can probably find out where your house is, as well as whether you have a mortgage, what kind of car you drive and so on. People so often put up pictures or notes about their travel, and that’s one of the biggest risks.”

Keri McMullen from Indiana found that out the hard way. After she had posted on Facebook that she was off to see a band, a childhood-friend-turned-burglar checked to see what time the show started, and broke into her home knowing that it would be empty. In New Hampshire, a gang robbed at least 18 properties after using Facebook to discover who was away from their home. It isn’t only Facebook, of course: services such as Twitter and Foursquare may present even more of a danger, since your tweets are visible to all, while Foursquare confirms your location. The website pleaserobme.com checks these services to find out whether you’ve shared information that would be of use to burglars.

CLEANING UP YOUR ONLINE PROFILE


If you’re concerned that there might be too much personal information about you in the public domain, the first thing to do is check. That’s right: Google yourself. And don’t stop with your name; also search for your email addresses, alternative usernames and images. Take a profile photo from Facebook or Twitter, and drag it into the search box on Google’s Image Search page. This will show you any other websites using that image. “This is an easy way to discover whether something you once posted through Facebook became public,” Dr Golbeck pointed out.

If you do come across something that you want removed, you can often log in to the hosting service and delete it yourself – after all, in many cases you were the one who posted it. If that option isn’t available, you can ask the host to remove it – but this isn’t necessarily easy to do. And when it comes to overseas companies, there’s little you can do except ask nicely.

European residents can take advantage of the EU’s unique “right to be forgotten”, which lets you get outdated information removed from web search results. To make a request, you simply need to enter the details at tinyurl.com/pu8mhko – although Google isn’t obliged to honour requests if it considers the information to be in the public interest.

“The type of clients we have, when they make the applications, aren’t generally successful,” noted Simon Wadsworth. “The clients will always insist that we try it, with good reason, but Google will hide behind the public-interest angle. To the majority of requests we make, Google just says no.”

Dave King agreed, noting that even if Google does remove the link, it doesn’t mean the unwanted search result has been cleanly suppressed. Not only does the link currently remain listed outside of Europe, Google places a notice in the results warning that something has been removed, which can “look rather fishy for the high-profile individual,” he said.

What’s more, Google will often write to the website publisher, advising that the link has been removed – to which a site may respond by making a high-profile public statement, drawing attention to precisely the information that you wanted to keep quiet. Still, that’s more likely to happen in high-profile cases: for us ordinary types, there may be less fuss.

For Australians, no such protections currently exist. According to Susan Walsh, Senior Associate at Swaab Attorneys (sjw@swaab.com.au, www.swaab.com.au): “There is currently no right under the Australian Privacy Act 1988 (Cth) (Privacy Act) for individuals to request an entity to delete their personal information. Individuals do have a right to request an entity to correct personal information held about them and the entity must take reasonable steps to do so. Entities must also destroy or de-identify personal information that is no longer required for any purpose for which the personal information may be used under the Australian Privacy Principles (APPs).”

Susan goes on to explain that Australia lags behind EU initiatives in this area: “A recent Australian Law Reform Commission (ALRC) discussion paper has recommended a new APP which would give individuals the right to request destruction or de-identification. While the ALRC has also proposed a statutory cause of action for serious invasions of privacy, there remains no Australian equivalent to the European fundamental right to privacy.”

Even if you can’t remove all the personal information leaked online, knowing what details are out there can help make you safer. For example, if your mother’s maiden name is public knowledge, you can ask your bank to use a different question as a security check.

REINING IN YOUR SHARING


Even if you do manage to cover your online tracks, there’s no way to know who accessed your information while it was out there. The moral is obvious: share less information in the first place. Do social media sites truly need your birthday? “It is nice to let your friends know, but it can be risky,” said Wisniewski. “Everyone needs to decide for themselves.”

Dr Golbeck suggests that one way in which you can stay relatively anonymous online is to use a nickname. “I have usernames that don’t have anything to do with my name,” she said. “If I have a statistics question, I don’t want my professional name showing up on a stupid question, right? So I have a different account for that.”

You should also be choosy about who you add as a friend, King advised. If you don’t know a person, don’t add them – and remember your friends may not be so discriminating. King revealed that intelligence firms commonly use such tactics to gain access to personal data: “Who can we befriend on Facebook so we can get to a user without them knowing about it?”

When it comes to privacy settings, it’s always good practice to lock things down as far as possible – but, as we’ve mentioned above, even your best attempt to tighten settings may not guarantee your safety. And it’s important to be aware that a breach of your personal data isn’t only possible via social media.

“Your personal information is just as likely to be exposed due to a database breach of some company,” pointed out F-Secure security analyst Sean Sullivan. “Family names, location and interests are all bits of information that companies have on us. There’s little we can do to safeguard much of it unless we just don’t do business online. And that isn’t really an option.”

If you’re worried about third parties leaking your data online, there are simple steps you can take to limit how much web retailers and others have on you. For example, Sullivan limits the exposure of his credit card by using gift cards to shop online. “This prepaid investment significantly reduces the number of purchases that I need to audit on my credit card statement each month,” he explained. “It’s reduced to one transaction, and I’m better able to spot any fraudulent use of my credit card.”

Sullivan also uses multiple email addresses to keep personal information leaks limited, and takes the time to ask to be removed from unwanted “rewards” programmes. “If I don’t frequently do business with a company, I kill the account and ask for my information to be purged,” he said. “Sadly, that’s probably too much management for most people.”

NEXT-GENERATION SHARERS


Thankfully, for all the stories of robberies and lost jobs, this isn’t necessary for most of us. The horror stories make the news because they stand out, not because they’re the norm. “I’d say that the majority of people do a relatively good job of not sharing too much,” said Sullivan. “It’s easy to find people that overshare – we don’t see evidence of those that don’t. Because they don’t.”

Indeed, while younger generations certainly use Facebook, they spend more time on services where personal information is less likely to accumulate, said Dr Golbeck. “They’re on WhatsApp, Snapchat and Whisper,” she told us. “They’re not using Facebook much – they tend to prefer the more ephemeral communication mediums.”

Rafael Laguna, CEO of Open-Xchange, said that research by his firm also suggests that people are gradually coming to use social media more responsibly. “The way I like describing this is when you’re young, you smoke,” he said. “As you get older, you see more and more that smoking is bad for you, and most people stop smoking as they get older. I think it’s the same with sharing. We’re slowly growing up – not only teenagers, but even older people, who hadn’t previously been using social media because it wasn’t available. We’re starting to see what can happen if that data gets into the wrong hands.”

Even for those who do share too much online, the rest of us may become accustomed to it, said Wadsworth – and perhaps that’s a good thing. “I think people will become more tolerant as generations go on. I think at the moment, people are judging people very quickly in all sorts of scenarios. But they’ll realise that it’s easy to make a mistake.”