Social Media Privacy & Security
Social Media is a nearly unlimited pool of information about its users.
For starters, there is a multitude of information available on social media platforms that the users provide willingly with premeditation but sometimes it seems they do so with little awareness of how this information can be used and abused. SM accounts are an Eldorado for social engineering hackers who can use this information to design effective phishing campaigns – after all, if one knows what makes you tick, then one can make you click in a spontaneous reaction to a received message.
There is also the invisible sea of information harvested by the SM platforms focused on your behaviour, mapping your profile in order to find out what drives you and be able to use it to influence you in this way.
In general, if possible, avoid using conventional SM altogether and if you already use them and plan to continue doing so, be aware of and implement the below advice wherever possible.
And remember as Tristan Harris, Google’s former design ethicist and Co-Founder of the Centre for Humane Technology said – ‘If you are not paying for the product, then you are the product’
Secure your account
This applies to all accounts, but as social media profiles get compromised all too often it is important to protect them with a unique and strong password and enable 2FA.
Set your privacy settings
Most social networks allow you to set the level of your privacy settings so you can control the level of public exposure. Make sure that you are comfortable with the type and amount of personal information you are sharing online and with whom. And bear in mind that the privacy settings only protect your information from being visible to other members of the network but not its owners.
Consider all interactions as public…
Although you might mark certain information as private, there are still ways of viewing a user’s ‘private’ content across many social networks. Therefore, before uploading, posting, or commenting on anything ask yourself “Would I mind if this was totally public?”
… and permanent
Nearly all posts, comments, photos, etc are being continuously backed up by third-party services, that archive this data and make it indexable and publicly available for years to come. Sites like Ceddit, and /r/undelete, Politwoops, The Way Back Machine allow anyone to search through deleted posts, websites, and media. Therefore, it is important to not reveal too much information for no good reason.
Don’t reveal too much information
Profile information is a goldmine of information for hackers who can use this kind of information to personalise phishing scams, so avoid sharing sensitive details such as your date of birth, hometown, etc. Especially never disclose your email address or mobile phone number as hackers can use this against you.
Be mindful of the content you upload
Seemingly innocent details such as status updates, comments, check-ins, and media can unintentionally reveal more than you intended – location, preferences, contacts, and relationships, etc). This applies especially to photos and videos, that may reveal unwanted sensitive information in the background such as documents, road names / signs, credit cards, electronic devices.
Don’t grant unnecessary permissions
If you use a social media app on your mobile device by default, they will ask for permissions to access your contacts, phone, call log, location, messages etc. If the app does not need this access, don’t grant it.
Be aware of third-party integrations
Avoid signing up for accounts using a social network login and revoke access to social apps you no longer use.
Don’t publish Geo Data while still on site
If it is your intention to share content that reveals location (such as ‘checking in’, sharing photos, or status updates that reveal your location), then wait until you have left that place. This is particularly important when you are at a restaurant, campus, hotel, public building, airport or taking a trip. This will let people know your whereabouts (and depending on the situation you might not want this).
Remove metadata before uploading media
Most phones and some cameras by default attach a comprehensive set of additional data (called EXIF data) to each photograph. This usually includes things like time, date, location, camera model, user etc. It can reveal a lot more data than you intended to share. Remove this data before uploading. You can remove this meta data using a CLI tool, or a desktop tool like EXIF Tag Remover.
Implement image cloaking
Tools like Fawkes can be used to very subtly, slightly change the structure of faces within photos in a way that is imperceptible by humans, but will prevent facial recognition systems from being able to recognize a given face. This can help prevent facial recognition search engines from linking your photos with your online profiles, identity, or other photos.
Consider spoofing GPS in home vicinity
Even if you yourself never use social media, strip geo-data from all media and disable device radios- there is always going to be others who are not as careful and could reveal your location. For example, if you have guests, family members or visitors to your home, their device will likely record GPS and log data. One method around this, is to use an SDR to spoof GPS signals, causing all devices in the vicinity to believe they are in a different, pre-defined location.
Consider using false information
If you just want to read, and do not intend on posting too much – consider using an alias name, and false contact details. Remember that there are still methods of tracing your account back to you, but this could mitigate a lot of threats. Consider using separate accounts/identities, or maybe different pseudonyms, for different campaigns and activities. Don’t link accounts in any way- don’t comment on / liking inter-account posts, avoid logging in from the same IP and use different passwords (so the accounts cannot be linked in the case of a data breach).
Don’t have any social media accounts
As social media is fundamentally lacking in privacy, for maximum online security and privacy, avoid using any mainstream social networks.