Title: The Risk of Sharing Created: 2018-06-28 ---- To fellow gophers, I assume you know all of this already. It's just been on my mind and I wanted to share. Maybe it'll make it to the website. Send me an e-mail if you have suggestions on improving it. ---- Over the years, my family has repeatedly asked me "why aren't you on Facebook? We could keep in touch much better with Facebook." Each time I've explained, "because I value my privacy." They seemed puzzled by this. Maybe they value convenience and keeping in touch more than their privacy. Their rejection of my offer to e-mail tells me "no". I'm not sure; it's not a subject I pushed much due to something being lost in communication. I've spent some time thinking about what that barrier is. This phlog isn't about Facebook, but they serve as a convenient example of what I'm writing about: * the risk that information represents * the effects of others' knowledge on one's life * failing to consider the long-term effects of sharing We all share with others. Most of us are wired to be social, and that comes with a huge array of intricacies. With regard to information sharing, it tends to fall in line with our "associations": groups that we choose to associate with. If you're pretty close to someone, you generally don't hesitate to share your phone number (if they don't already have it), right? Some families still use snail mail, which comes with address information. But with others -- somewhat distant acquaintances or gaming friends -- you might keep it to pseudonyms or even anonymity. At work, you might not share *anything* personal. The core idea is we accept "roles", which have differing rules and levels of sharing with others. Most people can understand that you don't (or shouldn't) share your relationship woes with a coworker, or your sexual exploits with your mother. That's a good thing; it means we already understand *some* social risk of sharing with others. Culturally, the Internet is very young, and it didn't hit critical mass (in the US) until the mid-to-late 1990s. There are tons of people that *use* the Internet, but don't really *get it*. Unlike the printing press, the radio, the camera, and the TV, the Internet has a constant, omni-directional flow of information, and most of it is invisible unless you care to learn TCP/IP or other protocols. That sort of information is left up to "nerds" or "computer people", to the average person. It's similar to how some people turn off their brain when encountered with a mechanical or plumbing problem. This concept of a medium that's "alive" hasn't had a lot of time for our culture to gel with it. Most media is passive; a performer or artist produces work for others to observe. Active media (the Internet, video games) is newer, and its depth adds to its complexity. What perplexes me is clearly, people are capable of adapting their sharing. Why don't they adapt to use more discretion when sharing on the Internet? I believe part of it, at least, is due a failure to recognize the real consequences of sharing on the Internet, and how permanent that information tends to be. An average person is not likely to go looking for HTTP information on their own. They need a reason. Some people choose to explain the dangers of sharing information online to help others understand. I did it, a few times... Incredulous stares, followed by flippancy or "oh, that won't happen to me" or other excuses. They tend to disbelieve the information placed in front of them, too. Millions still use Facebook today, even in the face of the Cambridge Analytica scandal and other high-profile data leaks such as Equifax, Target, and Sony. Or the SWATting that happens in online gaming. This called for a philosophical question: how many disasters related to information need to happen for the general public to take information sharing seriously? I fear that the public won't change until it's too late. A common argument I see related to mass surveillance or telemetry is "the good guys are using it, it's okay. They'll only use it to track down criminals." Perhaps they've not realized that history doesn't agree. A tool used to fight "evil" can just as easily be used to fight the innocent. The "why" is more interesting to me. I think it has to do with proximity, awareness, and discretion. If it never shows up in the news, someone might not know about it. If they were never taught about the Internet in school, they'll only know what others have told them and/or what they found on their own. If someone hasn't heard of phishing or spam, they'll have a naïve view of e-mail. If they don't understand what their browser shares as part of the act of browsing, they'll never suspect that YouTube or Amazon are putting them into search bubbles, or know what a search bubble *is*. They might not know anyone who's had their identity stolen, or received a ton of pizza they didn't order [1]. "Duh," you might say. With such little knowledge of the Internet, why is it any surprise that they don't know how to use it carefully? It's less of a surprise and more ironic. Most people understand the idea of risk and the value of vigilance. We wash our hands, lock our doors, put passwords on things, we don't give out our driver's license number to just anyone. The problem comes when risk presents itself and people do not recognize it as risk. So, what is it about information that's risky? I'll start with a simple and common one: selfies. Let's say you just took a random selfie on a nice day while you were out. Before we've even digitized it, it's a self image, proving that you were at a certain place, and if you're outside, probably some indication of the time of day. If there are any notable signs in the background, someone could find your exact position. When digitized, it records EXIF data, which includes information such as the make and model of the camera you used to shoot the picture, the camera settings such as aperture and mode, the date and time of the picture, and in a fancier camera, the rough GPS coordinates that the picture was taken at. Note that the most common digital camera these days is a smartphone, which not only has a GPS device, but a cellular connection to triangulate with. Even if GPS satellites are down, there's enough information on the ground to isolate the location of the device. The average person will gladly upload an image like that to $SOCIAL_SILO, and receive their Internet points for style, having no clue about the amount of information they are sharing. Information that a mildly-determined person could use to pinpoint them and become a threat. By the time we get to the upload phase, the server knows the IP address that's uploading, the user that's uploading, the time of upload, the size of the picture, and all the EXIF data that's included in that picture. Yes, I know, "some sites wipe EXIF data". That may be true, but if they're still *receiving* that information, it's still a risk. Their software might not correctly strip all relevant information, and others might gain this information simply by viewing the image. The host may share that information with advertisers, who inadvertantly leak it. Or the host collects the information for their own gain. How about another? Forum posts, like on Reddit. Reddit gathers IP address information, used mostly to gather analytics on browsing trends and to facilitate banning. It will remember every IP you use to login to your account with. Reddit will know the times you post most, the kind of content you post, the kind that you *respond* to, and knows your voting history. What some might *not* know is Reddit is also crawled on a regular basis by bots, gathering pretty much everything and storing it, so that if anything is deleted from Reddit, it can still be found on one of the "mirrors". Reddit's API has allowed for tools like Reddit Investigator [2] and Redective [3] to empower people to spy on others. This is often used against people to socially ostracize or otherwise manipulate their behavior. Some use it to follow a person around on the site to harass them. Similar technology can be used to harass people on federated networks, too, but thankfully one can block entire instances if needed. There's more: language analysis tools have been written and used to track people down by studying their writing patterns. This can be used on any forum facilitating text-based communication, including Slack, traditional Web forums, Discord, Twitch, and so on. These tools are beginning to get more commercial attention, meaning that companies are studying your habits to make money from you, and they don't mind misleading you (i.e. convincing you to trust them) to do it. Video's too obvious, so let's try one less obvious: screenshots. Even stuff like unixporn (screenshots that show off interfaces) can end up revealing too much information about you: * the software you use * the time of day the shot was taken * sometimes your social activities (like your bookmarks bar or a conversation window) * your OS; and by extension: * the rough version of software installed * the likely vulnerabilities your software has On a smartphone screenshot, someone might be able to glean: * your cell provider (in some cases) * any uncensored phone numbers or contact names * your location (based on weather status, time zone, etc) * the apps you use (via notification icons) So what do you do, just give up? I don't think that's necessary. I think it's enough to just think about a piece of information and ask yourself, "Can someone use this information against me, if combined with other information that I've already shared?" Risk, like most things in life, is relative. Putting drunken pics on Facebook on a day you called out of work is riskier than someone figuring out that you draw doodles in GIMP at 2AM. Consider the risk of sharing, which is really the risk of disparate actors sharing their information with each other to form a more complete profile of you and your habits so they can sell you things you don't need. Think for yourself, think before pressing "Submit". And maybe read a privacy policy for once. [1]: https://www.huffingtonpost.com/2014/03/21/mother-facebook-humiliation-4chan_n_5007170.html [2]: http://redditinvestigator.com [3]: http://www.redective.com/