What are the real physical risks of casual social media publishing?

Question

aka "how to scare my family into stopping publishing their life online?"

I do not publish personal photos / opinions publicly online as a rule. I never gave hard thoughts about that but I believe that one should either explicitly put information to the world (typically professional data such as LinkedIn), or do not put anything. Again, this is a personal subjective opinion.

My (extended) family does publish stuff online, though. This is not obviously dangerous information (nudes, drunken parties), nor strong political/philosophical/religious/ethical standpoints. What they put online falls roughly in the categories of

• we are on vacation, look how happy we are (1)
• look at this cat (2)
• my children are cute (3)

The risks I can imagine for the various categories are

(1): "we are not at home, burglars welcome".

This assumes that their address is known (this is not a directly available information, though possibly available through reverse-engineering of some photos which may have some recognizable landscapes, or maybe GPS information) - but not pleaserobme.com-level known.

The fact that there is nobody home is also visible through casual observation of the house so it would be much easier to target them that way than to do some state-sponsored invigilation.

(2): no risk beside understandable social ostracism

(3): "paedophiles everywhere" or "they will track them down and abduct them"

This is a possibility but I am not sure that the fact that an image is online particularly increases the risk. Children go outside on their own, they can be observed, etc. Their children are also not particularly good looking or come form a wealthy family so there is no more risk on them than on somebody else.

Generally speaking, I am looking for elements (data points) which would show that online presence increases physical risks.

I am specifically not interested in digital tracking which brings in targeted advertising or similar soft threats - except if they bring in a physical components.

Answer 1

When looking for actual physical risks, doxing and the results are most important.

There are examples of the hivemind of Reddit and 4chan where peoples exact locations, addresses, names and anything else might useful for actual physical attacks (or swatting) available online to which I will not link for obvious reasons.

The amount of information that can be found and linked is astonishing. Examples of 4channers whos lives got destroyed that way might help you discourage your family from posting this kind of information.

Answer 2

For example, I had experienced this in my practice:

When penetration testing one company, I got access to the system via a password recovery form, because the mail server provided options for security questions like "name of your dog" and "your school". This information was displayed in profiles in social networks.

Having many accounts makes it difficult for you to remember what personal information you have committed to each one. And this info could then be used, for password recovery to your Yahoo email, for example. And there could be emails with very important info, or that could be used to compromise your bank account or other things.

Answer 3

The "look at us on holiday" type of pictures are of interest because they can be viewed without arousing suspicion or notice, unlike keeping an eye on the house istelf. A single approach to a house that's expected to be empty could then lead to a break-in.

If the same or a linked account includes pictures of valuables (whether as the subject -- "look at my new TV" -- or in the background) then you start to look more like a target. If you are prone to posting these sorts of pictures in groups, especially local ones, it's a lot worse:

• Last month: Fred Bloggs posted in Mytown helpful advice "how do I wire in my new 100 inch smart TV".
• Yesterday: Fred Bloggs posted in Mytown helpful advice "where's best to eat dinner at the airport before a long flight tomorrow"

It's probably as well to assume that the address is known or at least findable with some effort if you make yourself look like a target.

You also open yourself and your contacts up to scams based around bad things happening to you, for example claiming you were robbed/injured on holiday and need money wired to you to pay hospital bills, or (as Stephan Branczyk suggested)

"Hey Grandma, I'm stuck in jail in Mexico for having bought a little bit of weed. Can you follow the directions below for wiring $400 to the jail for bail? I'd ask dad, but you know how he gets with his religious sermons. Please hurry! I have to go to the bathroom in front of everyone!" And to Grandma, this message makes perfect sense because she has been reading your wall, she knows you're supposed to be in Mexico for spring break (out of phone range). And she knows your dad is on an evangelical streak these days.

Something else to watch out for is (auto-)posting activities/check-ins that locate you away from home: I tend to wait until I get home from a trip away before manually uploading to Strava, for example, as I don't want to reveal that I'm away (neither do I want to make my activities private by default as sharing is the point of posting them). Strava then doesn't auto-post to facebook in my case. Similarly I don't post routine commutes.

Luckily mitigation isn't hard: restricting who can see photos posted while you're away (to people you really know), then posting the holiday album when you get home is a good start. Avoiding posting to a wide audience things that might make you a target is also a good plan (anyway boasting about how much money you've just spent is uncouth). The threat in most places is of course low.

Answer 4

One risk that isn't mentioned, but is very real for a lot of people, is identity theft. Identity theft is the act of someone using your identity, usually to do criminal things. Lots of people tend to post a photo of their passport/identity card/drivers license/certificate with full name and/or anything else with a social security number at some point, usually celebrating an achievement or showing off their new skills.

This kind of information can be used to impersonate someone, opening a bank account in their name, taking over existing assets, committing fraud, etc. Physical threats associated with these include:

• minor annoyances as being flagged in government systems causing renewing a passport to take more time or having to endure extra questioning when traveling
• temporary loss of access to financial assets, in the best case causing an embarrassing moment in the supermarket when you can not pay your bill, and in the worst case being unable to pay your rent or loan, repossession of cars or other goods you require to live, being expelled from your home etc
• being marked as a criminal on the internet (e.g. "I went to Mr. X. Y. for help with my taxes. He was even certified! Never heard from him again after I payed his fees.") Such things can cost you a job offer or two.
• facing lawyers, investigations and/or trials for crimes committed under your name, without your knowledge. Living with the knowledge that you may have to pay damages caused in your name or even have to spend time in jail as you may or may not be able to defend yourself against those accusations.

Answer 5

Few years ago there was a strong opposition to Gawker Stalker app for posting current locations of celebrities.

The main argument for the app was: By posting someone's location out on a public forum, you allowed stalkers/psycopaths to reach there with guns and be ready when they come out of the building. This is an incredibly scary physical threat.

Suppose somebody has a crazy stalker/ex that has not been blocked on the social media or if their social media publishing status is public, they are under a similar risk.

Having said that, it is important to note that having stopped posting such information doesn't mean that they are free from such threats. Crazy people could be lurking in their neighborhood or burglars could be looking for changes in newspaper subscriptions/heaps of newspapers/mail/milk cartons etc.

Answer 6

As this answer says, some personal information can be answers to security questions, possible allowing someone to access your email. I want to clarify the physical risks associated with that, since the connection was not made clear in that answer.

Losing your email can further compromise your personal information (and online assets, bank accounts, etc.), since email accounts can often control access to other accounts through password resetting. Essentially, losing your email can give up your address if you've ever entered it online or billed/shipped something there. It should be noted, though, that if you own property the owner/address can easily be looked up online anyway, even if you never share your address. Think of how phone books work, but online.

The revelation of your address provides a physical location for someone to target you and your family. If you post that you are leaving for vacation, someone could enter your residence and do whatever they want. If they know your address, someone with enough will and money could try to assassinate you, like in the recent poisoning of Sergei and Yulia Skripal.

Additional information which could be physically dangerous if discovered could include:

• Where your kids go to school
• Places you frequent
• Activities you are involved in and what the schedule is
• The information of your relatives and friends

In my opinion, there's no sense in worrying too much about this, because though you can guard your information, there is little you can do if someone wants to harm you bad enough.

Answer 7

We live in a world increasingly ruled by mindless algorithms. Algorithms fed by massive amounts of data. Algorithms that don't have to be perfectly accurate, but only mostly accurate.

Imagine that companies start building different profiles of everyone in the world, based on what they share on Facebook. These companies then sell these profiles to employers, creditors, government, or anyone who will pay for it.

Employers make decisions on hiring/firing based on these "social media scores". "Find the BEST, most RELIABLE, most CONSCIENSCIOUS employees with our NEW Social Scoring System! Filter out all those deadbeat nonproductive, alcoholic, or potentially racist employees!".

Creditors use this for debt collection "We noticed you went a trip last month Mr. Jones, if you have money for vacations, surely you can afford to pay us more!".

Government uses it to cast wide nets for any political activity, or simply to crack down on groups it doesn't currently like. "We KNOW you're a communist sir, you're best friends with 5 known communists on Facebook, and have had 300 conversations with these Communists in the past 3 years!. Plus, based on your location score, you spend a lot of time at known communist hot spots."

Facebook knows:

• Where you were last night.
• Who your friends are.
• Where you work.
• What your politics are.

Combine all the data, and you can create a very interesting (and maybe not always accurate) picture of someone. Analyzing your friends, where you've been, what you say, etc, can be far more revealing than your opinion on cat pictures.