34

aka "how to scare my family into stopping publishing their life online?"

I do not publish personal photos / opinions publicly online as a rule. I never gave hard thought to that, but I believe that one should either explicitly put information out to the world (typically professional data such as LinkedIn), or not put anything. Again, this is a personal subjective opinion.

My (extended) family does publish stuff online, though. This is not obviously dangerous information (nudes, drunken parties), nor strong political/philosophical/religious/ethical standpoints. What they put online falls roughly in the categories of

  • we are on vacation, look how happy we are (1)
  • look at this cat (2)
  • my children are cute (3)

The risks I can imagine for the various categories are

(1): "we are not at home, burglars welcome".

This assumes that their address is known (this is not directly available information, though possibly available through reverse-engineering of some photos which may have some recognizable landscapes, or maybe GPS information) - but not pleaserobme.com-level known.

The fact that there is nobody home is also visible through casual observation of the house so it would be much easier to target them that way than to do some state-sponsored invigilation.

(2): no risk beside understandable social ostracism

(3): "paedophiles everywhere" or "they will track them down and abduct them"

This is a possibility but I am not sure that the fact that an image is online particularly increases the risk. Children go outside on their own, they can be observed, etc. Their children are also not particularly good looking, nor do they come from a wealthy family, so there is no more risk to them than to somebody else.

Generally speaking, I am looking for elements (data points) which would show that online presence increases physical risks.

I am specifically not interested in digital tracking which brings in targeted advertising or similar soft threats - except if they bring in a physical component.

WoJ
  • 48
    You seem to have made up your mind and are now hunting for evidence to confirm your conclusions. *Usually* one should proceed the other way round: going from evidence to conclusion. – Konrad Rudolph Apr 20 '18 at 13:27
  • 10
    @KonradRudolph: no, I have subjective views which I would like to validate or invalidate with tangible facts. I would be glad to change my mind faced with some data points. – WoJ Apr 20 '18 at 13:32
  • 10
    *Look at this cat standing in my kitchen in front of the window with the broken latch* -- i.e. consider the background. – Chris H Apr 20 '18 at 13:48
  • 5
    It's probably notable that many people who are friends and following on something like Facebook may already know where you live. – mbomb007 Apr 20 '18 at 14:34
  • 9
    Feeding society's ridiculous thirst for the latest in paranoid fearmongering... – barbecue Apr 20 '18 at 15:57
  • 1
    @mbomb007 that's true, but it's not just friends you're worried about: If I click on many individuals in the same Facebook groups as me I can see quite a lot (and they can see quite a lot of my pictures but I'm careful about what I post, knowing that much of it is visible to friends without accounts and therefore to everyone). – Chris H Apr 20 '18 at 16:00
  • 1
    ... Careless acceptance of friend requests also means that FB friends who you wouldn't trust IRL know a lot about you. The reason I have friends not on FB is that they're teachers who've been burnt by their students setting up fake profiles in the names of their colleagues to harvest embarrassing info – Chris H Apr 20 '18 at 16:23
  • between "explicitly put information to the world (typically professional data…)" and "do not put anything", there's also "post it anonymously / from a throwaway account, and carefully double-check for absence of any personal data before you put it out". – Display Name Apr 20 '18 at 17:59
  • 4
    @WoJ The tangible facts are that literally on the order of a *billion* people are doing such things. That makes it pretty clear that for the typical person, the increase in risk, if any, is negligible. Even ignoring the overt benefits (i.e. what they would give as their reasons), it can also mitigate physical risk. For example, letting people know where you are and where you plan to be can make it clear when you're missing and where you were last known to be. – Derek Elkins left SE Apr 20 '18 at 19:54
  • 2
    I think you're tilting at a windmill. No amount of warning about dangers is going to get your family to stop. Social media has become a part of modern society. You'd have as much luck as trying to get them to stop driving by pointing out the number of traffic accidents. – Barmar Apr 21 '18 at 12:00
  • 2
    @SargeBorsch Doesn't that defeat the purpose of posting? People post this stuff to share their life with their friends. If you post anonymously, how will your friends know it's you? – Barmar Apr 21 '18 at 12:01
  • The real issue is that it makes it easier to manipulate you, or gives people dirt that can be used against you later. You do not have to worry about random people abducting your children because you post a picture of them online. That's just silly. – forest Apr 21 '18 at 13:37
  • @Barmar, in the days of blogging, the cautious way to do this was to post as anonymously as possible and give the URL to your friends. That way, a random stranger on the Internet knows nothing useful—no names (initials, maybe), no precise locations, no photos of faces—but your friends can keep up with what's going on in your life. (If you paid and/or you've given them significant personal info on signup, there's always a chance the service itself will be compromised, leaking your info.) Facebook wants users to use their real names, so that puts a bit of a damper on this approach. – Mathieu K. Apr 22 '18 at 22:46
  • @MathieuK. Of course, if you only want to share directly with friends, you can just use private email. I don't use any of the popular social media platforms (FB, Twitter, Instagram) myself, but much of the point of them is the dynamic sharing that they permit, so you don't have to keep track of your friends yourself. – Barmar Apr 23 '18 at 16:33
  • @Barmar, You're quite right that you can do it directly by email, but you may still want to omit certain details, as you have no control over the security precautions taken by your recipients or their mail hosts. (And I think the reasons we used blogs rather than email were [1] that blogs allowed a sort of community via the comments section and [2] that email inboxes at the time were very limited in size, to the point that the pictures from a single blog post could fill them completely.) – Mathieu K. Apr 23 '18 at 21:49
  • OT: How about Facebook hiring psychologists and psychiatrists to see how they can manipulate you into coming back? That's what really freaked me out. – Nomad Jun 15 '18 at 17:24
  • Point (3) is problematic because of privacy and because it's terribly embarrassing for the children later on. Do not post pictures of people too young to consent. – gerrit Nov 20 '18 at 17:51

7 Answers

30

When looking for actual physical risks, doxing and the results are most important.

There are examples of the hivemind of Reddit and 4chan where people's exact locations, addresses, names and anything else that might be useful for actual physical attacks (or swatting) are available online, to which I will not link for obvious reasons.

The amount of information that can be found and linked is astonishing. Examples of 4channers whose lives got destroyed that way might help you discourage your family from posting this kind of information.

Tobi Nary
  • 2
    Request for clarification: I cannot tell in your second paragraph whether you mean (1) that there are examples online of doxing that Reddit and 4chan users have perpetrated, or (2) that there are, on Reddit and 4chan, instructions for doxing. – Mathieu K. Apr 22 '18 at 22:57
15

For example, I had experienced this in my practice:

When penetration testing one company, I got access to the system via a password recovery form, because the mail server provided options for security questions like "name of your dog" and "your school". This information was displayed in profiles in social networks.

Having many accounts makes it difficult for you to remember what personal information you have committed to each one. And this info could then be used for password recovery to your Yahoo email, for example. And there could be emails with very important info, or that could be used to compromise your bank account or other things.

Limit
Fon Korn
  • 1
    Thanks - but this would rather fall into the "soft threats" category I mentioned in my question. I am looking for (broad) physical security risks. – WoJ Apr 20 '18 at 12:21
  • 15
    Gaining access to your online banking - or the email account that your bank will send password reset emails to, which amounts to the same thing - is not a soft threat. It is a "someone will use this to take all your money" threat. – anaximander Apr 20 '18 at 18:29
  • 1
    @anaximander Indeed. I gave a talk at a local OWASP gathering very much about this. It was along the lines of 'app developers are shit' and your password for everything is stored in plain text somewhere and blam - your bank account is empty. – mylogon Apr 20 '18 at 20:12
  • @anaximander: this is a huge inconvenience but not a threat. In France (where I live), the customer is very much protected against these thefts (https://www.legavox.fr/blog/maitre-joan-dray/responsabilite-banquier-pour-respect-devoir-14877.htm - in French). In particular, the bank must prove that the wire was "very probably" from me, usually by showing that the IP is my usual one (the wire being sent from my account is not enough). But it is true that this is the case in France, maybe not elsewhere. – WoJ Apr 20 '18 at 21:55
  • @WoJ How does "The IP is my usual one" work if your IP changes ever so often? – Hagen von Eitzen Apr 22 '18 at 03:57
  • @HagenvonEitzen: the idea is that the bank can show that I usually connect from the pool of my ISP and the wire transfer I am disputing also comes from the same set (and was assigned to me at that time). This is in contrast with someone suddenly transferring 10k€ from a remote country (which would be a reason to revert the wire despite the fact that it was done with my credentials) – WoJ Apr 22 '18 at 09:57
  • 3
    @WoJ Even assuming that stealing your money is near-impossible, that's not the only threat. If you have order confirmations in your email, the attacker knows when you buy expensive things, and can log in as you to get them delivered elsewhere. If you have booking confirmations, they know when you're away from home so your house is safe to rob. They can send emails from your account, impersonating you in ways that might damage your reputation, risk your job, implicate you in crimes... yes, many of these things can be corrected in time, but until then they will cost money and ruin your life. – anaximander Apr 22 '18 at 16:18
  • @anaximander: yes, this is a very good point indeed. – WoJ Apr 22 '18 at 16:20
  • 1
    There are banks that use emails for password recovery? What?! – Mathieu K. Apr 22 '18 at 23:06
12

The "look at us on holiday" type of pictures are of interest because they can be viewed without arousing suspicion or notice, unlike keeping an eye on the house itself. A single approach to a house that's expected to be empty could then lead to a break-in.

If the same or a linked account includes pictures of valuables (whether as the subject -- "look at my new TV" -- or in the background) then you start to look more like a target. If you are prone to posting these sorts of pictures in groups, especially local ones, it's a lot worse:

  • Last month: Fred Bloggs posted in Mytown helpful advice "how do I wire in my new 100 inch smart TV".
  • Yesterday: Fred Bloggs posted in Mytown helpful advice "where's best to eat dinner at the airport before a long flight tomorrow"

It's probably as well to assume that the address is known or at least findable with some effort if you make yourself look like a target.

You also open yourself and your contacts up to scams based around bad things happening to you, for example claiming you were robbed/injured on holiday and need money wired to you to pay hospital bills, or (as Stephan Branczyk suggested)

"Hey Grandma, I'm stuck in jail in Mexico for having bought a little bit of weed. Can you follow the directions below for wiring $400 to the jail for bail? I'd ask dad, but you know how he gets with his religious sermons. Please hurry! I have to go to the bathroom in front of everyone!" And to Grandma, this message makes perfect sense because she has been reading your wall, she knows you're supposed to be in Mexico for spring break (out of phone range). And she knows your dad is on an evangelical streak these days.

Something else to watch out for is (auto-)posting activities/check-ins that locate you away from home: I tend to wait until I get home from a trip away before manually uploading to Strava, for example, as I don't want to reveal that I'm away (neither do I want to make my activities private by default as sharing is the point of posting them). Strava then doesn't auto-post to facebook in my case. Similarly I don't post routine commutes.

Luckily mitigation isn't hard: restricting who can see photos posted while you're away (to people you really know), then posting the holiday album when you get home is a good start. Avoiding posting to a wide audience things that might make you a target is also a good plan (anyway boasting about how much money you've just spent is uncouth). The threat in most places is of course low.

Chris H
  • 4
    Please add the following and adjust accordingly. I don't need credit. "Hey Grandma, I'm stuck in jail in Mexico for having bought a little bit of weed. Can you follow the directions below for wiring $400 to the jail for bail? I'd ask dad, but you know how he gets with his religious sermons. Please hurry! I have to go to the bathroom in front of everyone!" And to Grandma, this message makes perfect sense because she has been reading your wall, she knows you're supposed to be in Mexico for spring break (out of phone range). And she knows your dad is on an evangelical streak these days. – Stephan Branczyk Apr 22 '18 at 10:21
9

One risk that isn't mentioned, but is very real for a lot of people, is identity theft. Identity theft is the act of someone using your identity, usually to do criminal things. Lots of people tend to post a photo of their passport/identity card/driver's license/certificate with full name and/or anything else with a social security number at some point, usually celebrating an achievement or showing off their new skills.

This kind of information can be used to impersonate someone, opening a bank account in their name, taking over existing assets, committing fraud, etc. Physical threats associated with these include:

  • minor annoyances as being flagged in government systems causing renewing a passport to take more time or having to endure extra questioning when traveling
  • temporary loss of access to financial assets, in the best case causing an embarrassing moment in the supermarket when you cannot pay your bill, and in the worst case being unable to pay your rent or loan, repossession of cars or other goods you require to live, being expelled from your home etc
  • being marked as a criminal on the internet (e.g. "I went to Mr. X. Y. for help with my taxes. He was even certified! Never heard from him again after I paid his fees.") Such things can cost you a job offer or two.
  • facing lawyers, investigations and/or trials for crimes committed under your name, without your knowledge. Living with the knowledge that you may have to pay damages caused in your name or even have to spend time in jail as you may or may not be able to defend yourself against those accusations.
Sumurai8
6

A few years ago there was strong opposition to the Gawker Stalker app for posting current locations of celebrities.

The main argument for the app was: By posting someone's location out on a public forum, you allowed stalkers/psychopaths to reach there with guns and be ready when they come out of the building. This is an incredibly scary physical threat.

Suppose somebody has a crazy stalker/ex that has not been blocked on the social media or if their social media publishing status is public, they are under a similar risk.

Having said that, it is important to note that having stopped posting such information doesn't mean that they are free from such threats. Crazy people could be lurking in their neighborhood or burglars could be looking for changes in newspaper subscriptions/heaps of newspapers/mail/milk cartons etc.

Limit
3

As this answer says, some personal information can be answers to security questions, possibly allowing someone to access your email. I want to clarify the physical risks associated with that, since the connection was not made clear in that answer.

Losing your email can further compromise your personal information (and online assets, bank accounts, etc.), since email accounts can often control access to other accounts through password resetting. Essentially, losing your email can give up your address if you've ever entered it online or billed/shipped something there. It should be noted, though, that if you own property the owner/address can easily be looked up online anyway, even if you never share your address. Think of how phone books work, but online.

The revelation of your address provides a physical location for someone to target you and your family. If you post that you are leaving for vacation, someone could enter your residence and do whatever they want. If they know your address, someone with enough will and money could try to assassinate you, like in the recent poisoning of Sergei and Yulia Skripal.

Additional information which could be physically dangerous if discovered could include:

  • Where your kids go to school
  • Places you frequent
  • Activities you are involved in and what the schedule is
  • The information of your relatives and friends

In my opinion, there's no sense in worrying too much about this, because though you can guard your information, there is little you can do if someone wants to harm you bad enough.

mbomb007
  • 1
    I'm pretty sure assassination is not part of OP's threat model... – forest Apr 22 '18 at 08:15
  • @forest So what? It's the information that allowed it to happen. The same information can be used for bullying, threats, violence, anything else. If it's the information we're concerned about, then focus on that. Sure, what people do with it can be extreme, but the information allows less extreme threats as well. – mbomb007 Apr 23 '18 at 02:31
  • 1
    If assassination is a realistic threat, then "casually posting to social media" is the least of OP's worries, and avoiding that would _not_ mitigate the threat to any acceptable extent. You would have to completely remove your online presence, and more. – forest Apr 23 '18 at 02:35
  • I think you should re-read my answer. I mention how easy it is to get someone's address. It doesn't take an assassin or funds to present physical threat if you know someone's address. I was simply presenting an example from recent news. – mbomb007 Apr 23 '18 at 13:11
-1

We live in a world increasingly ruled by mindless algorithms. Algorithms fed by massive amounts of data. Algorithms that don't have to be perfectly accurate, but only mostly accurate.

Imagine that companies start building different profiles of everyone in the world, based on what they share on Facebook. These companies then sell these profiles to employers, creditors, government, or anyone who will pay for it.

Employers make decisions on hiring/firing based on these "social media scores". "Find the BEST, most RELIABLE, most CONSCIENTIOUS employees with our NEW Social Scoring System! Filter out all those deadbeat nonproductive, alcoholic, or potentially racist employees!".

Creditors use this for debt collection "We noticed you went on a trip last month Mr. Jones, if you have money for vacations, surely you can afford to pay us more!".

Government uses it to cast wide nets for any political activity, or simply to crack down on groups it doesn't currently like. "We KNOW you're a communist sir, you're best friends with 5 known communists on Facebook, and have had 300 conversations with these Communists in the past 3 years! Plus, based on your location score, you spend a lot of time at known communist hot spots."

Facebook knows:

  • Where you were last night.
  • Who your friends are.
  • Where you work.
  • What your politics are.

Combine all the data, and you can create a very interesting (and maybe not always accurate) picture of someone. Analyzing your friends, where you've been, what you say, etc, can be far more revealing than your opinion on cat pictures.

Steve Sether