What are the risks of posting family pictures online, for example on a blog site, without any access control in place? What should be my threat model?
I am weary of posting (recognizable) pictures of my self and my family on Facebook. Facebook is a foreign company whose primary goal is making money for their shareholders by milking other people's personal information. Combined with the current state of AI, they could do a lot worse then passing personal information to low-lives like Cambridge Analytica. Even a fairly innocent future-use like 'selling' facial recognition to advertisement companies, who could then spam me and my loved ones IRL using in-store cameras would be horribly annoying.
A very simple solution would be to just post any pictures i want to share online on a blog. Coming up with a nefarious business case is a lot harder if you have to collect data from disparate sources, without any machine readable metadata (Facebook already has at least one email address, a name, a network of friends, login data, data from cookies and pixels to go with the pictures). As it would be very hard for a company to abuse openly available pictures on a large scale, the risks of an actual 'industrial scale attack' are nil. But there is no protection against individuals who may use the pictures for whatever purposes.
The risks i can see:
- people using the pictures to aid building a fake persona online for criminal purposes (see this answer in related question) or just for fun.
- people photoshopping the pictures just for fun and posting them somewhere. Obviously, this could be very unpleasant depending on what is photoshopped and who sees the results.
- pictures could attract someone really disturbed
What else?