Saturday, 27 January 2018

Thing 16: Your Digital Footprint


What is a digital footprint, and why does it matter?

The internet is at this point an unavoidable part of our everyday lives. Yet it’s important to remember that whenever we do something on the internet, whenever we interact with it, we leave traces of ourselves that can be taken advantage of by others on the internet.



It’s very simple: users who are active on the internet and who take little or no precautions are leaving a very large digital footprint.

You might think, bar a few extra advertisements, what difference does it make? Unfortunately, there are a large number of opportunistic entities on the network who will look to take advantage. For example, whenever you take a picture with your smartphone and post it to Facebook, Instagram or another social media site / forum, you are most likely including background information embedded in the image (metadata). This type of information can be as mundane as the time of the picture, aperture, type of camera, etc. But it can also include your GPS coordinates.

Gerald Friedland has stated in his paper titled “Cybercasing the Joint: On the privacy implications of Geotagging” that it is possible for any person with basic coding skills to access the publicly available APIs that companies like Twitter / YouTube / Instagram etc. offer, which allow geotagged information to be searched in an orderly fashion. For example: show me everyone in Town X with the following information: “holiday” or “vacation” or “new car” or “living alone” or “no alarm” or “safe”, etc. Or how about the following scenario: you have just joined a dating app. You put loads of pictures up to bolster your profile; some of these pictures are of you at work, some are social images, and maybe some are at home. If you haven’t stripped this background information out or disabled the geotagging function, and your dating app doesn’t do this automatically either, you are opening up your life in a way that you never intended, especially to potential stalkers or other parties.

Nowadays, Facebook strips this information from your pictures, but not all social media channels do so. It is advisable to check out the terms and conditions of the site you are using. Before you disable the feature entirely, remember that apps such as Tinder / Airbnb or Uber will look for your GPS coordinates to facilitate either a hook-up, suitable accommodation or your pick up / drop off locations. 

Remember too, though, that Facebook is in the business of using your data, including images, to sell itself back to its users or partners, without offering you any compensation. The old adage of "if you are not paying for it, then you are the product" is certainly true in this digital age. 

The following is a snippet from Facebook’s current terms and conditions: 

“…subject to your privacy and application settings: you grant us a non-exclusive, transferable, sub-licensable, royalty-free, worldwide license to use any IP content that you post on or in connection with Facebook …”

Fine Print by David Gadal / Flickr  CC BY 2.0
Sharing is set by your privacy & application settings, and within that Facebook retain the right to have a non-exclusive, sub-licensable, royalty-free…. Also, if you have shared this content or picture with others, it may still exist in the system, again to be subject to the same royalty free regime, even if you have deleted your profile and account. Many of the other social media platforms have similar terms and conditions. 

Finally, it is very important to remember that defamation law applies online as well. For example, if I were to post something that opened another person or organisation to ridicule or contempt, or lowered this person or entity in the eyes of society, or potentially caused them to be shunned, and my statement was not true, then I would have defamed that party and opened myself up to a potential lawsuit. This can be as simple as me posting something on Twitter, Facebook, or any medium, and applies even if I only retweet a statement that is defamatory. Check out the Katie Hopkins Vs Jack Monroe defamation case in the UK or Ganley Vs Barrington in Ireland to see how the courts are starting to come to grips with this evolving area.

As a general rule of thumb, be careful when posting, and try not to say or repost / retweet anything that you wouldn’t be happy to say to the person’s face in the cold light of day. 


How your Digital Footprint can come back to haunt you: cases

You should always remember that what goes up online about you, whether you created the content or not, forms part of your “digital brand”. Already some prospective employers will look at this publicly available information prior to calling you for interview. Now these checks are going to be limited in future so that the employer needs a “legal ground” and the search must be “relevant to the performance of the job”. However, this still leaves much scope in proving that you didn’t get called back for another interview because of an online search. Real-life examples of this are:

1. Employee X called in sick, but left posts on social media alluding to the “mental night” that was just had. 
2. Teacher in the U.S. who posted pictures of herself having fun / drinking alcohol and was subsequently fired as the school board felt her page promoted alcohol use and contained profanity.
3. 18-year-old Buckingham Palace guard who was fired ahead of the royal wedding for calling Kate Middleton an unflattering name.

What these all illustrate is that you need to be exceptionally careful about online postings, what permissions you have given to your social media channels, what data your photographs give out, and what permissions you have signed away for apps on your smartphone, e.g. location-based data, microphone / camera / contacts access.

Look no further than the case of Alison Chang, regarding digital footprints. She was a 15-year-old student from Dallas, who had her picture taken at a church-sponsored car wash. The photographer was Justin Ho-Wee Wong and he was Alison’s church youth counsellor. Justin, a budding photographer, uploaded the picture to the photo sharing site Flickr.

His picture ended up being used in a campaign by Virgin Mobile in Australia, who were looking for a picture that they felt represented “goofy”. They manipulated the image and removed the second girl from the picture. Interestingly, they also removed the Adidas logo from Alison’s hat, either because they didn’t want to offend Adidas’s IP or because they wanted Virgin to be the only brand on the image. (You can see the two images compared in this news story). In either case, the subsequent headings of “Dump your Pen Friend” & “Virgin to Virgin” caused many issues for Alison in both her school life and her online social media life, where she was opened up to ridicule by her peers.


When Justin had uploaded his image to Flickr, he agreed that Flickr were allowed to use the image or sublicense to their commercial partners. The subsequent issue that arose was whether Virgin needed Alison’s permission for her image to be used in that manner.

A final case is that of the Ashley Madison website in 2015, illustrating the real-world consequences of some of our online activities. This is a website that facilitates hook-ups between married people and has the tagline, “life is short, have an affair”. When they had a large data breach and their customer list was published online, there were subsequent reports from global newspapers about suicides that were directly linked to people’s names being published / associated with this site.


How do most people secure themselves against the threats presented by one’s digital footprint? Is it enough?

Changing passwords irregularly is what the average person does to secure themselves online. But in fairness, most have no idea as to what is possible on the internet and, to make it more difficult, even if the average user does receive some training, the goalposts keep changing as to how you can be targeted. Examples include man-in-the-middle attacks; usernames and passwords being read in clear text from an HTTP session; a fake SSL certificate installed in the browser, which allows effectively all your details to be captured even though you are in an encrypted session with the web server; and the mistaken belief that most online email services offer end-to-end encryption.

Training and awareness are critical in highlighting the pitfalls of the internet.

Whether the infrequent changing of passwords is enough as a defence depends on what is on a person’s device, i.e. any PII (Personally Identifiable Information), where they are browsing, and whether or not they are on a public Wi-Fi network that is potentially an unverified access point.

If the answer is just browsing a few websites that don’t require you to log in, and not conducting any type of sensitive business, then the answer is most likely yes, the user is fine.

However, the reality is usually far from this. Banking sites, email (which in many instances can be referred to as the central point of your digital life, where most of your accounts can be reset; note that some services will now also send a verification to your mobile, which is a welcome extra step), social media sites, work portals and cloud-based services are becoming more integral to our daily online lives.

When you are downloading content, or maybe an app, especially one that is not part of the Android market, do you know what you are allowing to be loaded onto your device, or which ports on the firewall you have given permission to be permanently opened that may be accessed at a later date? If you were to use specialised tracking software when downloading / streaming on certain sites, you would be very surprised at the number of private and governmental organisations tracking various IP packets across the network and subsequently logging your details, potentially for use in future lawsuits, especially if you are downloading illegal content.

Your device / your bandwidth could be used, as part of a larger botnet, to launch a DDoS (Distributed Denial of Service) attack on government computers or a private organisation’s computers. You will most likely not even be aware that this is happening, bar the fact that the internet just appears to be a little slower.

To come back to the question: based on the average user’s usage habits, the answer would be a categoric no, not enough is being done.
                                        
In conclusion and in no particular order, the following points offer a brief overview of the areas to be aware of:  

  • Be very careful giving out personal information to websites that you are unfamiliar with.
  • Do not respond to phishing emails. Remember, banks or PayPal, etc. will never ask you to send personal details or to “Click Here” to log in. Only ever call them on a number you trust, or log in to your account on a trusted computer over a secure internet connection that you initiated.
  • Don’t download illegal software - apart from the legal ramifications - quite often, this software will have backdoors programmed in to allow access to your device or information at a later stage.
  • Be careful when connecting to the internet when out and about. For example, a coffee shop, or bar or airport waiting room. Make sure that you are connecting to a legitimate hot-spot and that it is encrypted. In the public domain there is potential for fake wi-fi hotspots to be set up, such as “freeStudentWiFi” that could steal your information.
  • Do read the T&Cs of the apps you download so that you can give “informed consent”.
  • Be aware online of what you post, both from a defamatory perspective and regarding giving out too much information about yourself or your family.
  • Educate yourself about the basics of the internet and how it works. This will allow you to become more aware of the risks out there and how to mitigate them if needed.
  • Do use an alphanumeric password, i.e. characters, numbers and a special character. Do not use the same password, or a very close derivation of it, for all your accounts. Remember, if I can get access to your email account, I will be able to reset most of your online accounts and take control of them. Change your passwords reasonably often.
  • Finally, enjoy yourself online but always remember the pictures or content you post could potentially end up in a newspaper / in an ad campaign / looking back at you in a job interview, etc... So be prudent and careful about your digital footprint.


Your task: Look through the above list of points to be aware of in terms of your digital footprint. Use these to run a kind of diagnostic of how you protect yourself against violations of your privacy on the internet. How do these compare with the precautions that you take?

Additional tools / resources

DuckDuckGo: It’s a search engine that, unlike Google or Bing, doesn’t track you. You can download the app, and an updated version has just been released.

WhatsApp messaging app: features end-to-end encryption to protect your privacy.

ProtonMail: An encrypted email service

Library Freedom Project: Collection of resources to help protect privacy. Includes Toolkits for Librarians and curricula for courses in online and mobile privacy.

VPN (Virtual Private Network): Allows the user to hide their IP address and encrypt traffic from their local computer to the VPN server. Note that VPNs and Tor are separate things and allow for varying degrees of anonymity on the network, but further discussion is unfortunately beyond the scope of this article.


Thing 16 was written by Brian Hickey, MBS. Brian is a professional member of the Irish Computer Society, has extensive information technology industry experience, predominantly in the areas of IT consulting, project management and training and development.

Brian is currently a Senior IT Lecturer at Dublin Business School, delivering industry focused tuition to students up to and including level 9. His research interests lie in the fields of Data Privacy, Risk as it relates to Cloud based business solutions and Cloud technologies.
