At some point during the time that former antivirus software creator John McAfee spent as a fugitive from authorities in Belize, he started a blog. Take it from me: if you’re trying to get off the grid and totally disappear, you don’t want to start a blog. For one thing, you’re bound to make a mistake.
McAfee is a smart man. He made his fortune in the early days of Silicon Valley by pioneering antivirus research. Then he sold his company, sold all his assets in the United States, and for around four years, from 2008 to 2012, he lived in Belize, on a private estate off the coast. Toward the end of that period, the government of Belize had him under near-constant surveillance, raiding his property and accusing him of assembling a private army in addition to engaging in drug trafficking.
McAfee denied doing either. He claimed he was fighting the drug lords on the island. He said, for example, that he had offered a flat-screen TV to a small-time marijuana dealer on the condition that the man stop dealing. And he was known to pull over cars that he suspected were carrying drug dealers.1
McAfee in fact did have a drug lab, but not necessarily for recreational drugs. He claimed he was creating a new generation of “helpful” drugs. Hence his growing suspicion that cars full of white men outside his property were spies from pharmaceuticals companies such as GlaxoSmithKline. He further claimed that the raids by the local police were instigated by these same pharmaceuticals companies.
Guarding his property were several men with guns and eleven dogs. A neighbor two houses to the south, Greg Faull, complained regularly to the authorities about the dogs barking late at night. Then one night in November of 2012, some of McAfee’s dogs were poisoned. And later that same week, Faull was shot, found facedown in a pool of blood in his house.
The Belize authorities naturally considered McAfee a person of interest in their investigation. As McAfee relates in his blog, when he heard from his housekeeper that the police wanted to talk to him, he went into hiding. He became a fugitive.
But it wasn’t the blog that ultimately led law enforcement to McAfee. It was a photo. And it wasn’t even his own.
A security researcher named Mark Loveless (better known in security circles as Simple Nomad) noticed a picture of McAfee published on Twitter by Vice magazine in early December of 2012. The photo showed Vice’s editor standing next to McAfee in a tropical location—maybe in Belize, maybe somewhere else.
Loveless knew that digital photos capture a lot of information about when, where, and how they are taken, and he wanted to see what digital information this photo might contain. Digital photos store what is known as exchangeable image file, or EXIF, data. This is photo metadata, and it contains mundane details such as the amount of color saturation in the image so that the photo can be accurately reproduced on a screen or by a printer. It can also, if the camera is equipped to do so, include the exact longitude and latitude of the place where the photo was taken.
Apparently the photo of McAfee with the Vice magazine editor was taken with an iPhone 4S camera. Some cell phones ship with geolocation automatically enabled. Loveless got lucky: the image posted in the online file included the exact geolocation of John McAfee, who was, it turned out, in neighboring Guatemala.
In a subsequent blog post McAfee said he faked the data, but that seems unlikely. Later he said he intended to reveal his location. More likely he got lazy.
Long story short, the Guatemalan police detained McAfee and wouldn’t let him leave the country. He then suffered a health condition, was hospitalized, and was eventually allowed to return to the United States.
The murder of Greg Faull remains unsolved. McAfee now lives in Tennessee, and in 2015 he decided to run for president to advocate for more cyberfriendly policies in the US government. He doesn’t blog nearly as often nowadays.
Let’s say you are an ambitious young jihadist, and you are proud to be posted to a recently established military headquarters of Daesh, or ISIL. What’s the first thing you do? You pull out your cell phone and take a selfie. Worse, in addition to the photo of you and your new digs, you post a few words about the sophisticated equipment available at this particular facility.
Half a world away, reconnaissance airmen at Florida’s Hurlburt Field are combing social media and see the photo. “We got an in,” one of them says. Sure enough, a few hours later three JDAMs (joint direct attack munitions) take out that shiny new military building.2 All because of a selfie.3
We don’t always consider what else lies inside the frame of a selfie we’ve just taken. In film and theater this is called the mise-en-scène, roughly translated from the French as “what’s in the scene.” Your picture might show a crowded city skyline, including the Freedom Tower, outside your apartment window. Even a picture of you in a rural setting—maybe a prairie extending out to the flat horizon—gives me valuable information about where you live. These visuals provide tiny location clues that might tip off someone who is eager to find you.
In the young jihadist’s case, what was in the scene was a military headquarters.
Embedded in the metadata of the selfie were the precise longitude and latitude, or geolocation, of the place where the photo was taken. General Hawk Carlisle, the head of the US Air Combat Command, estimated it was a mere twenty-four hours from the time that selfie was first posted on social media to the complete destruction of that headquarters.
Certainly the metadata inside your image files can be used to locate you. EXIF data in a digital image contains, among other things, the date and time when the picture was snapped, the make and model number of the camera, and, if you have geolocation activated on the device taking the photo, the longitude and latitude of the place where you took the image. It is this information, within the file, that the US military used to find the Daesh headquarters in the desert, just as Mark Loveless used EXIF data to identify John McAfee’s location. Anyone can gain access to the metadata stored in photos and documents: the capability is native in the file inspector on Apple OSX and is available in downloadable tools such as FOCA for Windows and Metagoofil for Linux.
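To check your own photos before you post them, the following added example (not from the original text) reads the GPS coordinates out of a JPEG's EXIF block and then strips that block entirely. The function names and the sample file are constructed for illustration; the tag numbers follow the EXIF layout, in which tag 0x8825 in the first directory points to the GPS directory.

```python
import struct

EXIF_HEADER = b"Exif\x00\x00"
GPS_IFD_TAG = 0x8825  # entry in the first directory that points to the GPS directory

def iter_segments(jpeg):
    """Yield (marker, start, end) for each header segment before the image data."""
    if jpeg[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG (missing start-of-image marker)")
    pos = 2
    while pos + 4 <= len(jpeg):
        if jpeg[pos] != 0xFF:
            raise ValueError("corrupt segment marker at offset %d" % pos)
        marker = jpeg[pos + 1]
        if marker in (0xDA, 0xD9):  # start of scan / end of image: stop here
            return
        (length,) = struct.unpack_from(">H", jpeg, pos + 2)
        if length < 2 or pos + 2 + length > len(jpeg):
            raise ValueError("bad segment length at offset %d" % pos)
        yield marker, pos, pos + 2 + length
        pos += 2 + length

def read_ifd(tiff, order, offset):
    """Return {tag: (type, count, raw 4-byte value field)} for one directory."""
    entries = {}
    if offset + 2 > len(tiff):
        return entries
    (count,) = struct.unpack_from(order + "H", tiff, offset)
    for i in range(count):
        base = offset + 2 + 12 * i
        if base + 12 > len(tiff):
            break
        tag, typ, n = struct.unpack_from(order + "HHI", tiff, base)
        entries[tag] = (typ, n, tiff[base + 8:base + 12])
    return entries

def to_degrees(tiff, order, entry, ref):
    """Convert three degree/minute/second rationals to signed decimal degrees."""
    typ, n, raw = entry
    (off,) = struct.unpack(order + "I", raw)
    if typ != 5 or n != 3 or off + 24 > len(tiff):
        return None
    v = struct.unpack_from(order + "6I", tiff, off)
    if 0 in v[1::2]:  # zero denominator
        return None
    deg = v[0] / v[1] + v[2] / v[3] / 60 + v[4] / v[5] / 3600
    return -deg if ref in (b"S", b"W") else deg

def gps_position(jpeg):
    """Return (latitude, longitude) if the file carries them, else None."""
    for marker, start, end in iter_segments(jpeg):
        payload = jpeg[start + 4:end]
        if marker != 0xE1 or not payload.startswith(EXIF_HEADER):
            continue
        tiff = payload[len(EXIF_HEADER):]
        order = {b"II": "<", b"MM": ">"}.get(tiff[:2])
        if order is None or len(tiff) < 8:
            continue
        magic, ifd0 = struct.unpack_from(order + "HI", tiff, 2)
        pointer = read_ifd(tiff, order, ifd0).get(GPS_IFD_TAG)
        if magic != 42 or pointer is None:
            continue
        gps = read_ifd(tiff, order, struct.unpack(order + "I", pointer[2])[0])
        if not all(tag in gps for tag in (1, 2, 3, 4)):
            continue
        lat = to_degrees(tiff, order, gps[2], gps[1][2][:1])
        lon = to_degrees(tiff, order, gps[4], gps[3][2][:1])
        if lat is not None and lon is not None:
            return lat, lon
    return None

def strip_exif(jpeg):
    """Return a copy with every EXIF segment removed (camera model, time, GPS)."""
    out = bytearray(jpeg)
    for marker, start, end in reversed(list(iter_segments(jpeg))):
        if marker == 0xE1 and jpeg[start + 4:end].startswith(EXIF_HEADER):
            del out[start:end]
    return bytes(out)

def build_sample_jpeg():
    """Constructed JPEG skeleton (no pixel data) tagged 10 deg 30' N, 20 deg 15' W."""
    tiff = b"II" + struct.pack("<HI", 42, 8)
    tiff += struct.pack("<H", 1) + struct.pack("<HHII", GPS_IFD_TAG, 4, 1, 26)
    tiff += struct.pack("<I", 0)                            # end of first directory
    tiff += struct.pack("<H", 4)                            # GPS directory at 26
    tiff += struct.pack("<HHI4s", 1, 2, 2, b"N\x00\x00\x00")  # latitude ref
    tiff += struct.pack("<HHII", 2, 5, 3, 80)               # latitude data at 80
    tiff += struct.pack("<HHI4s", 3, 2, 2, b"W\x00\x00\x00")  # longitude ref
    tiff += struct.pack("<HHII", 4, 5, 3, 104)              # longitude data at 104
    tiff += struct.pack("<I", 0)                            # end of GPS directory
    tiff += struct.pack("<6I", 10, 1, 30, 1, 0, 1)          # 10 deg 30' 0"
    tiff += struct.pack("<6I", 20, 1, 15, 1, 0, 1)          # 20 deg 15' 0"
    app1 = EXIF_HEADER + tiff
    note = b"constructed sample"
    return (b"\xff\xd8" + b"\xff\xe1" + struct.pack(">H", len(app1) + 2) + app1
            + b"\xff\xfe" + struct.pack(">H", len(note) + 2) + note + b"\xff\xd9")

if __name__ == "__main__":
    photo = build_sample_jpeg()
    print("before:", gps_position(photo))
    print("after: ", gps_position(strip_exif(photo)))
```

Stripping the segment removes the embedded coordinates, timestamp, and camera details, but it does nothing about what is visible in the frame itself.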
Sometimes it’s not a photo but an app that gives up your spot. In the summer of 2015, drug lord Joaquin “El Chapo” Guzman escaped from a Mexican prison and immediately went off the grid. Or did he?
Two months after his escape—from Mexico’s maximum-security Altiplano prison—El Chapo’s twenty-nine-year-old son, Jesus Alfredo Guzman Salazar, posted an image to Twitter. Although the two men seated at a dinner table with Salazar are obscured by emoticons, the build of the man on the left bears a strong resemblance to El Chapo. Further, Salazar captioned the image: “August here, you already know with whom.” The tweet also contained the Twitter location data—Costa Rica—suggesting that El Chapo’s son failed to switch off the autotagging function on Twitter’s smartphone app.4
Even if you don’t have an escaped convict in your family, you need to be aware that the digital and visual information hidden (sometimes in plain sight) in your photos can reveal a lot to someone who does not know you, and it can come back to haunt you.
Online photos can do more than just reveal your location. They can, in conjunction with certain software programs, reveal personal information about you.
In 2011 Alessandro Acquisti, a researcher from Carnegie Mellon University, posed a simple hypothesis: “I wanted to see if it was possible to go from a face on the street to a Social Security number,” he said. And he found that it was indeed possible.5 By taking a simple webcam photograph of a student volunteer, Acquisti and his team had enough information to obtain personal information about that individual.
Think about that. You could take a photo of a person out on the street and, using facial recognition software, attempt to identify that person. Without that person’s confirmation of his or her identity, you may get a few false positives. But chances are a majority of the “hits” would reveal one name more than another.
“There’s a blending of online and offline data, and your face is the conduit—the veritable link between these two worlds,” Acquisti told Threatpost. “I think the lesson is a rather gloomy one. We have to face the reality that our very notion of privacy is being eroded. You’re no longer private in the street or in a crowd. The mashup of all these technologies challenges our biological expectation of privacy.”
For his study, Acquisti and others stopped students on the Carnegie Mellon campus and asked them to fill out an online survey. The webcam on the laptop took a picture of each student as he or she was taking the survey, and the picture was immediately cross-referenced online using facial recognition software. At the conclusion of each survey, several of the retrieved photos had already appeared on the screen. Acquisti said that 42 percent of the photos were positively identified and linked to the students’ Facebook profiles.
If you use Facebook, you are perhaps already aware of its limited facial recognition technology. Upload a photo to the site, and Facebook will attempt to phototag the people within your network, people with whom you are already friends. You do have some control over this. By going into your Facebook settings you can require the site to notify you every time that happens and choose whether to be identified in the photo. You can also choose to post the photo to your wall or timeline only after you’ve been notified, if at all.
To make tagged photos invisible in Facebook, open your account and go to “Privacy Settings.” There are various options, including limiting the images to your personal timeline. Other than that, Facebook has not yet provided an option to stop people from tagging you without permission.
Companies such as Google and Apple also have facial-recognition technology built into some of their applications, such as Google Photo and iPhoto. It may be worth looking at the configuration settings for those apps and services so that you can limit what facial recognition technology can do in each. Google has so far held back from including facial recognition technology in its image search feature (indicated by that little camera icon you see in the Google search window). You can upload an existing picture, and Google will find the picture, but it will not attempt to find other photos showing the same person or people within the image. Google has, in various public statements, said that letting people identify strangers by face “crosses the creepy line.”6
Even so, some repressive governments have done just that. They have taken photos of protesters at large antigovernment rallies and then put the images on the Web. This is not using image recognition software so much as it is crowdsourcing the identification process. Also, some US states have used their motor vehicle departments’ photo databases to identify suspects in criminal cases. But those are fancy state-based operations. What could a lone academic do?
Acquisti and his fellow researchers wanted to see how much image-derived information about a person could be cross-referenced online. To find out they used a facial recognition technology called Pittsburgh Pattern Recognition, or PittPatt, now owned by Google. The algorithms used in PittPatt have been licensed to various security companies and government institutions. Shortly after the acquisition, Google went on record about its intentions: “As we’ve said for over a year, we won’t add face recognition to Google unless we can figure out a strong privacy model for it. We haven’t figured it out.”7 Let’s hope the company sticks to its word.
At the time of his research, Acquisti was able to use PittPatt paired with data-mined Facebook images from what he and his team considered to be searchable profiles, i.e., those on which the Carnegie Mellon volunteers had already posted photos of themselves along with certain pieces of personal information. They then applied this set of known faces to the “anonymous” faces on a popular online dating site. There the researchers found that they could identify 15 percent of these supposedly “anonymous” digital heartbreakers.
The creepiest experiment, however, involved linking a person’s face to his or her Social Security number. To do that, Acquisti and his team looked for Facebook profiles that included the person’s date and city of birth. Previously, in 2009, the same group of researchers had shown that this information by itself was enough to enable them to obtain a person’s Social Security number (Social Security numbers are issued sequentially per a state’s own formula, and since 1989 SSNs have been issued on or very near the date of birth, making it even easier to guess a person’s last four digits).8
After some initial calculations, the researchers then sent a follow-up survey to each of their CMU student volunteers asking whether the first five digits of his or her Social Security number as predicted by their algorithm were correct. And a majority of them were.9
I’ll bet there are some photos that you now don’t want online. Chances are you won’t be able to take them all back, even if you could delete them from your social media site. That’s in part because once you post something to a social network, it’s owned by that network and out of your hands. And you agreed to this in the terms of service.
If you use the popular Google Photos app, even deleting a photo there doesn’t necessarily mean it’s gone. Customers have found that images are still there even after they delete the app from their mobile devices. Why? Because once the image hits the cloud, it is app-independent, meaning that other apps may have access to it and may continue to display the image you deleted.10
This has real-world consequences. Say you posted some stupid caption on a photo of someone who now works at the very company that you are applying to work for. Or you posted a photo of yourself with someone you don’t want your current spouse to know about. Although it may be your personal social network account, it is the social network’s data.
You’ve probably never taken the trouble to read the terms of use for any website where you post your personal data, daily experiences, thoughts, opinions, stories, gripes, complaints, and so on, or where you shop, play, learn, and interact, perhaps on a daily or even hourly basis. Most social networking sites require users to agree to terms and conditions before they use their services. Controversially, these terms often contain clauses permitting the sites to store data obtained from users and even share it with third parties.
Facebook has attracted attention over the years for its data storage policies, including the fact that the site makes it difficult to delete an account. And Facebook isn’t alone. Many websites have nearly identical language in their terms of use that would very likely scare you away if you had read the terms before signing on. Here’s one example, from Facebook, as of January 30, 2015:
You own all of the content and information you post on Facebook, and you can control how it is shared through your privacy and application settings. In addition:
1. For content that is covered by intellectual property rights, like photos and videos (IP content), you specifically give us the following permission, subject to your privacy and application settings: you grant us a non-exclusive, transferable, sub-licensable, royalty-free, worldwide license to use any IP content that you post on or in connection with Facebook (IP License). This IP License ends when you delete your IP content or your account unless your content has been shared with others, and they have not deleted it.11
In other words, the social media company has the right to use anything you post to the site in any way it wants. It can even sell your picture, your opinions, your writing, or anything else you post, making money from your contribution without paying you a penny. It can use your posted comments, criticisms, opinions, libel, slander (if you’re into that sort of thing), and the most personal details you’ve posted about your children, your boss, or your lover. And it doesn’t have to do it anonymously: if you have used your real name, the site can use it, too.
All this means, among other things, that images you post to Facebook can end up on other sites. To find out whether there are any embarrassing photos of you out there in the world, you can perform what’s called a reverse image search in Google. To do this, click on the tiny camera within the Google search window and upload any photo from your hard drive. In a few minutes you will see any copies of that image findable online. In theory, if it’s your photo, you should know all the sites that come up in the results. However, if you find that someone has posted your photo on a site you don’t like, you have limited options.
Reverse image searches are limited by what’s already posted. In other words, if there is a similar image online but not the exact same image, Google won’t find it. It will find cropped versions of the image you searched for, but in that case the central data, or enough of it, remains the same.
Once, for my birthday, someone tried to create a stamp with my image on it. The company, Stamps.com, has a strict policy against using images of convicted persons. My image was rejected. Perhaps they did an online image search.
I was in a database somewhere as Kevin Mitnick, convicted of a crime.
The following year my friend tried an earlier photo under a different name, one taken before I was well known. She reasoned that perhaps this photo had not been uploaded online. And guess what? It worked. The second photo, showing a much younger me, was approved. This shows the limitations of image searches.
That said, if you do find photos of yourself that you’d rather not see online, you have a few options.
First, contact the site. Most sites have an “abuse@nameofthesite.com” e-mail address. You might also contact the site’s webmaster at “admin@nameofthesite.com.” Explain that you own the image and don’t give permission for it to be posted. Most webmasters will take down the image without much fuss. However, if you need to you can file a Digital Millennium Copyright Act, or DMCA, request by e-mailing “DMCA@nameofthesite.com.”
Be careful. Misrepresenting a DMCA request might get you into trouble, so seek legal advice if it gets to this level. If you still can’t get the image removed, then consider going upstream and contacting the website’s ISP (whether it’s Comcast, GoDaddy, or another company). Most will take a legitimate DMCA request seriously.
Besides photos, what else is in your social media profile? You wouldn’t share everything there is to know about you with the person sitting next to you on the subway. In the same way, it’s not a good idea to share too much personal information on impersonal websites. You never know who is looking at your profile. And once it’s out there, you can’t take it back. Think carefully about what you put in your profile—you don’t have to fill in all the blanks, such as the university you attended (or even when you attended). In fact, fill in the least amount of information you possibly can.
You may also want to create a dedicated social media profile. Don’t lie, just be deliberately vague with the facts. For example, if you grew up in Atlanta, say you grew up in the “southeastern United States” or simply “I’m from the South.”
You may also want to create a “security” birthday—a day that is not your real birthday—to mask personal information even further. Be sure to keep track of your security birthdays, since they are sometimes used to verify your identity when you phone technical support or need to reenter a site after you’ve been locked out.
After creating or tweaking your online profiles, take a few minutes to look at the privacy options on each site. For example, within Facebook you should enable privacy controls, including tag review. Disable “Suggest photos of me to friends.” Disable “Friends can check me into places.”
Kids with Facebook accounts are perhaps the most worrisome. They tend to fill in every blank box they can, even their relationship status. Or they innocently reveal the names of the schools they attend and the teachers they have as well as the numbers of the buses they ride each morning. While they don’t necessarily tell the world specifically where they live, they might just as well. Parents need to friend their kids, monitor what they post, and, ideally, discuss in advance what is acceptable and what is not.
Being invisible doesn’t mean you can’t share updates about your personal life securely, but it involves both common sense and visiting and revisiting the privacy settings of the social media sites you use—because privacy policies do change, and sometimes not for the better. Do not display your birthday, even your security birthday, or at the very least hide it from the Facebook “friends” you do not personally know.
Consider a post that says Mrs. Sanchez is a great teacher. Another post might be about a crafts fair at Alamo Elementary. From Google we can find that Mrs. Sanchez teaches the fifth grade at Alamo Elementary—and from this we can assume the student account holder is around ten years old.
Despite warnings from Consumer Reports and other organizations to those who do post personal information, people continue to tell all online. Remember that it is perfectly legal for third parties to come along and to take that information once it is out in public.12
Remember also that no one is compelling you to post personal information. You can post as much or as little as you want. In some cases you are required to fill in some information. Beyond that, you decide how much sharing is right for you. You need to determine your own personal privacy level and understand that whatever information you provide cannot be taken back.
To help you get on top of all the choices you have, Facebook launched a new privacy checkup tool in May of 2015.13 Despite tools like these, almost thirteen million Facebook users back in 2012 told Consumer Reports magazine that they had never set, or didn’t know about, Facebook’s privacy tools. And 28 percent shared all, or almost all, their wall posts with an audience wider than just their friends. More tellingly, 25 percent of those interviewed by Consumer Reports said they falsified information in their profiles to protect their identity, and this figure was up from 10 percent in 2010.14 At least we’re learning.
While you do have the right to post information about yourself that isn’t strictly accurate, be aware that in California it is illegal to post online as someone else. You cannot impersonate another living individual. And Facebook has a policy that will not allow you to create an account under a false name.
This actually happened to me. My account was suspended by Facebook because Facebook accused me of impersonating Kevin Mitnick. At the time there were twelve Kevin Mitnicks on Facebook. The situation was fixed when CNET ran a story about the “real” Kevin Mitnick getting locked out of Facebook.15
There are, however, many reasons why individuals might need to post under a different name. If it is important to you, then find a social media service that allows you to post anonymously or under a different name. Such sites, however, will not match the breadth and reach of Facebook.
Be careful whom you friend. If you have met the person face-to-face, fine. Or if the person is a friend of someone you know, maybe. But if you receive an unsolicited request, think carefully. While you can unfriend that person at any point, he or she will nonetheless have a chance to see your entire profile—and a few seconds is all it takes for someone with malicious intent to interfere with your life. The best recommendation is to limit all the personal information you share on Facebook, because there have been very personal attacks, even among friends, over social networking websites. And data visible to your friends can still be reposted by them elsewhere without your consent or control.
I’ll give you an example. A guy once wanted to hire me because he was the victim of extortion. He had met an amazing, beautiful girl on Facebook and began sending her nude photos of himself. This continued for a time. Then one day he was told to send this woman—who might have been some guy living in Nigeria using a woman’s photo—$4,000. He did, but then contacted me after he was asked to send another $4,000 or his nude photos would be sent to all his friends, including his parents, on Facebook. He was desperate to fix this situation. I told him his only real option was to tell his family or to wait and see if the extortionist went through with the threat. I told him to stop paying the money—the extortionist wasn’t going to quit as long as he continued to pay.
Even legitimate social networks can be hacked: someone could friend you just to get access to someone you know. A law enforcement officer could be seeking information on a person of interest who happens to be part of your social network. It happens.
According to the Electronic Frontier Foundation, social networks have been used for passive surveillance by federal investigators for years. In 2011 the EFF released a thirty-eight-page training course for IRS employees (obtained through the Freedom of Information Act) that the foundation said was used for conducting investigations via social networks.16 Although federal agents can’t legally pretend to be someone else, they can legally ask to be your friend. In doing so they can see all your posts (depending on your privacy settings) as well as those of others in your network. The EFF continues to study the privacy issues associated with this new form of law enforcement surveillance.
Sometimes corporations follow you, or at least monitor you, if you post or tweet something that they find objectionable—something as innocent as a comment about a test you took in school, for example. For one student, a tweet like that caused a lot of trouble.
When Elizabeth C. Jewett, the superintendent of the Watchung Hills Regional High School, in Warren, New Jersey, received a communication from the testing company that provided her school with a statewide exam, her reaction was surprise rather than concern. She was surprised that Pearson Education was watching a student’s Twitter account in the first place. Minors are given a certain amount of privacy and leeway when it comes to what they post on social media. But students—whether they’re in middle school, high school, or college—need to realize that what they are doing online is public and being watched. In this case one of Jewett’s students had allegedly tweeted material from a standardized test.
In fact the student had actually posted a question about a question—not a picture of the exam page, just a few words—on a one-day statewide test given in New Jersey, the Partnership for Assessment of Readiness for College and Careers, or PARCC, test. The tweet was posted around 3:00 p.m.—well after students in the district had taken the test. After the superintendent spoke with a parent of the student who posted the tweet, the student removed it. There was no evidence of cheating. The tweet—not revealed to the public—was a subjective comment rather than a solicitation of an answer.
But the revelation about Pearson unnerved people. “The DOE [Department of Education] informed us that Pearson is monitoring all social media during PARCC testing,” Jewett wrote to her colleagues in an e-mail that a local columnist made public without her permission. In that e-mail Jewett confirmed that at least three more cases had been identified by Pearson and passed along to the state DOE.
While Pearson is not alone in monitoring social media in order to detect theft of intellectual property, its behavior does raise questions. How, for example, did the company know the identity of the student involved from his Twitter handle? In a statement provided to the New York Times, Pearson said: “A breach includes any time someone shares information about a test outside of the classroom—from casual conversations to posts on social media. Again, our goal is to ensure a fair test for all students. Every student deserves his or her chance to take the test on a level playing field.”17
The Times said it confirmed through officials in Massachusetts, which is also administering the PARCC test, that Pearson does cross-reference tweets about standardized tests with lists of students who have registered to take the tests. On this Pearson declined to comment for the Times.
For years the state of California also monitored social media during its annual Standardized Testing and Reporting (STAR) tests. In 2013, the last year the tests were given statewide, the California Department of Education identified 242 schools whose students posted on social media during administration of the tests, only sixteen of which included postings of test questions or answers.18
“The incident highlighted the degree to which students are under surveillance, both within and outside of traditional school environments,” said Elana Zeide, a privacy research fellow at New York University’s Information Law Institute. “Social media is generally seen as a separate domain from school. Twitter seems more like ‘off campus’ speech—so that Pearson’s monitoring is more like spying on students’ conversations in carpools than school hallways.”19
However, she goes on to say, “The conversation also needs to shift from focusing on individual interests and harms to take the broader consequences of information practices into account. Schools and vendors need to stop dismissing parents as Luddites simply because they can’t articulate a specific and immediate harm to their child. Parents, in turn, need to understand that schools can’t defer to all their privacy preferences because there are also collective interests at stake that affect the entire educational system.”
Twitter, with its iconic 140-character limit, has become pervasive, collecting a lot of seemingly tiny details about our daily lives. Its privacy policy acknowledges that it collects—and retains—personal information through its various websites, applications, SMS services, APIs (application programming interfaces), and other third parties. When people use Twitter’s service, they consent to the collection, transfer, storage, manipulation, disclosure, and other uses of this information. In order to create a Twitter account, one must provide a name, username, password, and e-mail address. Your e-mail address cannot be used for more than one Twitter account.
Another privacy issue on Twitter concerns leaked tweets—private tweets that have been made public. This occurs when friends of someone with a private account retweet, or copy and paste, that person’s private tweet to a public account. Once public, it cannot be taken back.
Personal information can still be dangerous to share over Twitter, especially if your tweets are public (the default). Avoid sharing addresses, phone numbers, credit card numbers, and Social Security numbers over Twitter.20 If you must share sensitive information, use the direct message feature to contact a specific individual. But be aware that even private or direct-message tweets can become public.
For today’s youth, so-called Generation Z, Facebook and Twitter are already old. Generation Z’s actions on their mobile devices center around WhatsApp (ironically, now part of Facebook), Snapchat (not Facebook), and Instagram and Instagram Stories (also Facebook). All these apps are visual in that they allow you to post photos and videos or primarily feature photos or videos taken by others.
Instagram, a photo- and video-sharing app, is Facebook for a younger audience. It allows follows, likes, and chats between members. Instagram has terms of service and appears to be responsive to take-down requests by members and copyright holders.
Snapchat, possibly because it is not owned by Facebook, is perhaps the creepiest of the bunch. Snapchat advertises that it allows you to send a self-destructing photo to someone. The life of the image is short, about two seconds, just long enough for the recipient to see the image. Unfortunately, two seconds is long enough for someone to grab a quick screenshot that lasts.
In the winter of 2013, two underage high school girls in New Jersey snapped photos of themselves, naked, and sent them to a boy at their school over Snapchat, naturally assuming that the images would be automatically deleted two seconds after they sent them. At least that’s what the company said would happen.
However, the boy knew how to take a screenshot of the Snapchat message and later uploaded the images to his Instagram app. Instagram does not delete photos after two seconds. Needless to say, the images of the naked underage girls went viral, and the school superintendent had to send a note home to the parents asking that the images be deleted from all students’ phones or they would risk being arrested on child pornography charges. As for the three students, as minors they couldn’t be charged with a crime, but each was subjected to disciplinary action within the school district.21
And it’s not just girls sending nude photos to boys. In the United Kingdom, a fourteen-year-old boy sent a naked picture of himself to a girl at his school via Snapchat, again thinking the image would disappear after a few seconds. The girl, however, took a screenshot and… you know the rest of the story. According to the BBC, the boy—and the girl—will be listed in a UK database for sex crimes even though they are too young to be prosecuted.22
Like WhatsApp, with its inconsistent image-blurring capabilities, Snapchat, despite the app’s promises, does not really delete images. In fact Snapchat agreed in 2014 to a Federal Trade Commission settlement over charges that the company had deceived users about the disappearing nature of its messages, which the federal agency alleged could be saved or retrieved at a later time.23 Snapchat’s privacy policy also says that it does not ask for, track, or access any location-specific information from your device at any time, but the FTC found those claims to be false as well.24
It is a requirement of all online services that individuals be thirteen years of age or older to subscribe. That is why these services ask for your birth date. A user could, however, just say, under penalty of perjury, “I swear that I am over the age of thirteen”—or twenty-one or whatever. Parents who find that their ten-year-olds have signed up for Snapchat or Facebook can report them and have those accounts removed. On the other hand, parents who want their kids to have an account often alter the child’s birth date. That data becomes part of the child’s profile. Suddenly your ten-year-old is fourteen, which means that he or she might be getting online ads targeted at older children. Also note that every e-mail address and photo your child shares over the service is recorded.
The Snapchat app also transmits Wi-Fi-based and cellular-based location information from Android users’ mobile devices to its analytics tracking service provider. If you’re an iOS user and enter your phone number to find friends, Snapchat collects the names and phone numbers of all the contacts in your mobile device’s address book without your notice or consent, although iOS will prompt for permission the first time it is requested. My recommendation is to try another app if you want true privacy.
In North Carolina, a high school student and his girlfriend were charged with possessing naked photos of minors even though the photos were of themselves and had been taken and shared consensually. The girlfriend faced two charges of sexual exploitation of a minor: one for taking the photo and another for possessing it. Sexting aside, that means it is illegal for North Carolina teens to take or possess nude photos of themselves. In the police warrant, the girlfriend is listed as both victim and criminal.
The boyfriend faced five charges, two for each photo he took of himself plus one for possessing a photo of his girlfriend. If convicted he could face up to ten years in prison and have to register as a sex offender for the rest of his life. All for taking naked photos of himself and keeping one that his girlfriend sent him.25
When I was in high school, I simply met someone and asked her out. Today you have to put some information online so people can check you out first. But be careful.
If you are using a dating site and access it from someone else’s computer, or should you happen to use a public computer to access it, always log out. Seriously. You don’t want someone to hit the Back button on the browser and see your dating information. Or change it. Also, remember to uncheck the box that says “Remember me” on the log-in screen. You don’t want this—or any other—computer to automatically log someone else in to your dating account.
Say you go on a first date, maybe a second date. People don’t always reveal their true selves on a first or second date. Once your date has friended you on Facebook or followed you on Twitter or on any other social network, he or she can see all your friends, your pictures, your interests… things can get weird fast.
We’ve covered online services: what about mobile apps?
Dating apps can report your location, and part of that is by design. Say you see someone you like in your area: you can then use the app to find out if that person is nearby. The mobile dating app Grindr gives very precise location information for its subscribers… perhaps too precise.
Researchers Colby Moore and Patrick Wardle from the cybersecurity firm Synack were able to spoof requests to Grindr in order to follow some of the people in its service as they moved about a single city. They also found that if they had three accounts search for one individual, they could triangulate the results to get a much more precise measurement of where that person was at any given moment.26
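To see why "too precise" matters, here is an added sketch (not from the book or from Synack's research) that measures how much position a distance readout gives away when three observers compare results, and how that changes when the service rounds the distance it reports. The flat metre grid, the positions, the function names, and the rounding step are all assumptions made for the illustration.

```python
import math

def reported_distance(observer, target, precision_m):
    """Distance shown to one observer, rounded to precision_m metres.
    precision_m = 0 models a service that reports the exact distance."""
    d = math.dist(observer, target)
    if precision_m <= 0:
        return d
    return round(d / precision_m) * precision_m

def trilaterate(observers, distances):
    """Intersect three circles. Subtracting the first circle equation from
    the other two leaves a 2x2 linear system in (x, y)."""
    (x1, y1), (x2, y2), (x3, y3) = observers
    r1, r2, r3 = distances
    a11, a12 = 2 * (x2 - x1), 2 * (y2 - y1)
    a21, a22 = 2 * (x3 - x1), 2 * (y3 - y1)
    b1 = r1**2 - r2**2 + x2**2 - x1**2 + y2**2 - y1**2
    b2 = r1**2 - r3**2 + x3**2 - x1**2 + y3**2 - y1**2
    det = a11 * a22 - a12 * a21
    if abs(det) < 1e-9:
        raise ValueError("observers are collinear; position is ambiguous")
    return ((b1 * a22 - b2 * a12) / det, (a11 * b2 - a21 * b1) / det)

def location_error(target, observers, precision_m):
    """Metres between the true position and what three readouts reveal."""
    readouts = [reported_distance(o, target, precision_m) for o in observers]
    return math.dist(trilaterate(observers, readouts), target)

# Constructed sample data: positions in metres on a flat grid.
OBSERVERS = [(0.0, 0.0), (3000.0, 0.0), (0.0, 4000.0)]
TARGET = (1210.0, 1675.0)

if __name__ == "__main__":
    for precision in (0, 100, 1000):
        err = location_error(TARGET, OBSERVERS, precision)
        print(f"readout precision {precision:>4} m -> position leaked to within {err:.1f} m")
```

With exact readouts the three circles meet at the user's true position; with readouts rounded to the nearest kilometre, the same three observers are off by roughly four hundred metres in this constructed case.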
Maybe dating apps aren’t your thing, but even logging in to the Yelp service to search for a good restaurant gives third-party businesses information about your sex, age, and location. A default setting within the app allows it to send information back to the restaurant, telling it, for example, that a woman, age thirty-one, from New York City was looking at its review. You can, however, go into your settings and choose “Basics,” which reveals only your city (unfortunately you cannot disable the feature entirely).27 Perhaps the best way to avoid this is to not log in and simply use Yelp as a guest.
Regarding geolocation, it is a good idea in general to check if any mobile apps you use broadcast your location. In most cases you can turn this feature off, either in each individual app or entirely.28
And before agreeing to download any Android app, always read the permissions first. You can view these permissions in Google Play by going to the app, then scrolling down to the section above Google Play content that says “Permissions.” If the permissions make you feel uncomfortable, or if you think they give the app developer too much control, then do not download the app. Apple does not provide similar information about the apps in its store, and instead permissions are prompted as they are needed when using the app. In fact, I prefer to use iOS devices because the operating system always prompts before disclosing private information—like my location data. Also iOS is much more secure than Android if you don’t jailbreak your iPhone or iPad. Of course, well-funded adversaries could purchase exploits for any operating system in the marketplace, but iOS exploits are quite expensive—costing over a million dollars.29