Let’s talk about your information. You know, all that stuff about you that could be used to track you. Like your address. And phone number. And credit card numbers. Simply put: we have been suckered into exposing all the things that a bad actor would need to successfully track our every move, and we didn’t even realize it. How? Well, how many of those retail “rewards” program cards are hanging off of your keychain? How many social media accounts do you have? If the answer is not “zero”, you probably should read this article. Here’s how to assess your own information exposure.
First, what do I mean by information exposure? Well, it’s simple: there’s a concept in Information Security called Personally Identifiable Information (PII): in short, PII is anything that can be used to positively identify a specific person. The obvious things are full name, Social Security number, phone number, and address. Date of birth is another one. Basically, anything that your favorite social media site uses to verify your identity could be considered PII. It’s information unique to you, that can be used to identify you.
Why is this important? We live in an incredibly interconnected world. The Internet is literally everywhere, even on the gas pump at the grocery store: that’s how they verify that rewards card you just scanned to get 10 cents per gallon off. Sure, it’s an encrypted tunnel to the company’s datacenter, but the chances are very good that the tunnel traverses the Internet at some point. Even if it doesn’t, the company will have used a private Wide Area Network (WAN) to link up all their stores. The potential here is that as soon as you scan that card, your exact location can be determined. Now, normally this is relatively innocuous: the grocery store just wants to determine your spending and travel habits for a variety of perfectly legitimate reasons. In the vast majority of cases that information never leaves their organization. But the fact is that the information is stored there, persistent, ready for anyone to take for less innocuous reasons. Did you know that the FBI actually went to some of these stores and credit card companies to track down Capitol trespassers? That’s just one example of how that innocently-gathered information can be turned against you. How about your online activity? When was the last time you snapped a picture of your nice dinner at a restaurant and posted that on social media? Do you know what you just did, other than make a lot of people hungry? You just pinpointed your location. This feeds a process called Open Source Intelligence (OSINT); it’s simply the practice of scooping up readily-available information on an individual or organization and building a picture of that target’s behavior patterns and habits.
Now, I’m not trying to suggest that there’s a government agent lurking around every corner here; in most cases your activity will probably pass unnoticed. But you leave a trail that can easily be scooped up in case you ever do end up on their radar, and in the case of bulk collection could pop up in some AI algorithm or other. We have already seen that the government is not only able, but eager to collect this very same information covertly; witness the recent revelation that the United States Postal Service inspectors have been trawling through social media posts to find people planning protests and other undesirable behavior, then feeding that info to the FBI and other intel agencies. It’s no longer a wild conspiracy theory: it really happened.
So here’s what you can do to assess how exposed you are:
- Create an inventory of all your loyalty rewards accounts, and order them by how frequently you use them
- Create an inventory of your social media accounts, ordered by how much you post on them
- Create an inventory of all the e-commerce sites you have saved payment information on
- Create an inventory of all your credit cards (don’t forget debit, they can be tracked too), including retail store credit cards
- Create an inventory of travel site accounts and how frequently you use them
- Create an inventory of “free” e-mail accounts and how frequently you use them
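One way to turn the inventories above into an actual ranking is to score each account by what kind of data it holds and how often you use it. The following script is an added example written for this article, not something the article itself provides; the categories mirror the six inventories, but the numeric weights, the constructed sample inventory, and the account names are all assumptions chosen for illustration.

```python
from dataclasses import dataclass

# Assumed weights (not from the article): how much each account type can reveal.
CATEGORY_WEIGHT = {
    "loyalty": 3,    # every scan is a timestamped physical location
    "social": 3,     # posts reveal location, habits and contacts
    "ecommerce": 2,  # stored payment data plus a shipping address
    "card": 3,       # every credit/debit transaction is a location record
    "travel": 2,     # itineraries reveal where you will be, not just where you were
    "email": 2,      # mailbox contents are retained server-side, including backups
}
# Assumed weights: the more often you use an account, the denser the trail.
FREQUENCY_WEIGHT = {"daily": 4, "weekly": 3, "monthly": 2, "rarely": 1}


@dataclass
class Account:
    name: str
    category: str
    frequency: str
    stores_payment: bool = False    # site keeps a card number or bank details
    reveals_location: bool = False  # use of the account places you somewhere


def exposure_score(acct: Account) -> int:
    """Higher means a denser, more sensitive trail. Raises on unknown labels
    so a typo in the inventory cannot silently score as zero."""
    if acct.category not in CATEGORY_WEIGHT:
        raise ValueError(f"unknown category: {acct.category}")
    if acct.frequency not in FREQUENCY_WEIGHT:
        raise ValueError(f"unknown frequency: {acct.frequency}")
    score = CATEGORY_WEIGHT[acct.category] * FREQUENCY_WEIGHT[acct.frequency]
    if acct.stores_payment:
        score += 3
    if acct.reveals_location:
        score += 3
    return score


def rank_inventory(accounts: list) -> list:
    """Most exposed first; ties broken by name so output is stable."""
    return sorted(accounts, key=lambda a: (-exposure_score(a), a.name))


def summarize_by_category(accounts: list) -> dict:
    """Total score per inventory type, so you can see which list to shrink first."""
    totals = {}
    for a in accounts:
        totals[a.category] = totals.get(a.category, 0) + exposure_score(a)
    return totals


def report(accounts: list) -> list:
    """Human-readable lines, most exposed account first."""
    return [f"{exposure_score(a):3d}  {a.category:<10} {a.frequency:<8} {a.name}"
            for a in rank_inventory(accounts)]


# Constructed sample inventory; names and usage patterns are made up.
SAMPLE_INVENTORY = [
    Account("grocery rewards", "loyalty", "weekly", reveals_location=True),
    Account("photo-sharing app", "social", "daily", reveals_location=True),
    Account("online marketplace", "ecommerce", "monthly", stores_payment=True),
    Account("debit card", "card", "daily", reveals_location=True),
    Account("airline account", "travel", "rarely", stores_payment=True),
    Account("free webmail", "email", "daily"),
]

if __name__ == "__main__":
    for line in report(SAMPLE_INVENTORY):
        print(line)
    print(summarize_by_category(SAMPLE_INVENTORY))
```

Replace `SAMPLE_INVENTORY` with your own accounts and the top of the ranked output is where the mitigation advice later in the article pays off most. The weights are deliberately simple; the point is that a daily-use debit card or social account outranks a rarely-used travel site even though the travel site holds a stored card number.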
Now, let’s talk about mitigation. The obvious advice is “stop using those cards!”, but that may or may not work for you. If you can’t avoid using cards and rewards accounts for whatever reason, at least be aware of when and where you have used them. Try to minimize their use. For social media, be mindful of the value of the information you post there, and set your privacy settings so that you’re not sharing everything with the entire world. Look at it from the point of view of someone trying to find you: can what you’re about to post be used to determine even a general location? If you do post something that pinpoints your location, avoid doing that in real-time: wait for a few hours, then post it. Make sure that post is restricted to friends and family only. With that said, be mindful that anyone with the right access at the social media company can see what you’re doing on their platform; if they can see it, they can provide it to the authorities.
And about that Yahoo or GMail account: do NOT, under any circumstances, use them to send sensitive financial information or other PII to ANYONE. Ever. All of your e-mails are stored on a remote server, and can be easily retrieved by the service provider. That includes deleted ones, especially if you haven’t emptied your deleted items folder. Typically, those servers are backed up periodically so even if you do delete an e-mail and purge it from the trash, there’s a good possibility that it still exists on a backup somewhere. Law enforcement agencies routinely include backups in subpoenas for that very reason. If they can do it legally, they can also do it illegally; it was done to the Trump team and several reporters during the Obama administration. If you need to exchange sensitive information with anyone, do that using something that’s encrypted end-to-end like Telegram or an encrypted e-mail service like Protonmail, and only person-to-person; anything you post in a group on Telegram is visible to the entire group, and you never know who might be in there. Use other services like Skype or Zoom with caution; they’re better than free e-mail, but still not designed to be a secure means of communication.
What about VPNs? There has been a lot of attention on VPNs lately, and they sound magical: they offer complete anonymity. Or do they? Maybe not. You see, a VPN is simply a way to encrypt your information in-flight (as it travels from your computer to somewhere else). That helps mask your activity from, say, your Internet Service Provider (ISP): you don’t use the ISP’s Domain Name System (DNS) servers to find sites, which is how they typically track traffic trends. You use the VPN’s DNS instead, which is carried inside the encrypted tunnel and totally independent of your ISP. Good so far. It also helps obscure your Internet Protocol (IP) address, which is another way sites track you; again, good. But that information has to be decrypted somewhere, and your activity on specific sites is still logged and tracked by those sites. A VPN does not make you anonymous to your favorite social media site at all; you still have to sign in there. Your information is still being gathered at the endpoints, and is still available for nefarious actors to use. So while VPNs do help, they are not a complete solution. You still need to be aware of what you’re providing to websites.
There will be more articles on the subject of Information Security; this is just a first step to help you assess your information exposure on the public Internet. You should be able to determine how much exposure you have and what you can do about it. Don’t be a sucker anymore; know what information is available and think about how it could be used against you.