Social media is a huge part of daily life for many people; some even ﬁnd it hard to imagine living without it. We use it to check in with friends, keep tabs on family members, shop for jobs and new purchases, and stay abreast of the latest breaking news. And let’s not forget the ﬂame wars in product reviews and comment sections. No matter your preferred means of self-expression, social media drastically expands your attackable surface for hackers.
If you want to minimize your exposure to the threat of identity theft, it is imperative that
you become master of your domain—at least as it exists on other domains like Facebook, Twitter, Tumblr, Pinterest, Instagram, and LinkedIn. And by “master” I mean that you need to learn how to use it in a way that minimizes your exposure to the threat of identity theft.
The Pew Research Center’s statistics for social media in 2014 showed that 74 percent of Americans used some form of social media, and more than 71 percent of these users have a presence on Facebook.
While I’m going to talk about Facebook here, feel free to pick your poison, because when it comes to social media, there isn’t a company out there that doesn’t make you an easier target for identity thieves. As far as the Three Ms go, the same thinking applies regardless of the venue. If you’re going to use social media, you must take steps to minimize your exposure.
Some people like the puppy pics and game app requests of Facebook, while others prefer the information river of Twitter or the career-focused content more native to LinkedIn. Some prefer to look at pictures and pithy memes on Instagram, while others just like liking things in the public way that Pinterest makes possible. Then of course there are all those gadgets and appliances—there are 2.8 billion currently installed in the United States—that fall under the category of the Internet of Things (e.g., Fitbit, Jawbone, or smart home devices like Nest; for more on this see Chapter 6), designed not only to make your life easier but also to feed your information to companies who use it for marketing, research, and product development. Virtually all of these devices invite you to share your personal information not just with their app but with the world as well, via social media. Often, the devices come preset to share everything with everyone, and you can only maintain your privacy if you change the right settings.
Every milestone achieved on your healthy lifestyle wearable, entered on a ﬁtness website, or logged on a phone-based app; every hour logged sleeping and talking and watching television; every time your smart appliance makes you coﬀee or turns on the morning news—all of that is tracked, and, depending on the company, either comes with a default setting to tell your friends and followers on social media your every move as related to that device, or includes an easy way to share those things.
#AlexFromTarget would have remained a humble checkout boy with a hip haircut had it not been for Twitter and Tumblr. He’s one of the few examples of someone who found an upside to social media—and troll me all you want, but I maintain that this upside does only apply to a few select users, even if we point to the growing army of microcelebrity, mega YouTubers or the assorted superaccounts on this or that platform. Even with all the stars launched on social media, including Justin Bieber, the odds that you’re beneﬁting from your proﬁle remain miniscule.
Like a Justin Bieber also-ran, Alex Lee’s odd luck put him within easy reach of fame and fortune. But that’s not how it usually works. Generally, social media serves only as a time-suck and an open door through which any bad player can glean what’s needed to steal your identity.
Social media makes you vulnerable to identity thieves in ways that most people aren’t thinking about. They all know that some of their “friends” may be weirdos, or possibly even criminals—but even so, they still put their personal information where it can be seen by those “friends.” It deﬁes logic.
In a SUNY–Buﬀalo study published in 2014, Facebook users were asked about a phenomenon called farcing—friending a target with a fake account that looks like it comes from someone they know. Most of the users they talked to were aware of the dangers— that among all those they counted as Facebook friends, there were possibly a few scammers—but that understanding didn’t have a big eﬀect on the ways they used the site. The underlying belief was that ﬁnancial harm (or worse) wouldn’t come about as a result of their information being on the site. (It’s important to bear in mind that while the focus in the above study was on Facebook, farcing happens on every social media platform.)
Unfortunately, we know this to be a false assumption. Identity thieves do not need much of your personal information to scam you, and what they need may be in the “about” silo of your timeline. It could be in a tagged photo, or, as we saw in the Science study on unicity and the reidentiﬁcation of anonymized data, it could be a picture of your lunch or cocktail on Instagram coupled with a tweet or Facebook status update that provides that last piece of the puzzle that a scammer needs to access your credit.
A few years ago I read a story about a newly instituted (and quickly suspended) employment screening policy of the Maryland Department of Public Safety and Correctional Services. There was the usual stuﬀ you might expect in the job seeking process—you had to complete an application that included a bunch of personally identiﬁable information—but there was an extra piece of information requested that gave one applicant pause: The Maryland Department of Public Safety and Correctional Services had requested his Facebook username and password.
Robert Collins had previously worked for the department. He took a leave of absence after his mother died, and when that came to an end he applied for a job at another facility under the
oversight of the corrections department. This process involved being recertiﬁed for employment in a job that involved regular contact with criminals. It was an admittedly sensitive hire, and the employer in this instance really did have to do a good job screening potential hires. The wrong person could cause serious problems, ranging from the proliferation of illegal substances within prison walls to smuggling prisoners weapons to aiding and abetting an escape.
The Internet ages very fast, and by any measure, 2011 was a very long time ago in the realm of things digital. But the behavior that Collins reported was inexcusable even at the time. According to Collins, his interviewer did not ask for, but rather demanded, his Facebook username and password.
Now, imagine you need a job. You know the process is winding down to a last sanity check—where the prospective employer calls a few people to make sure you’re not a loony—and then you’ll get an offer. You can tell. Now, imagine you’re sitting in an oﬃce waiting for them to make that next move, and instead you get this curveball: “Do you mind if we poke around your Facebook account?” What would you do? If you are like a lot of people, including Robert Collins, you’re going to hand over the keys to your Facebook account, or whatever other account the gatekeeper asks to see. The interview process is intense. You’ve gotten this far. It’s simply too hard to ﬁnd a job, and the stress is too great not to acquiesce to such a request— no matter how wrong it seems—when the alternative is not getting the job oﬀer. And you are pretty careful about what you post, right? There aren’t any embarrassing pictures of you. What about your private messages? Are you careful there, too?
So what happened at Mr. Collins’s interview?
“He logged into my account and went through my pages, my posts, my messages, all my pictures, things like that,” Collins told a reporter, not long after it happened. This private aﬀair had become a news story because, immediately following the interview, Collins contacted the American Civil Liberties Union. When the ACLU got in touch with the Department of Corrections about the incident, the explanation demonstrated two things: that no one there had thought much about the parameters native to privacy and social media—much less about best practices—and that they didn’t really understand why requesting login information might be a problem.
If I had to guess, I’d say there was a question on the application about social media (i.e., do you use it?), and if the answer was yes, the follow-up gave the option of providing an applicant’s login information “for screening purposes.” In other words, it was yet another one of those “voluntary” items that an employer can review—like your credit report or a drug test—to determine if they should hire you. And once asked for their information, who wouldn’t feel some pressure to say yes? Doubtless there would be plenty of applicants willing to hand over the keys to their likes, dislikes, and online behavior—including the way it chronicles their behavior in real life.
The point is that it’s not okay for an organization to say, “We didn’t think through the ramiﬁcations,” and call it a day. We’re somewhere on the Oregon Trail when it comes to Internet security, and many organizations have been behaving like bandits. And make no mistake, there has been a huge expansion of what’s knowable about a person over the past decade or so, and it owes a lot to the explosive growth of social media. What hasn’t evolved (or at least improved) is our sense of where the boundaries between public and private should be set. The tendency for most of us is to feel numb about it all. According to the November 2014 survey conducted by the Pew Research Center, “91% of adults in the survey ‘agree’ or ‘strongly agree’ that consumers have lost control over how personal information is collected and used by companies.”
It makes perfect sense that employers would see the proliferation of personal information as a way to inform hiring decisions and staﬀ up more eﬃciently. Why wouldn’t they, if prospective workers don’t complain, and the company beneﬁts? It’s the same tug of war between common sense and temptation that seems to occur on countless social media accounts every nanosecond of the day. According to the IACP (International Association of Chiefs of Police) Center for Social Media, there are more than 243,000 photographs posted to Facebook alone every minute. Worldwide, users log more than 3,125,000 likes per minute. The stats are impressive. What is both remarkable and still more disconcerting is the way that social media desensitizes users to the perils of public sharing.
The problem with handing over your username and password to a prospective employer—or really anyone—should be obvious. If it’s not obvious, consider similar gambits. Should a potential employer get to interview a job candidate’s spouse or partner? How about their siblings? Parents? Should they get to see your online dating proﬁle? Or your personal email? Can they silently grade you on your grammar, your spending habits, and your friendships?
Thankfully, Collins’s story is less common these days. Maryland, along with nineteen other states, has made it illegal for an employer to access an applicant’s social media accounts. Back in 2011, the Maryland Department of Public Safety and Correctional Services said the policy was an attempt at better screening. By looking at an applicant’s Facebook account, it would be possible to determine if he or she had any gang aﬃliations or family members incarcerated in the system.
It was just one of countless overreaches that occur with any new opportunity—especially one that revolves around useable data. Depending on your settings on Facebook, even employers without your login information can still see what you’re like, and if you have good grammar. It goes without saying that Twitter is an open book unless you are protecting your tweets. There are, in fact, settings to protect your posts on all the major sites, but the real question is why would anyone, given the risks, want to post anything personal online?
Here’s the deal: There is already way too much information about all of us out there just waiting to be found and exploited at our expense. Sometimes the exposure of information is intentional—you post pictures, you name family members, celebrate birthdays, attend school reunions—and sometimes you’re oblivious to the slow leak of your personal information into the cybersphere. Regardless, we’re all shedding a lot of personal identifying information just by dint of being a member of society. Our transactions on social media and beyond need to become more of a focus if we want to avoid having our lives turned upside down by an identity-related crime—we need to keep the focus on controlling what we can, and never lose sight of the fact that it’s anyone’s guess where our information may be.
According to Consumer Reports, more than 85 percent of Americans oppose online ad trackers that gather their personally identiﬁable information, and it doesn’t matter if it’s anonymized. Nobody trusts that their information is safe, and contrary to some industry-funded studies, most people are not comfortable with the sacriﬁce of privacy on the altar of convenience. But while we are quick to gripe about ad tracking and the gathering of our data, even by places like the IRS that absolutely need it, there we are, clicking and pecking away on our keyboards, trained on little boxes asking us to tell the world what’s on our minds. It really does seem insane.
I do have one thought for those who insist on the real-time documentation of life. My former press secretary at New Jersey’s Division of Consumer Aﬀairs, Larry Nagy, used to call it the “60 Minutes” theory.
Larry’s advice: “Don’t do anything”—and here I would insert, “or type anything”—“that, if on a Sunday evening, when you’re eating your TV dinner in front of your television set, and Mike Wallace came on 60 Minutes and told you about you, would prevent you from ﬁnishing your dinner.”
No one has a greater stake in our future and economic security than we do. That means we need to be ever vigilant, self-aware, and, above all, careful. Even if no one ever asks for your social media and login information, that doesn’t mean someone (on their own behalf or that of another) is not looking through your pages, posts, messages, pictures, and Facebook wall as you read this, and you need to assume that’s the case. As a company, Facebook’s mission is not to be a personal journal or an archive of your correspondence. Their mission is to collect your personal information and sell it to advertisers—that’s it. They get you to hand it over by giving you access to a lifetime’s worth of friends and memories. It’s a seductive proposition, and you may decide that it’s worth it. Just be careful, because it comes at a price.
It has been ﬁve years since Mark Zuckerberg declared that the age of privacy was over. He was in a position to know, because he was the one ending it.
The wild pronouncements of an unstoppable force of nature worth billions of dollars notwithstanding, many of us still care about our privacy, and if we choose to protect it, we can. Privacy is not dead, but to some extent it’s going underground. The cattle call of data megabreaches now includes the world’s largest companies and most powerful governments. When Sony Pictures and Centcom can get hacked—and they are just two obvious examples—one has to assume that Facebook is hackable, too. For legions of hackers, the social media giant is the white whale. If our operating theory holds true, that everyone and everything is vulnerable and it’s just a matter of time before it gets got—then news of Facebook’s breach is coming. And when it does, it won’t be pretty.
Consider what would happen if a ﬁle about you, one that would put to shame anything that the CIA could have amassed (because you sourced it yourself), a dossier with not only your personally identiﬁable information, but everything that makes you unique, suddenly was out there, available to the highest bidder. Bear in mind, whoever got your ﬁle would also have a pretty good idea of how much money you make, and thus would be able to take maximum advantage of your identity.
A huge percentage of Americans don’t think that Facebook is using their personal information fairly. Yet there we are, keeping up with friends and family; spying on enemies or former signiﬁcant others; checking out the latest tragedy in some faraway place or right next door; watching cute animal videos, amazing child performers, or various acts of political chicanery; or ogling the beach photos of our prom dates from 1974.
One option is to do something that Mark Zuckerberg has derided as inauthentic. You can alternate between a number of different Facebook accounts, migrating from one to the next every
couple of months. If Facebook’s game plan is to get an accurate picture of you, they will be foiled, confronted with a cubist version worthy of a modern art museum or a hall of mirrors. While it’s far from foolproof, this strategy is at least one way to prepare for a potential megabreach of any major social networking site, since it will be harder for a third party to piece together your identity and use it. It’s a lifehack to protect your privacy and personal information.
Excerpted from "Swiped: How To Protect Yourself in a World Full of Scammers, Phishers and Identity Thieves" by Adam Levin. Published by PublicAffairs. Copyright 2015 by Adam Levin. Reprinted with permission of the publisher. All rights reserved.