1
00:00:00,470 --> 00:00:01,630
We’re now going to talk about

2
00:00:01,750 --> 00:00:04,829
how much personal information you might be revealing

3
00:00:04,830 --> 00:00:08,199
on the social sites that you use, in forums,

4
00:00:08,200 --> 00:00:10,249
and when you fill out forms,

5
00:00:10,250 --> 00:00:13,170
and really, any time where you’re providing information,

6
00:00:13,280 --> 00:00:16,159
and we’re going to look at using identity strategies

7
00:00:16,160 --> 00:00:19,540
to limit your exposure to your adversaries

8
00:00:19,560 --> 00:00:21,480
when revealing personal information.

9
00:00:21,860 --> 00:00:24,160
Increasingly it’s getting harder and harder

10
00:00:24,290 --> 00:00:26,000
to not provide information

11
00:00:26,260 --> 00:00:28,930
if you want to function in the modern world.

12
00:00:29,060 --> 00:00:31,109
Our children simply won’t understand

13
00:00:31,110 --> 00:00:32,750
the concept of privacy

14
00:00:33,130 --> 00:00:34,640
in the same way that we do,

15
00:00:34,980 --> 00:00:36,469
but the clear facts are

16
00:00:36,470 --> 00:00:39,830
that the less information about you that is out there,

17
00:00:40,150 --> 00:00:43,160
the more security, privacy and anonymity

18
00:00:43,210 --> 00:00:46,440
you can grasp, attempting to attain.

19
00:00:46,600 --> 00:00:48,419
The less information out there about you,

20
00:00:48,420 --> 00:00:51,640
the better protected against identity theft,

21
00:00:51,850 --> 00:00:56,049
phishing attacks, spam, con men, social engineering, hackers,

22
00:00:56,050 --> 00:00:58,979
nation state surveillance, local law enforcement,

23
00:00:58,980 --> 00:01:00,550
basically everything.

24
00:01:00,580 --> 00:01:01,950
But you have to balance

25
00:01:02,330 --> 00:01:05,069
your personal information disclosure

26
00:01:05,070 --> 00:01:09,890
with your need for an identity or identities online.
27
00:01:10,160 --> 00:01:13,090
Here is a scrolling list of

28
00:01:13,500 --> 00:01:15,580
information you should consider

29
00:01:15,650 --> 00:01:17,970
before revealing online

30
00:01:18,030 --> 00:01:21,420
or consider before giving to companies.

31
00:01:21,640 --> 00:01:23,689
The more of this personal information

32
00:01:23,690 --> 00:01:25,439
that is out there about you,

33
00:01:25,440 --> 00:01:27,190
the more of a complete picture

34
00:01:27,500 --> 00:01:29,280
an adversary can have of you.

35
00:01:29,600 --> 00:01:32,400
Questions to consider when putting this information online

36
00:01:32,700 --> 00:01:34,310
or providing it to companies.

37
00:01:34,650 --> 00:01:37,170
Who can ultimately access the information?

38
00:01:37,340 --> 00:01:39,249
You might think it’s just your friends,

39
00:01:39,250 --> 00:01:40,510
or just the company,

40
00:01:40,600 --> 00:01:42,560
but they can forward the information on.

41
00:01:42,720 --> 00:01:44,849
If it’s a social site, the social site

42
00:01:44,850 --> 00:01:46,549
will have access to it; if it’s a company,

43
00:01:46,550 --> 00:01:48,070
the company will have access to it.

44
00:01:48,210 --> 00:01:51,360
Your adversary then may also have access to it.

45
00:01:51,740 --> 00:01:54,060
Who controls and owns the information

46
00:01:54,160 --> 00:01:55,230
that you are disclosing?

47
00:01:55,390 --> 00:01:56,390
You might find that

48
00:01:56,640 --> 00:01:58,240
some of the sites you use

49
00:01:58,320 --> 00:02:00,730
own the content you publish.

50
00:02:00,980 --> 00:02:01,630
Did you know that?

51
00:02:01,780 --> 00:02:03,660
Can the information ever be taken back

52
00:02:03,680 --> 00:02:06,010
or taken down that you've disclosed?
53
00:02:06,420 --> 00:02:07,949
The answer is probably no,

54
00:02:07,950 --> 00:02:10,109
because other sites and services

55
00:02:10,110 --> 00:02:12,550
archive the internet, so ultimately,

56
00:02:12,730 --> 00:02:14,399
even if it is taken down,

57
00:02:14,400 --> 00:02:16,400
it may be archived somewhere else.

58
00:02:16,750 --> 00:02:20,240
And as we know, nation states are archiving data as well.

59
00:02:20,670 --> 00:02:22,669
Will your associates mind if you share

60
00:02:22,670 --> 00:02:25,090
information about them with other people?

61
00:02:25,540 --> 00:02:27,360
What information about you

62
00:02:27,460 --> 00:02:30,270
are your associates passing on to other people?

63
00:02:30,710 --> 00:02:31,849
Do you trust the people

64
00:02:31,850 --> 00:02:33,890
in organizations you’re connected to?

65
00:02:34,190 --> 00:02:37,160
They can forward on information you have posted.

66
00:02:37,220 --> 00:02:39,730
Even if you post on a private forum,

67
00:02:40,000 --> 00:02:41,769
you should consider the information

68
00:02:41,770 --> 00:02:43,969
still public, because you no longer

69
00:02:43,970 --> 00:02:46,370
have control over that information.

70
00:02:46,890 --> 00:02:49,059
Are you relying on a social site

71
00:02:49,060 --> 00:02:51,419
or other site as a primary host

72
00:02:51,420 --> 00:02:53,240
for your content or information?

73
00:02:53,470 --> 00:02:55,119
What happens if that site disappears,

74
00:02:55,120 --> 00:02:56,549
if it goes down? Will you lose

75
00:02:56,550 --> 00:02:57,850
those precious pictures?

76
00:02:58,160 --> 00:02:59,900
Are there photos of you online?

77
00:03:00,020 --> 00:03:01,900
Do people tag you in photos

78
00:03:02,000 --> 00:03:04,920
even if you don't post pictures yourself?

79
00:03:05,370 --> 00:03:06,669
Consider the risk associated

80
00:03:06,670 --> 00:03:08,370
with the information you post online.
81
00:03:08,650 --> 00:03:10,499
Could an unfortunate post on social media

82
00:03:10,500 --> 00:03:12,929
for your career, or posting your opinions,

83
00:03:12,930 --> 00:03:13,930
get you fired?

84
00:03:13,960 --> 00:03:16,369
What are the consequences of posting, viewing or creating

85
00:03:16,370 --> 00:03:17,750
this sort of content online

86
00:03:18,120 --> 00:03:19,430
that you wish to do freely?

87
00:03:19,730 --> 00:03:21,679
Just re-tweeting or forwarding

88
00:03:21,680 --> 00:03:24,730
a message indicates your views on a topic?

89
00:03:25,120 --> 00:03:28,360
Are you comfortable that your social media presence

90
00:03:28,580 --> 00:03:30,720
creates a profile of you online

91
00:03:30,800 --> 00:03:32,770
that can be used by employees

92
00:03:33,000 --> 00:03:34,140
and your adversary?

93
00:03:34,480 --> 00:03:37,379
Do you want to mix colleagues with friends and family?

94
00:03:37,380 --> 00:03:38,460
Are you doing that now?

95
00:03:38,730 --> 00:03:40,889
Do you have distinctly private activities

96
00:03:40,890 --> 00:03:43,520
that you don't want associated with your real identity?

97
00:03:43,980 --> 00:03:45,279
Do you perform activities that

98
00:03:45,280 --> 00:03:47,759
law enforcement agencies or nation states

99
00:03:47,760 --> 00:03:48,840
have laws against?

100
00:03:49,330 --> 00:03:50,920
Will the information you disclose

101
00:03:51,000 --> 00:03:53,319
lead to the targeting of your friends

102
00:03:53,320 --> 00:03:55,570
and family members by your adversaries?

103
00:03:55,850 --> 00:03:57,359
Will your children appreciate

104
00:03:57,360 --> 00:03:59,489
you posting photos and information

105
00:03:59,490 --> 00:04:01,420
about them when they get older?

106
00:04:01,660 --> 00:04:03,260
Does this make them more vulnerable?
107
00:04:04,250 --> 00:04:05,739
I recommend this site here,

108
00:04:05,740 --> 00:04:07,199
who do a great breakdown

109
00:04:07,200 --> 00:04:10,250
of the terms of use and privacy policies

110
00:04:10,530 --> 00:04:12,170
of companies that you use.

111
00:04:12,520 --> 00:04:14,449
They also have a browser plugin,

112
00:04:14,450 --> 00:04:16,199
so if you are interested

113
00:04:16,200 --> 00:04:17,879
in the social sites that you’re using,

114
00:04:17,880 --> 00:04:19,880
so let's for example look in Facebook,

115
00:04:21,030 --> 00:04:22,569
and here we get a breakdown of

116
00:04:22,570 --> 00:04:24,500
what this particular social site

117
00:04:24,540 --> 00:04:26,600
has to say in their policies.

118
00:04:26,670 --> 00:04:28,420
So the breakdown here: very broad

119
00:04:28,440 --> 00:04:30,420
copyright license on your content,

120
00:04:30,500 --> 00:04:33,009
this service tracks you on other websites,

121
00:04:33,010 --> 00:04:35,750
Facebook automatically shares your data

122
00:04:35,780 --> 00:04:37,460
with many other services,

123
00:04:37,560 --> 00:04:40,470
Facebook uses your data for many purposes,

124
00:04:40,560 --> 00:04:42,009
the Android app can record

125
00:04:42,010 --> 00:04:44,680
sound and video from your phone at any time

126
00:04:44,970 --> 00:04:46,170
without your consent.
127
00:04:46,360 --> 00:04:47,360
And if we click here,

128
00:04:47,530 --> 00:04:48,769
we can see more details

129
00:04:48,770 --> 00:04:50,100
if you want to see a breakdown.

130
00:04:50,390 --> 00:04:51,390
So what I do,

131
00:04:51,550 --> 00:04:52,859
what I suggest is that

132
00:04:52,860 --> 00:04:55,450
if you are using social media websites

133
00:04:55,540 --> 00:04:56,250
and you want to know

134
00:04:56,251 --> 00:04:57,920
what they’re doing with your information,

135
00:04:58,130 --> 00:04:59,460
this is a good site to go to,

136
00:04:59,730 --> 00:05:00,839
check out the detail

137
00:05:00,840 --> 00:05:03,200
for the social sites that you use or other sites,

138
00:05:03,600 --> 00:05:05,079
and see whether or not, you know,

139
00:05:05,080 --> 00:05:07,179
you’re happy with what it is

140
00:05:07,180 --> 00:05:09,370
that they are potentially doing with your data.

141
00:05:09,590 --> 00:05:11,399
You need to determine if these terms

142
00:05:11,400 --> 00:05:12,959
are really in line with

143
00:05:12,960 --> 00:05:14,880
what you’re currently posting online.

144
00:05:14,950 --> 00:05:15,840
If they aren't, then you

145
00:05:15,841 --> 00:05:18,320
need to consider a different identity strategy.

146
00:05:19,370 --> 00:05:20,509
In the section on OpSec,

147
00:05:20,510 --> 00:05:22,959
we discuss identity strategies,

148
00:05:22,960 --> 00:05:24,630
so let's revisit them in terms of

149
00:05:24,700 --> 00:05:26,670
giving away personal information

150
00:05:27,040 --> 00:05:29,259
and how you can use identity strategies

151
00:05:29,260 --> 00:05:31,680
to manage the information that you’re giving out.

152
00:05:32,010 --> 00:05:33,540
So the strategies I’m going to list

153
00:05:33,620 --> 00:05:35,279
are in order of preference

154
00:05:35,280 --> 00:05:38,930
for limiting the revealing of personal information.

155
00:05:39,290 --> 00:05:41,549
So first is the avoidance strategy.
156
00:05:41,550 --> 00:05:44,389
This is the best strategy for reducing risk

157
00:05:44,390 --> 00:05:47,110
related to giving out personal information.

158
00:05:47,400 --> 00:05:49,439
And the avoidance strategy is simply

159
00:05:49,440 --> 00:05:52,299
avoiding using certain social media,

160
00:05:52,300 --> 00:05:56,879
not posting, not filling in forms, simply not registering,

161
00:05:56,880 --> 00:05:59,430
just not giving out that information.

162
00:05:59,790 --> 00:06:01,709
This is often unrealistic

163
00:06:01,710 --> 00:06:03,949
and deprives you of the advantages

164
00:06:03,950 --> 00:06:06,220
of the internet and modern living,

165
00:06:06,360 --> 00:06:08,859
and just may simply not be possible

166
00:06:08,860 --> 00:06:10,330
in some circumstances.

167
00:06:10,750 --> 00:06:12,700
But a common example might be

168
00:06:12,960 --> 00:06:15,099
not having social media accounts

169
00:06:15,100 --> 00:06:18,090
and limiting your accounts to the bare minimum.

170
00:06:18,160 --> 00:06:19,919
This way, you release

171
00:06:19,920 --> 00:06:22,109
the least personal information.

172
00:06:22,110 --> 00:06:23,359
It’s recommended to use

173
00:06:23,360 --> 00:06:26,260
the avoidance strategy where possible.

174
00:06:26,420 --> 00:06:28,360
The less information that is out there,

175
00:06:28,400 --> 00:06:30,010
the less vulnerable you are.

176
00:06:30,500 --> 00:06:32,300
Where avoidance isn't possible,

177
00:06:32,500 --> 00:06:34,839
you can use compartmentalization.

178
00:06:34,840 --> 00:06:37,439
This is having contextually separate identities

179
00:06:37,440 --> 00:06:40,040
from each other and your real identity.
180
00:06:40,170 --> 00:06:41,599
For example, you could maintain

181
00:06:41,600 --> 00:06:44,199
a social media account under an alias,

182
00:06:44,200 --> 00:06:47,129
so you could have a Facebook as John Smith,

183
00:06:47,130 --> 00:06:48,719
or whatever name, and you might

184
00:06:48,720 --> 00:06:50,880
reveal information about you,

185
00:06:50,940 --> 00:06:53,580
but it’s separate from your real identity.

186
00:06:53,900 --> 00:06:57,259
So if your adversary or an HR department

187
00:06:57,260 --> 00:06:59,309
does a search on you, there is nothing

188
00:06:59,310 --> 00:07:01,410
linked to your real identity.

189
00:07:01,700 --> 00:07:02,909
I have a number of friends

190
00:07:02,910 --> 00:07:05,879
who, both in the real world and online,

191
00:07:05,880 --> 00:07:07,830
are known only by an alias;

192
00:07:07,880 --> 00:07:09,870
it’s an effective strategy for them

193
00:07:10,070 --> 00:07:13,560
to separate their social and professional identities.

194
00:07:13,920 --> 00:07:15,839
Next is the content strategy,

195
00:07:15,840 --> 00:07:17,289
where you’re only giving out

196
00:07:17,290 --> 00:07:19,289
carefully considered information

197
00:07:19,290 --> 00:07:20,730
against your real identity.

198
00:07:21,040 --> 00:07:22,860
This is effective if you manage to

199
00:07:22,950 --> 00:07:25,770
always put out carefully considered information,

200
00:07:26,040 --> 00:07:27,890
but this strategy is risky as you could

201
00:07:28,020 --> 00:07:30,139
inadvertently reveal information

202
00:07:30,140 --> 00:07:31,970
you didn't intend to release.
203
00:07:32,280 --> 00:07:34,069
A simple example could be

204
00:07:34,070 --> 00:07:35,679
you download an app, you register

205
00:07:35,680 --> 00:07:38,500
under that app as your real identity,

206
00:07:38,820 --> 00:07:40,979
and not realize the default settings

207
00:07:40,980 --> 00:07:42,679
are revealing your location

208
00:07:42,680 --> 00:07:45,056
or some other personal information.

209
00:07:45,888 --> 00:07:47,624
Then you have the audience strategy,

210
00:07:47,625 --> 00:07:50,440
which is a step a little bit more risky.

211
00:07:50,760 --> 00:07:52,524
This is keeping, as an example,

212
00:07:52,525 --> 00:07:55,622
your personal and professional network separate

213
00:07:55,623 --> 00:07:57,899
by using Facebook for friends and family,

214
00:07:57,900 --> 00:08:00,373
and LinkedIn for your personal network.

215
00:08:00,550 --> 00:08:04,160
This can limit the exposure of your personal information,

216
00:08:04,253 --> 00:08:05,493
but it is still out there.

217
00:08:05,586 --> 00:08:07,779
You know, do you own that information?

218
00:08:07,780 --> 00:08:10,499
Can you remove it? Will someone copy it?

219
00:08:10,500 --> 00:08:12,540
Will your adversary be able to find it?

220
00:08:12,660 --> 00:08:15,460
Do you trust your audience with that information?

221
00:08:15,700 --> 00:08:18,420
Ultimately, if you have put personal information out

222
00:08:18,466 --> 00:08:21,634
to an audience, it can be passed on to another audience

223
00:08:21,702 --> 00:08:24,034
or viewed potentially by another audience.

224
00:08:24,354 --> 00:08:25,782
This is where you get into

225
00:08:25,783 --> 00:08:29,111
your privacy settings on those sites.

226
00:08:29,217 --> 00:08:31,182
You configure your privacy settings

227
00:08:31,210 --> 00:08:33,710
to attempt to reduce the audience,

228
00:08:33,810 --> 00:08:36,031
but obviously, if one person can view it,

229
00:08:36,032 --> 00:08:37,440
one person can pass it on.
230
00:08:37,952 --> 00:08:39,536
And then the most risky strategy

231
00:08:39,537 --> 00:08:40,989
is the open strategy.

232
00:08:40,990 --> 00:08:42,879
This is using your real identity

233
00:08:42,880 --> 00:08:44,903
and being transparent and authentic.

234
00:08:44,904 --> 00:08:47,423
Some people do live their lives like this

235
00:08:47,424 --> 00:08:48,543
and in the public eye.

236
00:08:48,544 --> 00:08:51,440
This is suitable for certain situations and cultures,

237
00:08:51,533 --> 00:08:54,813
but this is obviously risky and makes you vulnerable.

238
00:08:54,853 --> 00:08:56,732
Even though you’re using an open strategy,

239
00:08:56,733 --> 00:08:59,946
you should still restrict the personal information you give out,

240
00:09:00,093 --> 00:09:03,374
and generally an open strategy is not going to be suitable

241
00:09:03,375 --> 00:09:05,320
for someone who is interested in privacy

242
00:09:05,360 --> 00:09:07,213
and their anonymity and security.

243
00:09:07,386 --> 00:09:10,240
And the final strategy is the custom strategy,

244
00:09:10,333 --> 00:09:13,339
which is probably the best general strategy

245
00:09:13,340 --> 00:09:16,360
for most people that will allow you to exist

246
00:09:16,440 --> 00:09:17,333
on the internet

247
00:09:17,386 --> 00:09:20,026
and limit information disclosure

248
00:09:20,133 --> 00:09:22,732
by using a combination of the strategies

249
00:09:22,733 --> 00:09:24,491
that we’ve gone through: avoidance,

250
00:09:24,588 --> 00:09:27,405
audience, content, compartmentalization.

251
00:09:27,680 --> 00:09:29,509
When information is custom to the audience,

252
00:09:29,510 --> 00:09:30,424
there is less risk.

253
00:09:30,520 --> 00:09:32,763
When identity is custom to the content,

254
00:09:32,764 --> 00:09:33,942
there is less risk.
255
00:09:34,388 --> 00:09:35,948
Whichever strategy you choose,

256
00:09:36,269 --> 00:09:37,999
you should post only the amount

257
00:09:38,000 --> 00:09:40,653
of personal information as is necessary.

258
00:09:40,933 --> 00:09:43,960
Even if you don't care about privacy or anonymity,

259
00:09:44,226 --> 00:09:47,146
you are better protected against identity theft,

260
00:09:47,200 --> 00:09:48,693
phishing attacks, spam,

261
00:09:48,694 --> 00:09:53,529
con men, social engineering, hackers, etc., etc.,

262
00:09:53,530 --> 00:09:54,633
if you limit the amount

263
00:09:54,634 --> 00:09:56,390
of personal information you give away.

264
00:09:56,898 --> 00:09:58,458
Another good site that provides information

265
00:09:58,459 --> 00:10:00,937
on how different companies protect you

266
00:10:01,280 --> 00:10:03,988
from government requests is this one here,

267
00:10:04,457 --> 00:10:05,611
Who Has Your Back?

268
00:10:05,612 --> 00:10:07,760
Another site from the EFF,

269
00:10:07,988 --> 00:10:09,931
and if you check this out here, you’ve got:

270
00:10:10,331 --> 00:10:12,992
“Follows industry-accepted best practices,

271
00:10:13,056 --> 00:10:15,760
Tells users about government data demands,

272
00:10:16,368 --> 00:10:19,280
Discloses policies on data retention,

273
00:10:20,064 --> 00:10:23,264
Discloses government content removal requests,

274
00:10:23,968 --> 00:10:27,168
Pro-user public policy: opposes back doors”.

275
00:10:27,632 --> 00:10:29,032
And you can have a look through here

276
00:10:29,088 --> 00:10:32,079
and see what it says about the social site that

277
00:10:32,080 --> 00:10:33,613
you may happen to be using.

278
00:10:33,614 --> 00:10:35,072
So here we can see Facebook,

279
00:10:35,392 --> 00:10:37,008
and it doesn't have a star here

280
00:10:37,009 --> 00:10:40,784
for disclosing government content removal requests.

281
00:10:42,096 --> 00:10:43,096
So check that out.
282
00:10:43,808 --> 00:10:46,705
In the section on passwords and authentication,

283
00:10:46,706 --> 00:10:49,377
we discuss two-factor authentication.

284
00:10:49,564 --> 00:10:53,359
Enable this on any social sites that you use

285
00:10:53,360 --> 00:10:55,359
where you disclose personal information,

286
00:10:55,360 --> 00:10:56,360
wherever possible.

287
00:10:56,544 --> 00:10:58,214
So see the sections on passwords

288
00:10:58,215 --> 00:11:00,285
and authentication for more details on that.

289
00:11:00,325 --> 00:11:03,440
Some social sites will allow two-factor authentication,

290
00:11:03,600 --> 00:11:05,105
others may not,

291
00:11:05,309 --> 00:11:07,265
but we detail that in that section.

292
00:11:07,760 --> 00:11:09,963
Depending on what social sites you use,

293
00:11:10,101 --> 00:11:13,679
they will potentially have privacy settings.

294
00:11:13,680 --> 00:11:16,089
So you should investigate the best options

295
00:11:16,090 --> 00:11:18,520
for you based on your identity strategy.

296
00:11:18,640 --> 00:11:20,339
Here is a good guide,

297
00:11:20,340 --> 00:11:21,853
one of the best guides I have found,

298
00:11:21,960 --> 00:11:24,059
on Facebook privacy settings.

299
00:11:24,060 --> 00:11:25,826
Facebook obviously is one of the most

300
00:11:25,866 --> 00:11:27,893
popular social media sites.

301
00:11:28,613 --> 00:11:29,799
Another good read here

302
00:11:29,800 --> 00:11:32,293
is on Twitter's privacy settings.

303
00:11:32,426 --> 00:11:34,359
If you’re using Twitter, I suggest

304
00:11:34,360 --> 00:11:38,332
you investigate the privacy settings on whatever social sites

305
00:11:38,333 --> 00:11:41,360
and forums and things that you use and visit,

306
00:11:41,426 --> 00:11:44,426
and make them in line with your identity strategy.
307
00:11:44,826 --> 00:11:47,573
Another consideration is you can use

308
00:11:47,600 --> 00:11:50,133
decentralized social networks

309
00:11:50,200 --> 00:11:51,813
where you control the content,

310
00:11:52,013 --> 00:11:54,293
and where they are happy for you to not use

311
00:11:54,294 --> 00:11:57,933
your real identity, and do not own your data.

312
00:11:58,280 --> 00:12:02,133
Here are three decentralized social networks that I recommend.

313
00:12:02,453 --> 00:12:04,960
The first one is this one, Diaspora,

314
00:12:06,466 --> 00:12:08,506
the second one is this one, Friendica,

315
00:12:09,800 --> 00:12:12,480
and the third one is GNU’s social network.

316
00:12:13,160 --> 00:12:15,546
So check those out as alternatives.

317
00:12:15,693 --> 00:12:18,621
Some of these integrate with existing social media sites

318
00:12:18,640 --> 00:12:20,804
while you attempt to migrate away

319
00:12:20,805 --> 00:12:24,520
from those centralized sites to these decentralized sites,

320
00:12:24,680 --> 00:12:26,853
so you can slowly move away

321
00:12:26,960 --> 00:12:28,080
and bring your friends

322
00:12:28,160 --> 00:12:32,666
to these more privacy-focused decentralized social networks.