Anyone who has been a follower of SurvivalBlog for any time understands the distaste that the editors have for Facebook and other forms of social media. We make no secret of the fact that we know the primary purpose of these sites is to produce a viable database that can be mined for marketing purposes (and ofttimes other nefarious reasons). We have long stayed away from these OPSEC nightmares and have encouraged our readers to do likewise. However, we have watched these social media sites become giants in the communications industry, and it became obvious to us that we had to do something to protect our intellectual property rights. In addition, these platforms provide the ability to spread our message to potential readers who would not normally seek access to our website.
As a result, SurvivalBlog has started a social media presence. We would like our readers to understand that SurvivalBlog does not keep “lists” of people, even for marketing purposes. The only contact information we retain is that which is necessary for the operation of the blog. If you submit an article to the contest, we will keep your email so that we have a way of contacting you if we need you to make changes to the article, to be able to contact the winners of the contest, and to forward any correspondence that our readers may wish to send to the authors of those articles. We also keep contact information for our advertisers and those with whom we correspond regularly. SurvivalBlog does not keep a list of who reads or accesses the blog, and we operate on the principle that it is not a crime to refuse to turn over what we don’t have or keep to any entity who demands access to it, legally or otherwise.
With those caveats in mind, understand that contact information is a large part of social media networking. While your “liking” the Facebook page or “following” us on any of the social media platforms that we may participate in helps us, in terms of gaining control of our intellectual property and/or spreading the word to those who would not normally visit the website, you would be putting yourself on a list that we have no control over. With regard to social media, every post you view, every video you watch, every response/comment you make, and even every “private message” you send or receive is tracked in their database and is available to whatever entity gains access to that database. The most common accesses are for marketing purposes, but we also know that government entities (both domestic and foreign), corporations, and yes, even criminals use this information to make decisions about you. Social media has become such a large part of our culture that many feel that they must use social media. For that reason, we have prepared some guidelines for you to help you minimize OPSEC violations that can put you, your family, or your business/home at risk.
SurvivalBlog’s Social Media Footprint:
We will add more to this list if we decide to participate in them.
OPSEC Issues
If you are being targeted, constant updates to your social media account can alert the observer to your location as well as other critical information:
- Are you gone from your home on vacation? If a burglar is following you on social media, he knows exactly when to break in and guarantee that you are not there to greet him.
- Are you a government official on travel? Do you have a spouse deployed in the military to a sensitive area? If so, updating social media can compromise security.
- Did you know that it is common for viruses and trojans to utilize social media to compromise computers, cell phones, and tablets?
- Were you aware of the fertile breeding ground that social media presents to identity thieves? Information that a census worker couldn’t pry out of a person with threat of jail is often just given away for free on social media.
- Do your kids have social media accounts? Do you know what they are posting and who they are talking to? Do you know who can see what they post?
- Did you know that by their own admission, terrorist organizations actively utilize social media to investigate persons of interest and all matters related to them (work, family, residence, travel, and schedules)?
Even though many people believe that they don’t give any critical information away, it can be considered a case of “death by a thousand cuts.” Each individual piece of information may be meaningless in and of itself, but taken within the context of all of the information available, grievous breaches of OPSEC are easily obtained.
What can you do?
- Be cautious when accepting friend requests. Yes, it is the socially acceptable thing to have lots of friends, but do you really know these people that you are allowing access to your life? (We are not even talking about the system administrators whom you don’t know, have never met, and don’t even know anything about.) You should never accept friend requests from someone you don’t know, even if they are friends of one of your friends. Check out this Washington Times article on one example of why this is a bad idea.
- Don’t share information you don’t want to become public. Once it’s “in the wild”, you have no control over it. Even if you post it privately to another person, at a minimum, the system administrators have access to it (need I remind you that you don’t know them). You also have no real control over who the other person will repeat the information to. Our modern society is notorious for its gossip. Just look at how popular “reality TV” is.
- Don’t post personally identifiable information. A business posts its location, hours of operation, and other information that is expected in the normal operations of that business, but there is no reason to let the world know what your home location is, who your spouse is, what time you get off of work, and other such critical information.
- Please think about what you post before you hit send! You can’t get it back once it’s out there!
- Be conscious about posting critical information about others as well.
- Remember the “death by a thousand cuts” issue. Too many small pieces of information can be assembled into a fairly complete picture if the attacker is determined.
- Make sure you are regularly reviewing the security settings in your account. You can’t do anything about the system administrators knowing whatever you post, but you sure can keep strangers from seeing it! The default settings may not be enough, and some social media are infamous for changing settings or what the settings mean.
- Remove the geotags from your pictures! This is, of course, after you have determined that there is no critical information that is being given away by the contents of the pictures themselves. But if you don’t remove those geotags, there is a clear record of where and when you were there. If you don’t know how to do this, look it up on a good search engine. Do not post a picture unless you know the geotags are not there or have been removed. (You should disable the GPS function of your phone anyway. Google doesn’t need to know where you are all of the time.)
- Remember to watch not just your OPSEC but the OPSEC of those around you. Take care of your neighbors and friends!
- If you are a company, make sure you have designated only a few (or one) qualified person whom you trust to speak for your company. Many dissenting voices produce problems.
- Monitor your media presence. You will have friends tag you in photos that have geotags enabled or descriptions that shouldn’t be there. They may write about something you are doing. It is up to you to make sure your OPSEC is not violated, even by others.
- Teach your family/friends/employees what is and is not “okay” to post.
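One way to carry out the geotag removal described in the list above, as an added example that is not from the original article: this Python code walks a JPEG's metadata segments, reports whether the EXIF block points at GPS data, and returns a copy with the EXIF block removed. The function names and the tiny sample image are constructed for illustration.

```python
import struct

EXIF_HEADER = b"Exif\x00\x00"
GPS_IFD_TAG = 0x8825  # entry in the first EXIF directory that points at GPS data

def has_gps(payload):
    """True if an EXIF payload's first directory contains a GPS pointer."""
    tiff = payload[len(EXIF_HEADER):]
    order = {b"II": "<", b"MM": ">"}.get(tiff[:2])  # TIFF byte order
    if order is None or len(tiff) < 8:
        return False
    magic, ifd0 = struct.unpack(order + "HI", tiff[2:8])
    if magic != 42 or ifd0 + 2 > len(tiff):
        return False
    (count,) = struct.unpack(order + "H", tiff[ifd0:ifd0 + 2])
    entries = tiff[ifd0 + 2:ifd0 + 2 + 12 * count]
    tags = [entries[i:i + 2] for i in range(0, len(entries) - 1, 12)]
    return struct.pack(order + "H", GPS_IFD_TAG) in tags

def strip_exif(jpeg):
    """Return (clean_bytes, had_gps) with every EXIF segment removed."""
    if jpeg[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG (missing start-of-image marker)")
    out, had_gps, pos = [jpeg[:2]], False, 2
    while pos + 4 <= len(jpeg):
        marker = jpeg[pos:pos + 2]
        if marker == b"\xff\xda":  # start of scan: the rest is pixel data
            out.append(jpeg[pos:])
            break
        (length,) = struct.unpack(">H", jpeg[pos + 2:pos + 4])
        end = pos + 2 + length
        if marker[0] != 0xFF or length < 2 or end > len(jpeg):
            raise ValueError("corrupt segment at offset %d" % pos)
        payload = jpeg[pos + 4:end]
        if marker == b"\xff\xe1" and payload.startswith(EXIF_HEADER):
            had_gps = had_gps or has_gps(payload)  # drop it, note what it held
        else:
            out.append(jpeg[pos:end])
        pos = end
    return b"".join(out), had_gps

def build_sample():
    """Constructed input: start marker, EXIF block with a GPS pointer, stub scan."""
    tiff = b"II" + struct.pack("<HI", 42, 8) + struct.pack("<H", 1)
    tiff += struct.pack("<HHII", GPS_IFD_TAG, 4, 1, 26) + struct.pack("<I", 0)
    payload = EXIF_HEADER + tiff
    app1 = b"\xff\xe1" + struct.pack(">H", len(payload) + 2) + payload
    return b"\xff\xd8" + app1 + b"\xff\xda\x00\x02\xff\xd9"
```

To use it on a real photo, pass the bytes read from the file to `strip_exif` and write the returned bytes to a new file. It handles the EXIF block only; XMP or IPTC metadata, which can also carry location, is left in place.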
You can go on the offensive with your OPSEC as well. Some things you can consider go beyond just managing what you post on social media. You can make sure that your OPSEC is maintained quite simply:
- Never log in from insecure/risky locations. These are prime targets for those who snoop for this kind of information.
- Always update your computer. Yes, we know you’re a cheapskate and you might be proud that your Windows 3.1 computer is still running after 20 years, but it’s a security risk. If you can’t update it and fix the security issues, get a new one. If the operating system is no longer supported and has security issues, get rid of it. It’s not worth the hassle, and computers are a commodity now. It’s an inexpensive fix.
- Search for yourself online. If too much information comes up, modify what you’re doing and what your security measures are doing.
- Keep your password secure. Don’t use the same passwords over and over, and never use identical passwords on different systems.
- Treat links and files carefully. Don’t open them if you don’t know who they’re from. Look at the source of emails, and if you don’t know how to verify if it’s real, ask someone to teach you.
- Don’t trust add-ons. Games, download engines, and plugins are not written by the social media sites; they come from third parties. You may think playing that new popular game is fun or finding out what color describes your life is neat, but do you know what information you just allowed the application to access by participating?
- Review your “friends” profiles. What they post may affect you.
- Always verify a “friend” by other means (phone, person-to-person) before allowing access.
- Use VPN access and/or Tor whenever you can. If you don’t have a VPN, get one, even if you have to pay for it!
It is also important to remember that if you post “it” and then have second thoughts and delete “it”, “it” still exists. You just can’t see “it”. The records in the database still have the original posting, any changes made to the posting, who posted “it”, who deleted “it”, and who saw or interacted with “it”. That information is then available at any time to anyone with access to the data. In this day and age, it is not inconceivable that this now deleted post could be used against you years into the future. There may come a time when “guilt by association” comes into play. Has someone else posted on your Facebook page, after which you deleted the post? You may be judged by the company you keep.
Beginning with these simple measures, you can start taking control of your digital life. Most important of all – Don’t post critical information! This can’t be repeated enough. Search engines make it super easy for adversaries to find it. If you just have to have a social presence, make it a habit to watch Enemy of the State and Minority Report at least on an annual basis. It is fiction, but so was a significant portion of Jules Verne’s fiction…right up to the point where it became reality. (See Twenty Thousand Leagues Under the Sea and From the Earth to the Moon.)