On supporting science journalism
If you're enjoying this article, consider supporting our award-winning journalism by subscribing. By purchasing a subscription you are helping to ensure the future of impactful stories about the discoveries and ideas shaping our world today.
Online identity is quickly becoming more crucial to personal and professional success than in-person communications. Yet most of people don't understand this new digital frontier and the dangers that lurk around every corner. Many are unaware of the digital bread crumbs that people leave behind with every social media post, and how easy it is for a person with malicious intent to do harm. Tyler Cohen Wood, a senior officer and a cyber branch chief for the Defense Intelligence Agency within the Department of Defense, writes that the "digital puzzle pieces" left behind in the form of online information—such as exchangeable image file (EXIF) data, cookies and information shared in peer-to-peer (P2P) networks—can put one’s personal security at risk. She also explains how we can protect ourselves.
Here are some examples of data trails excerpted from her new book, Catching the Catfishers: Disarm the Online Pretenders, Predators and Perpetrators Who Are Out to Ruin Your Life, that you may not even know existed.
Excerpt reprinted, with permission of the publisher, from Catching the Catfishers: Disarm the Online Pretenders, Predators and Perpetrators Who Are Out to Ruin Your Life, by Tyler Cohen Wood. Copyright © 2014 Tyler Cohen Wood. Published by Career Press. All rights reserved.
EXIF data
The other concept we need to discuss is EXIF data. EXIF data stands for Exchangeable Image File and is the metadata captured by your camera. Most phone cameras or digital cameras have EXIF data turned on by default. If EXIF data is turned on, when you take a photograph, the EXIF data comes along with the photograph, but we can’t see it unless we use special tools, most of which are free and available to anyone on the Internet. EXIF data contains information about the photograph such as where the photograph was taken (with exact GEO coordinates), what camera (including its serial number) took the photo, and many other details that give away information about you.
In 2012 a Burger King employee in Mayfield Heights, Ohio, posted a photograph of someone stepping in a tub of lettuce with their shoes on, with the caption, “This is the lettuce you eat at Burger King,” to the website 4chan.com, an image-based social media site where users can post pictures and make comments. The posters thought that they were anonymous because they showed no identifying details in the photo- or so they thought. The photograph contained EXIF data and GEO coordinates, so furious users were able to track down the exact Burger King where the photo had been taken. Once the local media was contacted, the three workers responsible for taking and posting the photograph were identified and quickly fired.
Cookies
Cookies also collect information about you. A cookie is information placed on your devices by an app or Website that keeps track of information about you, such as your e-mail address, what you search for and buy, or information unique to the device you are using to enhance data correlation. Some companies use software to reach others companies’ cookies to gather even more information about you. The software looks for what you have been searching for or buying as well as your e-mail address so that ads from that company can be targeted to you. These are called supercookies, Flash cookies, and/or zombie cookies. Theses supercookies are not kept in the same location on your devices as regular cookies, which makes them hard to find and remove. Even if you regularly use your browser’s function to remove cookies, browser removal will not work. As Ebezine.com claims:
The new Web language and its additional features present more tracking opportunities because the technology uses a process in which large amounts of data can be collected and stored on the user’s hard drive while online. Because of that process, advertisers and others could, experts say, see weeks or even months of personal data. That could include a user’s location, time zone, photographs, text from blogs, shopping cart contents, e-mails and a history of the Web pages visited.
This is what happened when I was searching for the baby presents and then received ads targeted to me from other baby apparel sites that I had not even visited. Web-based mail sites such as Google and Yahoo can also collect information on you. Search engines, Web mail, and social media all build profiles on you based on the things that you search for in a search box to target ads to you on that page or keywords from your mail. For example, if you are on a message board or using your Web mail and talking about cars, the Web mail or search engine site can pull keywords and, based on the text, target car ads directly to you in real time on that page. Such sites can also search for keywords in your mail and collect the data to piece together a profile on you to sell things to you or to other advertisers. By collecting and parsing your content and applying predictive analytics, they can personally tailor search results based on learning your life patterns. If you Google the word “puppies,” chances are Google will give you back results that are local to your area, or in some other way tailored to your search or mail behavior. You can easily test this yourself. Go to a search engine and search for a particular topic. Ask a friend in another location to search using the same search engine for the same topic and compare your results. You might be surprised at how different and personally targeted the results are.
The Art of the Possible: Just How Good Are They at Getting Your Data?
Back in the early days of peer-to-peer networks (P2P), some people using P2P who wanted to share information from their hard drives failed to use the proper access controls on the software and allowed their entire hard drives to be shared with anyone who was using the same P2P program. This is still going on. Programs and apps could potentially have access to other programs or apps on your system. For example, if you don’t like the standard SMS interface on your smartphone and choose to use another application to view and send your SMS messages, for the program to work, you have to give that secondary SMS app access to your SMS program, message history, and contact list. The makers of that secondary app could potentially collect your messages, history, contact list, and other items associated with SMS. Combined with your GEO coordinates and other information gleaned from your device, that secondary company could glean a lot of information about you. Most apps will tell you what they collect and do with your data in their terms of service, but they are not necessarily obligated to do so, especially if the company developing that app is in a country outside of the United States. This company might also have the ability to sell your data.
Applications are not necessarily stand-alone or self-contained. Other applications, depending on what access they have to your device, could potentially read and collect from other applications. A browser could potentially (like the mis-configured P2P mentioned previously) have access to other areas of your hard drive or device to collect information from other services or apps. For example, if you have sensitive documents open on your computer and you have your browser open, too, it is technically possible for the browser to read those documents. I am by no means stating that social media apps or browsers currently do collect or bleed into other areas, but it is feasible and not technically difficult to do, depending on what access they have other areas of the device. I was using a social media app on my smartphone and got an SMS message from a friend of mine that she also sent to three other people whom I had never met and did not have in my contact list. I began a private conversation with one of the other people on the SMS due to some similar interests. At the end of the private conversation, I added the person and her phone number to my contact list. After I went back to the social media app, the name of the woman I had just added to my phone’s contact list, and whom I had never met or spoken with before, was suggested to me by the social media app as someone I might know and want to friend. This could have been a coincidence, and I am not saying it wasn’t; however, it was a pretty strange coincidence! Moreover, because I know that it is technically possible and easy for the social media app to collect information from my SMS app and device, and then use it to suggest a connection, I immediately that that this is what happened.