I’ve been concerned about this issue for some time now. As a resident of California, I’m entitled under the California Consumer Privacy Act (CCPA) to ask about the data that companies have mined from me. Recently, I did just that. Even though I closely follow cyber risk and privacy topics for a living, I was stunned by what I received in return. Both the sheer volume (we’re talking dozens of pages of spreadsheets) and the depth of the data points (e.g., the current phone numbers of friends I have not called since high school) rudely reawakened me to the reality of how our personal data has been commodified, sold, and traded without our full knowledge.
Yet, perhaps out of denial (“it won’t happen to me”) or cynicism (“they already have all my data”), too few of us take the steps needed to protect ourselves. It’s never too late to mitigate risk, and doing something is better than oversharing your personal information with strangers and big data companies.
The risks of social media use are real and frightening: identity theft, phishing, and now deepfakes can be perpetrated with the information we’ve willingly exposed about ourselves. From just a few small clues, a threat actor can target you or your business, open a credit card in the name of your child, or commit wire fraud.
We all enjoy the benefits of social media, and with a degree of caution, we can continue to use these valuable tools without inviting trouble. You can’t control all your data everywhere it lives, but if you control it where you can, you decrease your risk of getting hacked.
Here are some easy ways to reduce your vulnerability across social media platforms:
- Check haveibeenpwned.com to see which of your accounts have already been compromised. This can be a good wake-up call and a reminder to change your passwords. (See the next tip.)
- Practice good password hygiene. Regularly change passwords to your most-used accounts and make them unique to each site. Adopt two-factor authentication wherever possible.
- Keep your profile simple. Only post or list the most necessary information and avoid key data points like your birthday, phone number and address. If you must include your birthday, change it by a few years. Consider using only your first or middle names as your username, or maybe a nickname. Don’t use a cropped, straight-on profile picture that can be easily turned into someone’s fake I.D.
- Never post photos of personal documents like a driver’s license or reveal when and where you’re going on vacation. Avoid posting any information about or photos of your children.
- Screen your contacts list. Do you know all of your contacts personally? If there’s any doubt, disconnect. An exception might be LinkedIn where professional networking sometimes depends on contacting strangers. Still, it’s a good idea to review your connections for suspicious profiles. And always be skeptical of links or attachments anyone sends you directly via social media.
- Never respond to surveys, quizzes, or memes passed around on social media that request personal information, such as “my top ten favorite concerts.” Tempting as they may be, these are often used for data mining, including of your list of contacts.
- Adjust privacy settings so that only your friends or possibly friends of friends can see your posts and photos.
- Don’t use the apps; instead, access social media platforms from your browser whenever available. For example, go to LinkedIn.com instead of using the LinkedIn app on your phone or tablet. These platforms all have mobile versions of the site. They can be a little clunky compared to the apps, but you don’t have to give them permission to own all of the data on your device. Why give them access to your contacts, text messages, microphone, camera, location, and more?
A Privacy Piece by Micah Howser, CIPP/US, CIPM