Infosec: When in Doubt, Leave it Out

Allow me to introduce one of my biggest perennial pet peeves: the act of sharing way too much information.

Call it professionalism, paranoia, or common sense, but when it comes to the ability to share information about each other and ourselves online, the old adage applies: “With great power comes great responsibility.”

At the low end of the spectrum, giving the world too much of yourself may be mildly entertaining (or in other cases annoying) to the other users who stumble across your Facebook page and can suddenly figure out how many times in a day you go to the washroom or re-blog embarrassing photos. On the other side of things, if you’re not careful it’s frighteningly easy to end up sharing information that could cause direct and serious harm to reputation, finances, and family members. Common to every part of this spectrum is the persistence of data, where hurtful comments and regrettable disclosures can come embarrassingly home to roost at a much later time, sometimes years or decades down the road thanks to today’s perfect storm of automated archiving services and unpredictable human interfaces.

Conversely, given the immersive nature of the Internet and multitude of users online at any given time, as well as the sheer volume of web pages and content, it can be said there’s a certain amount of background noise that needs to be overcome when dealing with the desire to establish and maintain a virtual presence or digital identity. If you’re looking to make more connections with others, be it for business, knowledge, or pleasure, then just how far should you take it? How much is too much?

First, I’ll indulge my readers with the Big Ten, a list of things you will probably never want to have floating around online. This is a meta study based on the hundreds of web pages, surveys, and reviews I’ve encountered over the years. As always, your own mileage may vary.

The Big Ten: What you Never Want to Share Online

  1. Anything related to your password. You’d think this one speaks for itself, but there are still people out there who naïvely post login credentials or reminders for their friends or co-workers to use on shared blogs, accounts, or services.
  2. Anything you don’t want the public to know. Don’t fool yourself into believing that just because something is relegated to a single unconnected profile, it’s going to elude the prying eyes of search engines. The Internet is rife with tales of others’ false sense of security gone horribly wrong. If you don’t think you can deal with the consequences of something going viral and becoming available to a general audience, maybe you shouldn’t be posting it in the first place.
  3. Dirty laundry and attention-seeking. Whether it’s workplace politics, angsty criticism, gossip, feuds, or booze-fuelled rants, having any level of involvement in these things is likely to make you look like a tremendous ass in front of others, especially online. First impressions last a long time and anyone looking to grow their friendships, social opportunities, or careers is well advised to steer clear. The Internet is one of the first places most managers and new contacts look for reasons to exclude someone from the selection process.
  4. Financial information. Besides the fact that the Internet has roving gangs of organized identity thieves scouring pages for anything that might be useful, do you really need another reason not to share your portfolio or credit card details online? Deal only with sites from reputable companies whose practices you know well, and don’t reveal your information to anyone else for any reason.
  5. Medical information. This is almost never a good idea, even if you’re doing something positive like running a cancer awareness benefit. Revealing a person’s medical history online makes the information freely available, and can come back to harm them in the form of bullying, discrimination, or career problems. The same is true of sharing one’s own medical details before an audience. As broadcasters, we have absolutely zero control over what our audiences do with the materials we disseminate.
  6. Photos or information of children. By putting these materials online, it’s possible to inadvertently volunteer enough to not only permit a total stranger to track down your child, but also to pick the child out of a crowd, appeal to their personality, groom them, abduct them, and maybe even know where to send the ransom note. More often though, grooming ends offline with molestation, arrest, rape, or murder. Put safety first and make it a point to ensure children are educated in media awareness.
  7. Movements, routines, and events. Just like you wouldn’t put a note on the front door saying you’re away on vacation, it makes even less sense to broadcast the same details worldwide through your social network pages. Are you keeping in touch with friends, or begging to be burglarized? You may want to consider this point especially well before posting your MyTracks logs or other geolocation data to a blog. To your eyes it’s innocuous data; to a criminal’s eyes it’s gold.
  8. Address and phone number. In one case, groups of trolls taking part in a cyber-bullying mob sent stacks of pizzas to the victim’s home. In another, SWAT teams were sent to the residence of a prominent cyber-bullying expert. Any questions?
  9. Talking work. If it’s day-to-day details of what goes on in the workplace, or worse, complaints about work, there’s probably no good reason for putting it online. Apart from being a fertile bed for security breaches or disciplinary action to take root, it’s unflattering to the image of the person who posts it.
  10. Sister sites. Unless you have a specific strategy for integration of multiple sites to promote your online persona, it’s a bad idea to tie compartmentalized social media profiles to one another. For most people, the audience that’s viewing each profile is different from the ones viewing other content, as one profile may be dedicated to friends, another to family, and perhaps a third tailored to employers. Therein lies the reality of taking your life online: it’s multifaceted, and you have to understand a lot about the right time and place to convey specific information. Tying every profile together only works if it’s aimed at a very general audience and the content is clear and inoffensive. Otherwise, you may risk confusing everyone and drawing lots of negative feedback.

Next are the other important questions: what do you want to have floating around online, and how exactly do you integrate multiple profiles successfully across multiple sites?

To the first, I generally advise a conservative approach: share only as much of yourself as is absolutely essential to do the things you need to accomplish online. Unless social experimentation and sharing are specifically what you seek (are you looking to befriend strangers and find new friends?) there’s usually no good reason to move beyond this stage for the time being.

Likewise, if you’re new to cyberspace and only just becoming familiar with how information is managed and how people interact online, you’d do best to keep it simple until you’ve earned your stripes and boosted your overall awareness. The current incarnation of the Internet is even more of an electronic Wild West than it was ten years ago, and there are many customs and nuances with which one should first become acclimated.

As far as the second question goes, when linking profiles you should proceed with caution. You don’t want to alienate your core audience, but at the same time, you don’t want to close off the user experience for new or returning readers. Establish a general policy on how you plan to deal with the sharing, collection, and publication of all information and media. This can take many forms, ranging from a basic list in point form to the most comprehensive TOS agreement. Next, determine what each of your audiences looks like, and their general demographics. Once you have a better grasp of that, things will fall into place more easily as you can better determine how much crossover would be appropriate.

In my own life, I’ve found it useful to maintain compartmentalization of the more private circles (i.e. Facebook, which I use only for family and friends), and incorporate some overlap from my general sites. This way, private circles remain in their own space but receive regular updates from the photo blogs and other public content I release. This is most easily administered from an independent central site like, because thanks to the current generation of blog software and APIs, it’s relatively easy to add syndication tools.

In the end, the rule to remember is that over-sharing is as counterintuitive as under-sharing. Do what is essential to meet your needs, make it personal but not excessively so, and expand your explorations cautiously with an eye to the Big Ten. What you post today could have a huge impact in the future, so endeavor to be human in your dealings, but above all else be a decent one. If you doubt the redeeming value of content, sometimes it doesn’t hurt to leave it by the wayside.
