TMI – by “Tate H”

Throughout your busy day, have you ever stopped to wonder what you had for lunch, where you were 4 hours ago, or what article you read from the Washington Post?  It may shock you, but these small details about your life can actually harm you.

A post on Facebook that says I’m out eating lunch at Pepe’s Pizza, says much more than where I like to order a stuffed crust Hawaiian special.

It implicitly reveals all the places I did not order pizza from, and even worse, it reveals all the other places in the world that I could be at but am not at right now.  I am at Pepe’s Pizza, which means I am certainly not at home.  Seizing his opportunity, any thief with access to this information has a small window of time to rob my home.  Magnifying the situation, what if I post a picture of Stonehenge during the middle of my vacation to Europe from my smartphone?  Leaving the lights on will simply not suffice.

Because of our newfound love for pouring every detail of our lives over the internet, we can now document the smallest details of our day to day routine.  This may not seem like much, but Facebook and the internet reveal much more than what we ate for lunch; they reveal our likes and dislikes, birthplace and current location, employment and interests, and so much more.

This information by itself is not necessarily bad.  If you say on your LinkedIn account that you graduated from Yale University in ’96, earned your Masters in Computer Science from MIT in ’00, and worked at Google from ’03-’05, you probably wanted that information to be accessible, especially to future employers.   However, you fail to realize that that information allows people to see more than your education and work experience.

Our online footprint leaves much more information than we can first imagine. Privacy settings give us the illusion of control, but these are no more than smoke and mirrors. They may control who sees your photos and what information non-friends can see, but let’s be honest. We all have many friends that we have either never met, or only shook hands with once at a party. We add friends fairly indiscriminately, and we fail to realize what we are showing them. The Facebook app Take This Lollipop demonstrates, in an exaggerated but still possible way, the ramifications of posting too much information on Facebook.

For example, let us consider someone who wants to see your transcript, but has no legal right to do so.  Whether it’s a competitive classmate or a nosy parent, they can easily access the information needed to order one directly from the registrar’s office.  Here are Yale’s requirements for ordering a transcript through mail (directly from its website, http://www.yale.edu/sfas/registrar/#transcripts):

Let’s walk through the requirements.  A full name can easily be found on Facebook, LinkedIn, etc.  The actual date of birth can usually be found on Facebook (many people don’t make their birthday private, even to non-friends).  Student ID number does not need to be provided if it is not “available”.  School and year of graduation are both found on Facebook and LinkedIn, and the dates of attendance are likely to be the four years preceding graduation.  The only protection against fraud that the registrar requires is a signature, but is that really secure?  Any Joe-Shmoe working a cash register can see your signature when you sign for a credit card purchase.  The only other requirements necessary to steal a transcript are a temporary address and a small fee.  (And yes, you may pay mail orders in cash, thus hiding the thief’s identity.  Ironic, isn’t it?)

Now for argument’s sake, you may say that process simply takes too much effort for someone to steal a transcript.  Sure, they can do it, but who is actually going to put up with that JUST so they can get someone’s transcript?  And I’d agree; it is somewhat trivial. But it illustrates my point: it is possible and the information is accessible.

However, let’s raise the stakes a little.  What if it were possible for someone to break into your bank account without ever meeting you or without having any physical interaction with you or the bank?  The truth is, it is possible.  Because of our bad habits of presenting information on Facebook and other websites, we are at serious risk of identity theft and some fingerprint-less robberies.

Consider what information an online bank asks for when you log in: only a username and a password.  To a responsible internet-user, this may be enough protection, at least to stay moderately safe.  However, what if you don’t know your password?  The website asks you to submit your social security number and maybe a date of birth.  It will then email your password to your email account, so you can then log in.

A snapshot of Bank of America's website.

We assume that this system protects us from others accessing our account, but does it really?

A social security number (XXX-XX-XXXX) isn’t as secure as you think. A random sequence of 9 digits is a hard code to crack, but anyone who wants to know your social only needs to guess 2. That’s right, 2. So a hacker can essentially break into your bank account once every hundred tries. This may not sound like much, but entering a social security number 100 times doesn’t take long at all, even allowing for the site temporarily shutting down its login after too many failed attempts.

So how are social security numbers chosen?  The first 3 digits are assigned by area.  For example, anyone born in Alaska after 1973 until 2011 will have a social that starts with 574.  Anyone can go on Facebook, see your hometown likely posted next to your name at the top of your profile, and find the first 3 digits with ease.  The middle two digits are labeled the Group Number.  They are harder to predict than the first 3 or the last 4.  The last four digits, which are random, would likely be the most protected part of your social.  Since they are random, no one should be able to guess what your number is.  However, these four numbers are often used on bills and other payment information as identification.  Therefore, someone would only need to steal a bill from your mailbox or email account to have a good shot at cracking your social security number.
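As an added illustration (not part of the original post), the sketch below models the claim above that only two digits remain to be guessed, and shows why a temporary lockout alone does not protect a secret with 100 possible values. The throttle values (5 attempts per lock, 30-minute lock, hard cap of 10 attempts) are assumptions chosen for the example, not any bank's actual policy.

```python
import math
from dataclasses import dataclass
from typing import Optional


@dataclass
class Throttle:
    attempts_per_window: int                  # guesses allowed before a temporary lock
    window_minutes: float                     # length of each temporary lock
    max_total_attempts: Optional[int] = None  # hard cap before manual unlock (None = no cap)


def assess(unknown_digits: int, throttle: Throttle) -> tuple:
    """Return (success_probability, worst_case_minutes) for exhaustive guessing
    of a numeric identifier with `unknown_digits` digits still unknown."""
    space = 10 ** unknown_digits
    tries = space
    if throttle.max_total_attempts is not None:
        tries = min(space, throttle.max_total_attempts)
    # The first batch of guesses needs no wait; each later batch follows one lock.
    locks = math.ceil(tries / throttle.attempts_per_window) - 1
    return tries / space, locks * throttle.window_minutes


# Assumed policies for comparison (constructed values).
TEMPORARY_ONLY = Throttle(attempts_per_window=5, window_minutes=30)
HARD_CAP = Throttle(attempts_per_window=5, window_minutes=30, max_total_attempts=10)

if __name__ == "__main__":
    cases = [
        ("2 digits unknown, temporary lock only", 2, TEMPORARY_ONLY),
        ("2 digits unknown, hard cap of 10", 2, HARD_CAP),
        ("9 digits unknown, temporary lock only", 9, TEMPORARY_ONLY),
    ]
    for label, digits, policy in cases:
        probability, minutes = assess(digits, policy)
        print(f"{label}: success {probability:.0%}, worst case {minutes / 60:.1f} h")
```

With only a temporary lock, the two-digit case is exhausted in under ten hours; a hard cap that forces a manual unlock limits the chance of success to 10%.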

These are all simple requirements to fulfill. It is very plausible that someone can discover your social security number in less than an hour. Once this is done, the only thing stopping him from hacking into your bank account is a password-protected email address, which is probably not the safest thing on the internet. A simple phishing scam or one email with a misleading link to keystroke-capturing software is all it takes to hack an account. Once inside, the hacker can look at bills that contain the last four digits of a social, find the bank’s email containing its login information, and much, much more. So, with only a bit of extra computer knowledge and effort, a hacker can find your social security number, hack into your email, and log in to your bank account without ever meeting you. (The government has begun to help the cause by randomizing all digits of social security numbers as of June 25, 2011.)

Even worse, if someone were to physically steal your laptop, all those saved passwords on your browser that have offered you the convenience of logging in quickly will allow your personal hacker to steal whatever information you do not want made public.

With all this being said, there are many ways to protect your data and ultimately yourself, but the most secure way to do so is through self-restraint. HTTPS and SSL encrypted websites may make your data marginally more protected, but you can make sure no one knows your location or birthplace by not posting your location on Facebook. Even as secure technology becomes more sophisticated to meet the demands of Web 2.0 users, the safest and simplest ways to maintain privacy are not found on the “Privacy Settings” page of Facebook; they are time-honored, tried and true web practices. Create a long password, not a short complicated one. Log out of websites after you have finished using them. Do not let your browser save your passwords. Limit the information you post about yourself. With these rules of thumb and more, we may maintain our privacy. Be smart, and don’t let your data destroy you.
