The Social Media Dichotomy - Public Privacy
Elon Musk has begun his tear-down of Twitter. TikTok is a punching bag for politicians who want to appear tough on privacy. There are options.
Between the renewed hand-wringing over TikTok and Mr. Musk's new side hustle as Twitter owner and active CEO, social media is in the spotlight in a way it hasn't been for some time. We've had a number of years of relative stability in which Facebook, Instagram, and Twitter were the systems people thought of when they thought of "social media." But that has changed. Mastodon, Post, Hive, and others are suddenly in the spotlight. These three, in particular, are nascent, just starting to grow. The infosec.exchange Mastodon instance alone has gone from ~200 users to ~40,000 in less than 2 months. Post has a huge wait-list, and Hive is having security issues that have caused it to shut down the site temporarily, and even remove its app from the app stores for a time.
This relative immaturity may not make these any less secure than the big players - just do a search for any of the big ones and the words "security" or "breach" and you'll quickly recognize that your data was probably not as well protected on those sites as you may have hoped. (Observant readers will note I haven't specifically brought up this site - infer whatever you wish from that.) But that's the dichotomy, isn't it? We want to share, but we want to control who we share with - at least for some of our data.
There's an old adage that if two people know something it isn't a secret. And yet the point of social media is to share. It is the life-blood of these platforms, and is the intoxicating draw for so many of us to them. So whether you choose to stick with the old guard, embrace the up-and-comers, or hedge your bets by hanging around on several, I wanted to hit on the push-and-pull between public and private on social media sites.
For starters, let's recognize that security is a prerequisite for privacy. An insecure site is most definitely not private - as the deluge of breach notices from sites has demonstrated time and time again. But a secure site may not be private either - at least not as private as you might expect or hope. Meta, as an example, has a well-documented history of sharing user data with advertisers as well as with other groups that paid well enough. TikTok is alleged to be sharing everything it collects with the Chinese government. (An allegation I'd assume is levied against US-based social media sites in reverse, but let's set that aside for the moment.)
Privacy also requires a reliable means of verifying who you allow to access your data. Identity and Access Management (IAM) is critical here. Twitter had one of the best solutions in the world for validating high-profile users - the infamous "blue checkmark" served as a public indicator of that validation until late 2022, when it became something that meant you were either validated OR you had just paid to get that mark. But even when that system worked well it was designed only for high-profile accounts. There was no particularly good way to validate that the Bill Bernard you found on one of these sites was really me, something we see taken advantage of daily by people creating doppelganger accounts on systems like Facebook. So how confident are you that you're sharing your private data with the person you think you are?
So if we can agree that existing social media is far from private, then we can allow for the fact that these new companies may have similar issues - even though they may be trying to improve on the security and privacy records of their predecessors. So what to do about it?
- Assume your communications are public. Pretend your posts and conversations are taking place at a busy event, like a sporting event or an airport. While not everyone can hear you directly, the people nearby can, and who knows, they might be recording you. None of that means that you stop talking, but let it guide your discussion.
- Validate who you're communicating with. Not so important for innocuous conversation, but extremely important for sensitive topics. If you can't trust the validation available from that social media service, then don't share sensitive information.
- Pick another solution for having important, private conversations. A web meeting, a phone call, or an end-to-end encrypted solution like Signal are often far better choices for communicating sensitive information, unless you're absolutely confident that your social media solution is really protecting your most sensitive conversations.
- If you don't want companies selling access to your data, choose not-for-profit apps. As I've already pointed out, bad security leads to bad privacy, but so do draconian EULAs that allow a for-profit company to share all sorts of info about you with other companies for money. Several of this newer crop of social media solutions eschew this idea altogether, cutting down on "legitimate" sharing of your data. Even better, some of them allow you to host your own "node" on the network, making you ultimately responsible for both your own security and your own privacy (as well as a bunch of legal requirements). Be warned though, not-for-profit doesn't mean "doesn't cost anything to provide this service." Without the income generated by selling your data, these apps will need donations to run - making them likely to cost you actual dollars to use. Or, said differently, you get to put a price on your own privacy.
There's no doubt that none of these solutions is ideal - they all have their privacy and security concerns. And that doesn't even take into account online stalking and other dangers in our online communities. So as you're choosing either to stay with your existing providers or move to others, keep these privacy and security thoughts in mind to limit your exposure and manage your personal risk online. And as you learn more about the platform you're on, you can adjust accordingly. I hope to interact with you out there as you do.
Originally published on LinkedIn on December 22, 2022