Back

Topics

Homedesignlocationmobiledataprivacysocial media
February 19, 2021

Copied!

Jennifer Chen

What can be discovered through a “private” social media account?

Illustration for What can be discovered through a “private” social media account?

When I first started browsing the internet, my parents always warned me about giving out real information about myself. I always made up names and birthdays, hobbies and interests were kept as general as possible, and there were no actual photos whatsoever. The internet, and especially social media, is vastly different today. Birthdays are on auto-reminder from Facebook, we can easily tag our friends in group selfies, and there’s a growing movement to normalize putting your preferred pronouns somewhere visible. There’s no denying this shift in available information is useful, and even for a good cause. Plus we have lots of data protection laws in place, so there’s nothing to worry about, right? Not to mention you can always private your social media account, which means nobody can see your posts...right?

The good news is that turning on these private modes and settings do help limit the amount of personal content you share. You can control who sees your personal thoughts and choose who to share what with. Additionally, the content of these private posts aren’t searchable. (Though this might not apply to posts made before you made your account private). But a piece of data floating around on the web is still a piece of information about you. And while those individual pieces might not reveal much, those pieces combined can reveal more than you might be comfortable with.

Even if your posts are private, aspects like your profile are almost always public to some extent: your name and/or username, profile picture, and even the content of your little blurbs and bios can give telling clues.

newscreen_a.png

newscree_b.png

Notice that even though this (okay, I’ll admit it: my) account is listed as private, you can guess a few details: preferred gender, age range, and where I might be located. Of course there’s a chance that all these data points could be false; but there is an equal chance of them being real. And in that case if they are real, there is a chance someone with nefarious purposes could take those pieces of data and put them together to create a profile about you, or use that information for identity theft, or even track you down.

Though it may not be obvious, when each individual piece of data is combined it becomes exponentially easier to create a very accurate profile about you. These pieces of information are called quasi-identifiers: information that, when combined together, form unique or semi-unique fingerprints of a particular user. By themselves, each quasi-identifier isn’t very revealing: for example, if you only know someone’s 24, there are millions of 24-year olds in the world; similarly, knowing that someone is female doesn’t reveal very much by itself, either. However, when you combine the two pieces, you then have a narrower scope: a 24 year-old female. Now this scope is still fairly broad, but let’s say then we add in another piece of information—she’s a resident of Eureka, California. Now our scope is quite narrow; and in this case, Eureka isn’t a giant city (population in 2010 was about 27,000*), so there may not be hundreds of 24-year old women living there, making it easier to narrow down to a specific person. Each addition of a quasi-identifier increases your ‘uniqueness’ among others multiplicatively**.

Even if your posts are private, aspects like your profile are almost always public to some extent: your name and/or username, profile picture, and even the content of your little blurbs and bios can give telling clues.

Let’s take a look at how this applies on your accounts. Many people use the same or very similar usernames across many different social media or online accounts. If each account contains more unique information, someone could use that username to piece together a highly specific and accurate profile of you.

Let’s say you have the same username across LinkedIn, Twitter, and Instagram. You use your real name on LinkedIn, which also specifies your current and previous occupations and your location. On your Twitter profile, you may list your age, your preferred pronouns, and city. If your profile is public, the content of your tweets can help someone assume a variety of information about you like political affiliation and interests. Again, if your Instagram is public, your posts can reveal what you look like—and with enough effort, specific locations you‘ve been to. If it’s private, any information in your bio can still be used to build that profile of you.

Since all three accounts share the same username/customized URL, someone could deduce a wealth of information about Jane Doe, who is a 25 year old female that lives in Seattle, WA, and appears to be an outdoorsy young woman with blonde hair and brown eyes.

innocently-oversharing-profile-diagram2.png

Is this really a serious problem? Most of the time, probably not. But it’s also easier than ever for chances of unscrupulous behavior to happen: identity theft, online harassment, cyberbullying, and releasing private information onto online message boards encouraging and inciting others to harass and attack them. So it’s important to be conscientious of what you post and include in your profiles, and not get lulled into a false sense of security. Here are some tips:

  • Use a nickname in your profile or only part of your real name (e.g. only going by your first name online)
  • If you post pictures of yourself, be aware of other things in the background that could potentially reveal more than you want—for example, if a license plate is visible, blur it out or cover it up
  • Show off an outfit or a room without showing your face by with stickers or icons
  • Consider “fuzzing” your data: instead of posting your exact age, you can say 18+, 20-something, or anything else that makes it difficult for someone to figure out your exact age
  • Try different usernames across different social media accounts and not linking them (e.g., linking your Instagram in your Youtube account)
  • Think about how much personal information you might be sharing when making that next post or update. Is it that important to point out how much you spent on a set of clothes, or the exact store you bought it at?
  • Leave your location out of your bio (or at least one level up from city)

Realistically, it’s very difficult to remove all traces of our identities from the internet, especially as it becomes an increasingly integral part of our life. However, that doesn’t mean we should blindly trust privacy controls to be perfect. There are definitely simple ways to limit your risk of sharing more than you want, and hopefully this gave you a better idea of what can happen with the bits and pieces of information you share—without being at my own “early internet” level of complete parent-enforced anonymity.


*https://web.archive.org/web/20120907193835/http://quickfacts.census.gov/qfd/states/06/0623042.html

**https://dataprivacylab.org/projects/identifiability/paper1.pdf