April 28, 2020
Contact: Eric Stann, 573-882-3346, StannE@missouri.edu
The views and opinions expressed in this “for expert comment” release are based on research and/or opinions of the researcher(s) and/or faculty member(s) and do not reflect the university’s official stance.
As more people turn to social media for their social interactions during the COVID-19 stay-at-home orders, a University of Missouri researcher suggests oversharing on social media can give hackers additional opportunities to steal a person’s personal information.
“We cannot go out and socialize during this pandemic, so people are turning to social media to share what is going on with their lives,” said Dan Lin, an associate professor of electrical engineering and computer science, and director of the I-Privacy Laboratory at the College of Engineering. “But it can be risky.”
Before a person decides to play along with the latest social media challenge, or post a picture of their family home, Lin said to consider the following three tips:
Beware of online challenge games
Online games that challenge people to answer a few questions about themselves, or post an image, seem innocent enough. But these games can often extract sensitive information about a person, such as their first job, their first car or their mother’s maiden name — all of which can give hackers answers to commonly used security questions used on other websites such as online banking.
Lin notes two recent challenges as opportunities for hackers to steal a person’s information. Recently, social media users were asked to post their senior photos as a way to support the Class of 2020. But hackers can use those photos to gain the name of a person’s high school and graduation year. Additionally, social media users have been asked to share photos of their mothers for Mother’s Day. But those images could put a person’s mother at risk by revealing identifiable information and provide clues as to whether the mother lives alone.
“If you want to celebrate with your mother, talking to her is better than sharing her picture with strangers,” Lin said.
Consider photo backgrounds
Images taken with digital cameras contain metadata that can provide information about the photo, such as where and when it was taken. While many social media platforms automatically remove that information when a photo is posted online, Lin warns that publishing images without first deleting the metadata can provide hackers with information a person did not intend to share, such as the GPS location of the place that the photo was taken. She suggests removing metadata by opening the photo file and deleting this information, or using existing metadata removal software.
Lin said people also should be aware of what is present in the background of their photos. She suggests avoiding posting images that show a house number, vehicle or unique decorative household items that can help hackers locate a person. It can also reveal personal information that a person may not want to have shared in the public realm.
Privacy settings matter
While privacy settings from social media providers have improved over the last several years, it’s still easy for hackers to bypass that security, Lin said. Even if a person has blocked someone from seeing their information, another user connected with that person can save their information and pass it along to people outside of their connections — sometimes without their knowledge.
Therefore, Lin said if a person does not want something to be publicly seen by everyone, including strangers, it’s best not to share it at all.
Using artificial intelligence to strengthen online privacy
Lin is currently researching how artificial intelligence can help social media providers offer more advanced levels of privacy.
One strategy involves predicting what type of photo is being posted and alerting the user to how that image may be used by others. For instance, if someone wants to share an image with a select group of friends, the system could warn the user that their photo could still be viewed by friends of those friends, including people they intentionally excluded from the group.
A second strategy would allow social media channels to automatically recommend privacy protections for a particular image based on the type of photo and past user behavior. A family photo, for instance, could come with automatic privacy settings blocking others from sharing or downloading it. However, a funny picture of a pet might come with fewer security recommendations.
A more advanced method involves facial replacement in group photos. Rather than blurring out someone’s face in a photo of a class or public setting, which draws the attention of a hacker, this method allows social media providers to replace a person’s likeness with a synthetic facial image based on the person’s privacy needs obtained from his or her past behavior. The change would be subtle enough that those looking at the photo would not be able to tell it had been altered, Lin said.
Ultimately, Lin said it’s up to social media companies to determine whether to implement new security strategies. Until then, people should be cautious about what they choose to post on social media. Anything posted online never fully disappears — even if it’s deleted immediately.