How Secure is your Twitter Account?

Who can see my Tweets?

Most people realise that Twitter is a public platform, but not everyone realises that, unless an account is protected, its tweets can be read by anyone, anywhere in the world, with or without a Twitter account, and often tell complete strangers what the author is doing and where they are going.

Tracking what you Tweet

Use the Tweet Machine below for an example of how exposed people's tweets and details are on the web, and how easy they are to find. The tweets shown belong to people tweeting about "Occupy". Try searching for a controversial or trending hashtag, or for your own Twitter username, to see how easy it is to view public tweets and how readily a hashtag ties you to a cause. If you are working in a sensitive situation and do not want your tweets or your use of particular hashtags to be visible, it is highly recommended that you make your account private:

How do I protect my Tweets?

If you are an activist or working undercover, you may want to control who can see your Tweets. Twitter publishes a privacy policy, and you can change your own privacy settings from your account settings page.

Twitter explains the difference between public and protected Tweets as follows:

  • Public Tweets (the default setting) are visible to anyone, whether or not they have a Twitter account
  • Protected Tweets may only be visible to previously approved Twitter followers

This is what an account with protected Tweets looks like to someone who is not an approved follower:

Screenshot of a protected Twitter account

How to protect your Tweets:

  1. Go to your account settings by clicking on the person icon at the top right of the page and selecting Settings from the drop-down menu.
  2. Scroll down to the Tweet privacy section and check the box next to Protect my tweets (shown below).
  3. Click the blue Save button at the bottom of the page. You will be prompted to enter your password to confirm the change.

Screenshot of the Tweet privacy section with Protect my tweets checked

Note: When you navigate to your home page after protecting your Tweets, you'll see a notice reminding you that your Tweets are now protected. The box shown above will be checked in your account settings.

Am I still protected if I sign up with another social network?

What most people don't realise is that even with a protected ("private") account, the visibility settings of the other services you connect to Twitter can still expose you and the people you are connected to. The risk is greatest when data flows between Twitter and other social tools such as YouTube, Google+ and the Foursquare check-in service (which shares your whereabouts with friends and colleagues).

It is now common, when you sign up for a new social tool, to be offered registration via your Twitter account: you grant the service access to your Twitter identity and connections, and often the right to post on your behalf, in return for a free account on the new service. Sounds easy enough, right?

The problem is that third-party software granted that access can go on to tweet automatically about where you are, what you are looking at, and your comments on any number of topics across the web. This can have dangerous implications on an assignment or an activist mission in the field: a check-in can tweet your exact location, and research you do on YouTube or Google+ into videos of the Syrian uprising or Occupy demonstrations, or news reports you "Like" or share via Google+, can be tweeted too, exposing your mission, your research and your entire network. Before accepting such a sign-in, read which permission the application asks for: Twitter distinguishes read-only access from read-and-write access, and only the latter lets an application post for you. Access you have already granted can be reviewed and revoked from the applications section of your Twitter settings.

But what if you're pretty clued up on all this, have already set your Twitter account to private and have turned off all your location settings? Your tweets, photos and followers are safe, right? Right? Not necessarily.

If you tweet and share photos with your closed network, a first glance at your Twitter account shows that it is locked, but your images may not be. If you use a third-party image service such as YFrog or Instagram, the images live on that service under its privacy settings, not Twitter's, and a profile there can be found from your username alone, revealing your whole Twitter network and the other services you use.

How can I check how exposed I am?

One way to check how exposed you are is the service Namechk.com. Enter a username you use across different social networks and it lists the services on which that username is already taken.

So, remember the user that had his/her account protected on twitter?

Protected Twitter account

Well, a Namechk search on that username lists the social network sites where an account has been set up with the same name. (A taken name is not proof that it belongs to the same person, but for a distinctive username the match is usually right, and anyone investigating you will make the same assumption.)

Namechk search results for the same username

A quick click through to the Yfrog account set up with the same username shows that, although this user is very sensibly not sharing any images, all their followers, whom you are restricted from viewing on Twitter, are suddenly exposed via Yfrog:

Yfrog followers exposed

So, if you use image services such as Flickr or Yfrog and those accounts are not private, every image you share there can be traced back to you. On Flickr, set the privacy of each photo (or the default for new uploads) to something other than Public, and additionally hide your photostream from search engines; hiding from search alone only makes the images harder to find, not inaccessible. Yfrog, unfortunately, offers no such protection, so images posted there will always be visible.

Can people see where I am when I tweet?

Twitter's own "Tweet location" feature is off until you turn it on, but mobile clients and check-in services prompt you to attach a location, and once you have accepted, it stays on for every tweet. See below for screenshots and a map of tweets that people shared from their phones about the Syrian uprising. If you tweet from your phone with location on, then you, and those you tweet to, can be tracked by the authorities:

Some automatic tweets from Syria via smartphones: these reveal the location of individuals using Foursquare near the Syrian border (the individuals' identities have been blurred so that they remain anonymous):

Syria auto tweet via Foursquare #1

Syria auto tweet via Foursquare #3

Syria auto tweet via Foursquare #4

A map created from the geo-location revealed by the Foursquare tweets above (usernames omitted to protect anonymity):
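Maps like the one above are built from the location Twitter attaches to each tweet. The script below is an added example, not part of the original article: it pulls that location out of the JSON the Twitter REST API (v1.1) returns and emits GeoJSON that any web map can plot. The tweets are constructed samples with invented usernames; the field layout is Twitter's: "coordinates" is a GeoJSON point in longitude, latitude order, the older "geo" field is in latitude, longitude order, and "place" is a named region with a bounding box. Mixing the two orders up puts every point in the wrong hemisphere, which is the most common mistake in scripts of this kind.

```python
import json

# Constructed sample tweets in the shape of Twitter's REST API v1.1 JSON.
# Only the fields this example reads are present; the users are invented.
SAMPLE_TWEETS = [
    {"id_str": "1", "user": {"screen_name": "example_a"},
     "text": "On my way to the demonstration",
     "coordinates": {"type": "Point", "coordinates": [-0.1278, 51.5074]},
     "place": None},
    {"id_str": "2", "user": {"screen_name": "example_b"},
     "text": "Meeting at the usual place",
     "coordinates": None,
     "place": {"full_name": "Westminster, London", "place_type": "neighborhood",
               "bounding_box": {"type": "Polygon", "coordinates": [[
                   [-0.15, 51.49], [-0.15, 51.51], [-0.11, 51.51], [-0.11, 51.49]]]}}},
    {"id_str": "3", "user": {"screen_name": "example_c"},
     "text": "Nothing to see here", "coordinates": None, "place": None},
]


def tweet_location(tweet):
    """Return (lat, lon, precision) for a tweet, or None if it carries no location.

    precision is "point" when the client attached exact coordinates and "area"
    when only a Twitter Place (a named region with a bounding box) is attached.
    """
    c = tweet.get("coordinates")
    if c and c.get("type") == "Point":
        lon, lat = c["coordinates"]          # GeoJSON order is [longitude, latitude]
        return lat, lon, "point"
    g = tweet.get("geo")                      # older field, [latitude, longitude]
    if g and g.get("type") == "Point":
        lat, lon = g["coordinates"]
        return lat, lon, "point"
    p = tweet.get("place")
    if p and p.get("bounding_box"):
        ring = p["bounding_box"]["coordinates"][0]
        lats = [pt[1] for pt in ring]
        lons = [pt[0] for pt in ring]
        # Centre of the bounding box: precise enough to put the Place on a map.
        return (min(lats) + max(lats)) / 2, (min(lons) + max(lons)) / 2, "area"
    return None


def exposure_report(tweets):
    """List every tweet that reveals a location, with the user and how precisely."""
    rows = []
    for t in tweets:
        loc = tweet_location(t)
        if loc is None:
            continue
        lat, lon, precision = loc
        place = t.get("place") or {}
        rows.append({"user": t["user"]["screen_name"], "id": t["id_str"],
                     "lat": round(lat, 4), "lon": round(lon, 4),
                     "precision": precision, "place": place.get("full_name")})
    return rows


def to_geojson(rows):
    """Turn the report into a GeoJSON FeatureCollection that web maps can plot."""
    features = [{"type": "Feature",
                 "geometry": {"type": "Point", "coordinates": [r["lon"], r["lat"]]},
                 "properties": {k: r[k] for k in ("user", "id", "precision", "place")}}
                for r in rows]
    return {"type": "FeatureCollection", "features": features}


if __name__ == "__main__":
    report = exposure_report(SAMPLE_TWEETS)
    for r in report:
        print(f"@{r['user']:<10} {r['lat']:>9.4f} {r['lon']:>9.4f} {r['precision']}")
    print(json.dumps(to_geojson(report), indent=1))
```

Run it against the JSON of a user's timeline or a hashtag search and the report shows, per tweet, whether the author handed out an exact point or only a neighbourhood; an account that never attached coordinates but is tagged with the same Place day after day still reveals a routine.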

More on using Foursquare

If you use the popular Foursquare network to share your location with your friends, this may open you up to location tracking. If you sign up with your Twitter details, Foursquare can tweet each check-in automatically; check that sharing setting rather than assuming it is off. You can find out whether your account, or a friend's or colleague's, is visible by using the service below. It is, unfortunately, called "Please Rob Me", after the case of a man who messaged that he was away from home and was burgled because of it. The goal of the service is to raise awareness of this issue and have people think about how they use services like Foursquare, Brightkite and Google Buzz: everybody can get this information.

Auto tweets

So how do I disable geotagging?

The easiest way to stop publishing this information for all to see is to disable geotagging (location services) on your smartphone.

Disabling on your phone

Many phones on the market geotag the pictures they take, writing the coordinates into the image file itself, and let apps read the current location. The Apple iPhone is one of them:
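A geotagged photo carries its coordinates in Exif metadata, a small TIFF structure inside the JPEG's APP1 segment, and an image service that does not strip metadata hands them to anyone who downloads the file. The script below is an added example, not part of the original article: it reads the GPS tags out of a JPEG and produces a copy with the Exif segment removed, so you can check a photo before uploading it. The sample file is built in code (a constructed fixture with made-up coordinates and no pixel data) so the example runs offline; the Exif layout it builds and parses (IFD0, the GPS IFD pointer tag 0x8825, GPSLatitudeRef/GPSLatitude/GPSLongitudeRef/GPSLongitude as tags 1 to 4) is the standard one.

```python
import struct

SOI, EOI = b"\xff\xd8", b"\xff\xd9"
EXIF_HEADER = b"Exif\x00\x00"
GPS_IFD_TAG = 0x8825
TYPE_SIZE = {1: 1, 2: 1, 3: 2, 4: 4, 5: 8, 7: 1, 9: 4, 10: 8}  # TIFF field types


def split_jpeg(jpeg):
    """Split a JPEG into (segments, tail): segments is a list of (marker, raw)
    header segments, raw including marker and length; tail starts at SOS or EOI."""
    if jpeg[:2] != SOI:
        raise ValueError("not a JPEG: missing SOI marker")
    segments, pos = [], 2
    while pos + 4 <= len(jpeg) and jpeg[pos] == 0xFF:
        marker = jpeg[pos + 1]
        if marker in (0xDA, 0xD9):              # SOS or EOI: headers are over
            break
        length = struct.unpack(">H", jpeg[pos + 2:pos + 4])[0]
        segments.append((marker, jpeg[pos:pos + 2 + length]))
        pos += 2 + length
    return segments, jpeg[pos:]


def _is_exif(marker, raw):
    return marker == 0xE1 and raw[4:10] == EXIF_HEADER


def _gps_from_tiff(tiff):
    """Walk IFD0 -> GPS IFD; return (lat, lon) in decimal degrees or None."""
    bo = {b"II": "<", b"MM": ">"}[tiff[:2]]     # byte order declared by the file
    u16 = lambda off: struct.unpack_from(bo + "H", tiff, off)[0]
    u32 = lambda off: struct.unpack_from(bo + "I", tiff, off)[0]
    if u16(2) != 42:
        raise ValueError("bad TIFF magic in Exif segment")

    def read_ifd(off):  # tag -> (type, count, position of the 4-byte value/offset field)
        return {u16(e): (u16(e + 2), u32(e + 4), e + 8)
                for e in range(off + 2, off + 2 + 12 * u16(off), 12)}

    def value(entry):
        typ, count, field = entry
        size = TYPE_SIZE[typ] * count
        start = field if size <= 4 else u32(field)  # 4 bytes or fewer sit inline
        return tiff[start:start + size]

    def dms(entry):  # three RATIONALs (num/den pairs): degrees, minutes, seconds
        n = struct.unpack(bo + "6I", value(entry))
        return n[0] / n[1] + n[2] / n[3] / 60 + n[4] / n[5] / 3600

    ifd0 = read_ifd(u32(4))
    if GPS_IFD_TAG not in ifd0:
        return None
    gps = read_ifd(u32(ifd0[GPS_IFD_TAG][2]))
    if not all(tag in gps for tag in (1, 2, 3, 4)):  # LatRef, Lat, LonRef, Lon
        return None
    lat = dms(gps[2]) * (-1 if value(gps[1]).startswith(b"S") else 1)
    lon = dms(gps[4]) * (-1 if value(gps[3]).startswith(b"W") else 1)
    return round(lat, 6), round(lon, 6)


def exif_gps(jpeg):
    """Return the (lat, lon) a JPEG's Exif GPS tags reveal, or None."""
    for marker, raw in split_jpeg(jpeg)[0]:
        if _is_exif(marker, raw):
            return _gps_from_tiff(raw[10:])      # skip marker, length, "Exif\0\0"
    return None


def strip_exif(jpeg):
    """Return the JPEG with every Exif segment removed; pixel data is untouched."""
    segments, tail = split_jpeg(jpeg)
    return SOI + b"".join(raw for m, raw in segments if not _is_exif(m, raw)) + tail


def make_geotagged_jpeg(lat, lon):
    """Constructed fixture: SOI, an Exif segment holding only a GPS IFD, EOI.
    No pixel data, so it will not display; cameras wrap the same TIFF layout."""
    def entry(tag, typ, count, val4):
        return struct.pack(">HHI", tag, typ, count) + val4

    def rationals(deg):
        deg = abs(deg)
        d, m = int(deg), int((deg - int(deg)) * 60)
        s = round(((deg - d) * 60 - m) * 6000)   # seconds to two decimals
        return struct.pack(">6I", d, 1, m, 1, s, 100)

    ifd0_off = 8
    gps_off = ifd0_off + 2 + 12 + 4               # IFD0: count, one entry, next
    data_off = gps_off + 2 + 4 * 12 + 4           # GPS IFD: count, four entries, next
    tiff = (b"MM" + struct.pack(">HI", 42, ifd0_off)
            + struct.pack(">H", 1)
            + entry(GPS_IFD_TAG, 4, 1, struct.pack(">I", gps_off))
            + struct.pack(">I", 0)
            + struct.pack(">H", 4)
            + entry(1, 2, 2, (b"S" if lat < 0 else b"N") + b"\x00\x00\x00")
            + entry(2, 5, 3, struct.pack(">I", data_off))
            + entry(3, 2, 2, (b"W" if lon < 0 else b"E") + b"\x00\x00\x00")
            + entry(4, 5, 3, struct.pack(">I", data_off + 24))
            + struct.pack(">I", 0)
            + rationals(lat) + rationals(lon))
    payload = EXIF_HEADER + tiff
    return SOI + b"\xff\xe1" + struct.pack(">H", len(payload) + 2) + payload + EOI


# Constructed sample with made-up coordinates, not taken from any real photo.
SAMPLE_JPEG = make_geotagged_jpeg(51.5, -0.125)

if __name__ == "__main__":
    print("before upload:", exif_gps(SAMPLE_JPEG))              # (51.5, -0.125)
    print("after strip:  ", exif_gps(strip_exif(SAMPLE_JPEG)))  # None
```

Two caveats: location can also travel in XMP (another APP1 segment) or IPTC metadata, which this example leaves alone, and whether a given image service strips metadata on upload is something to verify with a test image rather than assume. Turning geotagging off at the phone, as described next, prevents the coordinates being written in the first place.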

iPhone (iOS 4.x - 5.x)

Apple has greatly simplified turning off location services per application. Go to Settings, General, then Location Services (on iOS 5, Location Services sits directly under Settings); from there you can choose which applications may access your GPS coordinates, or disable location services entirely. Note that unless you disable location services altogether, your use of the phone's maps, camera and other apps will still be traceable. Disabling location services stops apps from learning and publishing where you are, but it does not hide the handset from the network: the mobile operator can still locate the phone from the cell it is attached to. For covert work, turn location services off entirely and, where the operator itself is a concern, switch the phone off or leave it behind.

iPhone location services

Other smartphones

BlackBerry

The process can differ between BlackBerry OS versions, but in general terms, open Options > Advanced Options > GPS and then alter the Location Aiding setting to Disabled.

Android

Open Menu > Settings > Location & security and clear the Use wireless networks and Use GPS satellites options under My Location.

Windows Phone

Open Settings > Location to disable all location data sharing. To stop a specific app sharing data from GPS or cellular triangulation, go to Settings > Applications, find the app in question and flick its Use my location switch to Off. If the app you're looking for is not listed, open it as normal and use the app's own settings menu.

Summary

Here is a quick summary of security on Twitter:

How safe is your Twitter account?

Alternatives to Twitter

If you are worried about using Twitter, there are some alternatives that you can use:

Identi.ca is a microblogging service.  Identi.ca describes how it is different from Twitter:

Like Twitter, Identi.ca is a light service with a stream-oriented interface. It uses @-replies, hashtags, provides search, and has private messages. It provides an API, and can be integrated with SMS systems. You can create lists.

Unlike Twitter, Identi.ca allows more data than just plain text and links to travel across the network. You can install the StatusNet software that runs Identi.ca on your own servers, since it's Free and Open Source software. You can make groups, and share privately with those groups.

You can make your site available only to people you choose. You can customize it with your own themes and plugins, or download plugins from the StatusNet site.

See more at: http://identi.ca/

  • Friendica (formerly known as Friendika) is open source software that implements a distributed social network, with an emphasis on extensive privacy settings and easy server installation. It can interoperate with Identi.ca and other StatusNet sites through the OStatus protocol.
    See more at: http://friendica.com/
  • SecureShare is a framework for sufficiently safe social interaction. It covers safe communication such as:
    1. updates, comments, postings, messages, files and chat are only visible to the intended recipients (not the administrators of any servers or routers)
    2. the type and content of a message cannot be guessed at by looking at its size
    3. communication between parties cannot be measured as they may have none to several routing hops in-between. An observer never knows whether a communication came from where it appears to come from and ends where it is going to.
    4. automatic responses and forwarded messages can intentionally be delayed so that an observer cannot tell two communications are related
    5. communications cannot be decrypted weeks later, just because the attacker gained access to one of the involved private keys (forward secrecy)
    6. even if an attacker gains access to a cleartext log, there is no proof the material was actually ever transmitted by anyone (for a case in court mere data would not suffice, you need actual testimonies)
    7. the list of contacts is never managed on potentially unsafe servers, it is only visible to those it should be visible to
    8. the infrastructure is robust and resilient against attacks

    See more at: http://secushare.org/

Prevention