In this section, follow us as we explore, illuminate and expose different aspects of the digital shadows cast by our online activities.
Me and My Shadow Flipcards
We have created a set of 7 cards that you can download, print out and distribute to friends and colleagues. These cards are aimed at raising awareness about our 'digital shadows' and providing information about how to protect your privacy.
Their topics are:
- What are Digital Shadows?
- Nothing to Hide
- Assessing the Risks
- Endangering Others
- Does Encryption Still Work?
What are Digital Shadows?
Posting pictures on Facebook or sharing views about movies is part of what makes the internet fun. We can keep track of old friends, find obscure food recipes and share photos. But every service we use keeps information about us and some keep information about our friends and contacts.
Our digital shadow is the collection of information about ourselves that we leave online. This can be useful as it helps us to remember things we might forget, but it can also be difficult to control.
We give some information knowingly. For example:
- giving our location to get information about services around us
- entering our credit card information to buy things
- uploading pictures of conferences for others to enjoy
What if some of this information gets into the wrong hands and lets others know where we are, who we are with and what we are doing? The good news is that we can choose the kind of information that we leave behind. It’s important to know the difference between the information we leave behind that’s a problem, and the information that isn’t. Find out more at:
The internet collects information that we may not know about, or pay attention to, such as:
- the exact location of where we are when we upload a picture
- the history of the web searches and websites we visit
- a list of everyone we sent messages to on any given day
When the internet is used for sharing sensitive information, digital shadows can be problematic. If you are a rights or a transparency advocate, an activist, a journalist, a blogger, or any other kind of active individual trying to increase accountability and address injustice, digital technology has great potential for mobilising, organising and campaigning.
Often people post videos, pictures and reports which show the same event from different angles. These images and videos can show more information than what is initially apparent:
- information about where and when they were taken
- more detail about the backgrounds or the contexts of situations than was originally intended
However, it is not just sympathisers and allies who look at this information - and the digital shadows behind it. Adversaries do too. And since the internet ‘never forgets’, trouble can also come at a later time, when the political situation has changed.
Keep your information safe and your unintentional traces to a minimum. There are many online tools to help you including:
Nothing to Hide
“Why shouldn't I be public about what I do – I'm not doing anything wrong!” is a typical reaction by most of us when being asked to protect our privacy. But “nothing to hide” is not the same as “everything for show”.
Have you wondered why anyone would want to log information about your life, distribute parts of it, use it without your permission, or use it in a way that misinforms others about you? Sometimes you might like to keep some pieces of information private even though there is nothing bad, wrong, shameful or illegal about them. Here are a couple of examples:
- a serious illness, or pregnancy – because you want time to think about it privately first and you might not want people to know.
- details about your children – because they depend on you for their security.
Perhaps without realising it, we share some of our intimate information online. Your status update could include your location and alert people to the fact that you're away from home; did you want to let everyone know?
Just as it's your choice to share, it's your choice to be private. Once you have shared something online it can be difficult to delete it later. Think carefully about the personal information you share and where you share it - some networking sites consider anything you post to be their property. Should it be?
Sometimes it's clear why you need to hide information, even if normally you would prefer not to. For example:
- members of minorities can be discriminated against when it becomes apparent who they are.
- the safety of victims of domestic violence depends on being able to stay private.
What passes as 'illegal' activity can change. Sometimes, people who want to bring about change in their society face threats which make sharing their personal information particularly risky. Redefining what is legal and what is not can be a way to persecute people, and previously collected information about them is often used to support this.
It is sometimes said that we need to give up some of our freedom or privacy to be more secure. But reducing our privacy can also make us less secure. The feeling of being watched changes the way we behave, making us want to avoid negative reactions from those who are observing us. Trading our privacy for the sake of security may end up with us having less of both.
Assessing the Risks
It can be overwhelming to read about the dangers of online activity almost every other week:
- thieves can break into your house by combining your address (Facebook) with the fact that you're not at home (Twitter)
- an email you receive could have a link to a video showing human rights violations and when you click on the link, your computer becomes infected with malicious software
- your online communication can be intercepted by third parties.
It is possible to minimise the risks you face. Sometimes we choose to take a risk because we think the chances of something going wrong are too low for us to change our behaviour. On other occasions we may decide we don't want to take a risk – we may even realise that others could be affected by our actions.
To be able to make a good decision about a risk we need to know what our options are, what the consequences of taking those options are and what we can do to manage the consequences. Here are some places to find tools that will help you reduce risks:
- the privacy settings of your software and social networking sites
- Passfault where you can learn about making more secure passwords
- HTTPS Everywhere where you can learn about using secure online connections
Activists are often willing to take risks. However, the problem with using digital tools is that sometimes you don't know the risks you are taking. It can be hard to know how to manage the risks of using particular digital tools. Will it do more good not to expose anyone or to seek as much public attention as possible? How can we avoid unintentionally doing harm? Looking back, it is easy to decide, but when you encounter a situation for the first time, it rarely is.
There are things you can do to minimise the risks:
- what or who is it that you want to protect? If, for example, it is unlikely that someone will physically enter the place where you are – because you work from another country for example – you may need to think more about how to secure your online communication.
- what kind of threats are you likely to encounter? Could the data you are collecting be compromised, copied, or destroyed? Are you the one in danger, or are the people who share information with you more likely to be at risk? Try to prioritise possible dangers as this will help you find the right solutions.
- what digital security vulnerabilities could be exposed from the threats you face? Identify the methods and tools that can protect you.
- what are your capacities? If encryption is illegal where you are, you may have to consider hiding encrypted data; a better choice might be to not use encryption at all.
- situations are constantly changing, even more so in unstable environments. Take the time to regularly re-evaluate.
Attaching names to pictures you post online is an easy way to share who else attended the same workshop or gathering as you did. Tagging pictures is a nice way to attribute an inspiring talk at a conference to the person who gave it -or share who else was there.
Social networking sites give us the opportunity to share who we were with, meet new friends and then maybe also their friends. Sometimes we are asked to enter our email address so that we can find out which friends are using the same service. When we share information about others within a social network we may be giving away information that was given to us in confidence. So it is important to make sure that you:
- always ask whether it's ok to share information about others online
- don't accept someone as a friend in a network without actually knowing them
- don't let applications access your email account by giving away your email password
Reporting about Human Rights advocates or communities at risk is a great and important way to support those in danger. It's important, however, to realise that you are carrying a huge responsibility for those you write about. So think very carefully whether you are unintentionally giving away information that could help adversaries to identify those you are writing about.
In some situations, high visibility can help to protect individuals who face threats. Public attention can ensure that their rights aren't violated while no-one is watching. However, the identities of fellow activists, friends or family may be exposed this way too. Things you can do to help:
- choose secure ways to communicate even when you are in a hurry
- protect your contacts by encrypting the data you keep about them
- make sure that videos or pictures you publish are not indicative of a context that shouldn't be public
Companies that run websites often keep information about us to deliver what we 'need' more effectively. Advertisements on web pages are often related to our previous searches and other online activities.
But the companies keeping this information know a lot more about us: where we are, what computer or mobile device we use, what we have been looking at online. If we log into an account, they know our name, mail address and more; even if you use a different name to log in, your computer and browser will probably still identify you.
Sometimes information left behind from your online activities can be used against you:
- searching online for information about cancer or other serious health problems may result in an increase in your health insurance contributions in some countries.
- banks are starting to use information gathered through social networking sites for decisions about whom to give credit.
This may not even be information about you: it could be a friend using your computer which is associated with your identity, and mistakenly attributing the online behaviour on a device to its primary user. But these are not the only possible negative consequences of your online behaviour being tracked.
If you are doing sensitive or investigative work, the risks are greater. Adversaries can paint a better picture of your activities and who you are, using tools that combine online information available about you from a variety of your activities, including:
- social networking
- online file storage
- online shopping
- photo sharing
- general browsing
You may think that information about you online is private, uninteresting, or hard to find, but with the help of simple tools, individual pieces of information can be combined to create quite an extensive profile, including:
- details of your whereabouts (current and in the past)
- history of your activities and interests (online and offline)
- proof of your presence at certain events
- list of your friends and allies
- records of your correspondence and other documents
To mitigate this, consider limiting the information connected to you that appears online. You can also browse anonymously, take steps to minimise online tracking and use different account names and platforms.
In 2013, the world learnt that American telecommunications companies had been submitting their phone call and email metadata to the USA's intelligence gathering apparatus, the NSA. Some argue that if the content wasn't being harvested, what was the harm?
What is metadata?
Metadata is information that comes into existence when a phone call or an email is created:
- the phone numbers and locations of the caller and the receiver of the call
- the time and duration of the call
- the serial numbers of the phones
- email addresses
- time and location of where the email was sent
- the contents of the subject line
You can unwittingly give away information - for example, the fact that you were part of a protest - through the metadata of your calls and emails. People watching you don't need to know precisely what you said, they can draw conclusions by analysing the metadata that your communications produce over time.
Another form of metadata can be found stored in images, videos, pdf files and word documents, including:
- the time and date a file was created
- the username of the person who created or edited it
- information about the device that created it
Publishing pictures of police officers who are doing something illegal can expose the photographer if it includes metadata of when and where the pictures were taken and identifies which type of camera or phone was used.
The same is true for a flyer that calls for a protest or educates the neighbourhood about a local problem. Word documents or PDF files can give away information about the author. To learn how you can remove the metadata of files read:
Does Encryption Still Work?
It is not easy to know if it is still possible to secure our communication. During a question and answer session hosted by the Guardian shortly after Edward Snowden started leaking the ways the NSA and other secret services are surveilling us, a reader asked “Can encryption defeat NSA surveilllance ? Is my data protected by standard encryption?“ Edward Snowden replied:
"Encryption works. Properly implemented strong crypto systems are one of the few things that you can rely on."
While perfect security is and will remain unachievable, with the right tools and tactics we can still protect our digital privacy and security:
- encrypt your email by using GPG
- encrypt your instant messages by using OTR
- encrypt your browsing by using TOR
We have also learned that many commercial providers such as Google, Facebook, Apple, Yahoo and Microsoft, co-operate with the NSA. Sometimes these companies are forced to remain silent about their collaboration. It is hard to tell what systems, standards, services and tools the NSA and its allies have attempted to undermine, but security researchers assure us about the core technology behind most of the secure communication software.
Here are also some general principles to keep in mind when using digital communication:
- where possible, avoid using the software and services mentioned above.
- choose open source software as this is the only software that can be verified by independent experts.
- use local providers instead of services that are hosted in the cloud or in countries known to co-operate with the NSA.
- use strong keys: for GPG, use at least a 2048 bit RSA key.
Download a pdf of of all seven cards for print (2.8MB)
Feel free to download, print and distribute them as they are published with a Creative Commons License.
Illustrations by Leo Koppelkamm