Last Saturday I presented to students taking part in the brilliant Young Journalist Academy.
The topic was “New Media” (not my title) and the primary aim was to get them up and running with their own blog and learn to publish online.
However, I also knew it would be the perfect opportunity to gauge just how aware a group of bright, 16 and 17-year-olds were on the issues of web privacy and of just how easy it is to track down information about people online.
The case study I included shocked them, especially when it came to Facebook privacy.
I won’t be publishing it online in order to protect the identity of the individuals involved. However, I have been asked to explain the process I went through to obtain the information that I did. This is the purpose of this post.
It frightens me how simple it was to get all that I did.
I chose a few keywords “gunfire, shot, attack, missile” and ran them through Twitter search. Most of what I get back is utter rubbish. However, a few genuine tweets shine out. One in particular is particularly interesting: it references the first name of a person and says they were coming under attack. It also uses some army jargon that seems genuine.
I check the Twitter profile of the tweet. It provides me with what looked like the real name of the person tweeting, a profile picture, the town they live in and a profile description which connects them to the US military.
I use Google to search for their full name and the town in which they live. This brings up two results on White Pages. One of these is associated with a person who had the same first name as the person mentioned in the original tweet. It looks like I may now have their home address and phone number (I haven’t called to check though).
I use Google again to search for the full name of the person mentioned in the tweet and find a Linkedin profile that matches the name and location. It also provides a military job title that makes perfect sense in the context of the tweet.
I conduct a number of Google searches that include the name of the person mentioned in the tweet, their location and their job title in an attempt to find out more information about where they might be.
This is not so easy, but thanks to a local military historian and an interview with someone else on a military history website I can make a very good guess at the regiment they serve in and where they are currently stationed. I imagine if I hadn’t come to this topic cold, I could find more ways to search or, indeed, could make a few useful phonecalls at this point…
Google again. This time I search for both the name of the person in the tweet and the name of the tweeter. This brings up a profile on the website of a small business.
The “About Us” section has an entry about the tweeter. They are a member of staff. There is a profile picture (the same one used on Twitter), job title and some friendly information about them confirming: that they are married to the person mentioned in the tweet, how long they have been married, the names of their children, their email address and the organisations that they volunteer with in their spare time.
I Google (again) the name of an organisation I now know the group the couple volunteer for. It has a public Facebook page. One scan for the tweeter’s first name on that page uncovers comments left by a Facebook profile that the couple share.
Clicking onto the couple’s Facebook profile reveals that they must have Facebook’s recommended privacy settings. This means that all their past profile pictures are publicly visible. So, I now have a lovely family photo to go with the names of the couple and their children.
The couple have also been fantastically diligent with linking up with family members on Facebook. This means I now also get to see a list of profiles for the extended family. I learn the maiden name of the wife. It also turns out her mother has no privacy settings on her profile at all – her wall and all her photos are available to browse.
However, I don’t browse them.
I’ve gone from one tweet to knowing an entire family’s names, location, address, contact details, what they look like, how they are connected to the military and, potentially, where a part of the US army is coming under fire.
I stop there because I am already completely freaked out by just how far I’ve already got from a few Google searches.
It’s easy to say it’s incumbent on the individual to protect their own privacy, but it’s hard to see how we can always stop this type of jigsaw identification of people online. Sometimes people are mentioned online without them even knowing. Certainly having stricter default Facebook privacy settings would help, but it’s not the only answer.
The PCC has started to issue guidelines to journalists about how they use information from social media profiles in their stories and anything obtained online is still subject to the “public interest” test. However, the “reasonable expectation of privacy” guidance doesn’t feel that well tested yet – especially when you can easily build up a picture of someone from fragments from numerous public websites. I’d be interested to get some more information about the law in this area.
Even if it had, I am sure there are those who would still be interested in using this type of technique for their own purposes and would not feel bound by any ethical code…