How posting personal and business photos can be a security risk

Marketers in every industry enjoy evidencing their reach to their superiors and providing tangible examples of their width and breadth of influence via social networks, media, and other means of engagement. Photos of both customers and employees engaging at hosted social events, trade shows, conferences, and direct one-on-one encounters are often viewed as gold. Couple this with the individual employee’s or customer’s photos working their way onto social network platforms for others to see and admire, and the value of that gold increases, success being quantified by impressions, views and individual engagements.

Harvesting photo data for competitive intelligence, targeting attacks

The value of that gold doubles when not only does the company harvest data and call it a success, but their competitors also analyze such photos capturing a plethora of useful data points, including geotagged data, metadata of the photo, and identity of the individuals caught in the frame. They, too, call it a success. Yes, the digital engagement involving location data and or location hints within photos is a double-edged sword.

It isn’t just competitors who harvest the data. Criminal elements and nation-state intelligence and security elements do as well. Francis Bacon’s adage, “Knowledge itself is power,” applies. With location, time and place, and identity, competitors, criminals, and nation-states are given their initial tidbits of openly acquired information from which to begin to build their mosaic.  

Warnings on physical and digital targeting galore

The State Department’s Overseas Advisory Council (OSAC) in a publicly available warning notice highlighted the physical and digital targeting that can take place via location sharing. OSAC’s audience is predominately U.S. companies conducting business abroad. They mince no words, “Location sharing is the easiest way for malicious actors to find you in real life.”

Similarly, as far back as 2012, the U.S. military has been warning personnel of the security risks associated with posting information that provides the location of personnel, specifically calling out applications that access an individual’s precise location. (Are there apps that don’t do this?) For this reason, many travelers opt to use travel phones, essentially a burner phones, for use to communicate with both office and family, but without the risk of being directly associated with the individual, thus providing pieces into the targeting mosaic which may be in the process of creation by a third party.

For years privacy advocates have been advocating for individuals to tame their desire to let the world know what they are doing and where they are doing it, cataloging this as TMI (too much information). When identifying where you are, you are also highlighting where you are not. Information is monitored and exploited by those investing a few moments of their time to monitor the social media flow of a targeted individual or entity. Corporate travel programs should be addressing the need for discretion in their annual and pre-travel briefings for executives.

Canada’s Royal Canadian Mounted Police (RCMP) have also issued warnings to individuals concerning their desire to share and tag themselves and others. Their recommendation is to turn off the geotag function on your devices, so as to reduce the likelihood of being targeted.

Yet, when on vacation the urge to share is overwhelming and has unfortunate results, not always for the individual sharing, but for the people, place and things which are located within the frame of the photo. A few examples:

• Ukraine: It is well known that Ukraine is pulling out all stops to own the cyber information space, which includes harvesting data off images posted by those in Russia on various online forums. Most recently a Russian tourist took a selfie of himself and a Russian S400 missile system. Ukraine’s Ministry of Defense posted a mocking video of Russian tourists in Crimea, suggesting that it was not a place to visit.
• Ukraine again: Similar to the harvesting of openly available information, the enterprising Ukrainians have taken to catfishing Russians online. A group called “HackControl,” a.k.a. “Hackyourmom,” has a cadre of personnel managing multiple personas on social networks such as Facebook and Russia’s Vkontakte (VK) which they use to induce Russian soldiers deployed in the Ukraine to share photos of themselves, often photos that contain useful geotags, metadata and other information of use to the Ukrainian defensive effort. Mykhailo Fedorov, Ukraine’s minister of digital information, was quoted in the Washington Post, “We’re getting thousands of reports per day. They’re very, very useful.”
• Africa: On nature preserves, rangers have placed signs in strategic locations imploring tourists to do their part in saving their animals. “Please be careful when sharing photos on social media. They can lead poachers to our rhino. Turn off geotag function and do not disclose where the photo was taken.”

What CISOs should do about photo sharing?

The bottom line for all CISOs is to educate through awareness training how seemingly innocent behavior may inadvertently place individuals and the company at risk, simply by wishing to be social or to demonstrate their entity’s marketing reach. OSAC’s advice is to never check-in, avoid advertising where you are going, only post where you’ve been, and avoid revealing businesses or locations you visit frequently.