Glassdoor’s trust violation is just the start

Redacto

Fresh off the news that Glassdoor has begun de-anonymizing users without their consent, some users are understandably angered and upset. I say some, because most people will not even know that their past posts are now showing more info than they intended. They won’t read this article or any others and will just carry on living life, none the wiser. The email address they used to sign up to Glassdoor might not even be monitored anymore.

This type of data exposure is the danger we don’t think about. It’s a very simple threat model to understand when a website that did not previously expose a piece of information now does. But what about the other things lying in wait to expose you?

One of the most insidious threats, and one that has not been taken seriously enough, is Gravatar. A while back, there was an enumeration ‘hack’ of Gravatar which exposed the information of over 100 million users. Gravatar countered the significance of this at the time by saying:

Gravatar was not hacked. Our service gives you control over the data you want to share online. The data you choose to share publicly is made available via our API. Users can choose to share their full name, display name, location, email address, and a short biography.

https://twitter.com/gravatar/status/1467769312064815105

The issue is, Gravatar never fully explained to users that it could expose your email address regardless of your privacy settings. In short, Gravatar worked by making an MD5 hash of your email address and letting you set an image for that hash. So the process was as simple as registering your email with Gravatar and choosing an image. Then, any blog that you commented on in the future would display an avatar for you based on what you set.

The issue is, MD5 simply lacks any meaningful security in the days of 4090s and GPU farms. Any email address at a common provider (Gmail, Hotmail, etc.) that is under 12 chars can be cracked in a day or less. This has enormous impact for political dissidents, whistleblowers or early crypto users who may have commented anonymously on blogs that used the Gravatar feature. Previously, only the blog owner would have access to their information. Now, any person or bot can simply view that user’s Gravatar and extract the email address by either using an online tool or running hashcat on a rented AWS GPU instance. This can happen either intentionally (an individual trying to identify a specific poster) or automatically (an AI cataloging the web, mapping all posts from a specific email to its other online personas).
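A self-audit built on the hashing scheme described above, as an added example that is not part of the original article: it derives the avatar hash for addresses you own and counts where that hash appears in a saved comment page. The addresses, the HTML snippet and the function names are constructed for illustration.

```python
import hashlib
import re

# Avatar URLs embed the hash directly: .../avatar/<32 hex chars>
AVATAR_RE = re.compile(r"gravatar\.com/avatar/([0-9a-fA-F]{32})")


def gravatar_hash(email: str) -> str:
    """MD5 of the trimmed, lower-cased address. No salt and no key, so the
    same address produces the same public identifier on every site."""
    return hashlib.md5(email.strip().lower().encode("utf-8")).hexdigest()


def find_own_exposure(html: str, my_emails: list[str]) -> dict[str, int]:
    """Return {address: occurrences} for each of my addresses whose avatar
    hash is embedded in the given page source."""
    wanted = {gravatar_hash(e): e.strip().lower() for e in my_emails}
    hits: dict[str, int] = {}
    for found in AVATAR_RE.findall(html):
        email = wanted.get(found.lower())
        if email:
            hits[email] = hits.get(email, 0) + 1
    return hits


# Constructed sample: a saved comment thread with three avatars, two of them
# belonging to an old alias of the person running the audit.
_MINE = gravatar_hash("old.alias@example.com")
_OTHER = gravatar_hash("someone.else@example.org")
SAMPLE_PAGE = f"""
<li class="comment"><img src="https://secure.gravatar.com/avatar/{_MINE}?s=48&d=mm"> anon_2014 wrote ...</li>
<li class="comment"><img src="https://www.gravatar.com/avatar/{_OTHER}?s=48"> guest wrote ...</li>
<li class="comment"><img src="https://www.gravatar.com/avatar/{_MINE.upper()}?s=48"> anon_2014 wrote ...</li>
"""

if __name__ == "__main__":
    mine = [" Old.Alias@Example.com ", "current@example.com"]
    for address, count in find_own_exposure(SAMPLE_PAGE, mine).items():
        print(f"{address}: avatar hash appears {count} time(s); those comments are linkable to this address")
```

Any page where an address turns up is a candidate for having the comment removed or the address changed at the source.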

With that said, let’s forget about Gravatar for a second. What other dangers lie out there, based on the data we have willingly submitted? One thing that is almost never spoken about is our search history on social media.

The damage that could be done by making everyone’s search history public could be catastrophic on a level never before seen. We are not just talking about users searching for their ex-girlfriend or other jobs. We are talking about massive data exposure. Twitter could expose guilt across so many areas that it’s almost pointless to list them. I suggest you go check your search history on Twitter or Facebook and ask yourself if you would feel comfortable with that data being public.

Most think it’s just the embarrassment of searching for specific accounts or topics related to sexuality and having that be public. It’s already huge news when a user likes a tweet of a frisky nature, but imagine if instead that user’s search history was exposed, with exactly what frisky terms they were looking for. A bit more difficult to explain.

Sites like Twitter have a “clear search history” function, but little is written in their Terms of Service or privacy policy about what pressing that button does. It certainly removes the search history from your device, but what about their internal logs or database? What happens when Elon or a rogue employee decides to expose AOC’s search history to shut down some legislation or influence a political action? Even the chaos of “everyone’s search history is now public” would cause so much insanity it has to be seen as a near national security matter. The blackmail that can be achieved from search history is unfathomable.

Some might think this will never happen, but the risk is out there, intentional or not. In May 2023, Twitter decided to publicly show every account that you paid/subscribed to, with no opt-out and no pre-warning for users to stop that behavior. I’m sure there were many incidents of users who subscribed to content they thought would be private, only to be exposed publicly with no way short of deleting their accounts to stop the exposure.

The bottom line is that the services we use day to day operate with a level of trust that they have not earned from us. At any point, either by hack, accident or intentional action, our most intimate data can be exposed. The worst part is that it isn’t always from something you are still using today. If Twitter makes a privacy-related change and has a switch to turn it off, you might be quick on the draw to change the setting to protect yourself before any damage is done.

However, can you say the same thing for xyz123forums.com, where you used to be an active member back in 2014? They recently updated their forum software and are now showing email addresses publicly, and you talked pretty extensively about how you were cheating on your master’s thesis by faking some data that didn’t matter. You don’t even check the email that account is tied to because it’s your old school email, so the notice of the change wasn’t even available to you to act on. Not good.

As our data rots out there in the wild, it becomes a danger to us of unknown proportions. Many users think nothing of their content from years ago, but the effects that can be felt are astronomical if it’s not removed, edited or anonymized.

The solution: Delete it all with Redact. Don’t just delete the account, but have Redact go in and mass delete the posts, tweets, comments and messages you have made. Our software, Redact, was made to address this issue specifically. We support over 30 different services and add more every day. Regardless of your motivation for deleting your content, there is no easier way to protect your digital footprint and reclaim your privacy. Deleting yourself from data brokers is nice and seems to be all the rage today, but the real damage is not what other people have written about you, or having your address on peoplefinderusa123.com. The danger is what YOU have written about you.

© 2025 Redact - All rights reserved