Stay Safe, but Stay Connected

When starting to learn more about all the information collected on us, it can get overwhelming.

We might be tempted to unplug entirely and stop sharing anything with anyone online. But this approach risks other dangers that shouldn’t be downplayed either.

Keeping our data safe shouldn’t mean staying isolated online.

There are plenty of tools and practices we can adopt to protect our data online, while staying connected with our communities.

And this is especially important for the queer community.

Stay safe, but stay connected :rainbow::yellow_heart:


Very long read, but definitely worthwhile! :smiling_face_with_three_hearts: :smiling_face_with_three_hearts: :smiling_face_with_three_hearts:

YOUR SOCIAL HEALTH AFFECTS YOUR MENTAL & PHYSICAL HEALTH

Thank you for highlighting this very important issue. As someone who finds it hard to participate in online communities for fear of compromising my privacy, I needed to hear this. For some people, the internet is the only place where they will find kinship with others and it’s sometimes their best chance at meeting similar-minded people in real life.

In recent years, a lot of studies, articles, and books have been published about friendship and its decay in society at large. It’s been a deep interest of mine. A new concept I learned from Harvard social scientist Kasley Killam is the one of social health, which describes the overall well-being that stems from connection and community, i.e. relationships.

It shouldn’t be a surprise that your social health directly affects your mental and physical health. Killam wrote a fascinating book about it that I haven’t read yet but would still recommend based on my appreciation for her work.

MULTI-ACCOUNT STRATEGY:

I couldn’t agree more. Another thing to consider is to avoid managing multiple accounts simultaneously in the same app or browser. Apps and websites like Twitter/X, Instagram, Reddit, and Google allow that, making it easy to switch between accounts, i.e. selling surveillance as convenience! :wink:

If you use different aliases, phone numbers, and IP addresses for 2 separate accounts in the same app, it is likely that the platform will make a connection between those two accounts, assuming they have the same owner, and therefore are the same person.

One thing I am curious about is if websites can make that connection when I use the same VPN IP address for 2 accounts that I use in different browsers. For example, one Reddit account on Brave, and another on Firefox.

This can also happen with aliases, but it’s definitely the case with VPNs. If you are going to use a VPN, make sure that you have 2FA enabled on your account first. From my experience, you are far less likely to trigger alarm bells if you use a VPN with 2FA enabled, because if you can confirm your identity via 2FA, you usually don’t encounter any problems, but it can still happen.

Recently, I got my Reddit account suspended out of nowhere. I believe it’s because I use an alias and VPN. I’ve had that account for years, and it was set up that way from the start.

I was prompted to reset my password, but when I tried, it didn’t work because I couldn’t receive the verification email at my alias address. I haven’t been able to speak to a real person from Reddit support team to fix the issue. It’s been over a month, and I’m not sure what other recourse I have.

All this is to say, even with 2FA enabled, you can still trigger alarm bells for using a VPN or an alias, even if it happens years after using them every day for a long time. So be mindful of that. That does not mean aliases and VPNs are not worth using. They absolutely are.

METADATA PRIVACY:

I would also recommend visibly watermarking and password protecting any document you send to a company or person when it is destined for a single purpose.

For example, if you need to send a copy of your ID to your employer, watermark it with the company’s name and date so that if it’s ever used for a different purpose or with a different party you did not consent to, there is proof.

I am still looking for a good free and privacy-friendly watermarking app/service. If anyone has any recommendations, please let me know. I have yet to find one that watermarks exactly how I want it to.

I have never had to send watermarked documents so far. However, my experience with password protecting PDF documents has been mixed. Two of my previous employers asked me to send it back without the password, even though I gave it to them, which was frustrating.

If you have experience with this practice, please share.

RSVP PRIVACY:

This is something I had very little consideration for until quite recently, when I was invited to an event and had to RSVP. I wasn’t just required to confirm my presence, but also provide additional info like my job, company I work for, and my dietary preferences. Although the invitation was sent to my Proton email, the RSVP was on Google Calendar.

Do you have any real life examples of when an RSVP had bad consequences?

I want to be able to use it as a reference if I ever have to justify myself for not officially RSVPing. I also think that if I am in a vulnerable situation, I shouldn’t have to divulge it to the event planners.

FINAL THOUGHTS:

I wholeheartedly agree. It’s a question of finding the right balance and going at your own gradual pace in your privacy journey.

We want people to protect their privacy, but also thrive. Rightly or wrongly, part of me believes that it can be very hard to persuade people to be more privacy conscious, or even just support your decision to do so, if they don’t see you thriving in life or don’t perceive you as a success.

I noticed that you didn’t link to any guides to strengthening privacy on Discord. Are there any?

I personally don’t like Discord, but a lot of support groups for a variety of communities have a presence there. Even though this post is primarily aimed at the privacy conscious, I think people who are not sensitized to these issues need to be more aware so they can protect their privacy.

There are popular mental health Subreddits that have Discords, and I have seen many members share pics of themselves, including minors, because people share their age too. Although I understand why they did it (agoraphobics showing themselves being outside), it was very irresponsible in my opinion.

That’s why we not only need to build and advocate for better platforms, but we should work on building communities on the platforms that respect our privacy.

Fantastic article @em! Keep up the good work!


Hey, that tip on watermarking single-use documents/media is extremely handy! Thank you very much for that. On that note, would signing it cryptographically also help if the way to verify its authenticity can afford to be more discreet?

Also thanks for the article Em, it was very thoroughly written and accurate


You’re welcome! :blush:

I don’t know. If I’m being honest, I’m not familiar with cryptographic signing, but you might be onto something. I welcome anyone who has knowledge about it to please share.

Seconding the question about Discord. A lot of my social and work connections use it, so I kind of have to be on there. I know Discord says their video feature is E2EE now, but are there ways to mitigate privacy and security concerns around the texting portion (DMs and groups)?

Thank you so much PurpleDime! I’m very glad you liked it! :purple_heart:

I love this concept of social health! Indeed, this is absolutely essential, and too often neglected as a factor of health.

And yes indeed about managing multiple accounts using the same app or browser, this is very true! Thanks for the referral to my other article hehe :wink::+1:

For extreme cases, it’s also important to consider correlation in time. So yes, in some cases, using the same VPN IP address could create a link. Even just suspiciously discussing a similar topic in a similar way around the same time could also create a link between separate accounts. I talk a little bit about this in this section of the In Praise of Tor article.

Thank you for sharing your experience with Reddit. I am not surprised this happened. I’ve had similar problems with other social media and accounts. The VPN server you use can make a big difference on this, but it’s hard to determine in advance. Some servers have been flagged and some other haven’t. I regularly get blocks from YouTube asking me to sign in to continue, but when I change my VPN server I don’t get this block anymore.

The tragedy is this increase in security triggers and account locks while having no way to reach out to a reasonable human to fix access. This often also removes the Right to Delete from users, which is incredibly problematic!

I was able to recover an account and finally delete it by contacting my local Privacy Commissioner (Data Protection Authority), perhaps this could help you too.

I had not heard before of this practice of adding a unique watermark for official document scans before sharing them! THIS IS GENIUS! Thank you for sharing this technique with us! I’ll definitely use this myself if I ever have to share document scans.

I’m not aware of any watermarking app (and I wouldn’t recommend using any online service for this, as they could keep/use this very sensitive data), but simply using the free, offline, and open-source vector design software Inkscape should be easy enough for this.

Unfortunately, I couldn’t cover every social app in the article, but Discord is an important one that’s true.

Sadly, Discord has recently implemented an age verification system in the UK and Australia and, if they decide to expand this verification everywhere, there will not be many options to stay protected on Discord besides deleting the account. Discord also generally requires a phone number to create an account now. You are correct, sharing pictures of others without consent (or of minors) is incredibly unethical to say the least, possibly even illegal in some cases.

Absolutely! You are right! “Building communities on the platforms that respect our privacy” is key! Thank you for your incredible insight on this! :raising_hands::yellow_heart:


Hey, I’ve actually developed a very rudimentary program that’s free to use and that does exactly that: watermark your files. But it is more like a demo/prototype than an actual commercial app, plus, it requires python and a bit of tweaking to make it work. However, if you have any suggestion on what a regular user like you would need in order to run this program like any other, please let me know and I will certainly update my code to comply with your recommendations. Btw I’m a junior software engineer, I graduated not so long ago. Here: GitHub - MahoganyTown/OpenWatermark: Simple program to quickly watermark PDF and image files.


Apologies for this very late reply.

Yes, this is the most frustrating part. I personally think that part of the reason these billion-dollar tech companies make so much money is because they refuse to invest money in human customer support. As far as I know, unless you personally know someone at Meta, it’s practically impossible to get a real person to inquire about a suspended Instagram account.

Google is one of the few Big Tech companies that has phone customer support if you are a paid subscriber to one of their services, like Google Drive. I’ve used it before years ago, and it did make a positive difference to be able to speak to someone.

With regard to Reddit, my last resort is to create a new account and try to reach the mods with it to enquire about my suspended account.

Although I am very skeptical about getting results, I will definitely look into that. Thank you.

You’re welcome! :blush: I think it should become common practice for people who care about their privacy.

Thanks for the recommendation. I had never heard of Inkscape, but I will look into it.

Do you know if it’s possible to create tiled watermarks with Inkscape (like in the illustration I shared)?

Yeah, I had heard about that. I need to create a new account before it becomes universal.

Is this a universal rule? Or only in some regions?

I had something super creepy happen the first time I created a Discord account years ago. Discord asked for my phone number, which I refused to give. I used VPN, email alias, and had MFA via authentication app enabled. I did all this without giving Discord my number.

But when I looked at my account profile, I saw that they already had my number. This was incomprehensible to me. I never gave it to them.

Could they read my SIM card and somehow get my number, the same way TikTok can guess your real location even if you use a VPN?

Just for clarity, in the example I gave, no one was sharing pictures of others, minors or adults. It was a minor (17) sharing a picture of himself, in a mental health Discord where most of the people were grown adults. Nobody asked him to share a picture of himself either.

I think there was a channel in the Discord where people shared pictures of themselves, and they were sharing it to show that they were trying to get out of their rut. In the example I gave it was an agoraphobic showing a picture of himself being outside.

Even so, it’s not a very wise thing to do IMO.

This is what you guys are doing here, which is why I appreciate PG’s work so much! :blush:


As stated, this only applies to the UK and Australia. If you live in either of those, sure, but I think Discord may still realize and try to ask you to verify if applicable. Otherwise I wouldn’t worry.

Discord doesn’t require a phone number from you after you sign up with an e-mail, in my experience; however, most Discord servers unfortunately enforce that requirement, making it kind of a necessity.

If it violates ToS of any kind, report it, otherwise leave it as is, this is a common opsec problem on discord. But they should realize messages are not private on servers, especially with how easy it is to scrape discord messages. (Outside of DMs and Group DMs).

It should work. Companies like Discord, Reddit, etc. have to comply, and if they refuse, that’s what they’re there for.

Although I could be wrong, I don’t think it did in the example I gave. A lot of support communities on Discord have people sharing pictures of themselves. There’s a disabled/healthcare community I follow on Discord, and people share pictures of themselves there, too. There was one adult who shared a picture of herself with her niece who is a minor, but she was smart enough to cover her niece’s face with a huge smiley face.

All that being said, even if it’s all adults, I don’t think it’s wise to share pictures of yourself on Discord. I personally didn’t say anything because I don’t want to “kill the vibe” of a community who are trying to support each other in what is supposed to be safe space. Especially if I’m new to this community.

I really appreciate how helpful you’re trying to be, @Margueritte! :blush: Thank you so much!

Unfortunately, I cannot use your software, because I absolutely suck at CLI! :pensive_face:


I find it extremely intimidating. It’s like gibberish to me.

I pay for online subscriptions that allow CLI access, and I have never used it. Some features are only accessible via CLI and I simply can’t use them, because I don’t understand the instructions and am afraid of messing it up.

I’m actually looking for a paid online course that teaches CLI to total newbies like me. If anyone has any recommendations, I’m open to them.

The reason I specifically ask for a paid online course, is because I find that in general, when it comes to learning a new software, paid courses are better structured and presented. They are easier to understand than free videos on YouTube made by regular people. At least for me. I’m a very slow learner.

To verify file integrity, a hash will be great. Before you send a file to someone, you can also send the hash + the alg you used. If the file is tampered with, the hashes won’t line up. On some sites you will see the hash published, i.e. the Debian Download mirrors. But the consumer still has to do the work to verify the hash.

PDFs are a gnarly format. It’s possible to alter a pdf without changing visuals. You can embed entire Python scripts in a PDF without changing anything seen, except a notable size increase :slight_smile: check it out.

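An added Python example (not code from any poster in this thread) that does the two checks the post above describes on the receiving side: it compares a file against the hash and algorithm the sender published, and it does a quick structural triage of a PDF, flagging appended incremental updates and the name objects that make a PDF do more than display pages. The two tiny PDFs and the list of names are constructed here for illustration; function names are my own.

```python
"""Verify a received file against a published hash and triage PDF structure.

The sample PDFs below are constructed inline; they are not real documents.
"""
import hashlib
import hmac

# PDF name objects that add behaviour beyond rendering (constructed list of
# well-known names).  Presence means "look closer", not proof of malice.
SUSPICIOUS_NAMES = (b"/JavaScript", b"/JS", b"/OpenAction", b"/AA",
                    b"/Launch", b"/EmbeddedFile", b"/RichMedia")


def file_digest(data: bytes, alg: str = "sha256") -> str:
    """Hex digest using the algorithm the sender named alongside the hash."""
    return hashlib.new(alg, data).hexdigest()


def hash_matches(data: bytes, published: str, alg: str = "sha256") -> bool:
    """Constant-time comparison of the file's digest with the published one."""
    return hmac.compare_digest(file_digest(data, alg), published.lower())


def inspect_pdf(data: bytes) -> dict:
    """Cheap structural triage: header, incremental updates, active content."""
    return {
        "is_pdf": data.startswith(b"%PDF-"),
        # More than one %%EOF means content was appended after the original
        # save (an incremental update), which can change behaviour but not
        # the rendered pages.
        "eof_markers": data.count(b"%%EOF"),
        "active_content": sorted(n.decode() for n in SUSPICIOUS_NAMES
                                 if n in data),
    }


def triage(data: bytes, published: str, alg: str = "sha256") -> dict:
    """Combine the hash check and the structural look into one verdict."""
    report = inspect_pdf(data)
    report["hash_ok"] = hash_matches(data, published, alg)
    report["open_safe"] = (report["hash_ok"]
                           and report["eof_markers"] <= 1
                           and not report["active_content"])
    return report


# Constructed minimal PDF: one empty page, no active content.
CLEAN_PDF = (b"%PDF-1.4\n1 0 obj<</Type/Catalog/Pages 2 0 R>>endobj\n"
             b"2 0 obj<</Type/Pages/Kids[3 0 R]/Count 1>>endobj\n"
             b"3 0 obj<</Type/Page/Parent 2 0 R>>endobj\n"
             b"trailer<</Root 1 0 R>>\n%%EOF\n")

# The same file with an incremental update appended that redefines the
# catalog to add an (empty) document-open action.  Visually identical,
# but the digest and the structure both change.
TAMPERED_PDF = CLEAN_PDF + (b"1 0 obj<</Type/Catalog/Pages 2 0 R"
                            b"/OpenAction<</S/JavaScript/JS()>>>>endobj\n"
                            b"trailer<</Root 1 0 R>>\n%%EOF\n")

if __name__ == "__main__":
    published = file_digest(CLEAN_PDF)   # what the sender would post
    print(triage(CLEAN_PDF, published))
    print(triage(TAMPERED_PDF, published))
```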

If this is something of great interest, I can also see about triaging the code to make a very basic GUI.

Interesting recommendation for deterring unauthorized sharing. I have tagged documents with identifiers to allow tracking, but not as visibly as your example shows. Do you have any data or experience about how well watermarking works in practice?

Interesting reaction by those employers who requested unprotected documents. Is it to allow scanning with their document scanning applications? HR often runs people’s resumes through various applications. A few times, I’ve sent sensitive documents using Proton’s or Tuta’s password-protected email, and that worked fine. Another option may be a password-protected archive/zip containing plain PDF files.

Just be aware watermarking needs to be difficult to strip away, or else a malicious person can strip it away and then share. This difficulty may be more difficult to achieve with vector images (which Inkscape is purposed for) than with raster images, unless the end result is rasterized. I suggest (the also free/open-source) GIMP for watermarking raster images, such as photos, but be sure to flatten all layers so that watermarking cannot be stripped easily by deleting layers.

Yes, cryptographic signing would help establish integrity and authenticity, and this is (I believe) the main and original purpose of cryptographic signing.

As another post mentions, hashing works just fine if only data integrity is a requirement, so long as the communication channel is secure. If the channel is insecure, the hashed data and hash can be altered in transit.

To be clear, because the question was posed in the context of watermarking, I don’t think it would help deter unauthorized sharing. Depending on the data and signature formats, signatures can be easily stripped from the signed data, and most normies don’t expect to receive signed data or bother checking signatures. Watermarking, on the other hand, is clearly visible and is (or should be) difficult to strip.

Watermarks are outdated with upcoming AI generative image software, did you know? Sometimes I am really astonished to see the amount of naivety (or lack of knowledge) in here…

Interesting, I did not know it was possible to send malicious PDFs.

If it’s safe, and you get permission, why not. But like I said, I like to tile documents in a specific way. Like the illustration shows, I want to tile text so that it appears many times and cannot be unseen.

I have literally no experience with it. I got this tip from an article I read months ago. I haven’t had the opportunity to use watermarks yet.

I don’t know, but I doubt it. Remember we’re talking about passwords here, not watermarks. I gave them the password to open my PDF documents, but they still requested that I send it back without it. I didn’t ask questions and complied for fear of jeopardizing my job. That was probably a mistake.

If I had to guess, the reason they wanted me to remove the password is because they find it annoying to have to enter a password every time. Or, and perhaps more likely, they know that other people within the company, or maybe even outside the company, may need my documents and the password is a hurdle.

Even so, if they have the password and can technically share the password with anyone who needs to access that document, what is the issue?

Now that I think about it, I am getting more suspicious. Imagine if months after sharing my ID via protected PDF with the password, I get an email from one of my superiors asking for the password again. That would make me very curious. It would make me wonder what they need to do with my ID 6 months after I gave it to them. It would also suggest they forgot or lost the password.

On a loosely related note, I have stopped writing passwords in emails, and sometimes even messaging apps. What I mean by that is that I no longer actually write the password in the email/message. I share a link from my password manager where I have written the password. That way it is not saved in the email. The link has an expiry date, and I advise the receiver to write it down somewhere.

I have never tried this in a work context. Not only is it more secure, but it promotes privacy and security.

I strongly advise people to do this, especially when they are exchanging with a complete stranger on the internet. I know I could ask them to exchange on a more private platform, but it’s generally very hard to convince people to do that. They don’t have the patience.

Are they really? Is that common knowledge? Because I don’t think it is. Even if what you say is true, I don’t think it’s useless to use them. If I send a company a copy of my ID with a watermark, and they remove it and use it for something else, I still have proof that I sent it with a watermark.

Correct. Hashes can help, but few manually check it. It must be part of a process that requires no intervention. This can be a protocol or software.

In this case, I don’t know software that will do this off the bat. Best mitigations for this I’d imagine are…

  1. Send an encrypted file, and share the password through a secure channel. I see this tactic where a private forum posts the decryption key, but publishes the encrypted file on public hosting.
  2. Store on encrypted file sharing, send the link in a secure channel. Aka, use ProtonDrive to share a link to a friend. Optionally use a password.

It depends on your threat model how much of this is a concern. I typically don’t worry about this with friends, but for spam emails that send PDFs, don’t click them.

Definitely. That makes plenty sense.