Everything you post on the Internet and social media can be exploited to identify and track you. This is the reminder the CNIL gives in an instructive and worrying document on Open Source Intelligence.

Everything we publish on the Internet, even the most innocuous content, can be used to identify us and obtain very precise information about us, such as our name, our address, our job or even our favorite places. Publishing under a pseudonym on different networks and taking care not to disclose sensitive information are not enough to prevent a sufficiently determined actor, with the right techniques, from discovering our identity and collecting a large amount of information about our private life. While many of us are careful not to publish very personal data such as a physical address or a telephone number, we forget that other information can be used to identify us and even harm us.

It is as part of its mission to inform and raise awareness among the general public about the use of digital tools that the National Commission for Information Technology and Liberties (CNIL) has just published an article on Open Source Origin Intelligence (ROSO), better known by its English name OSINT, for Open Source INTelligence. The publication is very informative and is accompanied by a video that explains the mechanisms these investigation methods exploit.

© CNIL

OSINT: the art of cross-referencing public information

These acronyms cover a very diverse set of research techniques, all of which are based on the principle of exploiting publicly accessible sources in order to collect and cross-reference a large amount of data, with the aim of obtaining precise information about a person or an organization. As the CNIL explains, these investigative methods are used in particular by journalists, activists, and actors in the fight against fraud and corruption, and are particularly useful to help deconstruct false information or reveal facts of public interest, such as financial embezzlement, serious failures of public authorities or illegal practices of companies. But like all tools, they can be used for malicious purposes against people or organizations, to compromise them, blackmail them, steal their identity or even physically harm them.

The strength of these research techniques does not lie in stealing documents or confidential information by hacking into sensitive databases, but in the ability to cross-reference and cross-check seemingly harmless and easily accessible data. For example, a photograph posted on a social network, even if it does not show any identifiable person, can make it possible to locate the place where it was taken, thanks to elements present in the image such as recognizable buildings or monuments, or using the geolocation metadata of the file if it contains any. A pseudonym, which theoretically offers relative anonymity on the Internet, can make it possible to determine that several accounts belong to the same person when it is used on different platforms and networks. In the same way, there are now freely accessible tools that instantly find all the sites and online services on which the same email address is used.

These methods, which do not require particular technical skills as shown in the CNIL video, are becoming more and more effective and easy to implement, as open sources of information multiply. Alongside digital social media itself, many businesses or organizations rely on social media features to generate buzz around their products and services. Thus, most sports applications, in addition to offering simple tools for measuring and monitoring physical activity, now include functions for sharing user performance, such as the geolocated route of a race for example. These possibilities are not directly linked to the purpose of the application, to help an individual master their sporting activity; they are only marketing levers allowing the company which markets the service to make itself known, by exposing sensitive data on its customers in the process.

These functions can of course have virtues, such as helping a user to maintain their motivation to practice a sporting activity by sharing their progress, and in this specific case it will often be possible for them to restrict the visibility of the data exposed to their friends or relatives only, in order to limit the risks. But other applications, whose primary function is precisely to publicly expose users, can be easily exploited for these insidious investigative purposes. This is particularly the case of LinkedIn, the social network designed to help its users create and expand their network of professional relationships and which makes it very easy to retrieve complete CVs, with numerous details on their background, their experiences, their passions or even their opinions. An almost essential network for those looking for a job in certain fields and which encourages its members to create an attractive profile and to be as active as possible by multiplying publications, and therefore information…

Online identity protection: advice from the CNIL

Even with all the good will in the world, it has become almost impossible to be completely absent from the digital space and these injunctions to overexpose oneself are not going to diminish. Faced with this trend, information work such as that of the CNIL or other organizations is therefore beneficial, and offers some good advice and useful reminders to limit the risks to which one exposes one’s identity and one’s private life on the Internet.

First of all, separate your activities on the different digital platforms as much as possible, by publishing different content on each of them and using unique login identifiers if possible. In this regard, the alias creation function can be particularly effective if your email provider offers it.

Then, adjust the confidentiality settings available on each platform to their strictest level, to limit the visibility of your publications to only people you really know (no more “friends of friends”). And to share personal content with family or loved ones, such as the video of your little one’s first steps or vacation photos, choose private communication applications, such as secure messaging services, rather than social networks.

Finally, the best way to limit the risks to your privacy is simply to publish less data and content online. Never forget that “publish” means “to make public” and therefore accessible to everyone. And on the Internet, “all” really means “everyone.” Especially since the network has infinite memory.
