Sometimes I like to take pictures of myself—pictures that could be described as "morally compromised" or "medical in nature" or "graphically disturbing." I often erase these pictures when my occasional body dysmorphia goes from wriggling to raging. My fear, of course, is that somehow clicking the little trashcan icon beneath my anatomically explicit selfie doesn't actually get rid of the scandalous shot. Somehow, I fear, the "erased" pictures can be retrieved by hackers, trolls, or malevolent ex-boyfriends. So I spoke with Jessy Irwin, a cyber security researcher/specialist/evangelist with an interest in women protecting their data, their dignity, and their butt cleavage.
BROADLY: Why should women be interested in their operational security (known in tech slang as OpSec)?
Jessy Irwin: If we've learned anything over the past few years, it's this: women are more likely than men to be the target of online abuse. Technology is disproportionately used to harass women. In some cases, it's better to have an anonymous online persona instead of having our thoughts and opinions attached to our identities. As ladies, we live in a world where spurned romantic interests, former friends, abusive partners, people who disagree with what we have to say on the internet, or anyone with a vendetta might one day decide to do their worst.
Having strong OpSec, or operational security habits, is the best way to minimize some of the risks that present themselves online—and it's a way for women to be in control of their identities, their data, and their privacy. Being aware of some of the bad things that you might run into is vital in this day and age, because, when it comes to your security and privacy, an ounce of prevention is truly worth a pound (or ton) of cure. There are too many examples to count of former lovers sending nudes to bosses, family members, friends, classmates, and revenge porn sites in an attempt to take someone down a notch by ruining their reputation or career.
While it would be nice to live in a world where ladies or just people in general didn't have to worry about their intimate photos and communications being used against them, we just aren't there yet. Security is a two-way street: we expect companies to safeguard our data, but it's important for us to do everything within our power to take responsibility for our own security, too.
What is the best way to keep intimate data—like pictures, sexts, etc.—that may only live on my phone away from the internet/strangers/reddit? Is this something only celebrities should worry about?
Some people might say that the best way to keep intimate information safe is to never share any of it at all, but we've seen time and time again that telling people not to do something just does not work. So if you're a person and you're sending nudes to anyone, you should be actively working to make sure those nudes—and any nudes you've gotten from anyone else—are secure. As part of their OpSec for sexting, some people refuse to send nudes that show their faces, but it's important to remember that birthmarks, tattoos, piercings, and even objects around you in a photo can be used to identify you.
To take care of your devices and your data, nudes or not, at the very least you should:
- Use a strong, unique passcode or password for your phone, your computer, and your online accounts
- Encrypt your phone's hard drive (if it isn't already!) to fully protect its contents
- Regularly update your software, because that's how the security updates get on your devices
- Turn on two-factor authentication for any cloud services or apps you use for naughty photos
- Consider only backing up your mobile device to your computer, and not using cloud-based backup services unless they encrypt your backups for you.
The absolute most important thing to keep in mind about protecting your intimate information is this: the majority of breaches happen when someone gains physical control over a device, not through brute-force hacker wizardry like you see in movies. You are more likely to have your privacy and trust compromised by someone who is close to you, not some nameless, faceless, mythical hacker-type in a basement wearing a black hoodie. This is why it is important to not share passwords to your email or private accounts with anyone else. Following these steps is a solid start to preventing someone from gaining unauthorized access to your most intimate moments, or to keep someone from installing apps that spy on your location and communications.
Is there an app that you recommend as the best for encryption and self deleting stuff? Snapchat? WhatsApp? Telegram?
Recently, there's been a huge explosion of apps that promise privacy and security to their users, but there is no easy way for the average person to evaluate from the outside whether these apps are living up to their word or not. The best apps for exchanging your most private chats and photos are those that provide end-to-end encryption by default. (In some apps, the end-to-end encryption features are buried in the settings.) This kind of encryption is designed to prevent third parties from ever being able to eavesdrop on or crack the messages you're sending to someone else. Some well-known, easy-to-use apps that use end-to-end encryption include Signal and Wire, but even more mainstream apps like iMessage and WhatsApp have it too.
If you really want to up your OpSec game, especially for intimate communications, the most important thing you can do is make sure that you're not using regular communications apps to swap intimate photos or to share naughty thoughts. Instead, designate a specific app where you and bae do these things, and use nothing but that. Keeping your secrets in a secure, private app is the way to go—this should prevent you from embarrassing slip-ups like accidentally sending intimate messages to a friend, relative, or coworker by mistake.
What about messages that "self-destruct?"
When it comes to self-destructing photos, the truth hurts: there is just no secure way to make the photos you send disappear without a trace. Digital forensics experts and security researchers have continuously torn the apps that do this to pieces. They would be the first to tell you to never, ever use Snapchat to send nudes or sensitive information. Apps that send self-destructing photos can easily be circumvented in ways that don't require you to even learn how to code, usually through third-party apps that can retrieve images. Even then, the recipient of a self-destructing photo could take a photo of it with another device or figure out the right combination of taps and settings necessary to bypass screenshot notifications. If you still want to be part of the self-destructing photo fun, the best of the apps out there for this is Wickr, which does give you some control in the settings over how difficult you'd like to make it to recover an image from your phone. But once you've shared your intimate photos with someone else, self-destructing or not, that's it: you have lost control over who sees them and how they are used.
I have, uh, sensitive images and words on my email. What can I do to make sure it stays private? I don't want to encrypt because it's no use when so few other people do. Is two-step verification the answer?
If we learned anything from the Sony hack, it's that once you send an email, you can't get it back and you can't make it go away, no matter how much you'd like to make it disappear. Email has never been a secure form of communication, but protecting your inbox is the best way to keep someone from using the contents of your inbox against you. If your email account has private, sensitive information tucked within, secure it by:
- Using a strong, unique password,
- Setting up two-factor authentication as an extra layer of security,
- Being careful about clicking links or downloading attachments, because malware and phishing can cause you to lose control of your account,
- Minimizing the number of places you access your email (i.e. only check it on your laptop and phone, but not your tablet), and avoid checking it on computers or devices that don't belong to you.
These steps will make it harder for someone to break into your email account, but also make sure that you never, ever store or share passwords in your email account. (Passwords are the first thing an attacker would look for!) And as a general rule, don't send an email about something that would embarrass or harm you in some way if it were to be made public. If private information has to be communicated, it can be done through another channel or even face-to-face.
I always feel uneasy about giving apps my data. What do they do with it? How can I know which app to trust with my info?
When you create an account with a new app, at bare minimum you'll be giving up an email address, a username, a password, and a device identifier number. But for most app makers, the data collection doesn't stop there. Popular mobile apps contain analytics tools that track and monitor how you use and interact with them. Social networks ask for detailed profile information that they can sell to marketers to better target ads to their intended audiences. Free game downloads often include invasive trackers that collect whatever information they can about you, the sites you visit, and the other apps you've installed, all to better maximize their ad revenue.
Unfortunately, there's no one reliable way to figure out whether to trust an app with your data or whether you should give it all of the permissions it asks for the first time you open it. Checking to see if the app developer is running a legitimate business can be helpful, and so can looking at download numbers and app store ratings. However, these signals alone don't provide enough information for users.
Is the iCloud safe? Dropbox? What cloud service is safe for all my boob pictures??
If you do not want it to unexpectedly start raining nudes at inopportune times in your life, it's best to avoid the cloud entirely. But if you absolutely must use the cloud, use SpiderOak. Their encrypted, zero-knowledge system means that neither they nor third parties can peek into your files and see what you look like in your birthday suit, and you'll get 2GB of free storage for life.
I want to nuke my email. I want a totally clean slate. What's the best and most reliable way to get rid of all of it?
If you want to nuke an email account, selecting all and deleting everything is a good place to start... but there's truly no guarantee that email you sent from it will never, ever completely go away. Why? Email is inherently not private—everyone who has ever contacted you, and everyone who you've ever contacted from an email account, has a piece of your email history in their inbox. Plus, even if you cannot access your data after deleting an email account, there is no way to know if a backup of everything you've ever sent is sitting on your email provider's server. There is no effective "Out, damn spot!" command to get rid of your email for once and for all.
Are fears about people taking over my webcam legitimate?
I always tell people to put a sticker over their laptop's camera when it isn't in use, but most people think I am paranoid when I start talking about it. If it sounds crazy to you, though, here's a cautionary tale: thousands of women across the world have been made to feel like they are prisoners of their computers by technologies that allow a hacker to take control of their machine without their knowledge. Some of these women, like the former Miss California, have even been subjected to blackmail by those who were able to infect their machines with a remote access terminal. The criminals who targeted her took pictures of her while she was getting dressed, and tracked everything she did on her computer.
Are my pictures filled with information I can't see?
Digital images taken from phones and cameras include EXIF data, which can contain sensitive information about your exact location. Apps like Facebook, Instagram, and Twitter scrub this data from your photos, but if you're sending something directly from your device (even a selfie!), be sure to explore your device's privacy settings and turn off location sharing in your EXIF data to prevent this info from being shared. This may not seem that important if your lover has been to your place and knows where you live, but it could be the difference between a peaceful evening and trouble showing up on your doorstep.
Final words of wisdom?
If you're dealing with a stalker, a vengeful ex, revenge porn, an abusive partner, or online threats, one of the first resources you should turn to is Violet Blue's Smart Girls' Guide to Privacy. In addition to giving invaluable advice for cleaning up your Google results and serving takedown notices to get images removed, her book takes on the challenge of helping anyone work through the emotional experience of having their trust and privacy breached.