On a recent afternoon, I took a stroll down memory lane and visited my Friends Reunited account.
Now say what you want about password management, but I was successful in logging in and reading my last update from 2006. Having not logged on in over eight years, I decided to make the call to cancel my account and this led me to wonder, how many other “live” accounts do I actually have, giving me an ever-increasing digital footprint?
Earlier this year, I introduced you to one of the hottest new UK start-ups, and the rather unique offering of Digital Shadows. I tasked the company to turn their data analytic and collection powers on to me, and after handing over my name, home and work addresses, email addresses and phone numbers via their PR guy, they were set to work in mid November.
Fast forward to 11am this morning (8th December), and the full glory of their search on me became clear. The good news was that I have an eight out of ten score when it comes to online exposure, something that initially made me rather concerned, but which I was told by one of their researchers was very much consistent with what they see.
However, the front page of their 18-page report said: “the exposure of Dan Raywood is significantly above average.” Well, in a way, I want my details to be known so that I am visible to wannabe story-tippers, to marketing people and to those who want to visit this and other websites I contribute to.
The report broke down my digital footprint into four categories: work data, basic personal, sensitive personal, and soft data. Work data contained a fairly low risk I was told, as only my office address, email address and phone number could be detected, so was rated with a green flag.
The basic personal information worryingly raised a red flag; we’ll get on to that. I was told by Digital Shadows that the sensitive data could mostly be found via a Freedom of Information Act request. Finally, the soft data is what could be used for a social engineering attack.
I was told that the “Basic Personal Data” turned around my home address, home landline and full name, mostly from blog posts I have written, my Twitter account and a local forum I joined. The next page proved to be the first eye-opener – my date of birth, place of birth, two previous addresses and more sensitive information via a data aggregator website.
The team told me that a lot of the details were readily available and were found quite easily, but can also be removed fairly easily. “Password reset questions can use any one of those details,” they told me. “If anyone was looking into you they would be able to find any information.”
In the section titled “sensitive personal data”, my wife’s name was found, as was her email address and the football stadium where we had recently met, and members of her extended family. “Things start to appear when you connect all of the sources together,” they said. “It was actually quite a small amount, compared to some.”
One of the searching capabilities was down to open Facebook profiles and while mine is closed, the Facebook Graph Search feature was described as a “privacy nightmare” which allows third party connections and tags to be identified. “It is a good tool for us to use for these searches, but it is quite a concern otherwise, as there has been a lot of criticism of it,” they said.
In the Soft Data section, data was found on my football team of choice, my wedding reception, and the running ventures I have undertaken in the past couple of years. “A lot of people are on giving websites and people do not realise how many connections you can make from what is on these,” they said. “It is another avenue that other people do not think of.”
The final section was on Social Media profiles. I am aware of my profiles on the more common social networks, but Digital Shadows found no fewer than 26 social networks which have harvested my data. On one local forum, the assessment was determined as “although little information is provided on the page, the road on which Dan lives is disclosed, as well as the bus he takes, which is information that may prove crucial to an attacker”.
They said: “There are a few services which show you the usernames that you have used, and you can find accounts that you have forgotten about. This is by far the most social accounts we have ever come across.”
I asked them what the threat could actually be, and as my geographical movements could be determined there was the possibility of a physical attack, but my exposure was graded as “high”. Thankfully there was a “medium” chance of exposure to a cyber threat, but mainly because of my publicly available work contact data.
The company works with companies as well as members of Parliament and celebrities, and I asked what they thought of my level of risk compared to those with a higher profile.
CEO Alastair Paterson said: “In terms of your level of exposure, it probably doesn’t matter, but if you were a controversial public figure then that is very significant as we are working with some individuals who face physical attack and if their home address is accessible, that would be an issue. It depends on who you are and what you are worried about.”
What I really wanted to understand was how visible I was, and compared against previous reports, I was told it was not unusual and there was nothing critical, but the generation I am in is online more, and for some people having personal and contact details available is not as big a concern.
“I think severity-wise you are in the same place as a lot of people who have their details and the problem is that a lot of places don’t advertise that they have the details so you wouldn’t know that the electoral roll is on a website, so yours is quite common,” they said.
What I wanted to learn about in this instance was how big my digital footprint was, what there was out there and most importantly, how to cloak or remove those details that are out there. I’m working on that now.