The Double Standard of Surveillance
There is an irony deeply embedded in today’s social media culture: the issue of privacy. Many sites require your legal name, physical address and/or payment information to make an account, and then do very little to keep that information secure from possible exploitation. The entire fight surrounding things like age verification comes down to this issue at its heart. It’s a form of control, a legal loophole for surveillance couched in terms that masquerade as a desire to protect users, usually younger ones, while keeping a file on what everyone does and enabling the censorship of ‘adult material’ by whatever metric those who hold the power deem that to mean.
Regardless of the actual intent, by requiring a legal ID to verify oneself, the door is left wide open to have that data harvested by outside actors. The mountain of personal data now available online has created a whole ecosystem of vulnerability. Even things as simple as location can be exploited for monetary gain, like targeted advertising and spear-phishing campaigns (phishing aimed at specific individuals or demographics). How many stories are there about smart devices ‘overhearing’ conversations and then offering purchasing options related to those conversations? How much social engineering exists with the express purpose of compromising trust and security? No matter how you slice it, surveillance sells. The irony lies in how much noise gets made when someone else does it instead of the ‘trusted’ source.
Six years ago, Meta filed a legal complaint against NSO Group, known for selling surveillance for hire, after a campaign of video calls released malware onto the devices of WhatsApp users, whether they answered the calls or not. According to Meta’s own report, the attack was built to bypass end-to-end encryption by accessing messages after decryption on the compromised devices. The complaint alleged that NSO violated WhatsApp’s Terms of Service, as well as US laws. Meta sought an injunction to prevent NSO from targeting their product ever again.
Fast forwarding to last year, Meta announced that a jury had found in its favor, ordering NSO to pay damages incurred by the attack. The trial that rose from that initial complaint exposed how NSO’s Pegasus system works: covertly compromising people’s phones with spyware capable of harvesting information from any app installed on the device. The company testified that it does indeed spend tens of millions of dollars annually to develop malware installation methods, including through instant messaging, browsers, and operating systems. That spyware is capable of compromising iOS or Android devices to this day. And WhatsApp is not the only target. The verdict set a precedent for fighting back against spyware and securing the privacy rights of users. In an update posted yesterday, Meta asked the court to hold NSO in contempt of this injunction, as Meta has disrupted another campaign attempt.
Having the legal recourse is nice and all, but it wouldn’t be necessary if so much of our Personally Identifiable Information (PII) were not required to exist online in the first place. Meta talks about holding their users’ privacy to a high standard, but actually respecting it would involve not asking for the data to begin with. They, and other social media sites like them, in essence created this problem. But I suppose that’s milk already spilled, isn’t it? It is increasingly impossible to be anonymous online, which is itself a double-edged sword. We are less able to keep our privacy, but so are threat actors.
I don’t use social media all that much (my cross-posting for this blog notwithstanding). The idea of letting strangers on the internet know who and where I am is just not something I’m interested in. Even my LinkedIn is as private as I can make it, with my icon being a caricature and the name I use on it not being my legal one. I can remember a time when Facebook allowed users to have pseudonyms, often for identity protection. To this day I have the barest minimum of PII attached to my account. The email it’s linked to is one that carries no PII as well. I’ve never used WhatsApp; I don’t have Messenger linked to my phone number. I’ve never turned on the location of my computer, or enabled any of the tools that run in the background collecting all my actions, like Copilot. I use Firefox, set to delete all history upon closing, keeping no login information, passwords or even site visits. I maintain MFA on all my financial accounts, despite how inconvenient it can be.
It’s not about hiding who I am for any nefarious reasons. It’s very simply that threat actors cannot exploit what they don’t have. And neither can anyone else.
Posted 6/9/26