Along with the rest of the population, the United States military has discovered that the Internet, especially social media, can be a double-edged sword. On one hand, social media serves as a quick and reliable communication tool and helps boost the morale of deployed troops. On the other hand, however, social media exposes the military to a number of serious security risks. Read on to learn more about the key issues surrounding social media, online privacy, and the US armed forces.
US military changes policy on social media use
The Department of Defense (DoD) has always worried about operations security (OPSEC), which is the process of protecting critical military information. Prior to the digital revolution, the Pentagon monitored all wartime letters to and from service members, reading each one and blacking out sensitive information. This was very intensive, time-consuming work, and it wasn’t always successful in preventing the spread of potentially damaging information.
The problem of controlling information has only grown more daunting with the rise of social media. To counteract the increased risk to information security, the military has taken a number of steps, including banning 13 social media sites from military computers and requiring soldiers to register their personal blogs and submit the content for approval.
In February 2010, the United States military released a new social media policy after researching the risks and benefits of allowing its members to make use of the emerging capabilities of the Internet. This policy unblocked the use of key websites such as Facebook, Twitter, Flickr, personal blogs, and YouTube, which the DoD had previously banned.
The new guidelines outlined responsible Web use for all members of military organizations, as well as for all users of Sensitive but Unclassified IP Data (formerly called NIPRNet). Although the policy allowed expansion of Internet usage, it also made provisions for privacy protection that gave commanders authority to defend against any activity that posed a threat to military operations, defense secrets, or DoD networks.
What are the risks of social media?
In the civilian world, when someone violates your electronic privacy, it can result in hassles such as identity theft. For service members, however, lapses in information security can also put lives at risk. This is worrisome because online scammers, as well as enemies of the United States, often target military personnel and their families.
In November 2014, an FBI bulletin warned soldiers that ISIS militants were directing their supporters to attack US military and their family members. According to one law enforcement officer involved, “The concern in the FBI and intelligence community is that ISIS members overseas are tracking personal information about ‘specific’ US soldiers—such as their addresses and even their relatives’ addresses—based on their social media posts.” One month earlier, ISIS sympathizers bombarded the Facebook pages of an Air Force member and his teenaged son with threats after identifying the father through pictures on a military website.
While not as immediately alarming as a terrorist threat, online scams aimed at service members have the potential to be just as deadly. Scammers often compromise the security of service members by using a fake online persona to “friend” or otherwise “connect” with them. Because these requests come through social media networks, the victim mistakenly believes that he or she has some kind of personal connection with the requestor. As a result, military personnel feel safe giving away personal information that can lead to financial loss or identity theft, or even worse, compromise a military mission.
In July 2010, several news outlets reported the case of Robin Sage, an attractive cyberthreat analyst at the Naval Network Warfare Command in Norfolk, Virginia. With accounts on Twitter, LinkedIn, and Facebook, Sage quickly developed a network of nearly 500 military personnel, defense contractors, and intelligence agency staffers.
Between December 2009 and January 2010, Sage gained access to information such as bank account numbers, email addresses, and private and classified documents. She even learned the location of several secret military units based on photo metadata found on pictures posted on soldiers’ Facebook accounts, as well as by analyzing connections between military personnel and organizations on social networking websites.
However, Robin Sage, it turned out, didn’t exist. She was the invention of cybersecurity specialist Tom Ryan, who was performing a 28-day social media experiment. Ryan presented his findings at the 2010 Black Hat Technical Security Conference in Las Vegas.
The Robin Sage experiment clearly illustrates how easily and inadvertently service members can compromise their Internet privacy without realizing they’re doing so. How, then, can service men and women protect their electronic privacy in order to avoid providing information that can jeopardize military security?
What steps should I take to protect my online privacy?
Beyond the obvious steps, such as using strong passwords and maintaining current antivirus software, there are several effective ways to protect your online privacy. Essentially, you need to verify who you are interacting with, limit what you share, configure your social media accounts to be as private as possible, and teach your loved ones about online privacy best practices for military families.
Verify the people in your network
Are you sure you know everyone in your network? Take a look at your friends and connections on your social networking accounts. If you find people you don’t know, then how can you know who will ultimately gain access to your private information, posts, and photographs? Remove any social networking ties to people you don’t recognize, and don’t accept a friend or connection request from someone without first verifying the person’s identity.
Control the information you provide
Although the DoD has security measures in place to protect classified information, given the vast numbers of service members, their families, and civilians who connect via social media, there is always the possibility that something important could slip through the cracks. Therefore, it’s essential that you carefully monitor what you post on social networks to ensure that you aren’t inadvertently giving away sensitive data.
In general, it’s best to avoid mentioning the following on social media:
- Base descriptions
- Future operations
- Operation results
- Areas (even off-base ones) where service members congregate
- Daily military activities and operations
- Technical information
- Details of weapon systems
- Equipment status
- Deployment dates or locations
- Home phone number or address
It’s also a good idea to ask your friends to avoid tagging you in their pictures. These tags not only make it easy to locate you, but they also help antagonists identify the friends, family members, and coworkers in your social network.
You should also be very careful about what pictures you decide to post. The places and objects visible in your photographs might reveal more information than you think. Over time, these pictures can help someone create a comprehensive profile of you. Remember, once you post something online, you can’t control who sees it, and there is little you can do to delete it.
It’s also smart to keep vacation schedules and daily routines to yourself. This way, you can thwart people looking to target you or your family members. Further, advertising the days that you will be away from your house or out of town will make you vulnerable to theft.
Turn off geotagging and location-based features
A key component of operations security is protecting information regarding troop movements. Therefore, you should never use location-based apps or services, like check-ins, when deployed or in a classified area. Similarly, you should do your best to avoid geotagging, which embeds information in a photograph that lets viewers know exactly where and when you took the picture. This information could make it easier for enemies to target military installations or personnel, as well as the homes of family members. In most smartphones, this feature is turned on by default, so you will need to turn it off. If you want to post photos that might contain sensitive material, then you should use a JPEG or PNG metadata stripper program to eliminate any metadata prior to uploading the photo.
There are several recent examples of antagonists using geolocation technology to attack troops. In 2007, Iraqi insurgents leveraged the data embedded in pictures that US service members posted on the Internet to determine the precise location of a fleet of new helicopters at an airbase in Iraq. The enemy was then able to conduct a mortar attack inside the compound that destroyed four AH-64 Apaches. Reversing this scenario, the US Air Force used an ISIS militant’s selfie to locate and bomb an ISIS command post in 2015.
Even noncombatants are taking advantage of this technology to pinpoint troop movements. In June 2015, reporters and researchers proved that Russian troops were located in eastern Ukraine—contrary to what the Kremlin asserted at the time—by combining the social media posts of Russian soldiers and geolocation analyses.
Wearable devices that connect to the Internet also pose operational security risks. An article in The Independent recently revealed the existence of a publicly available heat map showing the accumulated exercise patterns of people around the world wearing Fitbit-style devices. In contrast to the brightly lit pathways covering Europe and America, the highlighted pathways that appeared in otherwise dark war zones, like the Middle East, essentially outlined secret US military bases.
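The metadata-stripping step recommended above for JPEG photos, as an added example that is not part of the original article: a Python routine that walks a JPEG file's segments and drops the ones that carry Exif data (where GPS geotags are stored), IPTC data, and comments, leaving the image data untouched. The function names and the sample bytes are constructed for illustration.

```python
import struct

# Segment markers that carry metadata rather than image data.
DROP = {0xE1: "APP1 (Exif/XMP)", 0xED: "APP13 (IPTC)", 0xFE: "COM (comment)"}

def _segments(data):
    """Yield (marker, start, end) for each segment, ending with the scan data."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG: missing SOI marker")
    pos = 2
    while pos + 4 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected a marker at offset {pos}")
        marker = data[pos + 1]
        if marker == 0xFF:            # optional fill byte before a marker
            pos += 1
            continue
        if marker == 0xDA:            # SOS: compressed image data follows
            yield marker, pos, len(data)
            return
        (length,) = struct.unpack(">H", data[pos + 2:pos + 4])
        end = pos + 2 + length        # length field counts itself, not the marker
        if length < 2 or end > len(data):
            raise ValueError(f"truncated segment at offset {pos}")
        yield marker, pos, end
        pos = end
    raise ValueError("no scan data found")

def strip_metadata(data):
    """Return the JPEG bytes with every metadata segment in DROP removed."""
    out = bytearray(b"\xff\xd8")
    for marker, start, end in _segments(data):
        if marker not in DROP:
            out += data[start:end]
    return bytes(out)

def metadata_found(data):
    """List the metadata segments present, e.g. to check a file before upload."""
    return [DROP[m] for m, _, _ in _segments(data) if m in DROP]

def _seg(marker, payload):
    return b"\xff" + bytes([marker]) + struct.pack(">H", len(payload) + 2) + payload

# Constructed sample: a valid segment layout, not a viewable picture.
SAMPLE = (b"\xff\xd8" + _seg(0xE0, b"JFIF\x00" + bytes(9))
          + _seg(0xE1, b"Exif\x00\x00II*\x00" + b"constructed GPS IFD")
          + _seg(0xFE, b"constructed comment") + _seg(0xDB, bytes(65))
          + b"\xff\xda\x00\x08scan-bytes\xff\xd9")
```

Removing APP1 also discards the Exif orientation tag, so a photo may display rotated afterwards; anything visible in the picture itself is untouched by this step.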
Take advantage of social media privacy settings
It’s important to change the privacy settings in your social media accounts to “Friends Only” to limit who can see your posts, but don’t rely on this step to completely protect you. The best way to keep your personal information safe is to avoid posting it in the first place. Remember, even when you share a post with only a small circle of friends, your friends can then forward that post to a wider audience.
Adjusting your social media privacy settings is easy. Facebook, for example, offers a handy Privacy Checkup tool that quickly takes you through the main areas you’ll want to secure: your posts, your apps, and your profile. You can also manage the audiences for your posts by clicking on the Audience icon on each post.
To further protect your privacy, it’s a good idea to avoid using one social networking site to log into another site. Instead, you should always create a unique account on the new site.
Educate your friends and family
Friends and family members can inadvertently post classified or damaging information on the Internet. Therefore, you need to discuss with them the sensitive nature of some of the knowledge they receive, such as your location or movements. Ask friends and family members not to mention any such material on their social networking accounts.
For example, they should avoid posting detailed information like the following:
- My daughter is in ABC unit at XYZ camp in XXX city in Iraq.
- My brother is serving on ABC ship and is heading back to XYZ city or country in X days.
- My family lives in Sacramento, California.
Instead, they should use more general terms like these:
- My son is serving in Iraq.
- She will be coming back home soon.
- I’m from the West Coast.
What more can I do to reduce the risk of leaking secure information?
For more information about how to responsibly use social media, you should go to the DoD’s Social Media Hub, which provides education, training, guidelines, and policies designed to help reduce the number of unintentional leaks of secure information. The hub features six individual portals, one for each branch of the armed services.
If you need any assistance keeping your online information safe from prying eyes, you can contact ReputationDefender to learn about its ExecutivePrivacy product. This tool helps you reduce your online footprint by removing your personal data from sites across the Internet. The advanced version of the product also monitors your social media accounts and provides you with customized threat lists, thus giving you an edge in securing your information.