It was Safer Internet Day 2018, a day designed to “promote the safe, responsible and positive use of digital technology for children and young people”.
Like any technology, the internet and the software that runs on it has plenty of bugs, and there is much that could be fixed or improved in the service of keeping young people safe. But that’s only half the story. The internet and its social networks are driven and shaped by how we use them. Our children aren’t just inheriting some technology, they’re inheriting culture and behaviour too.
That’s why we have taken a look at both sides of the coin – as with a more collaborative approach between the technology and the users, we can create a safer internet for all.
3 things you can do for your social networks - Mark Stockley, Senior Security Advisor
1. Turn on 2FA
2FA (two-factor authentication) keeps your account safe and secure even if your password is guessed or stolen. In exchange for putting up with the minor inconvenience of entering a one-time code alongside your password when you log in, you’ll get an instant, permanent security upgrade that makes your valuable accounts much harder to hack.
At this point you might be thinking that this sounds a lot like something you can do for yourself rather than something you can do for the others on your social network.
It is, but losing control of your Facebook or Twitter account to some crooks doesn’t just affect you. You’ve lost an account but the friends and colleagues in your network have a fox in their hen house, disguised as you, with all the PII they need to pass themselves off as you.
The most popular social networks like Facebook, Twitter, Instagram and Snapchat have all done their part and made two-factor authentication available, but it’s up to us to actually use it.
2. Behave yourself
A wiser person than me once said “Before you complain about being stuck in traffic remember, you are the traffic”. And so it goes with social media: you are the social network and how you choose to behave matters.
It’s easy to come up with lists of things that social networks should do to make our lives easier by controlling and regulating other people’s behaviour (indeed Paul Ducklin’s got something to say on that). It is far harder, but perhaps even more important though, to look critically at ourselves and ask how we might control and regulate our own behaviour.
“Controlling and regulating” might sound onerous but it shouldn’t because it’s exactly what we do all day, every day, in the real world. Of course it’s easier in the real world where we’ve been swimming in a sea of almost constant non-verbal feedback for about 200,000 years. Online we’re all still figuring out the very basics of what used to be called netiquette.
Teachers will tell you: if you want to connect kids with the consequences of what they say online, just have them say it aloud. That seems like a good enough place to start so I suggest this: if you wouldn’t say something to a person’s face, don’t say it to their avatar.
3. Log out
Want to model some good behaviour for your kids, protect your account and put a stick in the spokes of your social network’s giant track-o-matic machine? Just log out.
I know, I know – if you log out then next time you want to use your favourite social media you’ll have to log in again. With two-factor authentication enabled that could take several seconds, time you could have better spent watching 1/8th of a cat video.
Logging in when you start and logging out when you’ve finished is a little inconvenient, it’s true, but it stops two kinds of attackers in their tracks. The first is the kind of person who pretends to be you by sitting at your desk when you’re not there, or by stealing your phone if you leave it somewhere. The second is a hacker using an attack called a Cross-Site Request Forgery (CSRF) to trick you into doing something bad, like giving them access to your account, without you realising.
Logging out also stops the social networks from tracking your movements around the web. The tracking beacons they use to do this, which are present on a huge number of websites, feed information about what you’re doing on the web into their giant data-collection apparatus, but only if you’re logged in.
Staying logged in after you’re finished with something is the same as writing your password on a post-it and sticking it to your screen when you go to make a coffee. You wouldn’t do that and you wouldn’t want your kids to either.
3 things your social networks can do for you - Paul Ducklin, Senior Technologist, Sophos
1. Turn on 2FA when you login
Mark’s article urges you to adopt two-factor authentication (2FA), also known as two-step verification.
When you login, you have to put in your usual password, which typically doesn’t change very often, plus an additional login code, which is different every time.
These one-time login codes are typically sent to you via SMS (text message) or voicemail, or calculated by a secure app that runs on your mobile phone.
It’s not a perfect solution, but it does make it much harder for a crook who has just bought stolen usernames and passwords on the Dark Web: your password alone isn’t enough to raid your account.
Most mainstream online services already have 2FA, but it’s typically not turned on by default, because a lot of us still don’t like it – logging in takes a little longer, it’s marginally more hassle, and there’s more to go wrong.
So we’re suggesting that social networks should up the ante and try using a stick and not a carrot:
We’re inviting all social networks to make 2FA an opt-out setting that will be just about as much hassle to turn off as it would be to start using it instead.
Anything to raise 2FA’s takeup higher than the 10 per cent recently reported by Google.
2. Behave yourself while you’re logged in
Even those of us with modest lives and mild pastimes have experienced disquieting behaviour online.
We often hear cries along the lines of, “They should do something about it,” based on an expectation that social networking sites can and should police their users, monitor their behaviour and corral it to conform to various norms.
However, we think it’s unreasonable to expect online services themselves to become so self-regulated that they end up as suppressed, uninventive, stuck-in-the-mud, uncritical, self-serving, anodyne communities of, well, of participants who are robotically in tune with the algorithms that direct them.
Nevertheless, we’ve probably all heard stories of, or even experienced, battles to get content taken down even though everyone would agree it violated the terms set by the site involved.
Sometimes, the explanation given is that the sheer scale of today’s online services – hundreds of millions or billions of users – makes reliably rapid response impossible for any incident that requires a truly human touch.
But we’re saying that this is a cop-out: the big social networks chose to expand to the scale they did, so they could equally well choose to scale up their community support infrastructure, too.
We think that reacting to realistic complaints rapidly is something users ought to be able to rely upon:
We’re inviting all social networks not only to set out their community guidelines very clearly but also to enforce them quickly and effectively.
You don’t need page after page of rules and regulations, but you do need to be speedily consistent about the rules you do have, so your users can avoid unpleasant surprises.
3. Log off when you’re done
Mark is urging us all to log off when we aren’t using services like Facebook, Twitter and others, so that we can’t like things by mistake, don’t leave our accounts open for misuse, and don’t end up with all aspects of our digital life “open for business” all the time.
One problem here, though, is that even if you decide you want to log out and back in regularly, it’s not always easy to do, especially via mobile apps.
For example, we can’t find an “automatically log out when closing the program” option in Facebook’s iOS app – we have to remember to pop up the hamburger menu every time, and then scroll all the way to the end of the list and tap on ‘Log Out’.
We understand the concept of frictionlessness – where interacting with a vendor or service is engineered to require a convenient minimum of clicks – but it should be equally convenient to introduce “account friction” whenever we want:
We’re inviting all social networks to make it really easy to set up your account to log off automatically when it’s not being used.
We’re also suggesting that all those “stay logged in” and “remember me” options should be opt-in (i.e. off by default), rather than turned back on automatically every time you log back in.
Collaboration is key
If we forward inappropriate or risky links; if we display, or even tolerate, unacceptable behaviour ourselves; if we do things that put other people’s computers at risk because we don’t care about our own. All of this amounts to a sort of “race to the bottom” that ends up in an internet where creeps and crooks can thrive, and the rest of us are left to watch our backs all the time.
In this article we’ve suggested you consider adopting behaviours to make things better for your own social networks, but we’ve also invited social networking sites to do their bit too. In order to work, we need both parties to work collaboratively to create a safer internet now and in the future.
Mark Stockley, Senior Security Advisor, Sophos
Paul Ducklin, Senior Technologist, Sophos
Image Credit: Andrea Danti / Shutterstock