Security stories: surveillance databases, unlocking apps, unexpected photo booths, and evolving data

In a special holiday episode, Liz and Geoffrey take a look at some recent security stories in more detail, from surveillance databases facilitating identity theft to unexpected facial recognition at concerts to changes in the meaning of social network activity. They also discuss how to properly secure high-value apps on your phone and some of their own plans to improve their security over winter break.

Timeline

  • 1:09 - Identity thieves using TransUnion database
  • 3:11 - Biometric authentication to phone apps
  • 13:16 - Secret surveillance at concerts
  • 22:01 - Twitter likes and changing data

Show notes & further reading

Identity theft using surveillance databases

Forbes has the story of the FreeBandz Gang and their identity theft scheme, including how they were caught in the end by the government getting video from their own Google Nest cameras.

ZDNet reports on a French intelligence officer arrested for selling confidential data on the dark web.

Phone authentication and fingerprint risks

In 2014, cryptography professor Matthew Green spoke to CNN about how he woke up to find his 7-year-old son unlocking his phone with his thumb one morning, defeating a security mechanism that has foiled even the FBI. It's a very good example of differing threat models: the right way to protect yourself from government or corporate surveillance (and especially illegitimate users of them, as mentioned above!) is likely very different from the right way to protect yourself from other people who live in your home.

If you're using fingerprint or facial recognition to unlock your phone, be aware that they're not the strongest methods - in our last security stories episode, we talked about techniques for cloning a fingerprint, and Forbes had a recent article about using a 3D-printed head to fool some facial recognition mechanisms on Android (although not Face ID on iOS). Depending on what kind of risks you anticipate, you might want to avoid using them for unlocking your phone and only use them to unlock apps, or even avoid them entirely.

Both Android and iOS have mechanisms for allowing certain features or "widgets" to be available from the lock screen, without authentication. You might find that these mechanisms make it easier for you to set a stronger authentication mechanism for the rest of your device.

Facial recognition at concerts

Rolling Stone reports on the surveillance kiosk at Taylor Swift's recent Pasadena concert, as well as Ticketmaster's recent investment in Blink Identity, a startup that wants to use facial recognition to identify ticketholders at concerts at high speed. The Verge also looks at the legal aspects of surveilling attendees at a concert.

The Outline discusses in detail the finding that Juggalo face paint defeats common facial recognition technology, and why it works. Other work along these lines includes CV Dazzle, which targets the popular and open-source OpenCV library's face detection algorithm. In 2014, a reporter for The Atlantic described walking around Washington, DC using this style of face paint.

The South China Morning Post reports that Hong Kong pop star Jacky Cheung has actually become quite famous for the number of arrests made at his concerts, mostly as a result of his immense popularity. As The Verge reports, the man arrested in April traveled 56 miles to the concert, and never would have gone if he thought he would be recognized. Another one in May, also identified via facial recognition, was arrested for allegedly stealing $17,000 worth of potatoes.

Security firm RiskIQ investigated the Ticketmaster breach from earlier this year, and found that it was part of a larger campaign by a group called "Magecart" to steal credit card numbers and other data. WIRED UK calls Ticketmaster's breach, in particular, a "perfect storm of bad IT and bad comms" - a result of a poor decision to embed a third-party customer service chat widget, Inbenta, on a payment page, and also a lack of response when bank startup Monzo alerted them that a disproportionate number of their customers who used Ticketmaster had suffered credit breaches.

Hearts, stars, and data, bookmarks and old likes

In November 2015, Twitter changed "favorites", with a yellow star, to "likes", with a red heart, saying that favorites were "confusing, especially to newcomers". A week later they reported that hearts were six percent more popular. The Atlantic has a deep investigation of the change, including the observation that journalists used favorites as a bookmarking feature, and the semantics of saying that they now "like" tweets by the subjects of their reporting may be wildly wrong. Earlier this year Twitter introduced a Bookmarks feature, which in the words of Mashable, "takes the ambiguity out of likes" - and is also private. Late this summer Twitter experimented with showing the tweets you liked to your followers, which was widely disliked and cancelled - but we're sure this will not be the last time Twitter changes the meaning of your data.

Tech consultant Melissa McEwan has a long post on how to delete all your Twitter likes using a Python program she wrote, your data download, and unfortunately a lot of unexpected push notifications to people whose tweets you've liked. Beyond the last three thousand or so likes, the fact that you've liked a tweet is stored in some type of archival storage, so you need to re-like a tweet before you can un-like it.

Transcript

Liz Denys (LD): Today's episode of Loose Leaf Security isn't focused on one single topic - instead, we're going to talk about some juicy security news that wasn't quite practical enough to make it into any of the security news segments.

Geoffrey Thomas (GT): Yeah, Liz and I often find news stories that are pretty interesting, and Liz will be like, "Hey, Geoffrey, did you see this thing happen?" And I've said, "Yeah, I don't really know what to talk about it because there isn't anything really practical." But I think all of our stories today have sort of broader concepts about, how is my data being used? What should I do to protect myself? And where are we going as a society with this whole security thing?

LD: Also, Geoffrey and I will talk about some of our personal security decisions, and there are a bunch of practical takeaways.

Intro music plays.

LD: Hello and welcome to Loose Leaf Security! I'm Liz Denys,

GT: and I'm Geoffrey Thomas, and we're your hosts.

LD: Loose Leaf Security is a show about making good computer security practice for everyone. We believe you don't need to be a software engineer or security professional to understand how to keep your devices and data safe.

GT: In every episode, we tackle a typical security concern or walk you through a recent incident.

Intro music fades out.

LD: In October, a group of amateur rappers in Charlotte, North Carolina bought iPhones and luxury cars using stolen credit cards, which doesn't sound like much of a security story until you hear how they pulled off the identity theft.

GT: They somehow had access to TLO, the private surveillance database of US credit reporting agency TransUnion, with social security numbers, employment history, and address records of approximately everyone in the US.

LD: TransUnion sells access to this database to the federal government, local police, debt collectors, private investigators, and apparently a few people who shared access with these rappers.

GT: Court documents say they had a friend with a part-time job at a debt collection agency, who sold them data on promising victims for $100. TransUnion says four legitimate accounts abused their access to TLO.

LD: The US Postal Service investigator on the case had used TLO himself, and he said that it offered, quote, "unlimited access and resources to commit identity theft and fraud."

GT: In another case in France, also from October, a police officer with the French intelligence services was arrested for selling confidential data on the dark web.

LD: In addition to secret documents, he also offered his services tracking mobile phone numbers, and investigators believe that he was doing this by using a police tool. He would also look up what information the police had on you.

GT: I think the takeaway from both of these stories is that even legitimate surveillance databases are being abused, and there's so much risk with digital information that it will end up in the wrong hands. It only takes one bad person with access to copy data, and copying large amounts of data is easy to do and not always easy to notice.

LD: There's not much you can do directly about the risks of either of these stories, but if you're concerned about them, a good step would be to talk to your elected officials about the risks of these kinds of tools. Regardless of your views on government surveillance in general - after all, they caught the rappers by getting a warrant for video from their Google Nest cameras - it's a general truth in security that it's safer to have systems that don't give out more access than necessary, because things do go wrong.

Interlude music plays.

LD: Last episode, we talked about an iOS app that scams users into holding the home button to activate Touch ID to make a large in-app purchase, and one of the things we made sure to touch on was where Touch ID was a sensible thing for an app to be asking you to use versus when it was just kind of something sketchy, like why should you be holding down the home button here? There's no reason for the app to have your fingerprint.

GT: Right, and Liz and I got to talking after that, and we were thinking a bit that when you originally set up your phone to use Touch ID or Face ID or whatever kind of biometric authentication, you typically do that a long time before you start getting these apps that say, "Hey, I can unlock this app using Touch ID or your fingerprint scan on Android or whatever." And you might not think through, actually the same mechanism as I use to unlock my phone, is this providing the security level that I want?

LD: You know, in general, we've been recommending that at the level of unlocking your phone, you shouldn't be using these biometric options because it's possible for someone to copy your fingerprint or if you take a nap, you know, someone could use your fingerprint or even a kid might unlock your phone - like that's actually a thing some security CTOs or CSOs have been talking about. One of the reasons we think it's really important for your lock screen to have a strong form of authentication to unlock it is because a lot of apps don't give you that option. Like, most email clients are just going to be completely there and ready to use, and there's no second layer of I need to re-log into my email every time, because they want it to be convenient for you.

GT: Right, I think the apps I have on my phone where it does say "Would you like to do additional authentication" is Signal, which is a messaging app we've talked about in past episodes which is pretty secure and pretty good; my password manager; and my bank and credit card apps. And out of those I care pretty strongly about Signal; I care pretty strongly about my password manager. I actually don't care quite as strongly about my credit card, because there aren't many things you can do, at least through the app, that aren't reversible. If someone tries to read my account statement, I don't really care, and it's very hard for them to spend money in a way I'm not going to notice, in a way I can't call my bank and say, hey, something happened, can you reverse this charge or can we cancel this charge. And I do care very strongly about my email client, like Liz was saying, and my web browser where I'm just logged into a bunch of stuff. And those don't have any option for saying, you need additional security before you log in here.

LD: So maybe you're someone unlike Geoff who thinks that I do want my bank to have additional security. And maybe you think it would be annoying to have to go into your password manager and get your password out of it, so you're just like, Touch ID, that's a good other measure. It's convenient, and I think it will provide more security. That's not actually true in all cases: a lot of the time, if you don't authenticate successfully with the fingerprint, it'll fall back onto your device's passcode. So you should make sure you know what happens if you don't get the fingerprint right. Like just touch the button with like a glove on or something so it thinks you're trying to do Touch ID or fingerprint authentication, and you don't successfully authenticate it, and see what it backs up on. If you have to enter your bank's password, that's great, because that is a separate thing from your phone's passcode. But it's possible that it will just default back to your phone's passcode, in which case an attacker who gets your phone's passcode could unlock your phone, go to the app, fail at the Touch ID or fingerprint authentication, and then re-type in that same passcode, and you're not actually getting that additional security you thought you were.

GT: So the other way you could do this, and Liz, I guess you do this, is you don't actually enable Touch ID in your bank apps, you just say, I want to use my password manager. I guess you type in your password manager's master password?

LD: Right. I do prefer to either go into my password manager myself and pull out the password if I want to put it somewhere, or, you know, now that iOS has password manager integration, I'll just click on the password field and then it'll prompt me for my master password and I'll type that in and I'll then get my password that way. So I actually don't use Touch ID for my password manager at all. So part of it is that I'm just paranoid about it and it's not too frequent an action for me. But part of it is also just, it wouldn't really matter for me because I turn my phone off very often because I'm at a play or a music concert or something, and I'm really afraid of being that person that ruins the show with my cool ringtone. But it is kind of annoying to type in my long passcode to unlock my passwords.

GT: Right, as we discussed in our episode on password managers, all your data and all your passwords are secured by a key that's derived from your master password or secured by your master password, and so without your master password, there is no way that this app - if it's designed correctly, at least - should be able to get into any of your passwords. And so if you restart the phone entirely, it doesn't have that memory anymore of the unlocked credentials needed to decrypt any of your passwords. And so it actually does need you to type in your master password. So, if you're a person who shuts off your phone regularly, or maybe you're just like me and you let your phone run out of battery very quickly, it's going to end up prompting you for your password anyway.

LD: This isn't necessarily the default behavior. Password manager apps might also prompt you, when you set it up, to have it be that you can use Touch ID to unlock it once it's already unlocked, in which case you should look very carefully at the settings of how long the password manager will have to go before re-prompting you to actually put in your master password instead of using Touch ID to unlock it. And you should also just consider whether or not you think this is a good tradeoff for you. You know, like I said, it's possible you're not really logging into things too frequently, in which case, you might not want to ever let it use Touch ID just to be paranoid, because, you know, if you're doing it once a week, it might not be too annoying.

GT: Yeah. I find myself using my password manager app often enough, and I'm not entirely sure why, where it is annoying to type my master password. And I think part of it is that I have a very long master password that is perfectly fine for me to type in on desktop when I'm using the extension in my browser, but more annoying to type in on my phone. And so I've decided the tradeoff for me is that I'm okay with having it stay unlocked and only use my Touch ID. But again, that's okay because my phone itself is protected with a passcode. I don't allow fingerprint logins to my phone. So, if you have access to my fingerprint, then you can't actually get to my password manager: you can't do anything if my phone is locked. So, I'm comfortable with that. Usually it's just me holding it in my hand, and I'm happy to have a little more security than nothing, but I don't need it to be very strong.

LD: Yeah. In this case, what essentially happens is that once you've unlocked your password manager with your master password, any time after that within the amount of time you're allowed to unlock it with Touch ID, the only two things protecting it are your phone's passcode and then, you know, the Touch ID on top of that. So you really want to make sure that that initial passcode to unlock your phone is very strong. And when Geoffrey says that his master password is really annoying to type in, a good solution to this is not to weaken your master password. You want that to be strong, you want someone who is going to be able to, you know, maybe access it from your computer to still have to face a strong password, and, you know, when I say, like, I'm okay entering my master password, it's not because I have an easier master password, it's just because I'm happy to make a couple mistakes or have to slow my typing down because it's just such an infrequent operation for me.

GT: Right. I would love some situation where I had a different password on my phone that was easier to type but still pretty strong, but I guess due to the way that it secures the password that's not an option, and it's just, do you want to use the device to unlock it - I guess it's probably going through hardware security on the device - versus do you want to just use your master password to unlock it, and those are my two options, and I've decided this is fine. I do also pay attention to timing out and making sure that it times out at least at some point and so it doesn't stay unlocked forever.

LD: So one last thing that I want to touch on briefly in here is that, you know, we've been talking about this as though the two options are using a fingerprint-based authentication method like Touch ID, or using a passcode or a password, and there are, again, a few other options for how to unlock your phones depending on what kind of phone you have. One other common one on Android is to use a pattern to unlock it. And you should sort of think of your pattern unlock method as even weaker than Touch ID, because the pattern is something that, if someone has your phone, they can see where your finger has been tracing on the screen because your finger leaves oils behind. They're going to be able to break past that with a little more ease, even, than cloning your fingerprint, or, you know, finding you when you're asleep and having you unlock it yourself.

GT: Another thing you can think about is, what sort of actions do I want to enable while my phone is locked? And Android and iOS both let you customize this and say, I want to reply to text messages without having to unlock my phone, or maybe you don't, or I'd like to be able to use Android or Apple Pay without unlocking my phone but just by using my fingerprint. So that's one option I have is, with my fingerprint but not with my passcode, I can use my credit cards on my phones and do tap-to-pay. And again I'm comfortable with that because credit card transactions are reversible. If something goes horribly wrong - I'll probably cancel my credit cards if my phone gets stolen, but - I will certainly be able to reverse them. And so there's two directions I'd suggest thinking about here. One is, do you actually want to enable these things, or are there some things like replying to messages that you want to protect against if someone gets to your phone. And the other side is, if you're comfortable with a couple of things, you can actually set a stronger password for unlocking your phone, if you're comfortable with seeing some things on your lock screen. Like, I have a weather app where it just shows up on my lock screen, and so I don't need to unlock my phone, and so that makes me a lot happier having a stronger passcode.

LD: And kind of to circle back to the beginning of this, you know, we mentioned that you probably were making a lot of these security decisions at separate times. Like you probably set up your phone and figured out how you wanted to unlock it then, and you probably didn't think about the app until you were like, I need this app. So one thing you also can do is just take a little time and look at all the things on your phone and just go through and open each app. Between each app, lock your phone, unlock your phone, and just think, start to finish, what do I need to do to get into this app? And if you're comfortable with what you need to do and you feel like it's a good level of security for you, great! And if not, take some action based on that. It's a little bit of housekeeping that's kind of annoying but could make the difference if your phone gets stolen.

GT: You know, I'm actually going to go, right after we finish recording this, make my passcode stronger because I made it weaker a while back because I was biking frequently, and I don't recommend this either from a digital security or a personal physical security standpoint, but I will sometimes open Google Maps on my phone, and I got annoyed at having to type a very long passcode while I was stopped at a red light and trying to figure out what turn I want to take, and I figured, it's probably safer for me physically if I have a shorter passcode. But it's the winter now, I'm not biking very much, it is perfectly safe for me to go make a longer passcode, so I'm going to go do that.

LD: Sounds great!

Interlude music plays.

GT: So Taylor Swift isn't just headlining concerts these days, but also making headlines in security news. During a recent concert in Pasadena, kiosks that were showing a glimpse into her tour rehearsals were also secretly taking photos of whoever was looking at them, and sending them off to a, quote, "command post" in Nashville where they were checked against photos of her known stalkers to make sure they weren't attending the concert.

LD: From a legal perspective, The Verge reports that Swift is in the clear - the concert is a private event, which means the organizers can subject attendees to surveillance.

GT: I mean, I'm sure that's on the fine print somewhere when you check the ticket, but you expect - it feels like a public venue and people aren't actually taking photos of you, especially with thousands and tens of thousands of people showing up to concerts.

LD: Yeah, there's definitely like a perceived anonymity and I don't think many people are reading the fine print here. But I kind of wish there was a lot more detail into like what's going on with these photos once they're taken. I personally can't really relate to having the risk of many known stalkers possibly trying to attend my events or something like that, but I understand why it's useful to know if her stalkers are at these events. At the same time, we also have no idea what's happening with these photos. You know, once they're sent off to Nashville where, I guess, they're being checked by a team of people, are they being stored? You know, are they being deleted? Like, how were they sent there in the first place - was it secure? Was it just some open connection?

GT: Yeah, there was a case in China recently, actually, where there was someone who was at a pretty large concert with tens of thousands of people, and they did face recognition and arrested him because he was wanted for some financial crime or something. So, there is apparently the technology out there to identify people who are coming up in mass at large events and track down where they are.

LD: But it's a little bit disingenuous to have a kiosk that's like a glimpse into a little bit more of how this tour was structured - I guess I wouldn't expect that that is taking my photo. I feel like I would almost be more comfortable if just up front they were like, "Everyone who comes into this concert, we're going to take a picture of you and send it off," and detail how they're going to use that data. But kind of tricking people into getting a bit more behind the scenes in order to get their photos feels kind of weird to me!

GT: Right. I don't want to take this too much of a tangent, but if you think about airport scanners, part of the reason I always opt out of the millimeter-wave scanners is, I just don't know what's going to happen to those images. If they say they're going to get deleted, who knows if that actually happens. But, at the same time, you're walking into this machine, it's scanning you, you know you're at an airport, you know this is happening - it feels more comfortable, honestly, to me, than showing up to a concert and there is this, basically, camouflaged device that is tricking you into standing in front of it for long enough that it can take your picture.

LD: Yeah. There is definitely something about covert surveillance that just makes me feel a little more uneasy. You know, whether or not I have something to hide, I am really sensitive about controlling my data and making sure that especially things about location, like I was at this place at this time, is something that I control. You know, I've talked about this on the pod before, and so maybe if I go to a Taylor Swift concert in the future, I might think twice about whether I should take my sunglasses off or have some sort of large winter scarf that kind of obscures part of my features.

GT: Right, so, speaking of covering your face with sunglasses or a scarf, so it's harder for people to recognize you or harder for algorithms to recognize you -

LD: Which, by the way, isn't totally foolproof, there's a lot of different ways they do facial recognition -

GT: Right. So, humans tend to recognize based on different characteristics from how facial recognition software works, which looks at sort of the dimensions of the distance between your nose and your mouth, or the sides of your mouth, or things that, I guess, humans pick up on a little less but are also very immutable. But it turns out that someone found that one of the popular facial recognition algorithms gets very confused by the sort of face paint makeup worn by fans of the group Insane Clown Posse. The fans call themselves "Juggalos" and they paint their faces in this white and black, sort of solid white and solid black patterns that don't line up well with where contours on your face are. And so it's very hard for an algorithm to pick out, okay, so this is kind of the fold that leads from your nose to your mouth, and I can make sense of this, and that's a face. And whereas humans with, you know, the way we see things will recognize it as a face, and we might even recognize it as the same person, it turns out that algorithms are very confused by that. So that's one effective, if kind of weird, way to hide from this algorithmic software, is you put on face paint. There's actually a couple of projects along these lines where they say, if you put up makeup that breaks up your face in certain ways, algorithms aren't going to be able to detect that. It's kind of cool!

LD: We'll link to some of those in our show notes, but that's only going to work as long as they allow that. It's very likely that if this is a technology that keeps coming up and artists keep wanting to use at their concerts, they might ban heavy face paint as one of the things that you can't wear into a concert. The Verge article actually also talked about something else that seemed even scarier to me. It wasn't anything Taylor did, but apparently Ticketmaster, at least at some point, had suggested that they might want to do tickets just through recognizing your face. You know, instead of bringing in a physical ticket or something on your phone that's a barcode that they scan, you might just walk up, the kiosk will look at your face and be like, you know, "You're Liz, you purchased a ticket to this, come on in!" And that's really scary to me.

GT: Yeah, there's so many problems I have with that, and I mean, of course the sort of privacy implications here of you've got to give like - how, how is this supposed to work? Like when you buy the ticket online you turn on your webcam? Like what -

LD: I mean, whatever it is, though, Ticketmaster is definitely storing this for long-term storage if they're going to be using it, you know, to actually match against your face at the place.

GT: Right! What do you think the chances are that they won't hold onto that for advertising, and they'll set up more kiosks, and they'll be like, oh, this person really likes buying concessions from here, or oh, I saw this person walk in with this brand of, you know, clothing or jewelry or backpack or whatever, and they're just going to use this for ad targeting.

LD: I mean, also hasn't Ticketmaster gotten breached kind of recently?

GT: Yeah...

LD: Ticketing companies are often the subject of breaches because they have information about your preferences as well as lots of credit card stuff on hand, and your address, and it's not just going to be something the company holds, like whatever venue, they're going to have this information in some way, or there's at least going to be people who are representing the ticketing company with the device that has this information, or will scan it and send it to the place that has this information. Like, there's just so many possible holes.

GT: Right. We've talked about, a few times on this show, how sometimes the right tradeoff is to say, it's better for a major tech company to hold onto your account security because they can defeat attacks, they're better at securing systems, and like, for all that, you know, Facebook is definitely trying to mine and advertise with your data, Facebook has a pretty good and pretty competent security team to hold their data the way that - I mean, within the confines of what they want to do with it. But Ticketmaster, or your local concert venue, is definitely not going to have the same sort of security team. And they're just going to like have the data somewhere, it's going to be handed out to some contractor, and no one's going to keep good track of it.

LD: Yeah. Hopefully we don't actually get to that world.

GT: I mean, the other concern I have here is, what happens if your face just doesn't scan? Because, like, even if you're using Face ID on an iPhone, it does give you the option of saying, your face is not scanning today because, I don't know, your nose is very swollen, or -

LD: Yeah, or maybe you've just put on different makeup, maybe you took your picture without any makeup on and, you know, you've put on some kind of kind of heavy contouring or you tanned a lot -

GT: - and I'm sure that Ticketmaster's motivation here is that they want to cut down on people reselling tickets or duplicating tickets or whatever it is, and they're not going to say, okay, you can opt out of the face scan and you just enter, you know, some code or show us your barcode. It's going to be mandatory, is the way I feel they're going to do this, and that doesn't make me comfortable.

LD: Yeah, well, hopefully we won't get to that world. Hopefully people will see the downsides of this, and even the best facial recognition technology doesn't always work. So, it's possible that just from that perspective it's never going to catch on.

GT: And I think that, maybe this is idealistic of me, but people pushing back against this is going to have a meaningful effect. I think that there was a lot of public outcry when the airports started introducing these scanners, and the fact that there is an opt-out option is basically just due to, they keep metrics of how many people opt out, and they can say people actually care about this or they don't, and if people continue to care about buying tickets and they say, "I would prefer not to use facial recognition to get into this concert," they're going to say customers don't actually want this. Maybe that's idealistic of me but I think it's going to have some impact.

LD: But I think also if you go to the airport in the US, you have to do something with the TSA. There's not really a way around this. But there are many different places that a venue could choose to partner with to handle ticketing. So if Ticketmaster is doing this and people aren't interested in providing their face so they can have their face-ticket work, you know, they might just go to one of their competitors who is more interested in pushing kind of the normal traditional tickets with like a barcode to scan.

GT: Right! Talk to your favorite band and say, hey, please stop selling tickets using this service because we don't feel comfortable with it. I think a lot of bands are going to be sympathetic to that and say, this is not what our fans want. So there's some opportunities there.

Interlude music plays.

LD: Our last story today isn't directly about security, but more about data and how it can change over time. So, many years ago, Twitter just allowed you to tweet, or to retweet, or to reply to people. And then they introduced this idea of a "favorite". You could interact with it by clicking a little star button.

GT: And a few years ago, Twitter decided - I guess this was easier for new users or whatever their rationale was - they wanted to change that favorite button to a like button, and they changed that little yellow star to a red heart.

LD: Yeah, and this was kind of weird because the things I've been favoriting from my friends aren't necessarily things that I would say I like. Like I know that sometimes people would be talking very openly and being really vulnerable about how they were feeling sick, or how they were tired, or how they were just having a very bad day, and it's one thing to kind of say, "Here's a favorite, I'm going to star this, I think this is a cool thing to be talking about," and another thing to say, "I like this content." I don't like it when my friends have terrible days! I want them to always be in a good place! So suddenly this whole thing where I was just showing them support felt like I was giving them a very different reaction and maybe wasn't feeling as supportive any more.

GT: Facebook actually went through this, where Facebook's original option was just likes, and you would say, hey, you know, my family member got sick, and it would say "A hundred people liked this" and no, I don't think a hundred people actually liked this. And eventually Facebook decided to have multiple reactions, and Twitter just stuck with redefining the original favorite, the star, this like "I see you and I support this post in some context-dependent way" is going to be "I like this!"

LD: And then after this switch to likes, Twitter also decided that if enough people liked it, maybe it would show up in the feed, kind of like a non-deterministic, slower sort of retweet situation, which is a completely different thing! Sometimes there are things that I would like that I don't necessarily think my followers would want to see, so what do I do? Should I stop liking it?

GT: You chose - you just like genuinely chose not to retweet them, you were like, "This makes sense for me to hit fave on, but this does not make sense for me to hit retweet on," and it's weird for Twitter to just switch that over. It's not that the data wasn't public - you could go to someone's profile and go see all of their likes - but it wouldn't be there in your face, and a lot of people just felt uncomfortable with this change in intention, when they knew that whenever they would like a tweet, there was a pretty high chance that their followers would just see that when they were scrolling through their Twitter history in addition to their retweets.

LD: And one of the things that I find really hard on social media in general, Twitter included, is if I find a post that I want to find later, it's really hard to do this. Like I could put it in my web browser's bookmarks, but that's not the most searchable thing, because my web browser is only going to know whatever I named the bookmark and the URL of it. So a lot of people had been using likes as bookmarks because it was an easy thing to search. And this also was kind of odd because someone favorited something, kind of starring it: that's something that people will commonly interpret as "I want to see this later." But now suddenly journalists were getting problems with some of their likes being interpreted as endorsements.

GT: Right. And you have this standard Twitter thing of putting in your profile, "Retweets are not endorsements," it's, I would like my followers to see this but I don't necessarily agree with this, and it's even worse for journalists when they're reporting on someone which they may absolutely not be on their side politically, or not want to represent whether they're on their side, they're just reporting the story neutrally, and some politician in their town posts something and the journalist goes and their favorite has now turned into a like, a statement of support, and then their like now gets shown to their followers, and their followers are like, "What are you thinking, why are you liking this?" And the journalist is just like, "I don't actually like this, I just wanted to make a note for myself so I could report on this later and put some context and put some criticism in, and I'm not liking this and I hate that Twitter is doing this to me."

LD: Yeah, and actually this isn't even the start of my beef with Twitter likes. The thing I hate most about Twitter likes is that you can't reliably delete them. I haven't been trying too hard to do this, but I've put a little thought into deleting likes, and I haven't actually liked any new tweets for about a month, because one of the things that happens is, the last three thousand or so likes, you can just go to your likes page and you can see them and they'll still have the heart filled in and you can just click that heart, it'll un-fill in, it'll go out of your likes. But past that you're not going to deterministically see all of the tweets you've liked. And in order to actually un-like those tweets, you have to re-like them first, and then un-like them. Which is really annoying, because it notifies people!

GT: It goes and sends - right, it goes and sends a notification, I've gotten these notifications where someone's just like - "So-and-so liked this tweet from three years ago," and I'm like, what are they doing on my... oh, they previously liked this tweet three years ago when it was current, and Twitter takes older likes and they move them to some sort of more permanent storage where you can't just get rid of them, you have to re-mark them as liked. It's kind of like on a dry-erase board if something dries, you take the marker and you write over it and only then you can erase it. It's the same sort of thing and you're like, "Why are they notifying me of this," and it's still a push notification even if they go and un-like it immediately afterwards once it's fresh.

LD: Yeah, and I stopped unliking tweets I've liked before when I hit this, because I don't remember who I've all liked tweets from. I don't know if I want to remind people that like my Twitter account exists!

GT: They're people you've just fallen out of touch with and it would be real weird for you to go and -

LD: Right!

GT: - start faving things from them again and pushing notifications, and then they start saying, "Hey! How are you, haven't talked to you in a while, I'm glad you liked my tweet," and you're just like, "What."

LD: So there are some other eccentricities I've noticed about this. So, the way that Twitter's supposed to give you a download of all your data - and they'll do this, I think, you know, I'm not a lawyer who's really up on the GDPR exactly -

GT: Certainly not a European lawyer...

LD: Right, not a European lawyer at all - and one of the things that they'll do is that you will get a set of all of the things that you've liked. And these are reported as just like the URLs of the tweet. There's no content of them, and so if you want to then click on them and un-like them, you can do this programmatically, but, you know, you're going to send a lot of notifications to people. Now, because you have to re-like them before you can un-like them, if there's any protected account that you're no longer following, you're not going to be able to do that because you won't be able to access that tweet in the first place. So that tweet is just forever part of your likes. But then, also, another weird thing I noticed - and this is even before you get to those kind of older likes - is that any account you have muted doesn't actually show up to you in your likes page when you're logged in. So, I went through and I deleted all of the likes that I could see without having to re-like them, and then I was like, "Oh, I wonder what happens with muted accounts. I feel like I haven't seen any from this person," and then realized that I didn't un-like these tweets - they were still there. And, you know, there's a lot of reasons that I mute people, which aren't necessarily that I don't want to see what they're saying. Some people just use Twitter a lot more than other people, and it will clog up my feed, so I'll go to their profile intentionally on my own.

GT: Oh yeah, one side thing that I just think is weird about the way that Twitter handled the likes-sometimes-show-up-in-your-feed is that I don't even reliably see all of the tweets from people I follow, and I think the answer to that is just, I follow enough people who tweet enough stuff that it just drowns out my feed and Twitter just doesn't load enough tweets. It's already the case that if you retweet something, you're not guaranteed that your followers see it. And so now there's this other you're-not-guaranteed-that-your-followers-see-it mechanism, which is nonsense. I guess one of the practical takeaways here is that you should stay up-to-date with the platforms you have accounts on. Like if you have stopped using Twitter actively, you might want to go and see, do I still want to represent myself the way that my Twitter profile looks. Like maybe I was comfortable with it five years ago when Twitter was less popular and when some of the norms around it were different, but if that's not really representative of me, is it better for me to just update my profile and say, go check out my - I don't know - website, my Facebook, my whatever else you use instead, and lock your account, so that data just isn't as visible there.

LD: And one other thing besides the fact that I just have all these likes that I haven't figured out what I want to do with yet: I mentioned earlier that I have stopped liking tweets because I don't trust Twitter to do something competent with them. I expect that whatever I like, in a couple of years, is going to be used in a completely different way than both the "I'm putting this little heart here" and also that it might kind of slowly and nondeterministically retweet to some of my followers. And it's really weird using a platform this way! It's weird for Twitter to make this decision because they're just never going to get this engagement from me again unless I change my behavior. I'm just not going to like tweets. And it makes me feel bad as a user because, you know, my friends will post something cool, like maybe they've got a cute selfie, or maybe they just finished a project and they're really proud of it, and I'm not clicking like. And so sometimes I'll reply, and other times if it's just your selfie, and talking to every single selfie someone posts is kind of a lot and, you know, maybe more of a reaction than I think either of us would expect me to have to it! It's odd because my use of Twitter feels kind of stunted right now.

GT: Yeah. One thing I've seen a couple of people do is move to basically anonymous accounts where, if you know the person, this is my account, but there's no way to publicly link it - it's not under their name, it's under a username. And I think that's going to make more of a comeback as people start to realize all of the social media over the past like ten or so years has been getting increasingly public and going from this sort of fun, "Oh, my high school friends can write on my wall on Facebook," to just like, "Oh, literally -"

LD: "Literally now there's this public record of everything I've ever said, and, like, employers are looking at it."

GT: Yeah. That thing where employment profiles are just like, "Can you please list your Twitter account and Facebook account so we can look at them" is just like a lot. And I think people are going to start trying to find ways to do more anonymous social media, or more pseudonymous social media. And it's probably a good practice.

LD: That wraps up our security stories for this episode. We'll do these again in the future, and we'll be back with a new episode of Loose Leaf Security in the second week of January.

GT: I'm planning on using some of my free time this holiday to brush up on my security - I've got a bunch of accounts that I made several years ago that are just not in my password manager, and I think one of my goals is to try to make sure everything that I have is in my password manager, at least everything I can find. And everything that I can find that has two factor, has it enabled.

LD: Oh, that reminds me - one of my goals is to make sure that every account that has two factor in an authenticator app is both on my current phone and on an old phone. I want to make sure that if something goes wrong - I lose my current phone or it gets wiped or something - that I still have the ability to get into my accounts without having to go use those backup codes.

GT: Oh yeah, that's really important. I've finished doing that for at least all my important accounts, and it's a great peace of mind. We'll see you in January when we come back, and in the meantime, stay tuned to our Twitter feed where we'll try to post some interesting stories about security happenings while we're offline.

LD: Have a happy New Year!

Outro music plays.

LD: Loose Leaf Security is produced by me, Liz Denys.

GT: Our theme music, arranged by Liz, is based on excerpts of "Venus: The Bringer of Peace" from Gustav Holst's original two piano arrangement of The Planets.

LD: For a transcript of this show and links for further reading about topics covered in this episode, head on over to looseleafsecurity.com. You can also follow us on Twitter, Instagram, and Facebook at @LooseLeafSecure.

GT: If you want to support the show, we'd really appreciate it if you could head to iTunes and leave us a nice review or just tell your friends about the podcast. Those simple actions can really help us.

Outro music fades out.