In the end, it is only you who decides what level of risk you're willing to take, but the point of LifeSec is to live in a way where your risk is lower by default – not just against risks today, but whatever comes around the bend. Without it, you may not be prepared for how an adversary may come at you like in the unfortunate case of Ena Matsuoka:

Trigger Warning: Stalking, Assault

Pop-idol Ena Matsuoka had many fans, but Hibiki Sato was obsessed with finding her. So he studied everything she posted online. Checking details like which way the sun fell through her apartment window. What kind of window-dressings did she use? What features were visible outside?

He finally got his chance when he noticed, in a high-resolution selfie she took on her commute home, a sign for a train station in the reflection of her eye. It was enough for him to stake-out the station, wait until she showed, then follow her home. She survived, but some aren't so lucky.

Idol hunted from an eyeball reflection

Whether you are minding your business, trying to build a business, being an ally, or end up in an argument with a neighbor/online troll, having too much available information puts you at risk. Depending what you say, who you say it to, in what venue, under what circumstance, you could be volunteering to be an aggressor's new pet project.

Sometimes the only thing you need to be safe is to be a hard target.

The bottom line is to be hard to attack. Post generically. Fudge unimportant details. Use fake information (where legal and appropriate). Guard your photos. Deny websites/stores/etc. information they don't strictly need. And carry these principles of data protection with you in real life too.

A lot of ID theft prevention is making sure people don't have your information who don't need it (see my Data Defense articles for more).

When making conversation, when at the store, filling out a form at the dentist – like a martial art, use the minimum motion and force to get the job done. Use the least information possible at all times and in all ways.

Then, even if someone becomes interested in you for the wrong reasons, if the amount of effort it takes them to harm you exceeds their level of interest/time, you win.

Loose information makes you a target and it makes you an easy target. It's up to you what to share, but do so aware of the consequences and risks. Most importantly, adopt LifeSec principles all the time and it becomes easy to:

1. Remember that what goes online, goes everywhere; forever. Don't post anything that you're not willing to have dragged back up and used against you later.
2. Learn to be evasive and general. Not only does this make you a better conversationalist, it's safer too!
3. Evade accidents with separation. Separate emails, browsers, accounts – whatever you can work into your life makes keeping separate information separate.
4. Resist elicitation. Just because someone asks doesn't mean they have any right to know the data. Give as little information as practical at all times.
5. Think about how your data can be combined. Don't fall into the trap of thinking "this will be ok because it's just a little bit of information". People and AI can line all the different data up into one clear picture.
6. Especially beware of photo risks. A photo is worth 1000 words and some of those words might say things you don't want people to know!

If I wasn't clear, this isn't 'do this sometimes', but a way of life. Adopt LifeSec as a way of life and you'll be safer not just online or offline, but all the time. For you, for your loved ones. You become, by nature, a hard target.

The only limits to my ability to hurt you are how much data I have on you and my creativity.

When I was teaching OPSEC in DC, the class started with an announcement from a coordinator. "If there are any security events, everyone needs to gather at the center building column." After they finished and introduced me, I told the class "knowing what we were just told as an attacker, the center column is where I'd plant the second bomb…

"But hold on", you say. "You'd still need to know ways to access the building, plant explosives unnoticed, and so on", and you'd be right but that's the point.

Some dangerous information can't be acted on without additional details. Some very innocuous-seeming data can become very dangerous with additional details. Basically, the aggregate of data is a force multiplier. Information in aggregate tells me:

• When to hit you.
• How to hit you.
• How to make it hurt to the maximum degree possible.
• How to ensure success in doing all of the above.

The concept of aggregation is well established in National Security. You have terrorist organizations working to get every detail of their target that they can and on the other side, you have OPSEC programs to teach forces the importance of information denial.

I spent years trying to find the right way to get this point across and, in doing so, learned that people find it hard to connect with examples at the Nation-State level. Instead, what about a little real-world thought experiment?

Trigger warning – some seriously dark possibilities

Assume that want to destroy your life and have at my disposal only two pieces of information: your address and…

I love you, Brad! We should be together!

… a post online I saw where you explained how your wife, due to a misunderstanding, thought you might be cheating on her. How hard would it be to drop some scandalous love letter in the mail adorned with a girl's name as the sender and a bright red kiss mark? What happens then?

… information that you participate in alcoholics anonymous or online support groups for alcoholism. What if I sent you a "complimentary bottle of wine" sometime? Or, better yet, I wait until I see your post talking about how the wife and kids were going out of town for the weekend?

… details of your parole after serving 10 years for possession. I hide a package of incriminating evidence in a conspicuous spot of your side yard then call your parole officer claiming to be a neighbor who saw you burying something suspicious.

Should I keep going? Or do you see how little bits of information can create opportunities to absolutely destroy someone? And lest you think this is only a thought experiment, Facebook has been caught using their vast data on people to manipulate their mood as an "experiment". Best Buy was caught data mining to label customers as either "Angels" or "Devils". And the examples go on and on…

It's not a fun exercise, but it's valuable to learn to think like a bad guy if only to better protect yourself and the people you care about. And it also helps you understand why you should learn the LifeSec skill of providing the most vague and least-detailed information possible in all situations.

You would be stunned if I told you how frequent data breaches are. So much so that they don't even make the news anymore. Instead of counting on negligent organizations to keep your data safe, we must practice information denial at all times, in all ways because it's hard for them to lose or abuse information they don't have.

Step 1: No more than necessary.

When you see a web form, do you fill it in? Why? Is every field you see necessary? Usually there's some kind of indication, but not always. To find out for sure, try pressing "sign up" or "go" or whatever and it will highlight all the necessary fields.

Everything is necessary? No worries. There's a strategy for that too.

It goes without saying that you should rarely fill in any details of your "profile page" in games, on websites, or in apps. Why provide even more data for them to lose or abuse?

Step 2: Ask why

If you're being asked for information that you can't see the reason for, ask why (when able). For example, when I go to the dentist, they might ask for my Social Security Number. I ask, "why?"

You get only what's necessary and no more.

They will say that it's necessary for billing, but this isn't my first rodeo. I always check when I change insurance to see if they every require SSN and (so far) the answer is always "no". And so I tell the dentist the same, "No. You can't have my SSN because you don't need it. I called and checked so process me without it or I'll find someone else."

Not once have I ever been turned away for withholding my SSN in medical situations. Why not try it? What's the worst that could happen? You don't end up doing business with someone who's careless with your data?

Step 3: Get creative

Sometimes there's not another dentist. Sometimes the site your need access to is the only one that will serve your purpose. Sometimes there isn't another good option and you're forced to make a decision… or are you?

To the best of my knowledge, it's not illegal to put fake answers for challenge questions (stuff like, "what's the name of your first pet"). Your phone will still get you home if you set your "home" location to somewhere NEAR your address (instead of using the real location). Most websites don't need YOUR birthday, they need A birthday. And those store discount codes work just as well with a generic phone number (Pro tip: use your area code and 867-5309 – it never fails).

"An" address...

"A" birthday...

"A" phone #...

Important! It's up to you to determine what is legal and what isn't when using this advice. For example, if you fake a SSN that belongs to someone else, that could be problematic. But there's nothing that stops you from being creative in low-stakes situations:

When you sell the phone, if it's stolen, if the data protection allows apps to peek at the data, there are so many ways that data can be taken. So why not give them nicknames instead (something you'd never actually call them to their face) so it's easy for you to know who's who, but no attacker would be able to call them and address them by name?

It's simple, safer, and fun! ("Hey Google, Call Aardvark!")

The best way to get the right answer on the internet is not to ask a question; it's to post the wrong answer.

Cunningham's Law (named after the inventor of wiki software), states that the the most effective means to convince someone to give up information is to confidently post false information. This principle is based on the human reflex of wanting to share which is, itself, a noble thing, but can be exploited by people who want your information.

Make a tank expert mad in a game and you might trick them into spilling national secrets.

In OPSEC circles, it was common knowledge that foreign adversaries found it much more effective to convince people to volunteer their data rather than try to steal it. For example, send highly attractive agents to woo the scientists and engineers at NASA and suddenly Russia has a space shuttle that looks remarkably similar to the NASA one.

But it's not even necessary to entice people with tantalizing beauties; most people will volunteer sensitive information on demand simply because they were asked.

A discussion starter or an elicitation attempt?

How many posts have you seen online that show a list of photos or characters and then say "your birth month is X" or "your birth day is Y"? Or the cleverly-worded discussion-starters that involve both your birth day and birth month?

Do you give it a second thought before participating or do you jump in assuming no one who sees it might be interested in the data you're giving away?

Time to hunt!

I'm not saying these posts are nefariously attempts to harvest data, but if I really did want to ruin someone who ticked me off on Reddit, it's not hard to see which communities they post in and plant a few similar posts to see if they respond. I could target birthdays, general location of your home, schools, friend names…

It's surprisingly simple some times to trick people out of their data and if you're still not buying it, here's an example where I tricked someone into handing me their IP address.

I'm not sure why, but all hell breaks loose when I travel for work. On this occasion, I had settled into the hotel before the conference when my wife called.

Apparently, a good friend of her was being cyber bullied by someone with an ax to grind. The friend, "Becky" let's say, had a Facebook page for her side hustle, but the aggressor ("Aggy" for convenience) expended immense effort to plaster the page and posts with lies about her character, bogus service reviews, and basically doing everything she could to take Becky down.

I say "she" because Becky was near certain this was the work of the woman her ex-husband had married, but she couldn't prove anything and Facebook wouldn't cooperate by providing account information. Having only comments to go on, there was little she could do, but my wife had a suspicion I might have an idea and she was right.

A great book about defending against deception. Also useful as a guide when the circumstances warrant.
(See online!)

No, I didn't hack Facebook. I didn't need to. Using the tried and true principles of "Social Engineering" (proven effective by the world's first hacker to reach the FBI most wanted list, Kevin Mitnick).

If we couldn't get her IP address (to give to the police) from Facebook, all we needed to do was lure here somewhere else. Like this website for example!

Every person who leaves a comment has their IP recorded automatically by WordPress – this is no secret, though most people aren't aware. And leveraging that general unawareness, I set the trap.

Step 1: I wrote a private article about how I was thinking of working with Becky Industries(tm), but I was worried about whether they were trustworthy and a good risk. I asked anyone who was aware of them to leave comments to let me know.

Step 2: I instructed Becky to bait the lure by posting on her Facebook. The post would talk about how she really wanted to form a partnership with The Geek Professor and how that would really turn things around if everyone reading could just go to the page and leave some good comments (along with a link to my private access-by-link-only post).

Less than 20 minutes later, a comment was dropped using the same wording, the same character as everything from the Facebook posts only, this time, on a page where I had access to the IP. I gave it to Becky and she handed it to the police.

We love to share

But that's MY name...

I stumbled on a Reddit post where the question was "What's your favorite character who has the same name as you." Two things immediately came to mind.

The first was how my dad took me to see the Secret of Nihm when I was kid. And when the crow came on screen and introduced himself, I stood up and yelled across the theater, "HEY! That's MY name!". My dad tried to shush me as an amused audience tittered at the outburst, but I was insistent. "But Dad, that's my name!".

The second was the reason I declined to participate in the discussion and tell the charming story of my youth: every person that responds loses the anonymity of their username and self-identifies with their real name.

As much fun as it might be to answer these kinds of questions or share delightful stories, think twice when doing so means giving up information. You might think "What's the harm? It's just a little bit of detail; it's not like they have any more" but don't be complacent. Let me teach you about Aggregation Risk

In what I came to call "Old man disease" after my cartoonishly repellent professor, I learned that people tend to spew unwanted detail about themselves (especially online). You have to fight that impulse and learn now how important it is (both as a conversationalist and for safety) to be as vague as reasonably possible.

Omitting unnecessary detail is better for conversation and for safety!

As an example, let's say you're traveling and someone asks, "where are you from?" I'd bet you know better than to give turn-by-turn directions to your address and telling them "the key is under the mat!". That's a good start, but what do you say? How much detail should we withhold?

That's exactly backwards. From now on, instead of thinking about what you shouldn't say, consider what you should (if anything). Start by deciding if you want to answer at all and, if yes, ask yourself what is the least amount of detail I can reasonably provide in this context?"

I've lived this way for a long time and it's never harmed my conversations or made things awkward. I'm simply offering still-correct but more vague answers with limited detail.

For example, for the purposes of this article, I'll volunteer that I live in the Seattle Area. Knowing that, here's how I'd change my answer to fit the context at hand:

• I'm at a conference in London and an attending asks, "Where are you from?" I say "America"
• I'm in San Antonio eating at a restaurant with friends. The waitress asks and I say, "Washington State"
• I'm at a townhall at the Capitol Building in Olympia. Another Washingtonian asks so I say, "Seattle Area".

If overseas, America

If out of state, Washington

If Washington, Seattle-area

At times, I might make a judgement call that it's safe to share more to people at work, the other parents at the sports match, etc., but that's the exception. Even then, I'm still purposely vague about details, because, not only does being vague keep me safer, but the listener most likely didn't want more detail in the first place!

Why publicly post family names, ages, interests, and other details? Why not just say "my wife", "my kids" (assuming there's a reason to bring them up at all). Instead of age, "baby", "young", "teens", and "adult" are specific enough. Why list genders? Why be specific about how many?

It's distressing how often someone might be safe with THEIR data, but careless with others. For example a UK sniper was praised by his command for his record-breaking kills on key Afghan rebels. But it turns out that naming him only put a target on him and his family.

Sniper's cover blown by his command

When I worked in OPSEC, I found a State Department directory listing names, titles, work locations, and phone numbers of hundreds of their employees posted openly online (60 pages worth). I've seen church bulletins listing private details of parishioners. Schools and colleges with unprotected student directories.

Or consider if a stalker sees you talking to their target because you're friends/co-workers/etc. So they ooze up to you with some story about how they "found something" their victim dropped or that they're "good friends from high school" and they really want to catch up!

They'll try to convince you to share the target's phone number, address, or schedule, but there's essentially zero cases where that's an OK thing to do. Instead, you can tell them, "Wow Stalker, you found their thing! Thanks, I'll get it back to them." or "You're friends? That's great! I'm sure they'll be happy to hear from you so leave me your contact information and name and I'll give it to them when I see them next!".

Similarly:

• Never upload photos of friends, their kids, or anything else without asking first.
• Never "tag" someone by name. If they're good at LifeSec, you might be ruining it by naming them, their spouses, and their kids in your posts.
• Never tell someone else's stories or rants without asking fist. Just because they freely ranted about their boss to you doesn't mean you can share it online.

Don't be the kind of person who is careless with the information of others! Before posting, stop. Make sure the photos and details you're posting aren't giving away information of others! Make sure you don't fall for Elicitation

If you just got a high-paying offer from a tech company, would you go online and brag about the pay while lamenting how boring it would be to work for them? Connor Riley did, perhaps not realizing that most companies monitor their brand online.

The famous case of someone losing a job before it even started. Now known to history as the case of the "Cisco Fatty"

I'd guess most people know better than to badmouth a prospective employer online, but it's not always so clear cut. Most of the things we say and post are only heard by people in the same room as you (and sometimes not even then), but that can change in a heartbeat as Comedian Jocelyn Chia learned:

"On June 5, a comedy club posted a clip from a show I had done in which I depicted Malaysia as the ex who broke up with Singapore—the country I grew up in—and Singapore was now having a "glow-up".

The clip was performing very well, but when I posted the same one on my social media on Tuesday morning, things started to take a nasty turn."

Comedian Jocelyn Chia faced threats for her joke about Malaysia

The people of Malaysia took exception to the comparison. To the point where she was threatened, events and shows she'd booked were canceled due to the outcry, and several attempts were made to hack her social accounts. There was even a report that Malaysian police attempted to recruit Interpol to have her arrested and extradited.

After the initial wave of shock and panic, she chose to take a stand and face the accusers' wrath directly. Given her existing platform plus a media boost from CNN and the BBC who both covered her story, she managed to build a counter-protest in her support. Her bookings started to reappear and the heat online settled down.

Things turned out fine for her, but not everyone can weather that kind of storm.

Not everything you share will come across the way you hoped. Sometimes it's a good idea to pause, rethink, or get someone else's opinion before committing. Better a delay than regret.

As her example shows, what you share may spread far beyond your intended audience to people who are unreceptive… or hostile. That doesn't mean you can joke or post ever, but unless you're prepared to face the horde, take your best shot at ducking their attention.

Before sharing, ask:

• What if the people I love see this?
• What if people who hate me see this?
• Is there a history here I should know about? Am I stepping on landmines?
• What if the news picks it up? What if this goes viral? What if every hater in the world sees this?
• When I'm dating or job-hunting in the future and they dig this up, am I ok with that?

Bottom line, if you can choose between two types of expression (both of which make the point you're trying to make) and one is much harder to take offense to, that's the safer choice.

Just ask David Howard:

David's poor choice

In 1999, the Associated Press covered the story of David Howard, a Washington DC official who, during a town meeting, chose to use a word meaning "miserly", but sounds a LOT like a racial slur.

Howard explained the word had no racial connotation or history, but countering outrage with etymology is like trying to un-drop a cake. The mob couldn't be convinced and he had to resign his post.

It's hard to imagine he thought that word wouldn't create confusion, but then again, in 2025 during the darkest of the GOP/trump anti-Transgender sentiment, scientists were surprised by massive outcry to their research into "transgenic" mice (which has about as much to do with Transgender as the Trans-Siberian Orchestra).

In that context, it's easier to see how he might have thought people wouldn't confuse the words, but he still erred. If you're using words that you know might be confused and you don't want your intentions or character to be questioned, pick the one that doesn't sound like any slur (let alone that one).

Until now, we've only talked about easy choices. Not posting complaints about your boss. Being careful with your jokes. Choosing words where a completely viable alternative is available. What if the only way to stay safe is to hide who you are?

Religion, expression, lifestyle… each has been a historical foil for violence by people who hate things that are different. Even when it's none of their business. Even when it harms no one and nothing, people are forced to hide their traditions, their faith, their heritage, their sexuality, and even their gender.

And even if you're not part of the affected group, you may still face backlash for having darker skin ("must be an illegal immigrant!"), having pink hair ("must be LGBTQ+!"), or having a head wrapping ("must be a terrorist!").

To a racist, a head covering means you're not only Muslim, you're also a terrorist!

Even something as simple as an accent or displaying a symbol can be confused and make you a target. I remember an old story of a college student having a video call with his grandmother when a roommate noticed a prominent swastika displayed on her wall.

Certainly anti-Nazi outrage is justified, but no one wins when it's aimed at innocent Bhuddists displaying a symbol of their religion (which is not the same as the Hakenkreuz Nazi symbol).

If you want to avoid the issue, make sure things that could be easily misunderstood aren't easily seen. For example; using a background filter. Turning off the video. Taking the call in a different (less-decorated) room.

There is something to be said for standing up and fighting against hate and misplaced outrage, but not everyone has the fortitude/finances/safety to do so. Sometimes, we just don't have the space to play on "hard mode".

In what is referred to in the Intel Community as "Imint", images can be scoured for details to find information people didn't realize they gave away. As a public example, Shia LaBeouf constructed anti-trump performance art consisting of a 24-hour livestream that garnered some decent attention both positive and negative.

Due to some hostility, the livestream was relocated to an unknown location showing only a flag labeled, "He will not divide us". Not long after, despite the video showing only the sky and a flagpole, 4chan users were able to deduce its location using flight patterns and mapping stars. The flag was removed and replaced with a Maga flag instead.

While a video offers more clues than a photo, you'd still be surprised what you can learn from a photo with only a little bit of training. Things like…

A lovely glass heart and also fingerprints!

It's wild how often I find copies of peoples' fingerprints online. Someone selling a coin or button. A farmer showing off a growing berry. Or this artistic photo of a glass heart.

But what's the risk? Would people frame you for crimes with your fingerprint? Probably not. But what about unlocking your phone or laptop? With phone/computer access, it becomes trivial to get into every account you have – email, messages, social page, banks… everything.

Of course, they'd have to be able to translate an online photo into something that can defeat print scanners, but that only requires a 3D printer (or Gummi Bear candies in a pinch)

Are you dating someone really paranoid? Do you have a pissed-off 'ex' who might get access to your phone? Could your family use your phone to get access to your bank accounts and credit? Maybe, maybe not. What is certain is that it's hard to abuse someone's prints when you don't have them.

Whenever you're taking a picture of something in your palm, it's worth taking a second to make sure your fingertips aren't in the shot!

You'd be surprised how frequently people post themselves semi-nude because they didn't check reflections.

Long ago, I checked a work trading board for some furniture and found a decent hutch for a good price. Because I'd learned to scan reflections, I noticed that the woman who sold it to me was in her underwear when she took the photo.

Of course I never said anything (I didn't want to embarrass her), but I have told several thousand people since then!

People are constantly putting themselves in compromising positions by not checking reflections. Like the guy I found on LinkedIn who posted a "motivational talk" while apparently in the passenger seat of a car. Except, if you looked at the reflection in his sunglasses, you could clearly see him holding the wheel with one hand, and the phone in the other.

If I was someone who knew him and didn't like him, I could easily post that to the church board, send it to his family, or share it with the police. It wouldn't be the first time something like that happened:

This is a famous example that I've used for years teaching OPSEC.

I have no sympathy for people who film while driving, but what about people who's various states of undress or nearby toys and medicines might not be things they want people to see? Check your reflections, people.

Hint, check the upper-right

The things people forget to check for in the background can occasionally be hilarious. A selfie where the dog is pooping or drinking out of the toilet or maybe your poor friend who's still in the shower… generally there's no harm done.

But what if you have private medical information visible? Passwords or security information? House keys that can be easily copied (even in a photo at an angle or from up to 200 feet away)? Concerning evidence of hoarding, filth, or other mental care concerns?

Giving away a pre-marriage pregnancy (Photo Credit)

Visible password? That's embarrassing. (Photo Credit)

JK Rowling's profile photo showed an apparent black mold infestation

A key where you can see the ridges can be copied. (Photo Credit)

It gets worse; what if the details people find in your background lead to more serious consequences? This is a scary world where people are judged, ostracized, attacked, or killed for:

Trigger warnings: abuse, violence

• Pregnancy before Marriage
• Not following tradition
• Being the 'wrong' religion
• Being the 'wrong' sexual orientation
• Being the 'wrong' gender
• Dating the 'wrong' people

Keeping yourself and others safe means checking the background. What do you see? Are you "outing" yourself? Someone else? Are you giving away more than you realized? Will the visible details put you or anyone else at extra risk? Check every time before you upload.

Remember in the Accidental Oversharing page when I talked about the risk of sharing your screen or taking screenshots at work without thinking about what's the background? This is why you need PhotoSec skills! For video chat, try splitting the important tabs off to a new browser instance and sharing only that. If uploading screenshots to Tech support, crop out anything that's not strictly relevant.

Sometimes the only thing that stops evil people from acting is not knowing where to find the target of their obsession (or A target of their obsession – a.k.a., a target of opportunity). But what good is caution about reflections and details if the photo itself blabs about your exact location?

Do you notice the 'Show settings' link over there on the right? Try clicking it. What happens?

In this very nice selfie that I found on Flickr, you might notice location information on the right; something often seen on photos uploaded to Flicker or Google or Facebook or whatever. It's not that people are taking the trouble to tag their location; the phone does it for them.

The phone records all the settings for the photo, but also other details it has access to. Maybe your name and sometimes your exact location.

Maybe if you're hiking and want to remember exactly where you saw that cool blue lizard, geo-tagged photos are helpful. If you go missing, the search party might find your last known location by the last cloud-uploaded photo you took. But the rest of the time, what does location information do except put you at risk?

Trigger warning: dark possibilities If you post about solo-night since the spouse and kids are out, if you're a battered spouse on the run whose safety depends on not being found. Or if someone simply finds your lifestyle/religion offensive. In all these scenarios, having photos that are GPS tagged directly to your location is not going to end well.

Often people are safe because finding and harming people is hard, but "helpful" technology trivialize it to the point that the risk becomes higher simply because it's "easy". Especially now that AI tools that help analyze photos for location indicators are becoming more and more proficient.

For example, here's a test I did with GeoSpy.ai

It got it within about 18 miles

Using only a Google Streetview picture at random from the Seattle area, it was able to narrow it to about 18 miles of the actual location – and that's just one photo. What if I had 10 or 100? Some people are very prolific posters and every photo gives bad guys more to work with.

Watch your timing! If you're at a restaurant and taking a picture of your food, if you upload it immediately, people will know where you are for the next 20 to 30 minutes. Maybe post later or the next day instead!

It's easy to say "be careful" without offering any specific advice for actually doing so. But anything that's complicated or takes a lot of effort isn't something we'd actually do in practice. With that in mind, here are some simple tips for improving your risk posture:

1. Crop – Easy – just remove the parts of the photo that have any problematic content. Sure, you can meticulously go through the visible papers on your home office desk; you can check with everyone in the photo at the party before posting. OR, you could just crop out that stuff instead.
2. Shrink – There's rarely a time when it makes sense to upload a giant 20 megapixel photo directly to a social site. Why not shrink it by half or more? Even a photo only 1000 or 1500 pixels wide is plenty large for online sharing while making it next to impossible to see fine details like what's in the reflection of someone's eyes.
3. Disable Geotagging – I mentioned there are some legitimate reasons to geo-tag, but those don't apply to almost anyone. If you want them there for something specific, so be it, but unless that applies to you, disable the "feature" and eliminate the risk entirely.
4. Meta stripping tools/apps – These remove META DATA – the geo-tags, your name, and all that other information that I showed you before. All of it is dumped and gone. I don't have any recommendations because I don't upload near enough to use one of these, but if you're prolific, you might want to "clean" tons of photos all at once and then not worry about it.
5. Screencap hack – On a computer, view the photo at about the size you'd want to see it online, then press WIN+SHIFT+S. This is a quick-capture shortcut that lets you snag a portion of your screen which is auto-saved in your screenshots folder. Then you can upload that screen capture which will be drastically size-reduced (but still large enough and have ZERO meta data attached).
6. Caution and diligence – Check backgrounds, zoom in, check reflections, scour each photo carefully for anything that someone might be able to learn. Make sure you don't have any unique and identifiable features near by like street signs or addresses. If you find something or can't tell for sure, maybe reconsider posting.

Keep in mind this is all about risk. If you're not worried, so be it, but if you're at high risk because of your lifestyle, activism, have some measure of notoriety, or have been directly threatened or bullied, the key is to make sure you don't hand your enemies the weapons they use to bludgeon you with. Be smart, be safe.

In what is referred to in the Intel Community as "Imint", images can be scoured for details to find information people didn't realize they gave away. As a public example, Shia LaBeouf constructed anti-trump performance art consisting of a 24-hour livestream that garnered some decent attention both positive and negative.

Due to some hostility, the livestream was relocated to an unknown location showing only a flag labeled, "He will not divide us". Not long after, despite the video showing only the sky and a flagpole, 4chan users were able to deduce its location using flight patterns and mapping stars. The flag was removed and replaced with a Maga flag instead.

While a video offers more clues than a photo, you'd still be surprised what you can learn from a photo with only a little bit of training. Things like...

A lovely glass heart and also fingerprints!

It's wild how often I find copies of peoples' fingerprints online. Someone selling a coin or button. A farmer showing off a growing berry. Or this artistic photo of a glass heart.

But what's the risk? Would people frame you for crimes with your fingerprint? Probably not. But what about unlocking your phone or laptop? With phone/computer access, it becomes trivial to get into every account you have - email, messages, social page, banks... everything.

Of course, they'd have to be able to translate an online photo into something that can defeat print scanners, but that only requires a 3D printer (or Gummi Bear candies in a pinch)

Are you dating someone really paranoid? Do you have a pissed-off 'ex' who might get access to your phone? Could your family use your phone to get access to your bank accounts and credit? Maybe, maybe not. What is certain is that it's hard to abuse someone's prints when you don't have them.

Whenever you're taking a picture of something in your palm, it's worth taking a second to make sure your fingertips aren't in the shot!

You'd be surprised how frequently people post themselves semi-nude because they didn't check reflections.

Long ago, I checked a work trading board for some furniture and found a decent hutch for a good price. Because I'd learned to scan reflections, I noticed that the woman who sold it to me was in her underwear when she took the photo.

Of course I never said anything (I didn't want to embarrass her), but I have told several thousand people since then!

People are constantly putting themselves in compromising positions by not checking reflections. Like the guy I found on LinkedIn who posted a "motivational talk" while apparently in the passenger seat of a car. Except, if you looked at the reflection in his sunglasses, you could clearly see him holding the wheel with one hand, and the phone in the other.

If I was someone who knew him and didn't like him, I could easily post that to the church board, send it to his family, or share it with the police. It wouldn't be the first time something like that happened:

This is a famous example that I've used for years teaching OPSEC.

I have no sympathy for people who film while driving, but what about people who's various states of undress or nearby toys and medicines might not be things they want people to see? Check your reflections, people.

Hint, check the upper-right

The things people forget to check for in the background can occasionally be hilarious. A selfie where the dog is pooping or drinking out of the toilet or maybe your poor friend who's still in the shower... generally there's no harm done.

But what if you have private medical information visible? Passwords or security information? House keys that can be easily copied (even in a photo at an angle or from up to 200 feet away)? Concerning evidence of hoarding, filth, or other mental care concerns?

Giving away a pre-marriage pregnancy (Photo Credit)

Visible password? That's embarrassing. (Photo Credit)

JK Rowling's profile photo showed an apparent black mold infestation

A key where you can see the ridges can be copied. (Photo Credit)

It gets worse; what if the details people find in your background lead to more serious consequences? This is a scary world where people are judged, ostracized, attacked, or killed for:

Trigger warnings: abuse, violence

• Pregnancy before Marriage
• Not following tradition
• Being the 'wrong' religion
• Being the 'wrong' sexual orientation
• Being the 'wrong' gender
• Dating the 'wrong' people

Keeping yourself and others safe means checking the background. What do you see? Are you "outing" yourself? Someone else? Are you giving away more than you realized? Will the visible details put you or anyone else at extra risk? Check every time before you upload.

Remember in the Accidental Oversharing page when I talked about the risk of sharing your screen or taking screenshots at work without thinking about what's the background? This is why you need PhotoSec skills! For video chat, try splitting the important tabs off to a new browser instance and sharing only that. If uploading screenshots to Tech support, crop out anything that's not strictly relevant.

Sometimes the only thing that stops evil people from acting is not knowing where to find the target of their obsession (or A target of their obsession - a.k.a., a target of opportunity). But what good is caution about reflections and details if the photo itself blabs about your exact location?

Do you notice the 'Show settings' link over there on the right? Try clicking it. What happens?

In this very nice selfie that I found on Flickr, you might notice location information on the right; something often seen on photos uploaded to Flicker or Google or Facebook or whatever. It's not that people are taking the trouble to tag their location; the phone does it for them.

The phone records all the settings for the photo, but also other details it has access to. Maybe your name and sometimes your exact location.

Maybe if you're hiking and want to remember exactly where you saw that cool blue lizard, geo-tagged photos are helpful. If you go missing, the search party might find your last known location by the last cloud-uploaded photo you took. But the rest of the time, what does location information do except put you at risk?

Trigger warning: dark possibilities If you post about solo-night since the spouse and kids are out, if you're a battered spouse on the run whose safety depends on not being found. Or if someone simply finds your lifestyle/religion offensive. In all these scenarios, having photos that are GPS tagged directly to your location is not going to end well.

Often people are safe because finding and harming people is hard, but "helpful" technology trivialize it to the point that the risk becomes higher simply because it's "easy". Especially now that AI tools that help analyze photos for location indicators are becoming more and more proficient.

For example, here's a test I did with GeoSpy.ai

It got it within about 18 miles

Using only a Google Streetview picture at random from the Seattle area, it was able to narrow it to about 18 miles of the actual location - and that's just one photo. What if I had 10 or 100? Some people are very prolific posters and every photo gives bad guys more to work with.

Watch your timing! If you're at a restaurant and taking a picture of your food, if you upload it immediately, people will know where you are for the next 20 to 30 minutes. Maybe post later or the next day instead!

It's easy to say "be careful" without offering any specific advice for actually doing so. But anything that's complicated or takes a lot of effort isn't something we'd actually do in practice. With that in mind, here are some simple tips for improving your risk posture:

1. Crop - Easy - just remove the parts of the photo that have any problematic content. Sure, you can meticulously go through the visible papers on your home office desk; you can check with everyone in the photo at the party before posting. OR, you could just crop out that stuff instead.
2. Shrink - There's rarely a time when it makes sense to upload a giant 20 megapixel photo directly to a social site. Why not shrink it by half or more? Even a photo only 1000 or 1500 pixels wide is plenty large for online sharing while making it next to impossible to see fine details like what's in the reflection of someone's eyes.
3. Disable Geotagging - I mentioned there are some legitimate reasons to geo-tag, but those don't apply to almost anyone. If you want them there for something specific, so be it, but unless that applies to you, disable the "feature" and eliminate the risk entirely.
4. Meta stripping tools/apps - These remove META DATA - the geo-tags, your name, and all that other information that I showed you before. All of it is dumped and gone. I don't have any recommendations because I don't upload near enough to use one of these, but if you're prolific, you might want to "clean" tons of photos all at once and then not worry about it.
5. Screencap hack - On a computer, view the photo at about the size you'd want to see it online, then press WIN+SHIFT+S. This is a quick-capture shortcut that lets you snag a portion of your screen which is auto-saved in your screenshots folder. Then you can upload that screen capture which will be drastically size-reduced (but still large enough and have ZERO meta data attached).
6. Caution and diligence - Check backgrounds, zoom in, check reflections, scour each photo carefully for anything that someone might be able to learn. Make sure you don't have any unique and identifiable features near by like street signs or addresses. If you find something or can't tell for sure, maybe reconsider posting.

Keep in mind this is all about risk. If you're not worried, so be it, but if you're at high risk because of your lifestyle, activism, have some measure of notoriety, or have been directly threatened or bullied, the key is to make sure you don't hand your enemies the weapons they use to bludgeon you with. Be smart, be safe.

From the first days I taught Operations Security (OPSEC) for the Inter-Agency OPSEC Support Staff, selling the idea of OPSEC was hard. People saw it as another chore: try to remember your list of critical information and don't talk about it. Yawn…

But the military and Intel Agencies take this very seriously Because seemingly unimportant information that is shared carelessly is dangerous.

Purple Dragon - the original OPSEC program for the USA.

For example, during the Vietnam war, the US military inadvertently leaked their plans to the Viet Cong spy network by having their planes visibly on the runway with the supplies staged nearby.

In a more modern example, reporters in the 90's discovered that they could predict major world-events based on the number of late-night pizza delivered to the Pentagon and other key agencies – a phenomenon now playfully referred to as "the pizza meter".

Basically, by operating in the open with no care for who was watching and what they might learn, US forces suffered data leaks of their own making. But who cares about the government, right? Why should regular people should care?

The crime of disbelief

Do you believe in Zeus and Poseidon? Do you legitimately believe they're real and must be respected and feared? If not, you are a non-believer… just like the rest of us. There are many major religions and branches and we are all non-believers to one or the other… and that shouldn't be anyone's business or concern. But not everyone agrees.

Trigger warning: violence, death

I was raised Christian, but learned early that there are "right kinds" and "wrong kinds". Catholics, Baptists, and others who claim to have the same beliefs, but will still argue and judge each other. It's one reason separation of church and state is so important – even if people could agree on the religion, there's just too much disagreement about details.

A 2017 Netflix Special about an activist murdered for her cause

Luckily, brave people like Madalyn Murray O'Hair advocated against forced prayer and Bible readings in public schools as early as the 60's. Through a lifetime of court cases and advocacy, she made schools a safe place for those of a different denomination, a different religion, or no religion at all.

A 2017 Netflix special details O’Hair’s life, her struggles, her victories, and (ultimately) her kidnapping and brutal murder in 1995. By making an effort to make the USA more respectful and inclusive for people of different beliefs, she, her son, and granddaughter paid the ultimate price.

The crime of being "girly"

The crime of freedom

More than ever these days, it's become vitally important for vulnerable populations and advocates to learn how to speak without drawing undue attention from aggressors OR to be a 'hard target' if you do.

In an ideal USA, bigots and abusers would face scorn, shame, and, most of all, repercussions for their hate. But at the whims of society and politics, they not only might escape any consequence; they may be cheered and applauded. Whatever our ideals, we have to live in reality and that means sometimes being judicious about the amount and kind of attention we draw to ourselves.

Bottom line, whether it's serial killers, child molesters, haters, abusers, creeps, or con artists; strangers or people you know – it's in your best interests to learn about risks and countermeasures so you can make an informed choice about sharing information.

But first a disclaimer!

Why bother?

Commander biographies far too often publicly list family names, ages, sexes, schools and more

When I worked for the Inter-agency OPSEC Support Staff, a co-worker shared the story of a military commander who didn't think they needed an OPSEC program. In his view, "we're careful so all that extra effort is a waste."

To prove the point, my co-worker looked up his public profile online. There he found a bit of background on the commander, his wife, and his kids. It also mentioned his oldest daughter was a student at the nearby University of Maryland.

Minutes later, he'd found the daughter's profile on Facebook where it listed several photos, details of her life, and her class schedule. He grabbed a camera, a buddy, and printout of the schedule and went down to the school.

At the expected time, she came out of the Chem building, crossed the quad, and then sat at a long bench to check her bag. My co-worker sat down on the other end of the bench and did a "V" sign while his buddy took the shot. Later, he tossed the photo down on the commander's desk and said, "THAT is why you need an OPSEC program."

The good news is that the commander didn't take it personally and implemented the program, but not everyone has a team to handle this stuff for them. And even if they did, trying to trying to stay aware of (and defend from) every new type of scam, hack, or trick is impossible. But giving up isn't the answer either. There needs to be a third option and that option is LifeSec.

Like a martial art, LifeSec is a lifestyle. Not a series of steps and processes, but a set of general rules to internalize and make part of your every day life. While this could never be 100%, adjusting your mentality about personal information has a much better chance of protecting you not just from the attacks of today, but whatever new con is waiting right around the corner.

First up, The Risk of Visibility.