How do I know if I have a cyberstalker?

A lot of people out there seem to be creeped out at the thought that they might have a stalker following their online activities. They want to know who is viewing their profiles, looking at their photos, reading their status updates and how often.

On Facebook, there have been many applications advertised to let you find this information and all of them are fakes. It’s a good thing, too. These applications may satisfy your curiosity, but they treat all of the friends that you added to your profile as potential stalkers. Even if it were possible to find a Facebook application that reveals your profile views, by using that application to find stalkers you would become the very thing that you were trying to avoid. You’d be stalking your friends’ online activities and snooping on actions that they believed were their own, private actions.

Recently, professional site LinkedIn have removed anonymity from profile views, based on a user setting. MySpace have a similar feature: if you want to see who views your profile, you must let them see your activity. If you consider how frequently Facebook is changed, it seems that there is every chance that Facebook will add the same feature in the future. Facebook also have a disturbing policy of enabling new settings by default. It hasn’t happened yet, but it is a reason to be vigilant. If you want to sacrifice your privacy in order to satisfy your curiosity it should be your choice and the choice of those who do not want to sacrifice their privacy should be respected as well.

So, do you have a stalker?

The first thing to get clear in a discussion about stalking is what stalking actually is. That way we can avoid persecuting and humiliating innocent people with the reputation-damaging label “stalker”.

A stalker is not someone who views your social profiles. It is not someone who views your page a lot. It is not someone who views your photos and it is not even someone who downloads them. None of these activities automatically make someone a stalker.

If you are really being stalked it is a serious matter. It is illegal in at least some countries, as a form of threat and harassment.

The US legal definition states that not only do you have to be followed, but it is “with the intent to place that person in reasonable fear of death or serious bodily harm” (I suggest you read the whole definition here).

Cyber stalking also involves high levels of harassment, distress and the intent to track down and meet a person in the physical world. To reduce the chance that someone can trace you in the physical world you can read our guides on using location-based Facebook and how to use Twitter safely.

I have to suggest that before you accuse someone of being a stalker you should think very carefully. Are you really under threat of death or injury just because someone views your photos online? Photos that you published yourself? Because when you put things online, your social profiles, your location, your pictures, your thoughts, your job description, you are publishing it.

If you are reading this and you do have a real stalker, if you are living in fear of physical harm, then contact local law enforcement.

Now that I have that warning out of the way, I can give you some practical tips in case you are curious about how much your profiles are getting viewed. I know that a lot of people have encountered this blog by searching for ways to discover so-called stalkers or to find out how to track people online better. I know because I can see how searchers came to this site. Yes, I can see that.

If you look around you can find there are several sites and services that give you viewing statistics. I already mentioned the features in MySpace and LinkedIn, which allow you to see the details of your viewers so long as you are willing to reveal your details to them. That’s a nice way to do it.

Blogging sites offer statistical views of how many views you have for each post and where the posts have been linked. This is still somewhat anonymous, but that should be fine. It is still a lot of information.

YouTube even have a little statistics area that can be opened up from underneath each video that tells you the age, gender and country of the video’s viewers and which link or search brought them to the video.

Facebook? The best advice I can give you is this: Why don’t you just ask?

Ask your friends and they might even tell you. You can also use common sense: Find out who comments most often and who ‘likes’ the most photos and status updates; the chances are that they view your profile the most often and that they are also very active Facebook users.

Of course, going through your Facebook Friends’ list and removing anyone you do not trust personally is always a good idea.

Here on Safe and Savvy we have a lot of posts related to online privacy. If you are still curious then take a look at our archives and subscribe to our RSS Feed.

More posts from this topic

Lee Rigby

Whose job is it to catch terrorists, MI5’s or Facebook’s?

The sad killing of British soldier Lee Rigby has been in the headlines lately after release of a report about how authorities handled the case. Publicity was boosted because the committee thinks Facebook is responsible for the killing. They think the social media giant has a clear obligation to identify and report people who plan attacks like this. Just like the fact that phone companies report everybody who are talking about terrorism and the postal service sends a copy of all fishy letters to the Scotland Yard. I’m sure you get the sarcasm. What happened is that British agencies, MI5, MI6 and GCHQ, had identified the killers, Michael Adebolajo and Michael Adebowale, as interesting persons before the attack. They did however fail to investigate properly and apparently made no attempts to get the suspects’ communications from Facebook. There would have been several ways for them to do that, by a direct request from the police to Facebook or by the secret intelligence connections between GCHQ and NSA. Meanwhile Facebook's internal controls had flagged the killers’ communications and automatically closed their accounts. Facebook did however never report this to the British agencies. Which gave the Brits a convenient scapegoat to focus on instead of the fact that they never asked for that data. Ok, so the Brits blame Facebook. Let’s take a closer look at some numbers and what they really are demanding. There’s about 1,6 billion users total on Facebook. 1,3 billion monthly active and about 860 million daily active users. These users share around 5 billion items and send over 10 billion messages every day. This creates a total stream of around 10 million items per hour and 173 000 per second. Quite a haystack to look for terrorists in! Facebook has some 8 300 employees. If every single one of them, Mark Zuckerberg included, would spend their full working day monitoring messages and shared items, they would have to do over 60 items per second to keep up. Needless to say, any kind of monitoring must be automated for volumes like this. Facebook is monitoring its content automatically. Some keywords and phrases trigger actions, which can lead to closure of accounts. This is understandable as no company want to be a safe haven for criminals and many kinds of harmful activities are prohibited in the user agreement. But Facebook is walking a thin line here. Their primary task is not to be a law enforcement agency but to provide a social media service. They must also be well aware of the fact that reporting innocent people to the authorities is highly irresponsible. Commonly accepted practices of justice are not obeyed anymore when dealing with potential security threats and there is no transparency. There are numerous cases where western authorities have detained and even tortured innocent persons, apparently based on some very vague indications. Maher Arar’s case is a well-known example. So the bar for reporting someone must be high. It is easy for an Internet service to throw out a suspected user. They are after all not paying anything and Facebook have no obligation to let them be users. This ensures compliance with the user terms, no criminal activities allowed. But the threshold to report someone is naturally a lot higher. Especially when the volume forces Facebook to make automated decisions. This is not a sign of carelessness from Facebook’s side, it’s because people by default are entitled to communication privacy. It is also a direct consequence of the fact that terrorism suspicions are handled outside the normal justice system in many western countries. You carry a heavy responsibility if you feed innocent peoples’ data into a system like that. Let’s face it. There’s a large number of criminal conversations going on right now both on Facebook and other social services. Many terrorists are also on the phone right now and some are picking up deliveries with items related to planned attacks. Nobody is expecting the phone company to routinely listen in to identify potential terrorists and nobody is expecting the post to check parcels randomly. Facebook may not report every flagged conversation, but they are at least doing something to not be a safe haven for terrorists. Still they are the only of these services that the Brits call a safe haven. Not very logical. The simple reason for this apparent inconsistency is naturally the need for a scapegoat. The British agencies failed to investigate so they need someone else to blame. But there is a more dangerous aspect hidden here as well. Snowden made us aware of the privacy threats on Internet. The wide-spread mass surveillance has so far to a large extent been secret and even illegal. Pandora’s Box is open now and authorities all over the world are racing to get legal rights to mass surveillance, before the large masses understand what it really would mean. Putting pressure on Facebook fits that agenda perfectly. To be fair, one can naturally also ask if Facebook could have done more. A calm and balanced debate about that is welcome and beneficial. The flagged messages is probably quite a haystack too. To what extent is Facebook reviewing those messages manually, and could this process be improved to catch more potential killers? And at the same time avoid reporting any innocent users. To illustrate that this isn’t as simple as many think. People are asking why Facebook didn’t react on stuff containing the phrase “let’s kill a soldier”. Well, this blog post contains it too. Am I a killer because of that? Should this post be flagged and given to MI5?   Safe surfing, Micke    

Nov 28, 2014
BY 
network

What is a supercookie and why is it more important than you think?

Many techie terms in the headlines lately. Supercookies, supertrackers, HTTP headers and X-UIDH. If you just skim the news you will learn that this is some kind of new threat against our privacy. But what is it really? Let’s dig a bit deeper. We will discover that this is an issue of surprisingly big importance. Cookies are already familiar to most of us. These are small pieces of information that a web server can ask our browser to store. They are very useful for identifying users and managing sessions. They are designed with security and privacy in mind, and users can control how these cookies are used. In short, they are essential, they can be a privacy problem but we have tools to manage that threat. What’s said above is good for us ordinary folks, but not so good for advertisers. Users get more and more privacy-aware and execute their ability to opt out from too excessive tracking. The mobile device revolution has also changed the game. More and more of our Internet access is done through apps instead of the browser. This is like using a separate “browser” for all the services we use, and this makes it a lot harder to get an overall picture of our surfing habits. And that’s exactly what advertisers want, advertising is like a lottery with bad odds unless they know who’s watching the ad. A new generation of supercookies (* were developed to fight this trend. It is a piece of information that is inserted in your web traffic by your broadband provider. Its purpose is to identify the user from whom the traffic comes. And to generate revenue for the broadband provider by selling information about who you really are to the advertisers. These supercookies are typically used on mobile broadband connections where the subscription is personal, meaning that all traffic on it comes from a single person. So why are supercookies bad? They are inserted in the traffic without your consent and you have no way to opt out. They are not visible at all on your device so there is no way to control them by using browser settings or special tools. They are designed to support advertisers and generate revenue for the mobile broadband provider. Your need for privacy has not been a design goal. They are not domain-specific like ordinary cookies. They are broadcasted to any site you communicate with. They were designed to remain secret. They are hidden in an obscure part of the header information that very few web administrators need to touch. There are two ways to pay for Internet services, with money or by letting someone profile you for marketing purposes. This system combines both. You are utilized for marketing profit by someone you pay money to. But what can and should I do as an ordinary user? Despite the name, this kind of supercookies are technically totally different from ordinary cookies. The privacy challenges related with ordinary cookies are still there and need to be managed. Supercookies have not replaced them. Whatever you do to manage ordinary cookies, keep doing it. Supercookies are only used by some mobile broadband providers. Verizon and AT&T have been most in the headlines, but at least AT&T seems to be ramping down as a result of the bad press. Some other operators are affected as well. If you use a device with a mobile broadband connection, you can test if your provider inserts them. Go to this page while connected over the device’s own data connection, not WiFi. Check what comes after “Broadcast UID:”. This field should be empty. If not, then your broadband provider uses supercookies. Changing provider is one way to get rid of them. Another way is to use a VPN-service. This will encapsulate all your traffic in an encrypted connection, which is impossible to tamper with. We happen to have a great offering for you, F-secure Freedome. Needless to say, using Freedome on your mobile device is a good idea even if you are not affected by these supercookies. Check the site for more details. Last but not least. Even if you’re unaffected, as most of you probably are, this is a great reminder of how important net neutrality is. It means that any carrier that deliver your network traffic should do that only, and not manipulate it for their own profit. This kind of tampering is one evil trick, throttling to extort money from other businesses is another. We take neutrality and equal handling for granted on many other common resources in our society. The road network, the postal service, delivery of electricity, etc. Internet is already a backbone in society and will grow even more important in the future. Maintaining neutrality and fair rules in this network is of paramount importance for our future society.   Safe surfing, Micke   PS. The bad press has already made AT&T drop the supercookies, which is great. All others involved mobile broadband providers may have done the same by the time you are reading this. But this is still an excellent example of why net neutrality is important and need to be guaranteed by legislation.     (* This article uses the simplified term supercookie for the X-UIDH -based tracker values used by Verizon, AT&T and others in November 2014. Supercookie may in other contexts refer to other types of cookie-like objects. The common factor is that a supercookie is more persistent and harder to get rid of than an ordinary cookie.   Image by Jer Thorp  

Nov 18, 2014
BY 
IMG_3395

5 ways to get ready to ask Mikko anything

It's like a press conference anyone can join from anywhere. And even if you don't have a question, you can upvote the ones you don't like and downvote the ones you do. President Obama did one. Snoop Dogg/Snoop Lion did one. An astronaut did one from outer space. And our Mikko Hypponen will sit down for his second Reddit AMA on December 2 at 9 AM ET. If you have something you've wanted to ask him about online security, great. If not, here are five resources that document some of Mikko's more than two decades in the security industry to prod you or prepare you. 1. Check out this 2004 profile of his work from Vanity Fair. 2. Watch his 3 talks that have been featured on TED.com. [protected-iframe id="7579bbf790267cc081ac7d92d951262c-10874323-9129869" info="https://embed-ssl.ted.com/talks/mikko_hypponen_fighting_viruses_defending_the_net.html" width="640" height="360" frameborder="0" scrolling="no" webkitallowfullscreen="" mozallowfullscreen="" allowfullscreen=""] [protected-iframe id="fdf818f4afa2f7dcb179c5516c44918c-10874323-9129869" info="https://embed-ssl.ted.com/talks/mikko_hypponen_three_types_of_online_attack.html" width="640" height="360" frameborder="0" scrolling="no" webkitallowfullscreen="" mozallowfullscreen="" allowfullscreen=""] [protected-iframe id="54be2fe9bce28ae991becbe3d4291e56-10874323-9129869" info="https://embed-ssl.ted.com/talks/mikko_hypponen_how_the_nsa_betrayed_the_world_s_trust_time_to_act.html" width="640" height="360" frameborder="0" scrolling="no" webkitallowfullscreen="" mozallowfullscreen="" allowfullscreen=""] 3. Check out his first AMA, which took place just after his first talk at TEDglobal was published. 4. Take a trip to Pakistan with Mikko to meet the creators of the first PC virus. [protected-iframe id="8c0605f62076aa901ed165dbd3f4fcd7-10874323-9129869" info="//www.youtube-nocookie.com/v/lnedOWfPKT0?version=3&hl=en_US&rel=0" width="640" height="360"] 5. To get a sense of what he's been thinking about recently, watch his most recent talk at Black Hat "Governments as Malware Creators". [protected-iframe id="54b24406f022e81b15ad6dadf2adfc93-10874323-9129869" info="//www.youtube-nocookie.com/v/txknsq5Z5-8?hl=en_US&version=3&rel=0" width="640" height="360"] BONUS: Make sure you follow him on Twitter to get a constant stream of insight about online security, privacy and classic arcade games. Cheers, Sandra

Nov 14, 2014