Our breadcrumbs on the Internet

Almost a decade ago, I spent a few months during university working for Kroll, one of the world’s biggest corporate intelligence firms.

And before you ask, no, I wasn’t dumpster diving for shredded confidential documents in order to find dirt on someone.

Because there was no need for that.

A lot of what we wanted to know about a person or a company could be found online - and this was well before the prominence of popular social media platforms like Facebook and Instagram. Public directories, a simple google search, and subscription-only databases were usually enough to give us a good idea of what (or who) we were dealing with.

This has only become more prevalent in the last few years, and will continue to do so. Almost all of us are leaving daily breadcrumbs of our behaviour all over the Internet: from our LinkedIn profiles, to our reviews of the restaurant we ate at last week, to the things we search for online in the sanctity of our own home.

Should we all be leaving WhatsApp?

I was asked this question recently by a friend (on WhatsApp, of course).

For those of you who’ve missed it, WhatsApp (owned by Facebook) recently sent a message to a segment of its users (note that this doesn’t apply to European and United Kingdom users) asking them to accept their latest privacy policy updates, which would share data like IP address, internet service provider, browser information, mobile network, phone number, and (in the future) payments through WhatsApp, with Facebook.

(Sidenote: the deadline for accepting the new policy has since been delayed by WhatsApp to 15 February 2021.)

When the news was announced, Elon Musk took to Twitter to tell people he uses messaging service Signal. Even ex-NSA employee and whistleblower, Edward Snowden, chimed in with why he uses Signal.

What is fascinating about all this is that the people I’ve spoken to don’t seem to realise that WhatsApp and Signal actually use the same end-to-end encryption technology to ensure that messages sent are, well, encrypted. On the other hand, competitor Telegram does not offer end-to-end encryption by default - and yet, it still attracted almost 2.2 million downloads in the days following WhatsApp’s announcement.

At a time when people are becoming more aware of online privacy, the European Union is leading the charge in protecting civil liberties from infringements by big tech, and Apple and Facebook have been embroiled in a very public PR spat relating to Apple’s new privacy protection measures (where Apple retaliated against Facebook by pointedly saying it was “standing up for our users”), it’s remarkable that WhatsApp (and by association, Facebook) has made this decision.

The optics, in the current circumstances, are not ideal - especially in comparison to what is circulating around the Internet about Signal (full disclosure: I don’t think the ad below is real, but it’s gotten lots of traction).

The good news for WhatsApp is that, at least for now, it appears that some users will continue using the platform purely because of the inconvenience in trying to move friends, family, and chat groups to anywhere else.

This is known as consumer inertia - where customers continue paying for and/or using a product, even when superior options exist. And it may very well work. In the case of WhatsApp, consumer inertia is particularly high because it requires moving not just ourselves, but our entire network, to a new platform. For example, in my case, it’s not just about getting me and my mother off WhatsApp - it’s about getting the entire network of Asian aunties and uncles that she communicates with to agree to move as well.

Interestingly, the traditional model of capitalising on consumer inertia usually follows the pattern set out in this article:

Companies often internalize consumer inertia by setting pricing strategies that offer discounts to new customers. Both established firms and new market entrants frequently use introductory offers to accumulate customers and then raise prices later on, assuming customers will choose to stay over the cost of switching again.

But this isn’t quite the same here. I remember paying US$1 for WhatsApp when I switched to an iPhone, many years ago (and grumbling about it because it had been free on Android). In this case, unlike traditional models of, say doubling the subscription price the year after they’ve hooked you in, WhatsApp is instead asking us to pay the price of a sliver of our data. Naturally, to a company like Facebook that makes millions of dollars off advertising, this is worth more than the US$2 they could have gotten from me.

The Downfall of Parler

So we’ve touched on platform encryption - but how important is it, really?

Headlines last week came out about big tech’s shunning of the social media platform Parler, which had become a safe haven for those who were not welcome on other platforms such as Twitter, due to its lack of moderation and regulation.

Most media reports seem to have focused on the expulsion of Parler from the world of tech - but what is interesting about this is that the platform holds a lot of evidence that could potentially be used in building a case against some of the rioters in the recent Washington mob attack. By taking the platform down, such evidence could be lost…if it wasn’t for the fact that Parler was so shoddily built, and a bunch of quick-thinking archivists jumped in to scrape 99% of posts (and a whopping 80 terabytes of data).

This great read talks about how Parler failed to scrub the metadata from uploaded images and videos (meaning things like geolocation and date/time were available for anyone to read), ids were numerical and chronological (one of the very first things I learnt as a software engineer was to use UUIDs so people can’t just guess the next id by incrementing upwards!), and posts were not actually deleted but just had a deleted flag added to them. 🤦🏻‍♀️

The data that has been scraped from Parler has led to some of the perpetrators being identified and apprehended, and it’s not hard to imagine that this will happen more in the coming days as the terabytes of data are analysed.

Ironically, what was once a safe haven for extremists may very well become the key to locking them away.

Does Mutiny Know Who You Are?

What really blew my mind when I was working at Kroll was how people thought that the things they said and did that was posted on the Internet would just disappear over time. I remember reading a report that someone very wealthy had attempted to hire Russian software developers / cyber security specialists to scrub the Internet of mentions of him and his family - attempted, and failed.

The reality is that more and more data is being collected, and with storage costs getting cheaper and cheaper, it’s easier than ever to have your own private stash of information that you’ve scraped from the Internet. Want to go back in time and see what MySpace looked like back in 2001? There’s the Wayback Machine website for that. Want to see where an image has popped up across the Internet? Welcome to reverse image search.

As I was listening to this podcast (which I highly recommend for anyone starting a Saas business), the platform Mutiny HQ was mentioned. It’s a platform that personalises your website for each visitor that lands on it. I was curious, so I jumped on to have a look around, and to my surprise, I was met with this:

In the request invite field, they had a placeholder that said: “you@complispace.com.au”. (Note: this only happened after I’d refreshed the page.)

Now, I currently work at CompliSpace as a software engineer - and even I was pretty impressed (and mildly disturbed).

Where had they pulled this info from? I found a reference on their website about them matching IP addresses to those of companies, but I was browsing from home - and on my personal laptop, which I had intentionally not associated in any way with work.

Now, let’s put aside the issue of whether you are happy about having your identity known by websites you land on - I know plenty of people will be uncomfortable with that.

But as a customer considering using Mutiny HQ for my website, this is a clear example of where trust is built early on. Case studies, images, and testimonials are all well and good, but nothing sells like actually using the customer to prove - to the customer - that the product works. The golden rule is to show, don’t tell.

Want to see if they know who you are? Check them out here (and don’t forget to try refreshing after you land). Let me know if you get any interesting results!

(Btw, I have zero affiliation with Mutiny and haven’t used their product, but at the time of writing, they are hiring a US-based Product Lead, in case anyone is interested.)

Final thoughts…

Before I left Kroll, I wanted to sell my laptop second hand. I asked one of my colleagues in the Computer Forensics department how I could make sure I left no trace of who I was on the device.

He reached down into a cabinet drawer by his feet, pulled out a hammer, and passed it to me.

“Smash it into tiny pieces, and then throw them into the harbour,” he replied.

For better or worse, that’s not quite possible on the Internet.

x Carmen (@carmenhchung)

PS. You subscribed to this newsletter because you’re an amazing human being who is interested in tech (or you’re my mum - in which case, hi mum!). If you enjoyed it, please feel free to share it using the button below - yes, you can even send it over WhatsApp. 😉 If this was forwarded to you, get your own copy here:

Subscribe now