I won’t bemoan the right-wing exodus from Twitter, Facebook, and various other social networks over the past few months. (The fewer people sharing messages of support for armed insurrection or coddling Nazis on my social networks, the better.) But the fact that many of these people fled to the “free speech” social network Parler has created a learning opportunity even for the more level-headed among us — particularly now that the service has turned into a complete security nightmare.
Here’s a short summary of the current chaos: Over the weekend, Apple, Google, and Amazon Web Services announced they were removing Parler from their app stores/servers. Meanwhile, a hacker began archiving all the posts (“parlays”) ever made to Parler before it went down — including deleted/removed posts, because Parler’s back-end configuration is terrible. Accounts differ as to how much and the types of information being mined, as shown by this tweet from @donk_enby, the architect of the operation:
since a lot of people seem confused about this detail and there is a bullshit reddit post going around:
only things that were available publicly via the web were archived. i don't have your e-mail address, phone or credit card number. unless you posted it yourself on parler.
— crash override (@donk_enby) January 11, 2021
The aforementioned Reddit post, which has been upvoted quite a bit, suggests that Parler itself was breached. Attackers were allegedly able to create all sorts of administrative accounts on the service and, as a result, capture every bit of information ever uploaded to Parler — including scanned images of users’ driver’s licenses and any social security numbers they submitted.
I haven’t seen these claims corroborated anywhere else, so I’m not about to conclusively state Parler was hacked and everyone who used it is SOL. However, that kind of a post should scare anyone who ever signed up for the service. And it makes me think of everything else Parler’s many failures can teach us.
Just because an app exists doesn’t mean it is safe
This should go without saying, but is also probably the best security advice I can give anyone, regardless of their technological expertise: Apps that you find on the Google Play Store or Apple’s App Store are generally safe, in that they probably aren’t loaded with malware that will mess up your phone and/or your life. However, that doesn’t mean that you can, or should, blindly trust an app simply because it’s downloadable from an official storefront. These companies get a lot of app submissions, and their teams aren’t going through and using each of them for a few weeks to get a feel for their security and privacy practices. They simply can’t. In most cases, automated systems are checking for malware and other catastrophic code.
That’s why you’ll regularly read reports of malicious apps downloaded by millions — apps, for example, that attempt to conceal the fact that using them requires you be suckered into buying a super-expensive subscription (after which the apps still offer only limited functionality). In the present case, neither Apple nor Google has much control over what Parler does with the content posted to its service. Sure, they can ding the app for being vague in its public security and privacy statements, but generally speaking, this is something that is more likely to occur after there’s been an issue than when an app first launches.
In other words, Parler’s simple existence on the app store doesn’t mean it was ever trustworthy or secure. As many of its users are now finding out, you can’t always trust that a company’s data practices are sound.
Social network anonymity is worth its weight in digital gold
Quite a few of my friends have gone the “pick a fake name on Facebook and delete all identifying information” route lately, which is great. That doesn’t do much for the data Facebook already has stored on its servers about you, but it does make it a lot harder for others — coworkers, acquaintances, and randos — to find and friend you.
If you’re joining a new social network and you don’t have to provide real identifying information — don’t. There’s no reason to provide your real name unless you’re required to. Don’t post your location. Don’t talk publicly about your job (or indicate where you work). Hell, I’d even upload a test photo and then download it to see if said social network deletes EXIF data on my behalf. (Even if it does, you never know; perhaps it’s worth anonymizing photos and then uploading them to the service, rather than uploading them directly).
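One way to run the test-photo check described above, as an added example that is not part of the original article: a short Python script that lists the metadata a downloaded JPEG still carries and strips it before upload. The function names and the header-only sample file are constructed for illustration.

```python
import struct
# Segments treated as metadata; JFIF (APP0) and ICC profiles (APP2) are kept.
STRIP = {0xE1: "APP1 (XMP or other)", 0xED: "APP13 (IPTC)", 0xFE: "COM (comment)"}

def segments(data):
    """Yield (marker, start, end) for each JPEG header segment before the scan data."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG: missing SOI marker")
    pos = 2
    while pos + 4 <= len(data) and data[pos] == 0xFF and data[pos + 1] != 0xDA:
        length = struct.unpack(">H", data[pos + 2:pos + 4])[0]
        yield data[pos + 1], pos, pos + 2 + length
        pos += 2 + length

def has_gps(exif_payload):
    """True if the TIFF IFD0 inside an EXIF payload has a GPS pointer (tag 0x8825)."""
    tiff = exif_payload[6:]                      # skip b"Exif\0\0"
    order = "<" if tiff[:2] == b"II" else ">"
    ifd = struct.unpack(order + "I", tiff[4:8])[0]
    count = struct.unpack(order + "H", tiff[ifd:ifd + 2])[0]
    tags = struct.unpack(order + "H10x" * count, tiff[ifd + 2:ifd + 2 + 12 * count])
    return 0x8825 in tags

def find_metadata(data):
    """List the metadata a downloaded copy still carries."""
    found = []
    for marker, start, end in segments(data):
        payload = data[start + 4:end]
        if marker == 0xE1 and payload.startswith(b"Exif\x00\x00"):
            found.append("EXIF+GPS" if has_gps(payload) else "EXIF")
        elif marker in STRIP:
            found.append(STRIP[marker])
    return found

def strip_metadata(data):
    """Return the JPEG with APP1, APP13 and COM segments removed."""
    out, pos = bytearray(data[:2]), 2
    for marker, start, end in segments(data):
        if marker not in STRIP:
            out += data[start:end]
        pos = end
    return bytes(out + data[pos:])               # scan data and EOI, unchanged

# Constructed sample: a header-only JPEG skeleton (not a viewable image).
def _seg(marker, payload):
    return bytes([0xFF, marker]) + struct.pack(">H", len(payload) + 2) + payload
_TIFF = b"MM\x00\x2a" + struct.pack(">IH", 8, 1) + struct.pack(">HHII", 0x8825, 4, 1, 26) + b"\x00" * 4
SAMPLE = (b"\xff\xd8" + _seg(0xE0, b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00")
          + _seg(0xE1, b"Exif\x00\x00" + _TIFF) + _seg(0xFE, b"shot at home")
          + _seg(0xDA, b"\x00") + b"\xff\xd9")
```

Removing the EXIF segment also removes the orientation tag, so a photo taken sideways may display rotated after stripping.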
In short, why give up information about yourself if you don’t have to? Save that for LinkedIn, where it matters. Where it doesn’t, be whoever you want to be — not yourself.
Consider that your online actions, even when anonymised, can have an unpleasant impact on the real people on the other end of your rage. Telling someone to “kill themselves” online isn’t yelling into a void; you’re talking to an actual person, and your words might in fact trigger them to consider some kind of bodily harm. You never know a person’s tipping point, so it’s worth not getting worked up fighting people you don’t know.
In a perfect world, more of us would keep intense political discussions off of social media altogether — politics tending to be the most reliable source of the comment wars of late, at least on my Facebook feeds. I don’t see that happening, unfortunately, even though I have yet to meet anyone who was convinced of the other side’s argument via a sharply worded Facebook comment.
Parler, cesspool for right-wing zealots that it is (was), is a great example of social media at its very worst; the site’s unwillingness to moderate violent rhetoric from users is what got it banned by Amazon, Google, and Apple. We can’t trust Twitter, Facebook, or YouTube to do the cleaning for us either, though; all we can truly be responsible for is our own actions (and a healthy use of the “report” feature when confronted with others who can’t act right online). Again, maybe social media isn’t the place to have drawn-out fights over controversial topics; it’s definitely not the place to congregate with other like-minded people and make threats.
Stop sharing personal data no one needs to have
I respect that Parler attempted to tie accounts to real-world information — namely, if you wanted a verified account with the social network, you had to cough up scans of your driver’s licence or passport. I honestly think that every social network should have some way to tie a user’s account to data that’s difficult to replicate, such as a personal phone number or work email address. It’s important to be able to stop people from creating 20+ anonymous accounts to harass others even after their primary account(s) are banned.
It’s a double-edged sword, however: I’m absolutely dumbfounded that anyone would agree to provide scans of something as personal as their driver’s licence, passport, or social security number to a service they know nothing about. Never, ever do this. The only places that need this information are entities like your bank, which have verifiable procedures for safeguarding your personal data.
This advice couldn’t be any more commonsense, but clearly some people threw caution out the window when signing up for Parler. So, I’ll say it plainly: Do not give up your social security number unless you have complete trust in the entity you’re giving it to. Do not scan your driver’s licence or passport when asked unless you are absolutely sure of who is going to have that information and how they’re going to use/store it.
Generally speaking, you should never give up this sort of information unless it’s obvious it’s critical to the service provided — if asked for by your tax servicer, perhaps, and certainly not a social network. Don’t cough up personal data when asked for it by a third-party app you’re trying out for the first time, and consider the reputation of the app or service making the request. I’d be more comfortable with TurboTax asking for sensitive information to complete my annual tax return than I would “David’s Tax Helper 2021” that just joined the App Store a week ago.
No one is “entitled” to digital access
The First Amendment has nothing to do with private industry. Facebook could say right now that it doesn’t like the colour blue, and every post related to the colour blue on its service could be deleted without infringing on anyone’s guarantee of free speech.
If you don’t like how a private entity controls speech, that’s completely fine. You aren’t entitled to use Facebook on your terms, nor does the First Amendment guarantee you the right to do anything you want when a private company is providing the service. (Nor does the First Amendment allow you to do whatever you want, period — that whole “yelling ‘fire’ in a crowded theatre” thing.)
The First Amendment is as beautifully written as it is (supposedly) easy to understand:
“Congress shall make no law respecting an establishment of religion, or prohibiting the free exercise thereof; or abridging the freedom of speech, or of the press; or the right of the people peaceably to assemble, and to petition the government for a redress of grievances.”
Nothing in there indicates that tech companies must allow any and all speech on their services; they might provide a platform for public speech, but they don’t become government entities simply by doing so. They’re within their rights to limit what’s said on their services in whatever ways they want. If you don’t like it, you can use a different service that lets you spout off how you like. (Relatedly, companies aren’t obligated to provide services to social media networks if they don’t want to.)
Beyond that, you don’t have a God-given right to an account on social media, period, nor are your First Amendment rights being infringed upon if you act like a jerk on Twitter and get banned. Again, it’s a private-industry thing: If Twitter decides that what you post violates its guidelines, it’s free to remove you from the service; the social network doesn’t owe you access.
In fact, it’s the First Amendment that expressly prohibits the government from cracking down in instances like these. Entities like Twitter are allowed to police their own platforms how they see fit, free of government intervention. If that enforcement targets you, it’s the First Amendment that makes your case completely moot, not the other way around.
I enjoyed watching the Parlor app rocket to the top of the Google Play Store this weekend. That’s Parlor with an “o,” not Parler with an “e.” While they’re both social media apps, the latter is the one full of far-right extremists. The former is a “social talking app” that’s been around for a decade, though not many people really seem to use and/or know about it.
While this seems silly, it’s a helpful reminder that you should always verify that the app you’re downloading is exactly the app you’re intending to download. Nothing bad would happen to you if you grabbed Parlor instead of Parler from the Google Play Store, but I see a future where an unofficial “Parler” app makes the rounds on the web that, when sideloaded onto your device (since you can’t install it from an app store), will infect you with malware.
Spelling matters. Sourcing matters. Don’t put apps on your device unless you’ve triple-checked that they’re legitimate versions of the exact app you are looking to install. If you’re not sure, or you can’t verify whether that’s the case, don’t install them.
To circle back to an earlier point: Just because an app is on an official app store doesn’t mean it’s legitimate. It’s also possible that a copycat app won’t get thoroughly reviewed, reported, or taken down before you’re tricked into installing it. Check an app’s publishing dates, reviews, descriptions, and screenshots before downloading it. Run a quick web search to confirm that the link you’re using is actually pointing at the official version of an app. Visit the developer’s website and use their links, rather than one you were sent in a message or an email. And if you have any doubts, don’t download the app. Don’t sign up for the app. Don’t pay for the app. And certainly don’t send incredibly sensitive personal information to the app.