Tuesday, April 12, 2016

Four Commandments From a Cyberparent

These four "commandments" form a solid foundation for teaching kids to be safe online.
"Children at School" by Lucélia Ribeiro, used under license CC BY-SA 2.0 / modified from original
One recent evening I spoke to a home school parents group about keeping their kids safe online. Having worked in the cyber security industry professionally for over 15 years, I've seen far too many ways that computers and their users can be abused. But panic isn't a healthy or productive response. Disconnecting from modern technology would mean giving up the amazing things technology has made possible, such as:

  • Amazon created the Dash Button - stick one near a place where you use consumables. Running low on laundry detergent? Just press the button, and more will be delivered tomorrow. (Keep out of reach of children!)
  • A recent Twitter conversation discussed how Skype is being used by hearing-impaired people to communicate in sign language, from their mobile devices, anywhere in the world. Wow.
  • Two-factor authentication using Apple Watch means you can log into an account on your phone or laptop, then click a button on your watch to say "yes, it's really me."
  • A paralyzed soldier is able to walk thanks to an exoskeleton (okay, okay, this one's not strictly Internet-related, but it's an amazingly cool piece of the future!)

Instead of letting paranoia take hold, I prefer to take a few precautions and enjoy the benefits of living in the future. I teach my children the same.

At the elementary level, the goal is to get kids thinking about the Internet as more than just a vague concept - to think of it as a street or city with many doors (web sites, apps). Some of the doors are generally safe - libraries, the mall, a restaurant. Other doors might be appropriate in certain settings but not in others (a college anatomy class might be suitable for an adult but not for a second-grader; as one child brought up, a wanted fugitive's house might be an appropriate place for a sheriff but not for a child). Still other doors are distinctly dangerous (a drug dealer, a stranger's front door). Each of these has parallels in the online world.

Middle school and high school students often already grasp that the Internet isn't just a void. They grew up being connected, and in many cases are more aware of the most blatant cyber threats than you or I am. They understand that their personal data has value, though they might not see the longer-term consequences of what they are giving up. In a recent survey, nearly half of UK teens would consciously trade their personal data for the price of a pizza. For this age group, the goal is to get them to think beyond right now, and to consider how today's decision could affect them tomorrow.

The First Commandment: Thou mayest talk to me without needing to fear my wrath.

Kids will make foolish choices. Their actions may have consequences, but they need to feel safe talking to parents, even if (especially if) they have made a foolish choice. I've given my sixteen-year-olds a blank check that says, if they find themselves in a situation where they or their friends have consumed alcohol, don't get behind the wheel of a car. Call me and I will come get them, no questions asked. No yelling, no shaming, no punishment. It's a get out of jail free card with no strings attached.

Internet choices may not be quite so clear, but the same idea holds true: I would rather help my child deal with an unpleasant situation, than have them stay quiet and suffer irreversible harm.

In October 2014, a third-party add-on for saving posts to social sharing app Snapchat was breached, revealing thousands of supposedly private messages and photographs. Snapchat is heavily used by younger people - in fact, roughly half of all Snapchat accounts belong to children under 17 years old. The selling point behind Snapchat is that messages and photos can be seen by the intended recipient only, for a brief time only, and then disappear forever - much like old Mission: Impossible assignments ("this message will self-destruct in 10 seconds..."). As such, it has been used by many teenagers for "sexting" - sharing indecent photos of themselves, never suspecting that the photos might not actually disappear.

A month earlier, photos stolen from celebrities' personal iCloud accounts were made public. These weren't even photos the celebrities had necessarily shared with others - these were private photos stored on their personal iPhones, and backed up to Apple's cloud service.

The Second Commandment: Thou shalt not photograph any body part that is ordinarily clothed.

As embarrassing as it would be to have indecent photos of oneself shared with strangers, for our kids there are even more serious implications. Sexting between two teenagers may run afoul of child pornography laws. An even stranger scenario: in 2014, a Virginia teenager was charged with distribution of child pornography - for posting nude pictures of her 16-year-old self.

If indecent photos don't exist, there is no chance of a website breach or an unhappy ex-boyfriend or girlfriend sharing them with the world.

My teenage son has used Instagram for several years. At first he used it like any other teenage boy: he posted pictures of his dog, his room, concerts he went to - the stuff of boyhood.

A public social media account can quickly gain a large number of followers that you or your child do not know in person.

He is also an aviation nut (I'll admit he gets that from me!), so we have gone to quite a few airshows. He began posting pictures he took at airshows, and pictures he got from Google's public domain search. A few months ago people started noticing. He went from a few dozen followers to a few hundred followers almost overnight.

As I write this, his Aviation1903 Instagram account is approaching 6,000 followers and continues to grow. 6,000 followers, of which 5,950 are complete strangers he has never met. Most of them simply enjoy pictures of airplanes - but some could be child predators, or scammers.

His younger siblings saw his unexpected "Internet fame" and wanted to follow in big brother's footsteps. That led me to my next rule.

The Third Commandment: If thy social media account is public, thou shalt not post anything personally-identifying.

For my middle-school kids, that is a hard-and-fast rule. For any social media account that allows random followers, they are not to post photographs of themselves or their siblings, photographs of home or school, real names, or anything else that could be used to identify them. I give the older ones a bit more leeway - as they grow in maturity and experience, my goal is to instill in them the common sense to make wise choices about what they share publicly.

Internet security company Sophos published a bizarre story just this morning: a woman posted a public status update to Facebook about her mother's surgery having gone well. Shortly afterward, as she would have been driving her mother home from the hospital, a scammer called her husband screaming that his wife had caused a car wreck and claiming to have kidnapped his wife until the man paid for "medical expenses." Of course, the wife (and mother) were not involved in a wreck. It was all a creative scam based on a public social media post.

Even with a private account you can never be 100% certain that you know who is on the other end of an online conversation. The friend request from "a cute boy that saw you in the cafeteria" may well be a dirty old man looking for someone to prey upon. Accounts belonging to real friends can be compromised. I've warned my children not to friend someone online that they don't know in the real world, and to be suspicious of any message coming from a known friend's account that seems out of character.

I have long suggested using social media strategically. The old adage that on the Internet no one knows you are a dog is absolutely true: with social media you only know who someone claims to be. Different social media platforms offer different audiences, as well as different degrees of control over who sees your posts, so my advice is to tailor what you share to that audience.

This is second nature for many teens: many have what they call "finstagram" accounts. They may have a public account to which they share very little personally-identifying information, and a second "fake" account that they only allow trusted friends to follow, on which they will share more personal things. Which leads to my last rule.

The Fourth Commandment: Thou shalt not post anything that thou wouldst be embarrassed to have seen by thy brother or sister, or by thy mother, or by thy pastor.

Once you share something, it's out of your control. Privacy settings help, but you no longer have any real control over what you just shared. Sometimes you may have a parting of ways with a trusted friend or significant other. Or maybe the person you shared with is so impressed they want to share it with their buddies or girlfriends.

Even if the other party proves completely trustworthy, can you be certain the other party is as security/privacy-savvy as you? Might they make a mistake, choose an easy-to-guess password, or use a service that (through no fault of their own) is compromised? Assume that anything you share digitally might be seen by your parents, teachers, pastor, siblings, and the person at school you would be mortified to have see it. If you don't want what you are about to share to be seen by everyone, DON'T SHARE IT!

Bonus device security tips

Those four rules form the foundation of my approach to "cyberparenting," but I would be remiss to not talk briefly about device security. There are myriad things one can do, but these two alone will make a world of difference:

  1. Keep programs up-to-date. Android OS, Apple iOS, Windows, Mac, and many software products have automated update features. Turn them on. Software developers make mistakes - that's what the updates fix. If your car had a factory defect that might leave you stranded on the side of the road, and the manufacturer offered a free fix, you'd take them up on it, right? This is the same thing.

  2. Change the phone book. DNS, or Domain Name Resolution, is how your computer knows that www.google.com is actually “” It happens silently in the background and is usually ignored unless it stops working. OpenDNS and Norton among others offer free services that simply don’t resolve website addresses that go to known undesirable content (more accurately, they resolve such websites to a benign address that says “you can't go there.”) In my opinion this is one of the strongest controls you can add to the security of your network.

Do you have something to add? A question you'd like answered? Think I'm out of my mind? Join the conversation below, reach out by email at david (at) securityforrealpeople.com, or hit me up on Twitter at @dnlongen