Minnesota Fusion Center//Unclassified//FOUO//Minn. Stat. § 13.37 MN Security Information Declaration dated 16 January 2019 (U) UPDATE - Social Media Security for Public Safety Personnel (U//FOUO) This product was originally disseminated in April 2020. (U//FOUO) This update is being provided to facilitate situational awareness amongst public safety personnel, with the intention of highlighting what doxxing is, what potential implications may arise from doxxing, what publicly available and free resources individuals may leverage to dox another person, and how to pre-emptively secure existing social media platforms. (U) All new, or updated information appears in text boxes such as this one. (U) Overview (U//FOUO) Public safety personnel are urged to use caution when sharing information via social media. Due to the public nature of the position, and potentially higher profile, individuals in public safety positions may be at heightened risk of having their social media accounts exploited. (U) Doxxing Overview (U) Doxxing (U//FOUO) Doxxing occurs when malicious actors expose the personal or sensitive information of other individuals online for everyone to see. Such sensitive information may include full names, dates of birth, phone numbers, social security numbers, credit card information, and anything else individuals may use to target an individual. Motives for doxxing another person can range from boredom to malice, including harm, harassment, extortion, shaming, coercion, aiding law enforcement, or vigilante versions of justice. (U) Examples of Doxxing Incidents • (U) 2015: CIA Director John Brennan’s personal email was allegedly hacked and the hackers released a list of alleged intelligence community employees, along with their alleged personal emails and social security numbers. • (U) 2014: Amid the unrest in Ferguson, Missouri, hackers threatened to release the personal information of a Missouri Police Chief’s daughter. • (U) 2011: In response to a controversial law, hacker group released the sensitive information of dozens of officers in Arizona, including their personal emails, names, and phone numbers. Minnesota Fusion Center//Unclassified//FOUO//Minn. Stat. § 13.37 MN Security Information Declaration dated 16 January 2019 Minnesota Fusion Center//Unclassified//FOUO//Minn. Stat. § 13.37 MN Security Information Declaration dated 16 January 2019 (U) Perpetrators (U//FOUO) While cyber criminals, hacktivists, trolls, hacking groups, and vigilantes commonly employ doxxing as a tactic, any individual can dox another. Generally, individuals facilitating doxxing hide behind Internet anonymity and make it difficult for law enforcement to identify. (U) Victims (U//FOUO) Anyone can be a victim of doxxing. The likelihood of victimization increases based on a variety of factors, including but not limited to an individual’s: • (U) Existing digital footprint and implementation of security settings. Digital footprints exist on a spectrum, where the extremes range from an individual not having any account for social media platform, to an individual having multiple accounts with completely public information. The more accounts a person has and the extent to which the individual has employed security settings directly affect the amount of information available for criminal actors to exploit. • (U) Current or past employment. The nature of an individual’s may affect their likelihood of doxxing. Frequently targeted individuals may include public officials, journalists, law enforcement officials, judges, and/or celebrities. In terms of employment, these individuals may: o (U//FOUO) Have access to sensitive information; o (U//FOUO) Be involved in politically-charged, controversial or high-profile events, legislation, criminal cases, and/or policies; and/or o (U//FOUO) Appear in the media for purposes related to their employment, specifically resulting from decisions made or actions taken during their employment. Examples of media exposure that can elicit the public’s response and result in doxxing may include how the individual executed their job or how the justice system prosecuted the individual, should they commit a crime themselves. (U) Implications (U//FOUO) Doxxing can have serious short- and long-term consequences for both the victim and criminal actor(s) involved. Victims of doxxing, or their families, may experience emotional trauma, fear, depression, humiliation, property damage, physical violence, and/or death. (U//FOUO) Doxxing may also directly involve law enforcement punishing someone the doxxer wants targeted, as it may lead to “swatting,” or calling 911 and faking an emergency to elicit a response from law enforcement, usually a SWAT team. Doing so draws first responders, and diverts their resources, away from real emergencies, potentially placing both law enforcement and victims of swatting in harm’s way. (U) Legal Information related to Doxxing • (U) Doxxing is illegal if an individual obtains information through illegal means, such as hacking. Criminal actors attempting to dox another person through illegal means may obtain the target’s email address. Once obtained, the email address provides the criminal actor with a way to uncover passwords, obtain more personal information, and locate additional online accounts. • (U) Civil lawsuits and criminal charges, such as harassment, intimidation, invasion of privacy, stalking, and/or assault, may result; however, the legal ramifications of doxxing are ultimately case specific. Minnesota Fusion Center//Unclassified//FOUO//Minn. Stat. § 13.37 MN Security Information Declaration dated 16 January 2019 Minnesota Fusion Center//Unclassified//FOUO//Minn. Stat. § 13.37 MN Security Information Declaration dated 16 January 2019 (U) Publicly Available Resources Used to Dox (U) A variety of publicly available resources is available online for individuals to exploit and leverage when doxxing another individual. In addition to social media accounts, criminal actors may use the following resources to facilitate doxxing: • (U) Public records, such as county property tax records, meeting minutes or voting records for local government; • (U) Online games; • (U) Chat forums; • (U) Blogs; • (U) People search sites; • (U) Family ancestry sites; and/or • (U) Real Estate Listings. (U) People search sites enable the public to search names and other personally identifiable information. Returns from these searches include property addresses, points of contact, family members, aliases, and more associated with the searched information with varying degrees of accuracy. The table below identifies several people search sites and ways to opt-out of them. People Search Site Addresses Archives BeenVerified Cubib FamilyTreeNow FastPeopleSearch Instant Checkmate Intelius Lexis Nexis Peek You People Finders People Smart People Wiz Pipl Radaris Social Catfish Spokeo SpyFly ThatsThem TruePeopleSearch USA People Search White Pages USPhoneBook Opt Out Method https://www.addresses.com/optout.php http://www.archives.com/?_act=Optout https://www.beenverified.com/f/optout/search https://cubib.com/optout.php https://www.familytreenow.com/optout https://www.fastpeoplesearch.com/removal https://www.instantcheckmate.com/opt-out/ https://www.intelius.com/optout https://www.lexisnexis.com/en-us/privacy/for-consumers/opt-outof-lexisnexis.page? https://www.peekyou.com/about/contact/optout/ https://www.peoplefinder.com/optout.php https://www.peoplesmart.com/optout-go https://www.peoplewhiz.com/remove-my-info https://pipl.com/help/remove/ https://radaris.com/ng/page/removal-officer https://socialcatfish.com/opt-out/ https://www.spokeo.com/optout https://www.spyfly.com/help-center/remove-info https://thatsthem.com/optout https://www.truepeoplesearch.com/removal https://www.usa-people-search.com/manage/ https://www.whitepages.com/data-policy http://www.usphonebook.com/opt-out Minnesota Fusion Center//Unclassified//FOUO//Minn. Stat. § 13.37 MN Security Information Declaration dated 16 January 2019 Minnesota Fusion Center//Unclassified//FOUO//Minn. Stat. § 13.37 MN Security Information Declaration dated 16 January 2019 (U) Additionally, you should consider removing pictures of your home from real estate services’ online listings. These often display both exterior and interior images of your residence. Further privacy can be achieved by suppressing curbside images of your home from showing in Google Street View and Bing Curbside. For additional advice, click here and/or consult the table below. Service Privacy Settings Zillow https://zillow.zendesk.com/hc/en-us/articles/218578357-Owner-Dashboard https://zillow.zendesk.com/hc/en-us/requests/new Trulia https://support.trulia.com/hc/en-us/requests/new Realtor Sign up, control of listing Redfin https://support.redfin.com/hc/en-us/articles/360013247432-Removing-Photos-on-a-SoldHome Movoto Contact customercare@movoto.com Homesnap Contact support@homesnap.com Google Street View https://www.wikihow.com/Opt-Out-of-Google-Street-View https://support.google.com/websearch/answer/4628134?hl=en Bing Streetside https://www.bing.com/maps/privacyreport/streetsideprivacyreport?bubbleid=198628406 (U) Recommenda�ons for Securing Exis�ng Social Media Accounts (U//FOUO) The following information consists of recommendations for minimizing indicators of your public safety affiliations on social media to better protect you and your family’s identity and Personally Identifiable Information (PII). (U) Basic Recommendations for Securing Digital Footprint • (U) Enable two-factor authentication for all social media platforms that have the option. • (U) Use different passwords for each social media account. • (U) Create an email account specifically for social media. Do not associate any social media account with a primary personal or official email account unless required to do so. • (U) Remove any content from your social media accounts that reference your involvement or affiliation with the public safety sector. • (U) Have all content that references your involvement with the public safety sector removed from family and friends’ social media accounts. • (U) Do not list employment information on any social media platform. • (U) Do not use your work email address to sign up for any social media accounts. • (U) If signing into a social media account on a shared or public computer, be sure the password is not saved after signing out. • (U) Always sign out/log off when finished. Minnesota Fusion Center//Unclassified//FOUO//Minn. Stat. § 13.37 MN Security Information Declaration dated 16 January 2019 Minnesota Fusion Center//Unclassified//FOUO//Minn. Stat. § 13.37 MN Security Information Declaration dated 16 January 2019 (U//FOUO) MNFC Analyst Comment: Photos and/or comments referencing affiliations with public safety are commonly posted to social media via family and friends. Be sure to un-tag yourself or request photos to be removed. (U) Pla�orm Recommenda�ons for Securing Facebook (U) Initial recommendations include: • (U) View your profile as “friends” and “public” to see what informa�on is readily available for each viewing op�on. • (U) Restrict the informa�on you share with others in the “About” sec�on (i.e. remove your loca�on, hometown, employment, etc.). (U) Adjust your se�ngs so you can review posts and photos that other people tag you in before they appear on your �meline. • (U//FOUO) MNFC Analyst Comment: This will help you ensure no posts or photos affiliating you with public safety are posted online without your consent. Although it is not foolproof, it will assist in lowering your risk. • (U) Adjust your settings to disable search engines from pulling your Facebook profile if someone searches your name. (U//FOUO) MNFC Analyst Comment: If your name has been released as a public safety official, the public may be able to find you on Facebook by searching your name in a search engine. (U) Facebook Security Settings (U) How to view your Facebook page as your friends or the public will see it: (U) 1. Log in to Facebook and view your profile. (U) 2. Click on the three dots located just to the right of “Activity Log” on the background photo. (U) 3. Click “View As” and then, in the black tool bar, select to view your profile as a specific person or the public sees it. (U) How to restrict the information you share with others in the “About” section: (U) 1. Log in to Facebook and view your profile. (U) 2. Click on the “About” section. (U) 3. Click on a category from the left (i.e. Work and Education), then scroll over the information there. (U) 4. Click “Edit” and change the setting on the right from “Public” to “Friends,” “Only Me,” or “Custom.” (U) 5. Repeat steps 3 & 4 for each category on the left. (U) How to adjust your settings so you can review posts and photos that you are tagged in: (U) 1. Log in to Facebook, click on the drop down arrow to the right on the top (blue) Facebook toolbar, then select “Settings.” (U) 2. Click on the “Timeline and Tagging” tab on the left. Minnesota Fusion Center//Unclassified//FOUO//Minn. Stat. § 13.37 MN Security Information Declaration dated 16 January 2019 Minnesota Fusion Center//Unclassified//FOUO//Minn. Stat. § 13.37 MN Security Information Declaration dated 16 January 2019 (U) 3. Under “Review,” there is an On/Off toggle for “Review posts you’re tagged in before the post appears on your timeline?” Click “Edit” and switch to “Enabled”. (U) How to adjust your settings to disable search engines from pulling your Facebook page in search results: (U) 1. Follow Step 1 above to get to “Settings”. (U) 2. Click on the “Privacy” tab on the left. (U) 3. Go to the “Do you want search engines outside of Facebook to link to your profile?” (U) 4. Click “Edit” and uncheck the box. (U) Pla�orm Recommenda�ons for Securing Twiter (U) Initial recommendations include: • (U) Enable “Tweet Privacy” and disable all “Tweet Location” accessibilities. • (U) Disable the “Discoverability,” “Personalization,” and “Data” options for additional security. This will stop people from being able to search you by your email address and will disable Twitter from “remembering” your web searches if they are work-related. (U) Twitter Security Settings (U) How to shut off all geolocations for your future twitter posts and delete previous location information: (U) 1. Log in to Twitter. (U) 2. Click the “Profile and Settings” icon on the top right, then click “Settings and Privacy.” (U) 3. Select the “Privacy and Safety” tab. (U) 4. Check the “Tweet Privacy” box and uncheck the “Tweet Location” box. (U) 5. Click “Delete All Location Information.” (U) 6. Click “Save Changes.” (U) How to keep people from successfully searching for you by your email address and how to disable Twitter from “remembering” your web searches: (U) 1. Log in to Twitter. (U) 2. Click the “Profile and Settings” icon on the top right, then click “Settings and Privacy.” (U) 3. Click the “Privacy and Safety” tab. (U) 4. Uncheck both “Discoverability” boxes. (U) 5. Click “Edit” next to “Personalization and Data”. (U) 6. Uncheck all three “Personalization” boxes and both “Data” boxes. (U) 7. Click “Save Changes.” (U) Pla�orm Recommenda�ons for Securing Instagram (U) Initial recommendations include: • (U) Secure your account by making it “private”. This will only allow people you have approved to see your photos and videos. • (U) Do not allow story sharing. This will disable the ability for followers to Minnesota Fusion Center//Unclassified//FOUO//Minn. Stat. § 13.37 MN Security Information Declaration dated 16 January 2019 Minnesota Fusion Center//Unclassified//FOUO//Minn. Stat. § 13.37 MN Security Information Declaration dated 16 January 2019 share your story as messages. • (U) Avoid geotagging photos/videos. (U//FOUO) MNFC Analyst Comment: Profile captions always remain public. Avoid including PII or any other information that may reveal location or connections. (U//FOUO) Geotagging items is a feature presented for each post and allows people to know your current location. Enabling this feature and posting often may allow someone to analyze your habits and patterns to identify how often you may be at certain locations, when, and with whom. (U) Instagram Security Settings (U) How to make your account private and disable story sharing: (U) 1. Log in to Instagram and view your profile (click on the person-shaped icon). (U) 2. Click on “Edit Profile.” (U) 3, Select “Privacy and Security.” (U) 4. Check the box next to “Private Account.” (U) 5. Uncheck the box next to “Allow Sharing.” (U) Pla�orm Recommenda�ons for Securing Tik Tok (U) Data collection and dissemination of propaganda by the Chinese Government are two of the security concerns associated with this application. For this reason, several branches of the US Military have banned the use of Tik Tok. If an individual feels they must use this application, it is recommended it not be used in association with any official accounts or business. (U) Conclusions and Resources (U) This bulletin does not cover all social media platforms available for use; many others exist and have similar security options. Users should determine where and how to apply the same security protocols referenced in the previous sections to other social media not discussed in this reference aid. If such security options are not available, use of such platforms is highly advised against. (U) Additionally, the security options may be located in different sections of the platform, depending on whether or not an individual is using the application from a browser, mobile browser, or an application made by the organization. However, similar paths listed above should lead to the security options listed. (U) Additional Recommendations for Public Sector Personnel (U//FOUO) Public figures, politicians, and political appointees often use a Facebook Public Profile Page. Individuals in these positions are highly encouraged to maintain two separate social media personas: one for personal use, and one for professional use. (U) Facebook has privacy options that will allow an individual to “lock-down” a personal page, and only allow close friends/family the ability to interact with a profile, to include viewing pictures, posts, and write comments. Using these security features can protect the private information of a high-profile individual, while also ensuring the privacy of the individual’s family. (U) Follow the recommendations above, in the Facebook section, to restrict the public settings of the Minnesota Fusion Center//Unclassified//FOUO//Minn. Stat. § 13.37 MN Security Information Declaration dated 16 January 2019 Minnesota Fusion Center//Unclassified//FOUO//Minn. Stat. § 13.37 MN Security Information Declaration dated 16 January 2019 personal profile page. (U//FOUO) As a public figure, politician, or political appointee, individuals may be required to maintain a public persona, and restricting a Facebook profile to family and friends may sound drastic and “out of touch.” There is an option to create a “Public Figure” Page, separate from your personal Facebook profile. The security/privacy settings for this page are separate from the personal profile established. (U) To do this, from your personal profile: (U) 1. Click the “carrot” in the top right drop down, and select the option to “Manage Page.” (U) 2. Select the option to create a “Community or Public Figure Page” by clicking the appropriate “Get Started” option. (U) 3. Enter in the Page Name (i.e. John Smith, Minnesota Commissioner of Sandboxes) and use the category of “Government Official.” (U) 4. Continuing following the steps to create this Public Figure Page, to include your picture and cover photo, as your deem appropriate. (U) 5. The new “Public Figure” page is then managed through the personal Facebook profile. Once on the page, you can edit and include or exclude as much or as little information as desired. (U) Resources – attached to original email • (U) Personal Data Removal Workbook & Credit Freeze Guide Version 2.5 • (U) Digital Exhaust Opt Out Guide For LE Partners and Their Families.V 1.0 • (U) A Guide to Doxxing Yourself on the Internet Minnesota Fusion Center//Unclassified//FOUO//Minn. Stat. § 13.37 MN Security Information Declaration dated 16 January 2019