Is your private online content really private? Not if you do something stupid

It doesn’t matter if it’s on Instagram, Facebook, Pinterest, or Twitter. The biggest, most preventable threat to the privacy of your online content may be your own stupidity.

As more of what we create as individuals is digital, how we choose to secure that content is critical. Especially as we store and share more of it on other people’s platforms instead of on our own websites. Yet it can all be undone by doing one thing that you might mistakenly think better protects your privacy.

I’m not talking about choosing the right privacy settings inside a service. That’s always important.

That one thing is registering for a online content service using a “fake” email address. An email address that you don’t control. An email address which actually belongs to another real, human being.

How do I know this? Because, for a short while, I controlled what apparently was a teenage girl’s private Instagram feed.

This is a small, personal story. Consider it a cautionary tale for a particular type of self-inflicted social media wound.

It began innocently enough. I recently decided it was time to re-start my Instagram account. I’d bailed on Instagram several years ago due to (yes, wait for it) potential Instagram privacy issues after it was purchased by Facebook. Instagram was going to change its terms of service in December 2012 to allow it to use usernames, likenesses and photos for commercial purposes. The only way to opt-out was to delete your account. Which I did. Instagram later reversed itself, but I was already gone.

In the six years that had passed, my original handle was no longer available. So I picked a username that was close and went to sign up with my email address. “Another account is using” that address, the inhuman registration engine declared. Thinking that, somehow, my six-year-old account was in virtual suspended animation, I requested a password reset, clicked on the email link — and discovered that I was apparently a teenage girl from Kiev.

The hijacked-email Instagram profile’s public view, privacy artfully protected.

Not just any teenage girl. One with a private Instagram account who only let approved followers view her photos. Now, before you go there, this was apparently a legit account, under its own user name, with no salacious images. It hardly seemed to be active, either. Only 21 photos or videos had been posted, some with comments in Russian, mostly between August and October 2016.

Ah, the social fickleness of youth, both off and online. Assuming this really was a teenager, or a girl, or from Kiev.

I left all of that alone (including the mobile phone number in the profile), removed my associated email address from her account, and signed out of the account. But had I wanted to be mean or cause someone hell, I could have made the account public. I could have removed photos, or added some from other websites that wouldn’t be as family friendly. I could have, as I once did with my own Instagram profile, deleted the entire account.

I didn’t. Instead, because I had deleted my address from her account, I was able to use that address to set up my new Instagram account. I immediately enabled Instagram’s two-factor authentication (so my verified mobile phone would receive a numeric log-in code each time I entered my email address and password). And I reflected on just how clueless or careless people can be with their “private” content.

The recaptured-email Frank Catalano Instagram profile.

I don’t know why this particular Instagram user chose to enter an email address that was not her own. I can speculate based on other experiences.

My personal email is on a popular web mail domain. As I’ve written before, the leading, before-the-domain part of the address could be considered a pretty common word. This email address has been subscribed to many services by others over the years either by mistake (mistyping, for store receipts) or on purpose (misdirection, for dating sites).

Yet my email address bore no obvious relationship to the displayed username or profile on the Instagram account. It clearly had never been verified by Instagram itself. But — and this is the most important observation — it was being used to help secure someone else’s private content.

Perhaps the Kiev girl thought that this supposedly random email address was different enough from her own, while appearing real, that Instagram would allow it. Perhaps she and others who try this trick think a fake email address will obscure their true selves from online services, masking and protecting their identities even more.

What appropriating others’ email addresses actually does is unwittingly open a back door to those accounts and all of their private content.

Instagram is second most popular among teens. (Pew Research Image)

Instagram is popular, notably among teens. A recent survey from Pew Research Center finds that 72 percent of U.S. teens ages 13-17 use Instagram. Other top online platforms for teens are YouTube at 85 percent and Snapchat at 69 percent. Even Facebook, which is falling in favor among teens, still garners 51 percent.

Likewise, my email provider is popular. Because of that, finding a common word or name that isn’t currently being used by someone else for an email address at that web mail domain is hard. Probably impossible.

So by using an email address you don’t control to sign up for any website, you’re betting the person who owns and does control that address never gets a confirmation email from the service, nor tries to sign up for the same service later.

And if that service is for digital content, whether it’s social media, photo storage, or document backup, you are putting a lot of potential online content at risk of not staying private, if you choose to restrict access to approved friends or followers.

It’s a good thing that more online services seem to be verifying provided email addresses before creating accounts, rather than just relying on a username or mobile phone number and password.

As I said, this is a cautionary tale. While many people are rightly focused on what internet companies and marketers can do to us — Facebook’s recent bug that publicly exposed private posts of up to 14 million people comes to mind — we also need to think hard about what we might do to ourselves. In this case, “fake” contact information may be fake for contacting you, but not for contacting someone, and giving that unknown someone full access with just a few clicks.

Sure, it may appear to be a clever way to prevent an online media service from knowing too much about you. It could also make all of your personal digital content far more social than you intended.