A time-honored proverb from a Boston politician on how to be discrete goes something like this: “Never write if you can speak; never speak if you can nod; never nod if you can wink.” Today, in sharp contrast, a growing number of digital natives are throwing such discretion to the wind as they flock to a new category of so-called anonymity apps. Some illustrative examples include the following:

  • Yik Yak: “Share your thoughts with people around you while keeping your privacy.”
  • Secret: “Secret posts come from friends and people in your community, but you won’t know who.”
  • Whisper: “The best place to express yourself online.”
  • Streetchat: “A live photoboard for schools and colleges.”
  • Confide: “Your off-the-record messenger.”
  • ANSA: “Communicate off the record, so no trace of your conversation is left behind.”

The basic concept? You can express whatever you like in writing and make it public, but you will be protected behind a cloak of technology-provided privacy.

Although these apps have been growing in popularity since 2013, the idea of combining information security technologies and social media in nontraditional ways goes back to at least 2011. For example, a blog post titled “Shredded Tweets” described an early vision for how encryption could be used to let users take full advantage of social media sites while retaining complete control over their own content. This includes restrictions on who sees it (both now and years from now) and the ability to change their minds and take it back. This is a user-centric application for privacy implemented in a positive way.

Unfortunately, user-centric privacy can also have less-than-positive results. The following are three things about anonymity apps that should be of concern:

Anonymity Apps Provide a Platform for Social Abuse

Setting aside the inherent narcissism behind a culture of status updates, selfies and check-ins, anonymity apps have become a ready-made platform for social abuse. Add hurtful and inappropriate comments about classmates (aka cyberbullying) and threats about bombs, shootings and other types of mass violence to the many titillating or merely humorous observations, and one can easily comprehend how apps such as Yik Yak have “become a force” on high school and college campuses in the United States.

Such abuse has led many schools to try to block access to anonymity apps, at least through their own information technology infrastructure. However, this course doesn’t prevent them from being accessed by mobile devices and independent networks that users have with them at all times. Unfortunately, this doesn’t relieve the administration (in an educational setting) or management (in a corporate setting) and law enforcement from their obligation to protect students or employees from harm or abuse. Many organizations have already adopted technologies to monitor social media to protect their brands, so it should be expected that these capabilities will be expanded to protect their users, as well.

Anonymity Apps Provide a Conduit for Corporate Abuse

From a traditional enterprise perspective, these apps also provide a ready-made conduit for the unauthorized exposure of sensitive corporate data, such as fraud, intellectual property theft or sabotage. These are the three primary types of insider abuse, as described in Aberdeen Group’s recent report on insider threats. Understanding the motivations, opportunities and behaviors that correlate with insider threats helps organizations outline some of the following obvious and straightforward strategies they can adopt to minimize it:

  • Address the motivations for insider misuse, at least for employees, temporary employees and contractors that are more directly under the organization’s control. This could include pre-hire assessments, executive-level attention to company culture and regular assessments of workforce morale.
  • Minimize the opportunities for insider misuse by implementing policies and controls designed to address the most common exploits.
  • Monitor the behaviors of end users for indicators of potential insider misuse. Marry enhanced visibility to the online behaviors of the organization’s insiders with business intelligence and analytics as part of a complementary big data approach to fighting fraud, waste and insider abuse.

Here again, the key capability calls for adding anonymity apps to the social channels that are being proactively monitored to protect the organization’s brand and sensitive data.

Not Really Anonymous

Most users probably don’t appreciate that anonymity apps are not really anonymous at all. They are more like “anonym-ish,” to use the brilliant term coined by AP columnist Barbara Ortutay. For example, app providers such as Yik Yak routinely cooperate with legal requests from law enforcement officials to provide information such as mobile phone numbers, which help officials track down the individuals behind threatening or abusive posts. Anyone who thinks their posts are truly anonymous should disavow themselves of this notion by taking the time to read the end user license agreement.

Moreover, the Wall Street Journal has reported that app providers such as Secret and Whisper proactively “send information to law enforcement if users said they planned to do something illegal or hurt themselves or others” and “are interested in the news value of aggregate posts, for example, from people participating in a protest demonstration” for potential relationships with news organizations.

At its very foundation, making posts under the assumption of privacy or anonymity that is provided by a third party is a bad idea for users. Moreover, in a society of laws, it creates a new class of problems and risk for users and organizations that need to be addressed.

More from Intelligence & Analytics

Email campaigns leverage updated DBatLoader to deliver RATs, stealers

11 min read - IBM X-Force has identified new capabilities in DBatLoader malware samples delivered in recent email campaigns, signaling a heightened risk of infection from commodity malware families associated with DBatLoader activity. X-Force has observed nearly two dozen email campaigns since late June leveraging the updated DBatLoader loader to deliver payloads such as Remcos, Warzone, Formbook, and AgentTesla. DBatLoader malware has been used since 2020 by cybercriminals to install commodity malware remote access Trojans (RATs) and infostealers, primarily via malicious spam (malspam). DBatLoader…

New Hive0117 phishing campaign imitates conscription summons to deliver DarkWatchman malware

8 min read - IBM X-Force uncovered a new phishing campaign likely conducted by Hive0117 delivering the fileless malware DarkWatchman, directed at individuals associated with major energy, finance, transport, and software security industries based in Russia, Kazakhstan, Latvia, and Estonia. DarkWatchman malware is capable of keylogging, collecting system information, and deploying secondary payloads. Imitating official correspondence from the Russian government in phishing emails aligns with previous Hive0117 campaigns delivering DarkWatchman malware, and shows a possible significant effort to induce a sense of urgency as…

X-Force releases detection & response framework for managed file transfer software

5 min read - How AI can help defenders scale detection guidance for enterprise software tools If we look back at mass exploitation events that shook the security industry like Log4j, Atlassian, and Microsoft Exchange when these solutions were actively being exploited by attackers, the exploits may have been associated with a different CVE, but the detection and response guidance being released by the various security vendors had many similarities (e.g., Log4shell vs. Log4j2 vs. MOVEit vs. Spring4Shell vs. Microsoft Exchange vs. ProxyShell vs.…

Unmasking hypnotized AI: The hidden risks of large language models

11 min read - The emergence of Large Language Models (LLMs) is redefining how cybersecurity teams and cybercriminals operate. As security teams leverage the capabilities of generative AI to bring more simplicity and speed into their operations, it's important we recognize that cybercriminals are seeking the same benefits. LLMs are a new type of attack surface poised to make certain types of attacks easier, more cost-effective, and even more persistent. In a bid to explore security risks posed by these innovations, we attempted to…