A time-honored proverb from a Boston politician on how to be discrete goes something like this: “Never write if you can speak; never speak if you can nod; never nod if you can wink.” Today, in sharp contrast, a growing number of digital natives are throwing such discretion to the wind as they flock to a new category of so-called anonymity apps. Some illustrative examples include the following:

  • Yik Yak: “Share your thoughts with people around you while keeping your privacy.”
  • Secret: “Secret posts come from friends and people in your community, but you won’t know who.”
  • Whisper: “The best place to express yourself online.”
  • Streetchat: “A live photoboard for schools and colleges.”
  • Confide: “Your off-the-record messenger.”
  • ANSA: “Communicate off the record, so no trace of your conversation is left behind.”

The basic concept? You can express whatever you like in writing and make it public, but you will be protected behind a cloak of technology-provided privacy.

Although these apps have been growing in popularity since 2013, the idea of combining information security technologies and social media in nontraditional ways goes back to at least 2011. For example, a blog post titled “Shredded Tweets” described an early vision for how encryption could be used to let users take full advantage of social media sites while retaining complete control over their own content. This includes restrictions on who sees it (both now and years from now) and the ability to change their minds and take it back. This is a user-centric application for privacy implemented in a positive way.

Unfortunately, user-centric privacy can also have less-than-positive results. The following are three things about anonymity apps that should be of concern:

Anonymity Apps Provide a Platform for Social Abuse

Setting aside the inherent narcissism behind a culture of status updates, selfies and check-ins, anonymity apps have become a ready-made platform for social abuse. Add hurtful and inappropriate comments about classmates (aka cyberbullying) and threats about bombs, shootings and other types of mass violence to the many titillating or merely humorous observations, and one can easily comprehend how apps such as Yik Yak have “become a force” on high school and college campuses in the United States.

Such abuse has led many schools to try to block access to anonymity apps, at least through their own information technology infrastructure. However, this course doesn’t prevent them from being accessed by mobile devices and independent networks that users have with them at all times. Unfortunately, this doesn’t relieve the administration (in an educational setting) or management (in a corporate setting) and law enforcement from their obligation to protect students or employees from harm or abuse. Many organizations have already adopted technologies to monitor social media to protect their brands, so it should be expected that these capabilities will be expanded to protect their users, as well.

Anonymity Apps Provide a Conduit for Corporate Abuse

From a traditional enterprise perspective, these apps also provide a ready-made conduit for the unauthorized exposure of sensitive corporate data, such as fraud, intellectual property theft or sabotage. These are the three primary types of insider abuse, as described in Aberdeen Group’s recent report on insider threats. Understanding the motivations, opportunities and behaviors that correlate with insider threats helps organizations outline some of the following obvious and straightforward strategies they can adopt to minimize it:

  • Address the motivations for insider misuse, at least for employees, temporary employees and contractors that are more directly under the organization’s control. This could include pre-hire assessments, executive-level attention to company culture and regular assessments of workforce morale.
  • Minimize the opportunities for insider misuse by implementing policies and controls designed to address the most common exploits.
  • Monitor the behaviors of end users for indicators of potential insider misuse. Marry enhanced visibility to the online behaviors of the organization’s insiders with business intelligence and analytics as part of a complementary big data approach to fighting fraud, waste and insider abuse.

Here again, the key capability calls for adding anonymity apps to the social channels that are being proactively monitored to protect the organization’s brand and sensitive data.

Not Really Anonymous

Most users probably don’t appreciate that anonymity apps are not really anonymous at all. They are more like “anonym-ish,” to use the brilliant term coined by AP columnist Barbara Ortutay. For example, app providers such as Yik Yak routinely cooperate with legal requests from law enforcement officials to provide information such as mobile phone numbers, which help officials track down the individuals behind threatening or abusive posts. Anyone who thinks their posts are truly anonymous should disavow themselves of this notion by taking the time to read the end user license agreement.

Moreover, the Wall Street Journal has reported that app providers such as Secret and Whisper proactively “send information to law enforcement if users said they planned to do something illegal or hurt themselves or others” and “are interested in the news value of aggregate posts, for example, from people participating in a protest demonstration” for potential relationships with news organizations.

At its very foundation, making posts under the assumption of privacy or anonymity that is provided by a third party is a bad idea for users. Moreover, in a society of laws, it creates a new class of problems and risk for users and organizations that need to be addressed.

More from Intelligence & Analytics

RansomExx Upgrades to Rust

IBM Security X-Force Threat Researchers have discovered a new variant of the RansomExx ransomware that has been rewritten in the Rust programming language, joining a growing trend of ransomware developers switching to the language. Malware written in Rust often benefits from lower AV detection rates (compared to those written in more common languages) and this may have been the primary reason to use the language. For example, the sample analyzed in this report was not detected as malicious in the…

Moving at the Speed of Business — Challenging Our Assumptions About Cybersecurity

The traditional narrative for cybersecurity has been about limited visibility and operational constraints — not business opportunities. These conversations are grounded in various assumptions, such as limited budgets, scarce resources, skills being at a premium, the attack surface growing, and increased complexity. For years, conventional thinking has been that cybersecurity costs a lot, takes a long time, and is more of a cost center than an enabler of growth. In our upcoming paper, Prosper in the Cyber Economy, published by…

Overcoming Distrust in Information Sharing: What More is There to Do?

As cyber threats increase in frequency and intensity worldwide, it has never been more crucial for governments and private organizations to work together to identify, analyze and combat attacks. Yet while the federal government has strongly supported this model of private-public information sharing, the reality is less than impressive. Many companies feel that intel sharing is too one-sided, as businesses share as much threat intel as governments want but receive very little in return. The question is, have government entities…

Tackling Today’s Attacks and Preparing for Tomorrow’s Threats: A Leader in 2022 Gartner® Magic Quadrant™ for SIEM

Get the latest on IBM Security QRadar SIEM, recognized as a Leader in the 2022 Gartner Magic Quadrant. As I talk to security leaders across the globe, four main themes teams constantly struggle to keep up with are: The ever-evolving and increasing threat landscape Access to and retaining skilled security analysts Learning and managing increasingly complex IT environments and subsequent security tooling The ability to act on the insights from their security tools including security information and event management software…