The following was co-authored by Natalia Antonova and James Griffin; check out more of his work here.
Social media has created a wealth of platforms for us to act stupid on. Stupidity, of course, is part of the human condition and all serious opsec analysis should filter that in (even if people don’t like to admit this in mixed company).
However, when stupidity intersects with national security concerns, it is time for someone to be blunt: NETWORKING ON LINKEDIN COMES WITH UNIQUE RISKS.
If you’d like a succinct example of what is meant by unique risks, please check out this thread:
Now look, plenty of people under 40 use LinkedIn — because we’re trapped into doing so by DC culture in particular — but the point still stands.
If you have a sensitive job, talking about your current workplace on LinkedIn could be a bad idea.
It doesn’t just expose you, it can expose the people who work around you, and who are more vulnerable.
In order to show you what we mean, let’s take a look at a couple of Central Intelligence Agency profiles that are supposed to be very public-facing (we’re not going to highlight anyone who’s unaware of potential risks, we’re not playing gotcha here, we’re creating a quick case study):
https://www.linkedin.com/in/jennifer-ewbank/
https://www.linkedin.com/in/randy-nixon-814973205/
Deputy Director Jennifer Ewbank is the Central Intelligence Agency’s lead for digital innovation, and Randy Nixon is the head of their relatively new OSINT wing.
It’s not so much their presence that’s the problem, but the larger conundrum created by LinkedIn. On this social network, employees (in this case IC officers) invariably connect with their bosses and other potential patrons for the sake of advancing their careers.
Lower-level analysts and officers may leave out their current occupations, but will still use their full names and are visibly connected on LinkedIn with their more senior patrons.
At the risk of pointing out the obvious, if your name is publicly available, you’re connected with senior leader(s) on LinkedIn, you don’t have a recent publicly available career history AND your address shows up in the DMV [that’s the DC-Maryland-Virginia area for laypeople], it’s not difficult to infer that you’re employed by one of the three-letter agencies, which makes you a potential mark.
Keep in mind that some potential targets are more vulnerable than others.
Furthermore, LinkedIn data can be cross-referenced and/or combined with other datasets to detrimental effect.
Hamfisted attempts by Chinese intelligence officers (who are known for using LinkedIn to look for potential turncoats) are significantly less of a national security risk/danger than the mountains of publicly accessible data possessed by data aggregators.
If, say, Wikileaks had attached the addresses of the thousands of ICE employees exposed in a 2018 leak (which it could’ve done for about $15), it’s quite likely that ICE would have been instantly paralyzed.
It’s worth pointing out that there are quite a few obvious work-arounds to the issue of LinkedIn if you have a sensitive job. Think of it as adding numbers and letters to a password.
First, don’t use your last name on LinkedIn (last initials are fine, the search engines used by data aggregators struggle to fill in those gaps), and for the love of all that is holy, don’t use the geographic location of whatever office you work for.
If you need to keep a presence on LinkedIn and want to get extra creative with your profile without listing your actual job, consider saying that you work for some small business that doesn’t have a LinkedIn profile itself way out in the Midwest (just pick a random store from Google Maps). If your colleagues and references have any questions, you can explain.
Here’s another tip: Don’t use a photo that has popped up elsewhere as your LinkedIn picture. This is especially true for people who are on dating apps (what? People in sensitive jobs have personal lives… or semblances of them). Use a unique photo, or just leave it blank. It’s LinkedIn, no one cares.
The bottom line is that LinkedIn exposes professional networks far too efficiently for it to not be a concern. Again, we’re not asking you to go live in a bunker — just consider potential risks, and mitigate them as needed.
And if you don’t need LinkedIn, if it does not advance your career, stick to easier social media platforms. They’re more fun anyway.
The fact that you and your colleague felt compelled to post this drives me to despair.