The not-so-hidden skeletons in our smartphones

During a recent interview, the chief threat intelligence officer of security group Secureworks, Barry Hensley, spooked me by hinting that he knew the man I had cropped out of my LinkedIn profile picture. From the crop, there was no way to know that the person next to me was a man, let alone his identity.

If our digital lives are increasingly being used against us, we can at least take hope from the fact that there are some truths that can’t be gleaned from our online behaviours alone, says the author.


“Hannah, pleased to meet you. So, you’re a writer and a singer,” said my interviewee as I sat down to grill him at RSA, Silicon Valley’s largest conference for cyber security professionals.

Barry Hensley, chief threat intelligence officer of security group Secureworks, had — I figured — visited my Twitter or LinkedIn profile, where I mention my musical interests. Or perhaps his press officer had pulled the information together into a briefing note, as they often do for clients.

But there was more to come. Who, he asked, was the man I had cropped out of my LinkedIn profile picture? A former boyfriend turned enemy, perhaps? Hensley appeared to have figured out who this person was — but, he said, was still trying to work out the connection between the two of us.

I was spooked: From the crop of the picture, there was no way to know that the person next to me was a man, let alone his identity. I soon learnt that Hensley’s team, either for fun or to give him an edge in the interview, had gathered what is known as open-source intelligence — or Osint — on me.

Osint involves scouring publicly available sources to collect information on a target. This typically means examining social media and the dark web, enabled by some deep Google searching and an array of free, whizzy online tools.

Such sophisticated internet stalking has long been part of the playbook of spy agencies, law enforcement and even jealous lovers. But it is also blossoming as a service offered to corporations by a new crop of cyber start-ups as well as some larger organisations.

To provide “digital risk protection”, these IT security experts will analyse the public digital footprint of companies and their top executives to establish if any of that information could be leveraged by potential hackers — and if so, to lock it down so that it is no longer accessible.

According to data by the US market research company Forrester, these services cost an average of about US$45,000 for a small business and US$150,000 for a larger one.

Cyber security is understandably a twitchy, paranoid industry, and covering it as a reporter has rubbed off on me. (Within weeks of starting in this role, I found myself standing on my chair in the office inspecting a small white device on the ceiling that turned out to be a smoke detector.)

So, naturally, I raced to enlist a trusted cyber security researcher to pull together all the dirt on me, floating there in the ether and waiting to be found.

I had prepared for the worst. But, in the end, it was fairly rudimentary; most notably, she located my Facebook page, which I thought was hidden, and knew I used an iPhone.

There were other unexpected vulnerabilities, though. In one public tweet, I had posted a screenshot of a conversation with a colleague on WhatsApp.

The colleague’s WhatsApp profile picture was visible — so an attacker could potentially clone the picture, and message me pretending to be them on a newly bought phone.

It sounds rather inventive, but this is no time for complacency: Several governments allegedly used the Pegasus spyware to target journalists using WhatsApp, and more than one source I met during RSA spoke of helping news organisations handle recent hacking attempts by outsiders.

Scarier still is that profiling — pulling together a portrait of someone and their patterns of behaviour through their data — may already be taking place on a far grander scale, albeit with stolen data sets.

Recent thinking, common in intelligence circles, is that China in particular is gathering personal information about individuals through big breaches, such as the hack of consumer credit agency Equifax in 2017.

If cross-referenced against each other, these data sets could be used to build detailed profiles, exposing people to blackmail, for example. Our easier-to-access digital footprint is just another set of data that could be added to this melting pot.

So, what of the man in my profile photo? As it turns out he is just a friend. I’m not trying to make a statement of revenge — I just like the photo of myself.

If our digital lives are increasingly being used against us, we can at least take hope from the fact that there are some truths that can’t be gleaned from our online behaviours alone. FINANCIAL TIMES

 

ABOUT THE AUTHOR:

Hannah Murphy is Financial Times’ technology correspondent in San Francisco.
