Account details and user activity visible to others: improve the security of your online platform
If your users’ account details and activity are visible, it means that some or all of them can be seen by other users or by the general public. These details may include:
- personal details, like their name, age or location
- comments they made
- content they viewed
This page will help you understand how making account details and user activity visible on a platform can create a user security risk, and how to manage those risks.
New online safety legislation is underway and will aim to reduce online harm. If you own or operate an online platform under future legislation, you will have a legal obligation to protect users from illegal content. You will also need to put measures in place to protect children if they are likely to use your service.
Harms caused by visibility of account details and user activity
Example of harm that could arise if account details or user activity is visible
On an app that allows users to interact with each other, users must check a box to confirm that they are over 16. birth, place and biography – are publicly visible.
Since users can verify their own age, the app is used by children whose personal data could be exploited by offenders.
What harms can occur if your users' account details and activity are visible
When a user's activity and details are visible to other users or to the general public, they are more likely to be tracked, targeted, or groomed. Their personal information can be shared without their permission, and it is easier for strangers to contact them offline as well as online.
The most likely harms related to visible account details and activity include:
How to prevent harms from visible account details and activity
1. Know your users
If you allow your users to create accounts, you can:
- have users verify their accounts when creating the account – for example, using two-factor authentication (2FA)
- establish the age of your users, using age assurance technology such as age verification
Learn more about security technology providers
2. Set the security settings to high by default
Doing this when a user creates their account will prevent their account details and activity from inadvertently being visible. If you do this, you should do it for all users.
The highest level of security you offer should ensure that:
- user content, contacts and activity are visible only to friends
- users cannot share their location with strangers
- automatic facial recognition is disabled
For users under the age of 18, you may want to do any of the following:
- prevent them from reducing their security level
- require additional permission before they can lower their security levels – for example, from a parent or verified guardian using parental controls
You can invite or prompt users to change their security settings. You should also ask users to confirm that they understand the risks associated with their change before allowing them to continue.
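The defaults and the rules for lowering them, as an added example that is not part of the original guidance. The class and function names, the `minors_locked` switch and the boolean inputs (`risk_acknowledged`, `guardian_approved`) are hypothetical, and the user's age is assumed to have been established already.

```python
from dataclasses import dataclass, field, replace
from enum import IntEnum

class Audience(IntEnum):  # higher value = wider exposure
    FRIENDS = 0
    EVERYONE = 1

@dataclass(frozen=True)
class PrivacySettings:
    # Field defaults are the highest level: what every new account gets.
    content_visible_to: Audience = Audience.FRIENDS
    share_location_with_strangers: bool = False
    facial_recognition: bool = False

    def exposure(self):
        return (int(self.content_visible_to),
                int(self.share_location_with_strangers),
                int(self.facial_recognition))

@dataclass(frozen=True)
class User:
    age: int  # assumption: already established by age assurance
    settings: PrivacySettings = field(default_factory=PrivacySettings)

class ChangeRefused(Exception):
    pass

def is_lowering(old, new):
    # A change lowers security if any single setting exposes more than before.
    return any(n > o for o, n in zip(old.exposure(), new.exposure()))

def apply_change(user, new, *, risk_acknowledged=False,
                 guardian_approved=False, minors_locked=False):
    """Return the updated user, or raise ChangeRefused."""
    if is_lowering(user.settings, new):
        if user.age < 18:
            if minors_locked:  # option 1: under-18s can never reduce
                raise ChangeRefused("under-18 accounts cannot reduce security")
            if not guardian_approved:  # option 2: extra permission needed
                raise ChangeRefused("parent or guardian approval required")
        if not risk_acknowledged:  # every user confirms the risk first
            raise ChangeRefused("user must confirm they understand the risks")
    return replace(user, settings=new)  # raising security is never blocked
```

Because the check compares each setting separately, a request that tightens one setting while loosening another is still treated as lowering.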
Part of online safety tips if you own or operate an online platform