Man I hate it when people uncritically promote ‘security’ which is not security.

Brian Barrett over at Wired blithely tells people who use Instagram to turn on 2FA because ‘[i]t’s especially important if you store and share sensitive images on Instagram…’

Let me get this straight: you have just taken a ‘sensitive’ image, and you want to share it via Instagram, so you want to be authenticated by an SMS message which will, incidentally, tell Instagram when and where you are on the planet by two methods instead of only one. Oh, wait, almost everyone who sends things via Instagram has already installed the app on their phone, and omgoodness does that app spy on you! The only thing it seems to be missing is a swab and DNA test.

So clearly Brian’s audience does not ‘…care greatly about [their] personal security hygiene…’ online or via cellphone, and he is just making fun of them. He also seems to have not noticed that SMS msgs are sent in clear text over the airwaves – an attacker could just listen in, they would not need to spoof your SIM, but I agree with him that even this would be far more effort than any average individual’s Instagram account would be worth.

Or he really believes that 2FA is not a cynical campaign to get people to volunteer data about themselves which undermines their attempts to protect their privacy, in the name of protecting their privacy.

Hey Brian, here is what 2FA does for Instagram: it proves you have the phone with you, and they can log you physically where the phone’s GPS believes it is located at a specific time. And it ensures you have the app running, which could allow Instagram to track your physical movements amongst other things. It may also tell Instagram that you use an anonymizing service or VPN. If you are paranoid and have GPS turned off, are using an anonymizing service, and have somehow managed to sandbox the app from all the OS permissions it demands, it can still tell Instagram approximately where you are physically located based on cell towers.

And what does it do for you? It says you have your phone, and Instagram has your number.