Holidays and privacy: the threat model you forget in a swimsuit
On holiday, you drop every guard at the moment you expose the most: real-time geolocated photos, hotel Wi-Fi, children's devices, an empty house announced publicly. The leisure threat model, handled without paranoia.
An acquaintance posts, from the beach, a photo of her children with the caption “finally two weeks of peace in [village name].” The photo is beautiful. It also says, to anyone paying attention: the main house is empty, here is what the children look like, here is where they are, and this for the next fifteen days. None of that was the intention. All of it was said anyway.
Holidays are the moment when we conscientiously drop every guard we have painfully maintained throughout the rest of the year. That is the point, after all: we go away to switch off. The problem is that mental relaxation is accompanied by digital relaxation, and it occurs at the precise moment when our exposure is greatest.
This is not a call for summer paranoia. Nobody should spend their holidays encrypting postcards. It is an observation about a few reflexes that cost little and change a lot, and about a category of exposure we overlook entirely: that of children.
The common trap
The received wisdom is that digital security is a professional matter. At the office, you are careful. On holiday, you are with family, among friends, in a private setting, so you relax. Digital leisure, on this view, is a zone without stakes.
It is exactly the opposite. On holiday, three things change at the same time. You publish more, and in real time, because it is the moment you want to share. You use networks you do not control — the hotel’s, the campsite’s, the restaurant’s. And you bring the whole family, including children whose data is even less protected than yours, and whose image ends up published by adults who do not stop to ask the question.
A private setting does not reduce exposure. It reduces vigilance. And a burglar, a stalker, or a scammer does not distinguish between your professional data and your beach data.
The real threat model
The actors must be named, because they are not the ones you imagine. No secret services here, no industrial espionage. Ordinary threats, precisely because they are ordinary.
Informed burglary comes first. A publicly announced empty house, with dates, is directly exploitable information. Social media has become a reconnaissance tool for burglars, and the “we’re away for two weeks” photo is as clear a signal as a sign on the door.
Involuntary geolocation comes next. Photo metadata (data about data: who wrote what, when, where, to whom), the well-known EXIF data (metadata attached to images: date, GPS, device model, capture settings), often contains the exact GPS coordinates of where the photo was taken. Some platforms strip them at publication, others do not. And simple real-time publication, independently of metadata, reveals your location to your friends list, which is not always as closed as you think.
The uncontrolled network rounds out the picture. Public Wi-Fi (open or shared Wi-Fi at a hotel, cafe or conference, with its own specific threat model) at hotels or campsites presents the same risk profile as at an airport: operated by a third party, poorly configured, sometimes imitated by a fake access point. With widespread HTTPS the risk has diminished, but it has not disappeared, and we connect to it on holiday with a carelessness we would never apply at work.
The blind spot of children
This is the part we address least, and it may be the most important. A child has not consented to their presence online. Every photo published by a parent builds, without their agreement, a digital footprint that will follow them and that they did not choose.
Beyond the principle, there is the concrete. A geolocated photo of a child, with their first name as a caption and the school mentioned elsewhere on the profile, is a reconnaissance dossier. Most parents who publish these elements have never looked at them as a whole. Put together, they draw a precise map of a minor’s life.
The right approach
The structuring rule is simpler here than elsewhere on this site: defer rather than broadcast. Almost all the risk associated with holiday sharing disappears if you publish after you return rather than in real time. The photo will be just as beautiful in two weeks, and it will no longer say “my house is empty right now.”
For the rest, three reflexes are enough to cover the essentials.
Turn off photo geolocation on your phone, once and for all. It is a setting, not a habit to maintain. On both iPhone and Android, you can disable the recording of location in photos.
Enable a VPN (an encrypted tunnel between your device and a server, masking your IP and traffic from your ISP) on accommodation networks, with the same reflex as during a business trip. A local data eSIM (an integrated reprogrammable SIM card supporting multiple carrier profiles), outside Europe, even avoids depending on the hotel’s Wi-Fi.
Check, once, who actually sees your posts. Most people publish to a far wider audience than they realise. A privacy setting reviewed before the holidays is worth all the reflexes maintained during them.
What this means in practice
For you, as an individual
You are going on holiday, you want to share, that is legitimate and that is the point. It is not about depriving yourself, just about adjusting the balance.
The only real behavioural change to adopt: publish after you return, not live. You keep all the pleasure of sharing, you eliminate most of the risk. The empty house is no longer announced, your real-time location is no longer broadcast.
The three settings to configure once, before leaving: turn off photo geolocation in your phone settings, check who sees your posts on your social networks, and install a VPN you will activate on hotel Wi-Fi.
For children, the rule is even simpler: less is more. And if you do publish, never put the first name, the location, and the school together in the same place. Taken separately it is nothing; put together it is a dossier.
For you, CISO / CIO
The holiday period is a blind spot in most awareness programmes, which focus on business travel and forget that your colleagues also go on leave with their devices — sometimes their work ones.
Two points deserve your attention. First, work devices that go on holiday: a professional phone taken abroad on leave remains an access point to your information system, on uncontrolled networks, with reduced vigilance. A clear policy on the use of work devices during leave (neither an unrealistic ban nor a free-for-all) prevents many post-holiday incidents.
Second, executives and sensitive roles on holiday. Their personal exposure does not take time off. An executive who publishes their holiday location in real time opens a window for anyone planning a CEO fraud or a social engineering approach: “I know they are in the Seychelles this week, the assistant is alone, now is the moment.” Pre-summer awareness, targeted at exposed profiles, has an excellent cost-effectiveness ratio.
Mistakes we see all the time
Posting in real time “we’ve arrived!” with a photo of the holiday home and the name of the village. It is all there: you are not at home, here is where you are, and for how long.
Leaving geolocation active on photos, and publishing images whose metadata gives GPS coordinates to the metre.
Publishing photos of children without thinking, accumulating first name, face, location and habits on a profile whose real audience has never been checked.
Connecting to the campsite Wi-Fi to check your bank accounts, out of the holiday relaxation that makes you forget you would never have done that at work.
Before you leave, and during
- N1 Decide on the principle: publish holiday photos after the return, not in real time
- N1 Turn off photo geolocation in phone settings (one-time setting)
- N1 Check who actually sees your posts on your social networks
- N1 Decide as a family what you will and will not publish about children
- N2 Install and test a VPN to activate on accommodation networks
- N2 For a stay outside Europe: arrange a local data eSIM rather than relying on hotel Wi-Fi
- N2 Never combine a child's first name, location and school on the same profile
- N3 For work devices: apply the same vigilance as on a business trip
Further reading
This article is part of the Travel axis. For the uncontrolled network, see Public Wi-Fi: reasonable paranoia. To measure your own exposure, Defensive OSINT. For connectivity while travelling, Travel eSIM.