The Thing You Gave Away for Free
You’re reading The Next Evolution by Neil Catton. Based on his book The Shadow System, explore how criminality has evolved into today’s cyber world. If someone forwarded this to you, you can subscribe free at neilcatton.substack.com.
Alex posted the photo on a Sunday afternoon.
It was a birthday — someone in the family turning seven. There were balloons, a cake with candles, and a golden retriever doing its best to get into the frame. The caption named the child, named the dog, mentioned the village they were in, and tagged the school. Twenty-three people liked it. Four left comments with the family surname. It sat in a public feed, visible to anyone.
Nothing about that moment felt dangerous. It felt like a Sunday.
Somewhere else, someone was working.
Not a hacker in the cinematic sense, no dark room, no green code on a black screen. A professional. Someone who spends their working day doing what any careful researcher does: gathering information, cross-referencing it, building a picture. Professionals call this OSINT — open source intelligence. It does not require any system to be broken. It requires only that people share things, which they do, constantly, because the platforms are built to encourage exactly that.
The birthday photo was the last piece. By the time Alex saw it on a Sunday afternoon, someone else had already seen it for a different reason entirely. The child’s name. The dog’s name. The school. The village. The surname in the comments. A security question answered. A password reset initiated. A life reorganised without permission.
No code was cracked. No password was guessed by brute force. The only thing that was exploited was the entirely reasonable human impulse to share a happy moment.
We tend to think about digital risk as something that happens to other people, in other circumstances. A lapse in judgement. A mistake. Something you would have caught, if it had been you. What the professional knows, and what the platforms will not tell you, is that there is no mistake in the scenario above. Alex did nothing wrong by any ordinary measure. The photo was warm, the intention was generous, and the only error was not knowing what that information was worth to someone who wanted to use it.
That gap between what we understand we are sharing and what we are actually making available is not an accident. It is the architecture.
The platforms are designed to make sharing easy, fast, and rewarding. A like, a comment, a small pulse of connection. They are not designed to show you what your post looks like from the outside, who can see it beyond your immediate circle, or what a motivated person could build from it in an afternoon. That information exists. It is simply not shown to you, because showing it to you would slow you down, and a platform that slows you down is a platform that loses.
You didn’t lose your data. You gave it away. And no one told you what it was worth.
This is where the three questions matter.
Was the platform assistive — did it genuinely help Alex do something? Yes, in one narrow sense: it made sharing easy. But it also made exploitation easy, and it did not distinguish between the two. The same feature that put the photo in front of twenty-three friends put it in front of anyone else who cared to look.
Did it augment anything — did it genuinely add something? The connection was real. The warmth was real. But something else was added too, silently: a piece of a profile being assembled without Alex’s knowledge. The platform added to the criminal’s picture of Alex’s life just as efficiently as it added to the friend’s experience of the birthday.
Was it adaptive — did it respond to Alex’s individual context? Not at all. The platform treated that post the same way it treats every post: a unit of content to be distributed, a data point to be retained, a signal to be monetised. The fact that it happened to be a child’s birthday, or that the comments contained a surname, or that the location was specific enough to matter — none of that was visible to any system that might have said wait.
The platform was built for scale, not for the person. That is not a bug that crept into the design. It is the design.
Consent in the digital world has been decoupled from consequence.
The consent to share, to make public, to allow tagging, happens in a moment, in good faith, without meaningful information about what that consent enables. The consequence arrives later, sometimes years later, sometimes never in a visible form, sometimes all at once on a Tuesday when a bank account is empty and a series of accounts you do not recognise have been opened in your name.
We talk about digital literacy as though the answer is education. And awareness does matter, this article is itself an argument for it. But awareness places the entire weight of a structural problem on the individual who is least equipped to carry it. Alex did not design the platform. Alex did not choose the default privacy settings - the defaults were chosen by someone else, optimised for someone else’s purposes. Alex was not shown, at the moment of posting, a plain-language summary of what that post made visible and to whom.
The platform knew all of that. It simply did not pass it on.
The birthday photo is still up.
That is not a horror story. It is just how things work, and how they are designed to work, and how they will continue to work until the design changes. The professional who assembled a profile from it has moved on to the next one. The platform has logged the engagement and retained the data. Alex is going about an ordinary life, unaware that a Sunday afternoon became something else for someone else.
There is no villain in this story. There is only an architecture that extracts value from the individual while returning almost none of the risk information that individual would need to make a different choice.
That is what the system was built to do.
Now what — four questions
Do you recognise this moment? Think about the last time you posted something publicly — a photo, a check-in, a comment on someone else’s post. What did it make visible, and to whom?
Have you experienced something like this or do you know someone who has? What happened, and what did it take to understand where the exposure had come from?
If you could change one thing about how platforms show you the consequences of sharing, a plain visibility summary, a real-time view of what is public, what would you want to see?
And the harder question: is this a problem of individual awareness, or a problem of how the platforms were designed? If the answer is the latter, who has the power to change it and why haven’t they?
The architecture extracts value from the individual while returning almost none of the risk information that individual would need to make a different choice.
If this connected with something for you, share it with one person who might not have thought about this before.
This essay is informed by thinking developed in The Shadow System — and its companion volumes The Next Evolution and The Cognitive Crucible — available on Amazon.


