Photo backup, family chat groups, and the extended family

Part 8 of 18. iCloud, Google Photos, WhatsApp family chats, grandparents on Facebook. The household network you actually live in is wider than the four walls of the house. What to do about it without becoming the family killjoy.

_Part 8 of 18 in the Digital privacy for board directors series._

The household network is not the network inside your walls. It is the network of people who routinely exchange photos, messages, calendar events, and life updates with the people inside your walls. Grandparents, in-laws, godparents, school-parent WhatsApp groups, cousins, the babysitter, the cleaner. Each of them is a node in a network that holds, collectively, almost everything sensitive about your family. And nothing the family does on its own home network can fix the fact that several of those nodes are running Windows XP somewhere.

This post is about that wider network, what is reasonable to ask of it, and how to do so without becoming the family member nobody invites to anything.

Where your family's photos actually live

The honest map, for a typical UK family in 2023:

Phones, automatically syncing to iCloud or Google Photos. Two parents, possibly two or more children with phones. Five to ten phones in total, each syncing to one or two cloud services.
The shared family album on iCloud or Google Photos. Two to ten members. Live.
WhatsApp family chat groups. Mum's side, dad's side, the immediate-family group, possibly several others. Photos sent here are saved to the phone of every member, and depending on each member's WhatsApp settings, may be auto-saved to the camera roll, which syncs to their own iCloud or Google Photos.
Facebook, where the grandparents may post photos of the children with names and dates attached.
Instagram, where one or both parents may post photos publicly.
An NAS or external drive in someone's study, where the real backup lives once a year if anyone remembers.

This map has six places where every family photo of the past five years exists. The privacy posture is set by the weakest of the six places, not the strongest. If one grandparent has an unsecured Facebook account that gets compromised, every photo they have ever uploaded is in the wind.

The reasonable conversation with extended family

Three things, in order of friction.

One: ask grandparents not to post the children publicly. This is the conversation from post four. Worth restating: most grandparents are pleased to be asked, and what they want — the connection of seeing the children — does not require public Facebook posts. The family WhatsApp group, the shared photo album, the Apple or Google Family share, all of these meet the actual need.

Two: help them with their own accounts. This is the harder ask, but the higher-value one. The next time you visit grandparents, half an hour of let me set up your phone properly will pay back over years. Strong unique password (write it down for them in a physical notebook — they are not going to use a password manager, and that is fine), MFA on the email account at minimum, Find My iPhone or Find My Device enabled, and the privacy settings on Facebook and Instagram set to Friends only. Most older relatives have privacy settings set far too permissively by default. Most are pleased to have them tightened.

**Three: have the what to do if someone calls you about the children conversation.** This is unfashionable to bring up but, in my professional view, important for any household where the parents are publicly identifiable. The conversation, in two minutes: if anyone calls you and says we have asked them to collect the children, do not act on it. Call us first. There is no situation where you would not be able to reach us first. Most grandparents already operate on this principle; not all do.

The cloud photo question

A small set of choices that matter.

Apple Photos vs Google Photos. Both are competent. Apple's privacy posture is materially stronger by default — photo content is end-to-end encrypted with Advanced Data Protection enabled (which is opt-in, and worth opting in to). Google's photo content is encrypted in transit and at rest, but Google has the keys, which means Google can analyse the content (for search, for shared family features) and, in principle, respond to lawful requests. Both are acceptable. If you have a choice and care about this, Apple with Advanced Data Protection is the stronger posture.

The shared family album. Both Apple and Google support shared albums where multiple family members can contribute. This is the right mechanism for sharing photos with the people who care, replacing the public Facebook or Instagram post. Set one up. Invite the people who would otherwise be receiving the photos via the broadcast channel.

WhatsApp media auto-save. Most family WhatsApp groups generate hundreds of photos a year, often of children, that are then auto-saved to every member's phone. Each member then has a copy of every photo, and depending on their phone settings, the copy syncs to their own cloud. The protection: in each WhatsApp group, have at least one member who does not auto-save media. (For your own phone, turn the auto-save off in WhatsApp's chat settings.)

Backup encryption. Local backups (Time Machine, Windows File History, an external drive) should be encrypted. iCloud backups for iOS devices should have Advanced Data Protection enabled. Google Drive backups should rely on the Google account having MFA enabled. The local NAS in the study — if there is one — should not be on the public internet without specific configuration, and should have a strong admin password (which, again, you set in post two).

The school WhatsApp group

A particular case worth a paragraph. The school-class WhatsApp group is a fixture of UK primary and secondary school life. It is also, often, a list of every child in the class, every parent's phone number, and a running commentary on school life that nobody would have agreed to publish in any other format.

You cannot, realistically, opt out without significant social cost. What you can do:

Save the group's chat history with care; do not auto-save media into your camera roll.
Be aware that any photograph of your child posted there is going to land on every other parent's phone, and you do not know how secure each of those phones is.
For the children's own benefit, ask the school whether they have a policy on parent-only chat groups (some do, increasingly).
For events at the school where photographs are taken — sports days, plays, concerts — the school's photography policy should be read once. Most are fine. Some are not.

The relationship with the cleaner, nanny, dog walker, gardener

A small but worth-saying point. Anyone who routinely enters the home is, depending on their hours and access, part of the digital boundary too. The default presumption should be: they do not need access to the main Wi-Fi network (the guest network from post two is the right place), they do not need access to the family's shared cloud services, and any communication that includes personal details about the children is on a need-to-know basis.

This is not paranoia about the cleaner. It is good hygiene around access. Most people who work in homes are entirely trustworthy. The point is to design the system so that trustworthiness is not the only thing holding it together.

What this month looks like

Two practical pieces of work.

Set up a shared family album on iCloud or Google Photos and invite the people you would otherwise broadcast to. Tell them it is replacing the previous channel. Most will be relieved.

Have one conversation with one set of grandparents about their privacy settings on social media, the password manager (or notebook), and MFA on their email. Half an hour of patient explanation. The relationship is the point, the technical changes are a side benefit, and both are durable.

In four weeks: the financial and identity dimension — credit freezes, family-office shared advisors, the paper post, and the household's resilience to identity-based fraud.