Monthly Archives: January 2012

You Can’t Assume That Big Companies Are Protecting Your Privacy

O2, a wireless telecommunications company in the United Kingdom, caused privacy problems for its customers this week when it “mistakenly” started sending out the phone number from mobile handsets to every website the user visited over 3G. According to O2, some routine maintenance had the unintended effect of exposing the phone numbers.

It is standard industry practice for telecommunications companies to share a user’s cell phone number with “selected trusted partners.” Mobile network operators say this is so that these “selected trusted partners” can bill users for premium content such as downloads or ring tones and to identify customers using the network’s special services. What happened in O2’s case is that the routine maintenance changed the white list of trusted third parties to include almost every site on the Internet.

There are two important lessons here. The first is that every time you use an Internet-enabled device, be it a computer, tablet, cell phone or Internet-enabled TV, you leave behind a digital fingerprint. Some devices intentionally send data about you to the service provider. In the case of cell phones, the mobile operators deliberately send out your phone number so that you can be identified and billed. The second lesson is that when a company makes a mistake there is the potential for all of your data to be exposed.

It is the second point that merits further consideration. I will assume that O2 made a genuine mistake. And maybe in this case the harm done was minimal. According to its blog, the only information websites had access to was the phone’s number, and that could not have been linked to any other identifying information. However, recent months have shown that service providers and web sites can fail spectacularly to protect users’ privacy. Back in December, Facebook performed routine maintenance on its site and upgraded its software. As a result, a flaw opened up which allowed people to start downloading private pictures from other people’s accounts. Because of this, Facebook’s founder Mark Zuckerberg had pictures from his private collection downloaded and posted publicly. Luckily for Mark, all the pictures were nice and friendly. Although Facebook quickly fixed the mistake, don’t be fooled for one moment into thinking that this is the last time private information will be exposed online – on Facebook, or anywhere else.

At the end of last year hackers broke into the website of Strategic Forecasting, a publisher of global intelligence analysis. As a result of the security breach personally identifiable information and related credit card data was taken and posted onto the Internet. Then to add injury to insult, the hackers started to use the credit card information to make donations to charities! As a result of this Stratfor offered all of its affected customers one year of free identity protection coverage with identity protection company CSID.

The real question is this: who will pay if your identity gets stolen or your credit cards get used by online criminals? The management of Stratfor acted professionally and indemnified their customers. But there are millions of websites in the world, and a large portion of those hold private information about their users. If one of them gets hacked or performs routine maintenance that exposes your data, who will protect you?

The answer, of course, is no one! You need to take action to ensure that your private information does not become public. First, think before sharing any private information – from personal details like your address, phone number and SSN details to photos, video clips, financial information and documents. Second, be discriminating about how and with whom (meaning websites as well as people) you share personal information. Third, use a privacy tool like Firewall Fortify (which secures your Internet connection by monitoring your sensitive information) to protect your online privacy.

Internet Blackout Day Starts in Protest Against PIPA and SOPA

Today, Wednesday January 18 2012, is Internet Blackout Day, a movement which has caught the attention of the world’s media. It aims to raise awareness of the legislation known as the PROTECT IP Act (PIPA) and the Stop Online Piracy Act (SOPA), and of how this legislation is a threat to online privacy, threatens freedom of speech, and hampers Internet innovation.

Scores of websites, from personal blogs to big sites like Wikipedia, Mozilla, Reddit, Tucows, and BoingBoing, have joined the campaign to protest against SOPA and PIPA by blacking out their websites for 24 hours. Today’s visitors to the English Wikipedia site will be presented with messages intended to raise awareness about the proposed legislation and to encourage them to share their views with their elected representatives and via social media.

So what is the problem? In a nutshell it is Hollywood versus people downloading films and music for free. These big media companies and their allies in Congress are billing the legislation as a new way to battle online copyright infringement. But it will do little to stop infringement online. What it will do is compromise online privacy and inhibit online expression.

Under the proposed legislation, government and private parties would be granted unprecedented power to interfere with the Internet’s underlying infrastructure. The government would be able to force ISPs and search engines to block users’ attempts to reach certain websites. But the USA doesn’t own the Internet; it is global. As Tucows wrote on their site, “a ‘Made in the USA’ solution will no more work to stop the problems talked of than would one made in any other single nation state. Worse, the US has been at the forefront of ensuring that the Internet has remained free and a platform for innovation for the last fifteen years.” Even the White House has stated that it “will not support legislation that reduces freedom of expression, increases cybersecurity risk, or undermines the dynamic, innovative global Internet.”

First Amendment expert Marvin Ammori points out, “The language is pretty vague, but it appears all these companies must monitor their sites for anti-circumvention so they are not subject to court actions ‘enjoining’ them from continuing to provide ‘such product or service.’” And according to the Electronic Frontier Foundation (EFF), venture capitalists have said en masse they won’t invest in online startups if PIPA and SOPA pass.

Under PIPA, the government will have the power to make US Internet providers block access to infringing domain names, as well as the ability to sue US-based search engines, directories, or even blogs and forums, to have links to these sites removed. To the wrong judge (one who probably hasn’t even used the Internet), innovative sites like Tumblr, SoundCloud, even YouTube in its early days, could be seen as piracy havens because mixed in with the self-expression, art and calls for freedom of speech will be TV footage, movie clips and music.

The recent social uprisings in Tunisia, Egypt, and Libya all used the Internet and social media to allow citizens to speak out against injustice. If the US passes laws like SOPA and PIPA, then it loses any right to criticize freedom of speech in other countries, and it provides a model for unscrupulous governments to adopt similar laws and hinder free expression.

Please take action by contacting Congress through the Electronic Frontier Foundation’s action center. It only takes a moment and it can make a big difference.

Other sites of interest are: http://americancensorship.org/ and http://fightforthefuture.org/pipa/.

New AOL Instant Messenger Raises Privacy Concerns

AOL recently released a new Beta version of its popular Instant Messenger program known as AIM (AOL Instant Messenger), but its new features are raising some privacy concerns. First of all, AIM now logs all of your conversations on AOL’s servers and keeps them there for up to two months (and maybe forever if AOL have some kind of archiving system, which wouldn’t be unusual). The rationale behind this is that AOL users can now see a history of their chats from any device running the software, a great convenience apparently! But what it means is that all your chats are now recorded and stored and could be made available to any law enforcement agency with the right paperwork. And bizarrely, AOL might not have to tell you if the Feds have been taking a peek at your conversations. Anyone remember the Bill of Rights?

Although AIM does have an “off the record” mode, this can only be applied on a per-contact basis, and users of alternative (but compatible) clients like iChat or Pidgin can’t access this “off the record” mode. Worse still, there is no “off the record” mode for the group chat feature, with all group chats being automatically logged.

Another privacy concern with the new preview version of AIM is that it now scans all private IMs for URLs and pre-fetches any URLs found in them. The word “private” in private IM is obviously lost on AOL. As is often the case, the new feature is meant to aid and help the end user. In this case AOL have added the ability to embed pictures and videos into instant messages. But to do this they scan the text of EVERY message for ALL links, then download the content of each link to see if it is a picture or a video. Rather than adding support for the popular services like YouTube (which all have easily recognizable links), AOL are trying to be too smart, and the resulting solution is way too broad and potentially dangerous. Rather than letting the individual users download the content of links sent to them, AOL will now do it for you and store the results on their servers. Lesson to be learned… Be careful what links you send in your IMs, as AOL are watching.

Worse still, if a link sent via an IM points to a private server (not publicly listed in the search engines etc) then AOL will send its little “bots” over to that private server to start downloading content. But what if the link contains authentication information like a username or password? What if the link is an unsubscribe link which AOL follows and unwittingly unsubscribes you from a service or mailing list?
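The narrower approach suggested above (pre-fetch only easily recognizable media links, and never follow links that carry credentials or trigger an action) can be sketched as a small policy check. This is an added example, not AOL's code; the host allowlist, the parameter names, the action keywords and the sample messages are all assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Assumption: illustrative allowlist of services with recognizable media links.
MEDIA_HOSTS = {"www.youtube.com", "youtube.com", "youtu.be"}
# Assumption: query parameter names that commonly carry secrets.
SENSITIVE_PARAMS = {"token", "key", "auth", "password", "passwd", "session", "sig"}
# Assumption: words that suggest a GET request has side effects.
ACTION_WORDS = ("unsubscribe", "optout", "opt-out", "confirm", "delete")

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def prefetch_decision(url):
    """Return (allowed, reason) for one URL found in a message."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    # user:password@host links would leak credentials to the pre-fetcher.
    if parts.username or parts.password:
        return False, "credentials in URL"
    params = {k.lower() for k, _ in parse_qsl(parts.query, keep_blank_values=True)}
    if params & SENSITIVE_PARAMS:
        return False, "sensitive query parameter"
    lowered = (parts.path + "?" + parts.query).lower()
    if any(word in lowered for word in ACTION_WORDS):
        return False, "link may trigger an action"
    # Default deny: anything not on the allowlist is left for the user to open.
    if host not in MEDIA_HOSTS:
        return False, "host not on media allowlist"
    return True, "recognized media link"


def scan_message(text):
    """Find URLs in a message and decide, per URL, whether to pre-fetch."""
    results = []
    for match in URL_RE.finditer(text):
        url = match.group(0).rstrip(".,;:!?)")  # drop trailing punctuation
        results.append((url, *prefetch_decision(url)))
    return results


# Constructed sample messages (not real traffic).
SAMPLES = [
    "watch this https://www.youtube.com/watch?v=abc123.",
    "files are at http://alice:s3cret@intranet.example/files",
    "click https://lists.example/unsubscribe?u=42 to leave",
    "report: https://files.example/report.pdf?token=abc",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(scan_message(sample))
```

The default-deny ordering matters: a link is fetched only after every refusal check has passed and the host is explicitly allowlisted, so private servers are never contacted.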

All of this is part of the global move towards “the cloud”, meaning data which is stored out there somewhere on the Internet and not locally on your PC or mobile device. My recommendation is that users do not upgrade to the latest version of AIM until AOL fixes these privacy-unfriendly features or introduces certain safeguards and/or encryption to stop unwelcome third parties listening in on your conversations.

January 28 is Data Privacy Day

Momentum is gathering for Data Privacy Day, which will be held on January 28, with events scheduled on the day and during the surrounding weeks. The brainchild of the National Cyber Security Alliance (NCSA), the event is sponsored by some big industry names including Intel and eBay Inc. Data Privacy Day is designed to promote awareness about the many different ways our personal information is collected, stored, used, and shared, and hopefully to educate net citizens about the best ways to protect their personal information.

The privacy landscape of today is much different to that of say 25 years ago. Today our identities, locations, purchases and online histories are stored digitally and analysed constantly. How to control online privacy is as much a question for individual users as it is for the big web sites (like Google and Facebook), businesses, Internet Service Providers (ISP), and state and federal governments.

The DPD website has a number of education resources for Teens and Young Adults as well as Parents and Kids. Included are educational presentations and scripts for use in junior high and high school classrooms and a collection of online resources and videos designed especially for parents and younger children.

It is important that we constantly educate ourselves, our families and our friends about online privacy. Use the DPD day as an opportunity to remind people that almost every activity on the Internet leaves a digital footprint. Use the resources on the DPD site and tell people about this Privacy Blog. Education and prevention are the key, rather than waiting until your identity has been stolen or your house robbed because of online privacy mistakes.

“This year, we encourage all digital citizens to take an active role in learning safe practices and behaviors. We encourage people to follow the basic advice from the STOP. THINK. CONNECT. campaign and protect their personal information. It is our collective and shared responsibility to help make the Internet a safer environment in which people have the ability to protect the privacy of their personal information, and it starts with three simple steps: STOP. THINK. CONNECT.” said Michael Kaiser, executive director of the National Cyber Security Alliance.

How can I protect my information from being misused?
According to a survey by the NCSA, 54 percent of Americans are extremely concerned about loss of personal or financial information. So what can you do? Here are five tips for better online privacy. Share them with your friends and family. Keep safe and stay protected.

  • Create strong passwords (including letters and symbols) and don’t use the same password over and over again.
  • Keep your OS (Windows, OS X) up to date. Also keep your antivirus software updated.
  • Beware of unsolicited messages (via email or within social networking sites like Facebook) with links to unknown websites.
  • Scan your computer regularly for malware and rootkits.
  • Use privacy tools like Hide My IP, Cookie Crumble and Firewall Fortify to protect your online privacy. You should also strongly consider using a virtual private network (VPN) like FoxyVPN.