Sunday, August 31, 2008

More Social Security Numbers on the Web...

Betty Ostergren, a privacy advocate who posts Social Security numbers she found on the Internet, has been given the thumbs up by a federal judge in Virginia. Computerworld reports that the state government cannot stop her from posting the Social Security numbers on her website. At first glance, this privacy issue should enrage a lot of people. Knowing she has your personal information and is posting it all over the Internet would upset a lot of people; but how did she find this information in the first place? She got the information from the Internet and public records. The privacy advocate did this as a lesson, and to start a campaign to show people just how easy it is to find sensitive information about them.

She won the case and it was ruled that she should not have to remove the Social Security numbers from her site since she legally obtained them from public records. While the memorandum does not set a precedent, it is the first step in truly realizing how much we take our Internet privacy for granted. Ostergren's website, The Virginia Watchdog, presents privacy issues that arise from the government posting personal information on websites. Over the past few years she has repeatedly shown that Social Security numbers have been posted and little has been done to protect personal information.

I can agree with what she is doing. She did not seek out the information from private sources or use illegal methods; she used the Internet and the public sector. Everything she found was obtained from government documents that did not conceal the ultra-sensitive information. With the already astonishing number of identity thefts every year, I don't see how the government posting such private information can help. How about a permanent marker and two seconds to hide the information? Problem solved... Ms. Ostergren also posts the information of high-profile officials, such as former Gov. Jeb Bush, former U.S. Secretary Colin Powell, and some local Virginia officials. I guess it really strikes a nerve and makes them care when their information is up there, and not just the information of the huddled masses.

Wednesday, August 27, 2008

A Digital Bill of Rights to Protect Internet Privacy

TechCrunch (via the WashingtonPost) has recently published an article stating what should be the Digital Bill of Rights to protect consumers. With the Internet age in full-swing, and Election '08 in the near future, what better time than now to present a plan of action for laws and regulations regarding the Internet? Many laws governing the Internet are quite outdated and can't keep up with the daily advances in technology...as food for thought: What if laws had never been changed with the inception of modern mail carriers? Imagine the same laws were still completely intact even with the transition from the Pony Express to the modern-day United States Postal Service. Could that work? Could a law regarding the Pony Express still govern the actions of USPS?

Issues such as copyright infringement, net neutrality, and digital privacy are difficult to govern, mainly because they are creations of the modern era of technology. Maybe it is time to dust off the books and create some new laws that can maintain a degree of control and consistency over rapidly expanding technology. Many laws do not protect users' Internet privacy and allow companies to spy on us and record our information so they can build a profile of our web surfing habits. The Digital Bill of Rights would be a step in the right direction to create updated laws that can protect consumers from ISPs, marketing companies, device manufacturers, and even the government itself.

Presented in the article is the author's own Digital Bill of Rights, which he asks users to help further refine. Maybe our candidates can use this as a starting point and get the ball rolling in the right direction.

Saturday, August 23, 2008

European Privacy? More Like European Invasion of Privacy...

OhMyNews recently reported that the U.K., along with other European powers, is developing a system to spy on cell phone records, including text and calls, as well as Internet searches.

The British government wants to invade privacy by storing records in a database so that hundreds of public organizations can access this information as needed. The cell phone, text message, and Internet records will be used to investigate criminal and terrorist acts. The records will be kept at the data center for at least 12 months. Dates, times, and contacts (from cell phones) will be stored, while searches and instant message conversations will be tracked and recorded as well. The only bright side is that, supposedly, the content will not be stored, just the identifying information.

The cost for transferring the massive amount of data--a mere 50 million pounds per year. It must be worth it to the surveillance-obsessed nation that already monitors citizens through CCTV. 1984 anyone? One spy camera for every fourteen people wasn't bad enough; now forget about protecting personal information or any type of Internet privacy.

I can't see any benefit in this. The U.K. is making it seem like every citizen is guilty and will be treated accordingly. What will the exact laws be concerning the use, or better yet misuse, of information? How secure will this database be? We could end up having another situation, much like what happened in Sarasota, but on a much larger scale--imagine millions of people having their information posted on the Internet.

Protecting Personal and Financial Privacy - Blog Review

As an avid reader with more than a casual interest in privacy, I tend to find interesting sites on the topic of privacy. Today I found Protecting Personal and Financial Privacy, a blog by Mike Valentine. Not only does he write well, I found the articles thoughtful.

His latest post discusses AOL and behavioral targeting. He points out that people are careless with their personal information. This is a point we've been making on this blog since we started it. Privacy starts with personal responsibility. If you give up your personal information too easily, you forfeit your right to privacy.

Friday, August 22, 2008

Another ISP Admits to Invasion of Users' Privacy...

Well, it is more than an Internet Service Provider, but Cable One, the 10th largest cable operator, has recently admitted to conducting a six-month study on their Internet users' surfing habits. Cable One joins Charter Communications (as reported in a previous post) and a slew of other MSOs (multiple service operators) who spy on their customers for behavioral targeting purposes, and ultimately sell that information for big bucks to advertising companies.

Cable One revealed the information on August 8 to the House Energy and Commerce Committee, which had previously expressed their concerns on cable operators using advanced technology to invade privacy. So if I decipher this correctly: Cable One tried to defend themselves against these allegations by providing information and stating they invaded their customers' privacy. Cable One stated that spying on 14,000 of their 700,000 customers was a better way to provide "more relevant advertising" to their customers.

Bresnan Communications and Knology also came out of the woodwork to say they spied on customers throughout a similar time frame. WideOpenWest admitted to doing this, in cooperation with NebuAd's service. WideOpenWest stopped the program after five months because of the privacy concerns. All efforts to surf anonymously have become null and void for many Internet users, and for no apparent reason other than having better online advertisements. Shouldn't these companies help protect personal information, not jeopardize it?

Cable One argues that they were not breaking any laws by conducting this research, and had made the information available to their users via the acceptable use policy they read when signing up for services. The information was also found in Cable One's yearly privacy notice, which is sent to all customers. They provided users with appropriate notice, BUT did not allow them to opt out of the research, "because doing so would stifle our ability to test new technologies that have the potential to offer significant benefits to our customers." Wow...

In essence the companies are arguing that because they put it in writing it is alright to spy on users and completely ignore any type of Internet privacy laws. It seems a bit ridiculous that my privacy rights are in jeopardy and I have no way of opting out. I can't even choose to say "No." In other words, even if I know it is happening I have no say in the outcome. The companies are not just able to record information for advertising purposes, but can use this technology to track and record ALL information being transmitted and received through their network. Hopefully when the Committee drafts a new law they remember to add the clause that we, as paying customers who want to feel safe, should have to opt-IN to this research--not be forced into whatever absurd money-making scheme the companies are up to.

Thursday, August 21, 2008

Sarasota Students' Personal Information Posted on the Internet

Recently reported by the New York Times and the Herald Tribune (Sarasota's local newspaper), a little bit more than 88% of the 38,500 students in the Sarasota school district had personal information posted on the Internet for nearly two months.

The school district has a contract (for now) with Princeton Review to maintain a database of Sarasota County Planning Tools, to help teachers develop tests and keep track of students' grades. The information from this database, which contained students' names and school ID numbers (which in some cases were Social Security numbers), was accidentally posted on the Internet for two months before it was finally removed this past Monday. Along with names and ID numbers, the information also included students' birth dates, sex, ethnicity, disabilities, and standardized test scores. The files could be found by using a search engine, and Princeton Review claims the files were released when the company recently switched ISPs.

Sarasota students were not the only ones affected by this mistake; Fairfax, VA students (nearly 74,000 of them) had their information posted on the Internet as well. The company was hired to measure student performance and nearly got 74,000 students' identities stolen. Hackers could have had a field day with this information--but if we recall correctly from a previous Identity Theft post, it usually takes the Identity Theft victim three months to realize something is wrong. In the case of a young student who has no need to check their credit ratings, it could be even longer.

The article hints around as to who is to blame here. Of course Princeton Review is at fault because the security of their system and website has been compromised and over 100,000 students had their personal information sitting on the Internet for two months. Not to mention that with the world wide web, nothing that has been posted can truly be deleted--some cached record may be sitting on a server with the information.

Is the school board to blame as well? Would they need to compile this massive database of personal information if standardized tests weren't stressed as the focal point of a student's education? While I am not trying to start a debate as to the validity of standardized tests, it is just an interesting subject to touch on. What happened to the days where teachers logged the information in their grade books? Is it necessary to have a massive database with every bit of information about a student? These are all questions that the school board will be answering when deciding whether or not to keep Princeton Review's contract.

In this case I would say protecting personal information trumps the ease of sticking everything on some site to analyze the students' performance. It is great for parents, students and teachers to have access to this information so they can all keep track of performance and make sure nothing is wrong. Is the risk of having this happen again worth it? Do students even get interim reports and report cards anymore? I remember that being a pretty good gauge as to what I needed work on.
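A pre-publication check for the kind of export described in this post, as an added example that is not from the original post or from any party it names: it flags student IDs that have the structure of a Social Security number, replaces them with a keyed pseudonym, and drops the demographic columns the post lists. The column names, the sample rows and the key are constructed for illustration.

```python
import csv
import hashlib
import hmac
import io
import re

# Nine digits, optionally written as AAA-GG-SSSS.
SSN_SHAPE = re.compile(r"(\d{3})-?(\d{2})-?(\d{4})")

# Hypothetical column names for the fields the post says were exposed.
ID_COLUMN = "student_id"
SENSITIVE_COLUMNS = {"birth_date", "sex", "ethnicity", "disabilities"}


def looks_like_ssn(value):
    """True when value has the structure of an issuable SSN."""
    match = SSN_SHAPE.fullmatch(value.strip())
    if not match:
        return False
    area, group, serial = match.groups()
    # Area numbers 000, 666 and 900-999 are never issued.
    if area in ("000", "666") or area.startswith("9"):
        return False
    # Group 00 and serial 0000 are never issued either.
    return group != "00" and serial != "0000"


def pseudonym(ssn, key):
    """Stable keyed replacement; not reversible without the key."""
    digits = re.sub(r"\D", "", ssn)  # same person, same token, any format
    mac = hmac.new(key, digits.encode("ascii"), hashlib.sha256)
    return "S-" + mac.hexdigest()[:16]


def sanitize_export(csv_text, key):
    """Return (sanitized CSV text, number of SSN-shaped IDs replaced)."""
    reader = csv.DictReader(io.StringIO(csv_text))
    if ID_COLUMN not in (reader.fieldnames or []):
        raise ValueError("export has no %s column" % ID_COLUMN)
    kept = [c for c in reader.fieldnames if c not in SENSITIVE_COLUMNS]
    out = io.StringIO()
    writer = csv.DictWriter(out, fieldnames=kept, lineterminator="\n")
    writer.writeheader()
    replaced = 0
    for row in reader:
        if looks_like_ssn(row[ID_COLUMN]):
            row[ID_COLUMN] = pseudonym(row[ID_COLUMN], key)
            replaced += 1
        writer.writerow({c: row[c] for c in kept})
    return out.getvalue(), replaced


# Constructed sample rows; none of these values belong to a real person.
SAMPLE_EXPORT = """\
name,student_id,birth_date,sex,ethnicity,disabilities,test_score
Student One,123-45-6789,1995-03-14,F,X,none,412
Student Two,123456789,1996-07-02,M,Y,none,388
Student Three,A1048812,1995-11-30,F,Z,none,430
Student Four,900123456,1996-01-19,M,X,none,401
"""

# Constructed key; a real one would live in a secret store, not in code.
DEMO_KEY = b"constructed-demo-key"

if __name__ == "__main__":
    sanitized, count = sanitize_export(SAMPLE_EXPORT, DEMO_KEY)
    print(sanitized)
    print("SSN-shaped IDs replaced:", count)
```

District-issued IDs that are not SSN-shaped pass through unchanged, so records can still be joined on them.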

Friday, August 15, 2008

Breaking Down the Great Firewall (part 2)...

As an update to my recent post about China's Great Firewall it seemed appropriate to discuss the methods for bypassing the Golden Shield Project. With the Olympics in full swing, and nearly halfway over, it is only a matter of time before China's government re-bans the websites and Beijing is again part of China's Internet censorship program. Chinese officials lifted their ban on certain websites after journalists were upset that many of the sites they needed to access were unavailable because of the GSP. Once the final medal is awarded it most likely won't be much longer before China is back to banning as much content as possible, so it is important to know ways to bypass the Great Firewall and maintain Internet privacy.

The following methods may seem familiar, as they are used for anonymous surfing, but they do in fact work rather well for circumventing the GSP and gaining access to banned sites.
  • Anonymous Proxy servers: Anonymous proxy servers based outside of China can be used to access blocked content. The sites are blocked only to Chinese citizens and therefore if you surf using a U.S.-based proxy server then you can gain access to restricted sites. The website will read the IP address and give you permission to view the site. At the same time, the server will hide your IP so that anyone snooping the connection will see a person from Tulsa, OK surfing the Internet. As an added bonus a good proxy server will also encrypt the data being transmitted so that anyone spying can not view the information.
  • Foreign companies can apply for a local website hosted in China. While this method does not apply to an individual user attempting to access a banned site, it is a method to bypass the Great Firewall since the company's content does not have to go through the Great Firewall (but the company does have to apply for a local ICP license)
  • Using secure tunnels such as a Virtual Private Network (VPN). GSP can't filter secure traffic that is being communicated and therefore secure tunnels provide a way for users to access content and create sites that would otherwise be banned.
  • Onion routing networks, such as Tor, can be used since it requires a network of computers to encrypt and mask your information. This method is, in essence, very similar to an anonymous proxy server. The major drawback of Tor is that you do not know who set up the anonymous connection you are passing through. As noted in an earlier post, you really have no idea who set up the connection and therefore anyone can invade your privacy through this trusted network. If a group of grad students and professors can do it, why wouldn't the Chinese government?
  • FreeGate: a software utility created for Iranian and Chinese citizens to bypass any Internet censorship attempts by the government. The software finds open proxies, which are not blocked and can be accessed by any user, and penetrates firewalls. This useful tool is a bit controversial as it has been reported to be a Trojan virus.
  • Reporters without Borders offers a "Handbook for Bloggers and Cyber-Dissidents" (PDF) which gives detailed information and tools for blogging and surfing anonymously. The handbook gives detailed instructions, including screenshots, for setting up a blog and remaining anonymous.

Friday, August 8, 2008

Anonymous Surfing Software vs Web-based Anonymous Proxy...which is better for your Internet privacy?

As an Internet user you face many dangers online ranging from cyber criminals trying to steal your identity to marketing companies and ISPs tracking and logging your IP address. As a lot of web surfers know, one of the best ways for protecting personal information and maintaining Internet privacy is to use a proxy server. While many useful proxy servers can be found on the Internet simply by searching "proxy" on Google, the age old question that many Internet users have difficulty answering is: What is better to use, anonymous surfing software or free web-based anonymous proxies?

Web-based:
These are quite easy to use and require nothing on your part besides an active Internet connection. These web anonymizers require you only to enter the URL of the site you wish to visit and give it a click. Your IP address is hidden and replaced with the IP address of the site's server. This is a great example of proxy avoidance and will get you onto a blocked website, but only offers minimal, if any, data protection and encryption services. The main purpose of the web-based anonymous proxy is to get on a website such as MySpace, that would normally be blocked by an IT Department. Another downside is that this type of proxy can't gain access to sites that use Secure Socket Layer or Secure Shell encryption, such as banking sites.

Software-based:
A software-based proxy will run with your current browser and allow you to surf freely without having to go back to a homepage to enter a new URL. After installation it should only require 1-click to run the program and surf anonymously. A good software proxy will cost you a few dollars a month (nothing to break the bank over), which is a downside compared to the free web proxies. There is usually a fee associated because you are getting what you pay for...software proxies offer anonymous surfing, but also encrypt the data being transmitted. This means that in addition to your IP address being masked, your data and the transmission between networks is also secure (which is not the case with a web proxy).

Ultimately, both methods of protecting your IP address and Internet privacy have their pros and cons. At the end of the day if you only need a quick fix to get onto a blocked website that requires no personal information (such as a log-in, e-mail, or password) then a web proxy will work for you. Using a software proxy whenever you surf, even if only for a few minutes, would be highly recommended. It is still easy to use and offers much more protection and freedom to surf without the worry of just how protected you are. The advanced protection alone makes software proxies your best bet.

Breaking down the Great Firewall...

No, this isn't a clever campaign to start a world movement to get rid of the Great Firewall and liberate China's netizens. With the arrival of the 2008 Olympic games in Beijing, it seems that this would be an appropriate time to focus on The Great Firewall of China, or the Golden Shield Project (as it is officially known). The Golden Shield is a censorship and surveillance program run by China's Ministry of Public Service. While the Chinese government has been using the Great Firewall to censor and block websites in China since 2003, many of us do not have a full understanding of the Golden Shield Project and its intricacies. This article is not meant to start a revolution against the Chinese government to bring down the Great Firewall, but a means to gain a better understanding of something that many Americans and Europeans have little knowledge about--Internet censorship using GSP.

While most Americans and Europeans do have the right to choose what sites they visit and surf the Internet freely (again the keyword is "most"), other countries' citizens are stifled by government censorship of the Internet. In China any site that expresses opposing views or states a negative opinion of the government is banned. Not only will the site be banned, but the authors may face criminal charges and a lengthy prison sentence. While many sites have recently been unblocked by the Chinese government because of the Beijing Olympics, many other sites, including those of pro-democracy advocates, Taiwanese government and media, and blog sites, are still banned. The idea of having privacy rights or any type of Internet privacy is a concept that many Chinese citizens have little understanding of.

The concept of the Great Firewall started in 1998 and began operating in 2003. The need for the GSP stemmed from Communist regimes fearing that the Chinese Democracy Party would develop an extensive and powerful network that couldn't be controlled. The GSP acts as a firewall (hence the nickname) and blocks content based on IP addresses and a massive database of banned websites. The IPs are banned and prevented from gaining access to blocked content basically by using a proxy server the opposite way we would use it (think: reverse proxy). GSP combines IP filtering with DNS poisoning to maintain control over the Internet in China.

Along with IP blocking, URL-, DNS-, and Packet-filtering, the GSP has a unique characteristic: it doesn't just ban sites based on these methods, but also bans websites based on the content. This blog would be banned instantly because it shows methods for gaining access to "forbidden sites," but also any content that is considered subversive by the government would be subject to banishment (this means any pro-democracy, pro-Tibet, and pro-anything else the Chinese government is against).

The final point that has been brought about because of the Great Firewall is self-censorship. While sites that should be banned do slip through the cracks, many Chinese citizens end up practicing self-censorship and not visiting these sites anyway. It makes perfect sense: Just because the site hasn't been banned yet, is it still okay to look at? Why take that chance and end up in prison like many Chinese bloggers do? The thought that you are being watched by the Golden Shield Project even if the site is allowed on the network is a mighty force...people tend to act differently when their bosses, or the authorities, are paying attention.

Wednesday, August 6, 2008

China partially lifts its Internet censorship and restrictions

CNSNews.com has reported that China is loosening their restrictions on Internet censorship, something that privacy advocates have been pressuring China to do for years. With the Olympics coming to town, the Chinese government has lifted many of the tight controls which previously restricted its citizens from freely surfing the Internet. The important part of the story is that these restrictions have not just been lifted at the Olympic games compound, but in other parts of Beijing as well. This ultimately means that Chinese netizens can now use Wikipedia, BBC China, and non-government sites such as Amnesty International and Reporters without Borders. These sites, along with many others, have been banned by the Chinese government via The Great Firewall.

For the first time in years, or ever in some cases, Chinese citizens have the chance to surf the Internet freely and see China from a different point of view. The Chinese government banned many websites that do not coincide with their point of view and Chinese citizens did not have the opportunity to see things from an outside perspective. Chinese netizens had to resort to anonymous proxy servers and other methods to maintain their Internet privacy. People can now openly view and dialog some of the major issues facing China such as: air pollution, Tibet, media censorship, and human rights.

The lifting of the ban came about due to an overwhelming demand from foreign journalists who were angered because they could not visit certain sites they needed. While the ban being lifted is a big deal in China, many sites are still censored and unable to be accessed. Reporters without Borders has stated that their English-language site is no longer banned but the Chinese-language site is. Many Tibetan advocacy sites and the Chinese Human Rights Defenders site still face the restrictions placed by The Great Firewall.

Although the system isn't perfect, China did agree to loosen the restrictions for the Olympics. This is a step in the right direction, as far as human rights are concerned. While Chinese government and media will always defend their Internet censorship policies, the rest of the world still sees it as a way to oppress their people even more. The major question posed to Chinese citizens is: Does an average person really worry about the censorship? Do they want to know about the U.S. or U.K.'s view on China's government policies? Or is it a case of ignorance is bliss and as long as they have a job, shelter, and food for their family?

Saturday, August 2, 2008

Identity Theft Resources and Tools for Victims

While we write blogs and update our site with useful tools and information to protect your Internet privacy, 84 million people a year fall victim to identity theft. With fraud totals reaching $49.3 billion in 2007, it is very important to take the first step and proactively find ways to keep your information private. We provide blogs, articles, and products that protect you, but the 84 million people a year who have fallen victim to identity theft have little help or support.

Many victims find out within three months of the theft...that means the person who stole the identity has had a three-month head start on spending your money and opening up false accounts. This fact, along with the fact that the average identity theft victim can spend 330 hours repairing their credit, shows that ID theft is a dangerous crime. 330 hours = roughly 13 full days. That means a person can spend 13 24-hour days (or 41 8-hour work days) trying to fix the damage from ID theft. The FTC has created a section of their website that contains tools and information for the victims of identity theft so they can begin the rebuilding process as quickly as possible.

If you are the victim of identity theft you should do these four steps immediately:
  1. Review your credit reports and place a fraud alert (or extended fraud alert) with the credit bureaus.
  2. Close the accounts that have been tampered with or opened fraudulently.
  3. File a complaint with the FTC.
  4. File a police report.
This is the shortened version of the list, but these are the steps you should follow to ensure the situation is dealt with asap. The following tools for victims of identity theft will be useful in conjunction with the four steps:

  • You must always keep a log of your actions and findings when gathering information from an identity theft. The FTC has provided a "course of action chart" to help you keep detailed information for your reference.
  • FTC ID Theft Complaint form. This form found on the FTC's Consumer Protection page can be combined with the police report to create an Identity Theft Report, helping victims get the ball rolling sooner and recover quicker. The report is used to block fraudulent information from appearing on your credit report, and prevent companies from collecting debts due to an identity theft.
  • ID Theft Affidavit (pdf). This form is less detailed and does not offer as much protection as the Identity Theft Report, but is still a very useful tool to have. The eight page document must be filled out in order to absolve you of any debt incurred due to identity theft, or to gain access to the information a company has on the identity thief they dealt with.
  • Victim's Statement of Rights. This statement details your rights under federal law (and also has a link to state resources).
  • You will have to write many letters to credit card companies, banks, and other companies that have been used during your identity theft. The FTC provides a list of sample letters for various purposes that are useful and time saving tools (note: Word documents):
These tools will help the identity theft victim reduce the number of hours and the amount of effort needed to resolve an identity theft. Of course always remember the best offense against an identity theft is a great defense!