Friday, September 12, 2008

Arkansas Man Posts County E-mail Records

Computerworld reported that an upset Arkansas man has posted sensitive information on his website, PulaskiWatch. The information was found via public records and consisted of e-mails between nine government officials, including the county clerk. This privacy issue may seem a little familiar as the Virginia Watchdog (which, coincidentally, does not seem to be working) also posted sensitive information on government officials in Virginia.

Bill Phillips, the creator of PulaskiWatch, did this to prove a point to the county officials who had posted circuit court records containing Social Security numbers, bank account numbers, and images of voided checks. Phillips' retaliation consisted of searching thousands of e-mails, mostly with office-related communications, on the Internet and posting his findings. Some of the e-mails that Computerworld had access to discussed sensitive topics, such as appropriate salaries for two recently demoted employees and a woman who had quit because of safety concerns (there was a stranger roaming the parking lot). Phillips also posted every county clerk employee's name, date of hire, and salary. He focuses his retaliation on the county officials and does not seem to be posting the sensitive information. Having them on the Pulaski County site once is already bad enough. And by the way, students working on the elections will be making $7.50 an hour. Yes, I did find that in one of the e-mails.

While this may seem like an invasion of privacy that limits a person's privacy rights, the important thing to notice is that both PulaskiWatch and Virginia Watchdog had found their information publicly. They did not have to buy records from a secretary or bribe a judge like in The Sopranos. All they had to do was search their local county government website and perhaps even Google someone's name. Phillips has agreed to remove all the sensitive, yet legal and public, documents from his website on the condition that County Clerk Pat O'Brien removes the documents with sensitive information. It seems like a fair trade-off to me. Your private e-mails will be removed once the residents all have their personal information removed, and hopefully identity theft won't be on the rise in Pulaski County.

The county has already faced this issue once, when it was forced to remove personal information from real estate records. O'Brien stated he won't remove the court records, and even if he wanted to, only the Arkansas Supreme Court can give instructions on blocking out Social Security numbers. O'Brien said he would remove the records, but the software used for real estate records can't be used on court records. Too bad, so sad, Pulaski County.

Wednesday, September 10, 2008

Google Introduces New Protocol for Storing Data

Reuters and Yahoo! News report that Google has agreed to cut the amount of time it stores users' web surfing habits from 18 months to only nine months. This is quite a significant drop, especially when taking into account that in March 2007 Google had no policy and kept the information for an indefinite period of time. Google's new policies "are part of a broader trend that is increasing across the industry for companies to compete in good privacy practices," according to Google's global privacy counsel Peter Fleischer.

Along with the new nine-month data retention policy, Google plans to anonymize the data much more quickly. Could this be in response to the Viacom/YouTube issue? This is a great precautionary measure to protect our Internet privacy from companies like Viacom that want to sue Google so they can obtain users' records. After nine months the data and the IP address are disassociated and the data can no longer be tracked back to a specific user.

The move to an 18-month data retention policy came about due to the European Union putting pressure on Google to increase its privacy measures. The new nine-month policy was adopted to further refine Google's privacy protection and keep users much safer while surfing the Internet. The new nine-month policy makes Google the alpha male, as far as privacy is concerned. Microsoft still keeps data for 18 months and Yahoo! currently retains data for 13 months.

While this is good news for anyone who surfs the Internet, it is important to remember that your data is being tracked and recorded. Data retention policies are extremely helpful, but ultimately privacy must begin with you. Using an anonymous proxy server will help you be invisible and maintain anonymity while surfing and stay one step ahead of even the most favorable data retention policies.

Monday, September 8, 2008

NebuAd Halts Invasion of Users' Privacy...

Reports from Internetnews.com state that NebuAd, creators of the very controversial behavioral targeting technology, recently announced they will stop their ad-targeting campaign. This comes shortly after many of their clients (such as CableOne) dropped NebuAd over privacy concerns and a Congressional hearing. In a statement, NebuAd said, "plans for widespread deployment via the Internet service provider channel are delayed to allow time for Congress to spend additional time addressing the privacy issues and policies associated with online behavioral advertising." Along with the project being halted and ISPs canceling their contracts, CEO and co-founder Bob Dykes resigned.

NebuAd's behavioral targeting campaign was supposed to keep information anonymous and only collect and store pertinent information so that online advertisements could reflect an individual's tastes and offer products that they are more likely to want to purchase. The above-mentioned ISP was one of the many multiple-service operators that had contracts with NebuAd for their state-of-the-art services. ISPs have been tracking and recording their users' information and selling it to the highest bidder, which in many cases was NebuAd. While this concept seemed like a good idea, privacy advocates and security experts called it "browser hijacking," and made it clear that an ISP could be breaking federal wiretapping laws by using NebuAd.

NebuAd required the ISPs they contracted with to inform their users of the ad-tracking campaign. ISPs did inform their users, but in many cases did not allow them to opt out of having their Internet privacy jeopardized. Also, many of the ISPs did not specifically tell their users what was happening, but just made small modifications to their privacy policies. Embarq, for example, stated in their privacy policy: "The Web sites that you visit or online searches that you conduct" may be used to "deliver or facilitate the delivery of targeted advertisements." On a side note, only 15 Embarq users opted out. Who should be blamed then? Is NebuAd at fault for developing the eavesdropping software, or is it the fault of the ISPs who don't tell their users they are being spied on and then sell the information? The next step is for Congress to introduce legislation requiring explicit consent from users, so that they know and willingly allow their information to be collected.

Thursday, September 4, 2008

Internet Explorer's Privacy Mode, Not So Private...

Microsoft has recently introduced the world to InPrivateBrowsing, or privacy mode, which is the latest and greatest feature of IE8. According to numerous reports, including PCAdvisor, private mode is not very private at all. The information can easily be recovered and the privacy features are mostly cosmetic, giving you the false sense of security that you are protecting and securing your browsing habits. The main goal of InPrivateBrowsing is to prevent other users [of the same PC] from being able to access web surfing information.

InPrivateBrowsing was created by Microsoft to protect a user's Internet privacy by deleting browser history and other data that is stored by IE during a web surfing session. The feature, dubbed "Porn Mode," hides browser history from nosy people trying to spy on your web history. Forensic experts were able to easily retrieve all the information that IE was expected to keep protected. The main feature of InPrivateBrowsing is that it does not allow cookies to be stored. Cookies are bits of text and data that are stored on your computer so that websites can easily access your information. Without cookies, login details and other sensitive information remain secure. Along with the disabling of cookies, the browser doesn't allow history to be stored in the Windows registry, which is another way information can be found on your PC.

The major flaw of InPrivateBrowsing lies with cache files. These files are stored on your computer so that the websites you visit will load faster, and InPrivateBrowsing does not delete, or even disable, them. A user can manually delete these files, but they are still easily accessible with forensic tools. Users can always delete their cookies, cache, and temporary Internet files, but why would someone want to do that? For example, if I am searching the Internet for an engagement ring I could use privacy mode to make sure no traces of the searches are left online. That would be much more convenient than manually deleting everything. Not only would it be convenient, but it would look a lot less suspicious than having to delete all traces of my surfing. Both privacy mode and manual deletion solve the same problems, but the latter definitely looks fishy.