Thursday, August 30, 2007

10 reasons to be paranoid

Every bit of your virtual existence is being monitored -- get scared accordingly

By Dan Tynan
August 27, 2007

The truth is out there ... and so is your data. And just because there are no virtual black helicopters following you doesn't mean somebody somewhere doesn't have a bead on who you are and what you are doing.

From buttinski bosses to spies and spooks, there are plenty of reasons to be, well, a little paranoid about the vulnerability of your data and the potential loss of your privacy. To help you gauge the appropriate level of hysteria, we've rated each threat on our Paranoia Meter, using a scale of 1 (Don't worry, be happy) to 5 (Be afraid, be very afraid). Though we've taken a lighthearted approach, concerns about data privacy are not all fun and games.

“You can look at 'paranoia' as just a good way of having a long horizon,” says Jim Harper, director of information policy studies at the Cato Institute. “Incentives exist for data practices to be abused very badly in the future. Being paranoid about them today is being rational about protecting yourself tomorrow.”

Here are 10 ways to practice your paranoia:

Paranoia No. 1: Your boss is watching
Paranoia No. 2: Google knows what you searched last summer
Paranoia No. 3: There's a spook in your inbox
Paranoia No. 4: Information brokers are bungling your data
Paranoia No. 5: The Feds are on your tail
Paranoia No. 6: Zombies abound
Paranoia No. 7: Hollywood wants to terminate you
Paranoia No. 8: Your ISP knows too much
Paranoia No. 9: Your Wi-Fi net is wide open
Paranoia No. 10: You are your own worst enemy

Dan Tynan is contributing editor at InfoWorld.


Get paranoid: Your boss is watching
Reason No. 1: Privacy and the workplace just don't mix

Ever get the feeling your boss -- or your boss's IT department -- is lurking through the network, spying on you? Odds are quite good your instinct is right. And the bigger the organization, the more likely it monitors employees' e-mail, IM, or Web surfing.

According to a 2005 survey by the American Management Association and The ePolicy Institute, three out of four companies monitor where their employees go on the Web, and more than half scan their e-mail. One out of four organizations report having terminated employees for e-mail abuse, and another 25 percent have canned workers for inappropriate Web surfing. Think that blog is safe for speaking your mind? Think again. Two percent of companies have fired workers over offensive blog entries, according to the 2006 version of the survey.

And then there are background checks (80 percent of businesses conduct them, according to Spherion), drug tests (50 percent), surveillance cameras, and that GPS transponder in the company car.

This doesn't mean employers are evil. They do have a lot to worry about: trade secrets leaking out via e-mail, employee misrepresentation, harassment suits stemming from inappropriate e-mail or Web surfing, folks just plain goofing off on the company dime.

“There is enormous pressure on companies to expand their workplace surveillance,” notes Frederick Lane, author of The Naked Employee: How Technology Is Compromising Workplace Privacy.

“The biggest problem is that increased surveillance inevitably collects non-work-related information about employees and offers employers more opportunity to make employment decisions -- hiring, firing, promotion, etc. -- based on criteria other than qualifications and job performance,” Lane says.

“Workplace privacy”? That's just another oxymoron.


Get paranoid: Google knows what you searched last summer
Reason No. 2: Lusting after your personal data is the lifeblood of this beast

Not long ago, Google was the cuddly search engine that could. Now it's a bona fide data monster, and your personal information is its meat.

Google's pending acquisition of DoubleClick has shed new light on just how much data the G-men control, from search histories to e-mail, calendars, blogs, videos, and more. So notable is Google's stranglehold over personal data that even Microsoft claims to offer more privacy than Google, which is enough to tell you the universe has shifted.

The question is, What will Google do with this vast trove of information? Global privacy counsel Peter Fleischer points out that Google alone challenged the Department of Justice in January 2006 when the department demanded millions of search terms from the top four engines. And Google did voluntarily agree to anonymize the search data it retains after 18 months.

But privacy advocates are far from convinced. The next time everyone's favorite Uncle asks the company to display its assets, Google might not prevail. And if Google were ever acquired or chopped into bits, that data could be its most valuable commodity.

Worse, Google Desktop may represent a security risk to the data on your hard drive. In a Ponemon Institute survey of IT pros conducted in June, more than 70 percent believe Google Desktop is still vulnerable to cross-site scripting attacks.

The solution? Be very careful about how you use Google products. When in doubt, log out.



Get paranoid: There's a spook in your inbox
Reason No. 3: Every call is a could-be conference call with Uncle Sam

Remember when the CIA was a dark, malevolent force lurking in the shadows of our lives, tapping our phones, reading our mail, and planting explosive devices in Castro's cigars? Well, they're baaaack. Only now it's the National Security Agency, and they're snooping into your e-mail, cell phone conversations, and Lord knows what else.

What we do know is fairly limited. According to an account in The New York Times, the spooks are heavily involved in data mining, combing through billions of electronic records, looking for patterns that might identify the behavior of terrorists.

We know that the Electronic Frontier Foundation is suing AT&T for allowing the spooks to tap into their datacenters and that the government is trying to quash the suit by claiming such information is a state secret -- which is about as far from a denial as you can get.

We also know Attorney General John Ashcroft, Acting Attorney General James Comey, and FBI Director Robert Mueller nearly resigned over domestic spying activities in 2004, forcing the Bush administration to change tactics.

And we know that Congress recently handed the spooks a virtual blank check for spying on conversations with foreign nationals, although they promise to revisit said blank check in six months.

And even if we did tell you what the agency is doing, we'd have to kill you -- and then flush all evidence of your existence down the memory hole.

“Until recently, we didn't have to worry much about the government spying on us,” says Larry Ponemon, director of the Ponemon Institute, a privacy management consultancy. “Now somebody decides that you're a terror threat or they don't like you for some reason, and you can't get on a plane. It may not necessarily happen to you, but it could happen to someone you know.”

Bottom line: Keep your nose clean and watch the plainclothes.



Get paranoid: Information brokers are bungling your data
Reason No. 4: Shoddy report vendors put the "credit" in discrediting your reputation

Anybody who requests a background or credit check on you -- or provides them to others -- has a ton of sensitive information about you that (a) may not be accurate and (b) is highly vulnerable to spills. That includes data brokers, credit bureaus, banks, insurance companies, cell carriers, and your employer.

Report vendors have morphed into one-stop data-mining shops, selling everything from credit scores to criminal records. A 2004 study by the U.S. Public Interest Research Group found that 80 percent of all credit reports contained errors and that one in four were serious enough to keep you from obtaining credit or getting a job.

Not surprisingly, report vendors' track records for protecting this information are abysmal (of course, Uncle Sam's record isn't too hot, either). According to the Privacy Rights Clearinghouse, nearly 160 million Americans have had sensitive personal information exposed by data breaches since January 2005.

What to do? Find out what information is out there by requesting a free copy of your credit report. Correct any mistakes and opt out whenever possible. Most data brokers now give you the option of removing your name from their marketing lists (although not credit or background checks); privacy policies on their Web sites usually spell out how. In September, ReputationDefender is launching its MyPrivacy service, which will remove you from some brokers' lists for a small fee.

The moral of this story: Keep your friends close and your data brokers closer.



Get paranoid: The Feds are on your tail
Reason No. 5: That letter in your doctor's hand may be hazardous to your health

If the National Security Agency is spying on you, you're probably connected in some way to a terrorist investigation -- even if it's just because you invited your neighbor Ahmed over for a barbecue.

But the FBI can investigate you for all kinds of reasons, and you may never know it until they slap on the cuffs. Are you a vegan, a member of People for the Ethical Treatment of Animals, or part of an antiwar organization? All of these groups have been investigated for “domestic terrorism” since September 11, according to documents obtained by the American Civil Liberties Union under the Freedom of Information Act.

Under the Patriot Act, FBI agents can issue NSLs (national security letters) to your employer, bank, ISP, doctor, library, or any other entity demanding your records without a warrant. Recipients of NSLs must comply with the FBI's demands and cannot notify the person under investigation. Between 2003 and 2005, the Feds issued more than 140,000 such letters, according to a March 2007 report by the inspector general for the Department of Justice.

In a random sample of nearly 300 NSLs, the inspector general found possible violations of FBI procedures or the law in 48 of them, or about one out of every six.

Worse, you can be an absolute saint and still be the target of an NSL. According to a November 2005 report in The Washington Post, “Senior FBI officials acknowledged in interviews that the proliferation of national security letters results primarily from the bureau's new authority to collect intimate facts about people who are not suspected of any wrongdoing.”

Feeling paranoid yet?



Get paranoid: Zombies abound
Reason No. 6: Hackers, crackers, and phishers -- need we say more?

We are in the midst of a zombie epidemic that shows no signs of slowing. During the second half of July, the volume of spam e-mails containing variations on the Storm worm increased tenfold. The result? A zombie network estimated by IT security company SecureWorks at more than 1.7 million PCs -- big enough to do serious damage to the Net.

The degree of your personal risk depends almost entirely on what you do and don't do online, says Bill Rosenkrantz, director of product management at Symantec.

“On one hand, the hackers are definitely out there, they are very creative, and there is significant financial gain available to them,” Rosenkrantz says. “On the other hand, you have decent control over that. If you don't randomly download files onto your system, have a full security solution on your desktop, and keep your browser and your OS updated, the risk is probably a 3 on a scale of 5. If you don't do any of that, your risk is probably closer to a 5.”

In the case of Storm, the solution is relatively straightforward. Because the zombies connect to one another via a P2P network, IT managers can mitigate damage by blocking each PC's ability to use p-to-p networking.

In short, be careful out there.



Get paranoid: Hollywood wants to terminate you
Reason No. 7: Copping the latest 50 Cent single could translate to doing time

No, the Recording Industry Association of America and the Motion Picture Association of America aren't spying on you. They've got people for that, specifically companies such as BayTSP and SafeMedia, which infiltrate peer-to-peer networks so they can record file swappers' IP addresses and the types and number of files they're sharing. An IP address isn't proof positive of your identity, but it's good enough for most civil suits -- unless, of course, it belongs to a dead person or someone who doesn't actually own a computer.

If you never visit p-to-p nets, you're probably safe. If you do, using anonymous IP networks, Web proxy services, or open Wi-Fi connections can make your identity much harder to trace, says Peter Eckersley, staff technologist for the Electronic Frontier Foundation.

“Aside from the huge, open p-to-p networks like Gnutella/LimeWire or eDonkey/eMule, many people share files with their friends on small-scale networks,” Eckersley adds. “In those situations, copyright holders would have to send undercover agents to infiltrate those groups if they wanted to trace the participants.”

Given the revenue at stake and the history of the players involved, if you're swapping tunes with a small circle of friends, be sure to keep your attorney's phone number handy, just in case.



Get paranoid: Your ISP knows too much
Reason No. 8: Detailed logs. Of everything you've ever done online

If you think Google knows more about you than your parents do, imagine the kind of dope your ISP could drop if pushed to give up the goods.

As the gateway to all our personal Internet communications, service providers could create detailed logs of everything you've ever done online: e-mail, Web surfing, IM, file downloads, and more. The potential for using such records in criminal investigations (or worse) is huge, which is why some lawmakers have been pushing legislation that requires ISPs to retain user data for a year or longer.

“We are more trusting of ISPs than we should be,” says Jim Harper, director of information policy studies at the Cato Institute. “You may not be able to see it, but there's a big stream of data going out of your house through your ISP. It's foolish to rely on ISPs to protect us from their own interests or the government's interests in us.”

And it's that second party's interests that send the deepest shivers down most folks' spines.

“I've even heard stories that some ISPs are reselling anonymous data about their traffic,” Harper adds. “Won't that suck if we find out the anonymized data they've been selling can be de-anonymized and re-identified.”

Can you trust your ISP? Don't be so sure.



Get paranoid: Your Wi-Fi net is wide open
Reason No. 9: Oh, I'll just hop on to this FraudDaddy3 Wi-Fi connection and pay bills while I wait for the bus

Got a secure Wi-Fi connection? Good for you. But your neighbors may not be so lucky.

According to an October 2006 survey by the Wi-Fi Alliance, three out of 10 home networks are insecure. More surprisingly, one out of four business Wi-Fi networks is totally open, according to a May 2006 survey by RSA.

That same RSA survey found that 20 percent to 30 percent of access points in major cities throughout the world use the user name and password supplied by their router manufacturer, allowing knowledgeable "war drivers" to log in to the device and change its security settings.

Aside from sucking up bandwidth, war drivers can use your connection to send spam, download porn, and snoop around your shared folders.

Using an open Wi-Fi network yourself isn't exactly safe, either. You could log on to an open network in an airport or other public space and end up on an “evil twin,” a Wi-Fi network set up to mimic a legit one but operated by some creep with a laptop and a mobile access point, notes Paul Henry, vice president at Secure Computing. The crooks could then sniff your data, grab passwords and other sensitive information, and gain access to your corporate network or steal your identity.

If your home net isn't already locked down, now's the time. And if you must access open Wi-Fi nets, use end-to-end encryption for the sensitive stuff.
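The "evil twin" described above can often be spotted before you connect, because the impostor usually gets the name right but not everything else. The following is an added example, not code from the article or from Secure Computing: it runs a few defensive heuristics over a constructed Wi-Fi scan table (the SSIDs, BSSIDs and signal values are made up) and flags names whose access points disagree on encryption or hardware vendor.

```python
from collections import defaultdict

# Constructed sample scan results (not real networks): the kind of table a
# laptop's Wi-Fi manager shows. "security" is the mode the beacon advertises.
SCAN = [
    {"ssid": "AirportFreeWiFi", "bssid": "00:1A:2B:10:20:30", "security": "WPA2", "signal": -61},
    {"ssid": "AirportFreeWiFi", "bssid": "00:1A:2B:10:20:31", "security": "WPA2", "signal": -64},
    {"ssid": "AirportFreeWiFi", "bssid": "D8:4E:C3:AA:BB:CC", "security": "OPEN", "signal": -35},
    {"ssid": "FraudDaddy3",     "bssid": "C0:FF:EE:00:00:01", "security": "OPEN", "signal": -40},
    {"ssid": "HomeNet-5G",      "bssid": "10:20:30:40:50:60", "security": "WPA2", "signal": -70},
]

def oui(bssid):
    """First three octets of a MAC address: identifies the hardware vendor."""
    return bssid.upper()[:8]

def find_evil_twin_candidates(scan):
    """Group beacons by SSID and flag names whose access points disagree.

    Heuristics (defensive rules of thumb assumed here, not a standard):
      * the same SSID is offered both encrypted and open;
      * the same SSID comes from more than one hardware vendor (OUI);
      * the open copy is the strongest signal (a laptop next to you
        tends to out-shout the real infrastructure).
    Returns a dict: ssid -> list of reasons.
    """
    by_ssid = defaultdict(list)
    for ap in scan:
        by_ssid[ap["ssid"]].append(ap)
    findings = {}
    for ssid, aps in by_ssid.items():
        if len(aps) < 2:
            continue
        reasons = []
        modes = {ap["security"] for ap in aps}
        if "OPEN" in modes and len(modes) > 1:
            reasons.append("same name advertised both open and encrypted")
        if len({oui(ap["bssid"]) for ap in aps}) > 1:
            reasons.append("same name from more than one hardware vendor")
        strongest = max(aps, key=lambda ap: ap["signal"])
        if strongest["security"] == "OPEN" and len(modes) > 1:
            reasons.append("open copy has the strongest signal")
        if reasons:
            findings[ssid] = reasons
    return findings

def safe_to_use(ssid, scan):
    """True only if every AP advertising this SSID is encrypted and consistent."""
    aps = [ap for ap in scan if ap["ssid"] == ssid]
    return bool(aps) and all(ap["security"] != "OPEN" for ap in aps) \
        and ssid not in find_evil_twin_candidates(scan)

if __name__ == "__main__":
    for ssid, reasons in find_evil_twin_candidates(SCAN).items():
        print(f"{ssid}: {'; '.join(reasons)}")
```

A single open network such as FraudDaddy3 raises no "twin" finding, which is the point of the article's second piece of advice: an open net is untrustworthy on its own, so anything sensitive still needs end-to-end encryption.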



Get paranoid: You are your own worst enemy
Reason No. 10: Having 185 million close personal friends does have its downside

Got a MySpace page? LinkedIn résumé? Facebook profile?

When it comes to sharing personal data (sometimes a bit too personal), many people are their own worst enemy. Letting it all out online is fine, until the day of that big job interview when you're asked to explain how you ended up in that Geeks Gone Wild video.

Roughly one out of five employers look at social networks when making hiring decisions, according to a survey by Viadeo, a European business social network. And with the ongoing proliferation of the social networking phenomenon, that number is only likely to grow.

“In general, people should be more concerned about the image they portray in places like MySpace and Facebook,” says Beth Givens, director of the Privacy Rights Clearinghouse. “More and more employers are searching them. Or one day you want to volunteer for an organization like Big Brothers or Big Sisters. You don't want to look like a drunk on the beach.”

OK, fine, you're hot. But does the world have to know it? Consider being a little more anti-social.
