The Ethical Investigator

Cardozo Law School recently hosted a conference on privacy and anonymity in the information age.  Lawyers, computer scientists and public health advocates wrestled with the challenges of protecting personal information at a time when so much data is easily obtainable online.  There were various tips and suggestions beyond merely mastering privacy settings on social media sites and avoiding public Wi-Fi hot spots when doing any online banking—although these are easy and important first steps.       

Recently there have also been a number of good articles inspired by the public acknowledgement that major Internet companies like Google have been less than forthright about their use and abuse of private information, as confirmed by the FCC’s decision to fine Google for its collection of private data during its Street View program.  The best ones, like this article by Kate Murphy in the New York Times, are easy how-to guides for savvy Internet users interested in gaining control over their information.  Devoid of jargon, Murphy clearly details easy steps to take in the defense against online snooping. 

But however empowering it may feel to think we’ve finally mastered the privacy settings of the technologies we use every day, the truth of the matter is that despite all our best efforts, information can and will be leaked.  As computer science Professor Steven Bellovin of Columbia University explained at the Cardozo conference, you can protect your email correspondence from being cross-referenced with your browsing history if you avoid Google or Yahoo email accounts and instead set up your own mail server.  But your messages are still fair game to Google if you email someone with a Gmail account.  Or you can activate your browser’s privacy mode to help wipe clean your browsing history.  But this change will stop short of concealing your computer’s I.P. address, the unique identifier that distinguishes it from all other computers.  And as Murphy points out, deciding to take that extra step and mask your I.P. address means incurring additional costs and possibly severely compromising your Internet speed.

Or you may assume that because you’ve never posted your address or physical whereabouts on Facebook or Twitter that you’ve managed to conceal where you actually live.  But the minute you post a picture, the image’s metadata may pinpoint the coordinates of where you took the shot.  So if you snapped that picture of your new puppy at home, you might be giving out your exact location when you upload it to Facebook. 

And then of course there’s the likelihood that information will be leaked by plain old human error, yours or someone else’s. There are always cautionary tales about someone inadvertently sending an email “Reply All” when it clearly shouldn’t have been.  At the Cardozo conference one computer privacy expert sheepishly admitted to making this rookie mistake himself—a confession that inspired chuckles of recognition from far less computer-literate audience members. 

And the actions of others, even if they were acting innocently, may expose your personal information as well.  For instance, one of our clients asked us to track down the settlor of a trust whose whereabouts had long since been a mystery.  But his family was all over Facebook, constantly updating their information with details about their home life and travels.  Eventually, we were able to locate him through them. 

Or take for example the recent news story of the Italian mobster finally arrested after being on the run for nine years.  He didn’t make a mistake, but his girlfriend did.  Police had been monitoring the mobster’s pregnant girlfriend’s social media sites for information about his whereabouts.  They hit the jackpot when the girlfriend decided to use Facebook to share photographs of her growing belly with friends and family.  In one of the photographs she posed in front of a sign for a beach in the Costa del Sol town of Marbella.  Then she uploaded another shot of her outside a well-known Italian restaurant in Marbella.  Soon after she sent the mobster an email predicting that she was going to go into labor sometime soon—an email that, unbeknownst to her, the police were monitoring.  Sure enough, the police apprehended the mobster when he arrived in Marbella shortly thereafter. 

So, despite the feelings of invincibility and invisibility that the Internet seems to inspire, the truth of the matter is that complete privacy or anonymity online are impossible.  

If 90% of U.S. companies are falling victim to computer hackers, according to a new Ponemon Institute study, is it that the companies are woefully unprepared or are the hackers are particularly smart? Looks like this one is on the companies.

A research center dedicated to privacy and data protection, Ponemon looked at 583 U.S. companies and concluded that data breaches are “almost a statistical certainty.”

Most companies say there’s little they can do about it. That includes big names such as security firm RSA, Lockheed Martin, Oak Ridge National Laboratories and the International Monetary Fund.  Tech departments blame financial resources and complexity of networks as top reasons for breaches. Nearly two-thirds of the attacks resulted in losses anywhere from $250,000 to $2.5 million

But dig deeper and the numbers tell a story about risk that could be better managed.  Most companies are already running a firewall on their network and have anti-virus and anti-malware installed in their employees’ computers.  The problem is, the study found that 63% of breaches occurred from unsecured employee devices – laptops and mobile phones.  The vast majority of threats originate from website and social media malware and malicious software downloads.

Either the companies’ anti-virus software is outdated, or employees allow themselves to be too liberal with what they download.

This therefore looks like a training problem. Employees, and not just the IT department, should be aware of how to start lessening the risk.

• If attacks are coming in from laptops and mobile devices (smartphones, tablets, etc.), it’s time to implement a new policy on how employees connect to the network or enterprise systems when out of the office.  The days of living one’s personal life on a company-owned device may have to come to an end.
• Only 30% of companies report the use of encryption, while citing theft of information assets as their top concern. An encryption policy seems like a no-brainer. Data theft is a lot easier to tolerate when to the thieves it appears as a meaningless mishmash that would take sophisticated computers days or weeks to decrypt. The thing about encryption, though, is that you have to use it. If it’s turned off or if your password is your birthday or the name of your dog, it won’t help you.

Imagine this: You have an iPhone, iPad and Mac computer. You use all three devices mostly for personal home use, but you also receive work e-mail on them. Medical records, tax returns, and other confidential information goes on these devices. They all sync amongst themselves and you’ve just started using Apple’s new server farm, iCloud. The system sends files into storage automatically over your wireless signal once a day and all your private data ends up on Apple’s new cloud. There’s no assurance that all these personal files cannot be intercepted, but Apple promises to keep them under secure lock and key. 

News from Apple’s World Wide Developer’s Conference is flooding the web today. Our call regarding iCloud was on the mark, but today’s formal announcement brings several serious worries into even sharper perspective. iCloud is designed for sharing not only music, videos and photos, but also to store your e-mail and personal calendar. And the system does this with all of your Apple devices, wirelessly, while running in the background. 

No need to hit “send.” Apple with just grab your information and store it for you. 

As Steve Jobs said regarding iCloud: “We think this is going to be pretty big,” and we wholeheartedly agree with him. It’s just that big in this case is not better. 

Just what a generation of Googlers doesn’t need: more false hopes from Google Chairman Eric Schmidt that Google is a treasure trove of answers to their questions.

Schmidt said in an interview this week that that Google aims to “compute the right answer” to questions typed in by users rather than just provide links.

We’ve written before here about why Google as a business is not the same as a neutral finder of information, as well as why computers such as Jeopardy’s Watson or the ones at Google don’t actually think, but only seem as if they are thinking.

Just why, then, is Google going to be unable to “compute answers” much of the time? Among other reasons,

• Most things in the world aren’t on Google. You can’t get answers to questions that depend on information that isn’t there. Google yourself: how much information about your whole life can you find? Every roommate you ever had? Every job? Significant other? Dispute? Most people can find perhaps one percent of their life on line, if that. The fact that Google wasn’t around before 1998 is one reason for this, but there are others.
• As we wrote before, Google likes to give you information about the things that are profitable for Google, not useful for you. We know how a library index is put together, but Google’s algorithms, ever changing, are a business secret. Libraries get funding from the public, but Google has to make its money from ads.
• Using Google properly requires “meta searching,” or searching for the thing that will lead you to the answer you want. You think a computer can do this, but it’s remarkably difficult to program. Say you want to find an optician in a particular state. He probably won’t be on Google, because the authority that licenses opticians there is either not on line or uses PDF documents that Google’s robots don’t index. But if you Google optician licensing authorities, you could then download and read the PDF file to find the person you’re looking for.
• Google and most computers are rotten at telling you what ought to be there, but isn’t. Can’t find a Big Four accounting firm that looks after Bernard Madoff? Google might give you the answer that his accountant is a one-room operation in the suburbs. It won’t add that this seems mighty fishy and there are more important questions with which to follow up.

 Remember that Google is tool for thinking people, not a substitute for thinking.

While the U.S. Supreme Court is deciding whether it’s lawful to covertly track a suspected felon through warrantless GPS monitoring (see April 15, 2011 petition here), the European Commission is tackling a more powerful, already implemented technology that could potentially threaten everyone’s privacy if left unregulated.

Ever heard of the “Internet of Things?” The term was coined by the Radio Frequency Identification (RFID) community 10 years ago and refers to sensors that can read physical, environmental changes and report them back over the internet. (RFID technology uses radio waves to identify data from an electronic tag and has commonly been used by businesses for inventory management and logistics.)

The Internet of Things is a collection of sensors that are “readable, recognizable, locatable, addressable and/or controllable via the Internet.” Imagine these as sensors of any kind with the ability to monitor any type of action, including radiation detection.

The good news about having lots of sensors spread around: The recent devastating earthquakes and tsunami in Japan prompted a need for immediate region-wide radiation detection. During what has emerged in the last few weeks as a nuclear accident ranked as seriously as Chernobyl, the internet of things played its part in monitoring and reporting back over IP (Internet Protocol) the radiation levels in real-time to news sources, rescue and aid organizations, and the brave cleanup crews. Hundreds of radiation sensors, very much like weather sensors, were already in place – strategically positioned around the country for an event just like this disaster.

Sensors, like the ones used to monitor radiation in Japan, can all be operated remotely and businesses are beginning to use them in remarkable ways. One company allows food suppliers to trace their goods along the supply chain, allowing their customers to see where the food came from. Another lets farmers monitor the health and vitals of their livestock through sensors planted in an animal’s ear. And the technology is not reserved only for businesses, thanks to a company making recent waves in the news called Pachube.  

Now anyone can use the system to link a sensor, and have the Pachube computer control a setting. For instance, one developer uses a temperature sensor in his office and has Pachube automatically turn on the fan for him. Pachube’s sensor data is available to anyone in real-time, and the service is free. It’s clear that these “smart systems” are allowing businesses to improve their services and better allocate their resources, but they could also be used for more sinister purposes.

But if we let our imagination run a little, we start to see a potential problem for privacy.

Envision walking by a remotely operated sensor, monitored over a service like Pachube, as all of your clothes and your electronic devices contain RFID tags. The sensor reports your exact preferences and the receiving party – the manufacturer, for instance, has your credit card information on file. The sensor now knows exactly who you are from the RFID tags. This is where the implications and dangers of this kind of technology really begin to run rampant and why many countries are already ahead of the game in preparing regulation.      

The European Commission, along with supply chain standards organization GS1 and the European Network and Information Security Agency (ENISA) are partnered in working on implementing guidelines for all companies in Europe using RFID technology in order to address the issue of data-protection. Miguel Lopera, GS1’s CEO, stated that the partnership is working so that “no personal data is actually present on a tag.” Is it then up to the individual companies to protect the purchaser’s information in some sort of gentleman’s agreement?

Sensors like the ones used to transmit radiation data in Japan are undeniably important during a crisis. If left unchecked, this technology, along with Pachube’s efforts to “democratize the sensor” could allow anyone to set up a sensor and secretly monitor what it is reading.

I don’t know about you, but that idea scares me.

The most dangerous thing about all the tracking that’s done on us over the internet is not how much computers get to know about us, but how wrong they can be.

That presents a bunch of worries over those transactions (such as credit checks) that rely on the automated crunching of mounds of data.

But if you need to know a lot of detail about a person with a high degree of certainty, data mining isn’t where the gold is. For a good human investigator, modern computing brings to mind the primitive clunker pictured below when compared to a keen mind and an impressive bit of technology known as the telephone.

Take the latest, well-researched treatment of the subject by Joel Stein in TIME. With all of the ingenious tracking technology that follows him around on the internet, data miner RapLeaf thinks he has no kids (when he has), works as a medical professional (which he isn’t), and drives a truck (which he doesn’t). Google Ads and other well known data accumulators also get him very wrong.

His conclusion is that “RapLeaf clearly does not read my column in TIME.” My conclusion is that RapLeaf could be outsmarted by any decent investigator who can read and then substantiate Stein’s writings by chatting with a few people who work with him.

Surf over to Gunsandammo.com, and one of the data miners might conclude you’re a Second Amendment enthusiast when the truth is, you were researching a case about guns. The best way to find out someone’s feelings about guns is to see what they’ve written in the past through a thorough press search, check their political donations, and then to call people who knew or know them.

Maybe such an error is costless for guns people who want to send you a virtually free spam email, but for someone thinking of hiring you or investing with you, which places you visit on the internet is hardly a reliable indicator to color such an important transaction.

Data mining sounds creepy. One of the leading journals in the field features a current article called Limitations of Matrix Completion via Trace Norm Minimization. It sounds as if it’s beyond the mathematical skills of most of us and probably is, but so what? The best math modelers failed to spot the various financial bubbles that have burst over the past decade. Nobel laureates in math and statistics have helped with hedge funds that blew up from too much risk taken on. It’s all laid out beautifully in Nassim Taleb’s The Black Swan.

Besides, Stein makes the point that our identities have never been completely within our control.

“Our friends keep letters we've forgotten writing, our enemies tell stories about us we remember differently, our yearbook photos are in way too many people's houses. Opting out of all those interactions is opting out of society.”

What are some of the bits of information a good investigator has always been able to get about most people, and still can?

• How much you paid for your house, who you bought it from, and how much your mortgage is
• Which political candidates you give money to
• Whether you’ve ever been suspended or disciplined from your profession or occupation that’s subject to a state license
• What kinds of equipment and car leases you have
• What side companies you run out of your house or office

You can try finding this out on the web. Sometimes you’ll succeed and sometimes you won’t. But hire an experienced fact investigator with a computer and telephone, and you will be able to get most of this information in a completely legal, ethical manner.

Just as you could have done 20, 30 or 40 years before Google and modern data mining were even invented.