The Myth of Online Privacy

Cardozo Law School recently hosted a multi-disciplinary conference on privacy and the Internet, "Anonymity and Identity in the Information Age."  Lawyers, computer scientists and public health advocates wrestled with the challenges of protecting personal information at a time when so much data is easily obtainable online.  There were various tips and suggestions beyond merely mastering privacy settings on social media sites and avoiding public Wi-Fi hot spots when doing any online banking—although these are easy and important first steps.

Recently there have also been a number of good articles inspired by the public acknowledgement that major Internet companies like Google have been less than forthright about their use and abuse of private information, as confirmed by the FCC’s decision to fine Google for its collection of private data during its Street View program.  The best ones, like "How to Muddy Your Tracks on the Internet" by Kate Murphy in the New York Times, are easy how-to guides for savvy Internet users interested in gaining control over their information.  Devoid of jargon, Murphy clearly details easy steps to take in the defense against online snooping. 

But however empowering it may feel to think we’ve finally mastered the privacy settings of the technologies we use every day, the truth of the matter is that despite all our best efforts, information can and will be leaked.  As computer science Professor Steven Bellovin of Columbia University explained at the Cardozo conference, you can protect your email correspondence from being cross-referenced with your browsing history if you avoid Google or Yahoo email accounts and instead set up your own mail server.  But your messages are still fair game to Google if you email someone with a Gmail account.  Or you can activate your browser’s privacy mode to help wipe clean your browsing history.  But this change will stop short of concealing your computer’s I.P. address, the unique identifier that distinguishes it from all other computers.  And as Murphy points out, deciding to take that extra step and mask your I.P. address means incurring additional costs and possibly severely compromising your Internet speed.

Or you may assume that because you’ve never posted your address or physical whereabouts on Facebook or Twitter that you’ve managed to conceal where you actually live.  But the minute you post a picture, the image’s metadata may pinpoint the coordinates of where you took the shot.  So if you snapped that picture of your new puppy at home, you might be giving out your exact location when you upload it to Facebook. 
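To make the photo-metadata point concrete, here is an added example (not code from the original post or from any product it mentions) that reads the GPS tags from a JPEG's Exif header and strips that header before the picture is shared. The JPEG is constructed inline so the script runs offline; tag numbers and layout follow the Exif/TIFF specification.

```python
import struct
GPS_INFO_TAG = 0x8825  # IFD0 entry that points to the GPS sub-IFD

def build_sample_jpeg(lat_dms, lat_ref, lon_dms, lon_ref):
    """Constructed test input: a stub JPEG carrying only an Exif APP1 header, no image data."""
    tiff = b"MM\x00\x2a" + struct.pack(">I", 8)                              # big-endian TIFF, IFD0 at 8
    tiff += struct.pack(">HHHII", 1, GPS_INFO_TAG, 4, 1, 26) + b"\0\0\0\0"   # IFD0: one entry -> GPS IFD at 26
    tiff += struct.pack(">HHHI", 4, 1, 2, 2) + lat_ref.ljust(4, b"\0")       # GPS IFD (4 entries); GPSLatitudeRef inline
    tiff += struct.pack(">HHII", 2, 5, 3, 80)                                # GPSLatitude: 3 RATIONALs at offset 80
    tiff += struct.pack(">HHI", 3, 2, 2) + lon_ref.ljust(4, b"\0")           # GPSLongitudeRef inline
    tiff += struct.pack(">HHII", 4, 5, 3, 104) + b"\0\0\0\0"                 # GPSLongitude: 3 RATIONALs at 104
    tiff += b"".join(struct.pack(">II", v, 1) for v in lat_dms + lon_dms)    # the six rationals (denominator 1)
    app1 = b"Exif\0\0" + tiff
    return b"\xff\xd8\xff\xe1" + struct.pack(">H", len(app1) + 2) + app1 + b"\xff\xd9"

def exif_segment(jpeg):
    """Walk the JPEG marker segments; return (start, end, tiff_bytes) of the Exif APP1, else None."""
    pos = 2
    while jpeg[:2] == b"\xff\xd8" and pos + 4 <= len(jpeg):
        marker, length = struct.unpack(">HH", jpeg[pos:pos + 4])
        if marker == 0xFFE1 and jpeg[pos + 4:pos + 10] == b"Exif\0\0":
            return pos, pos + 2 + length, jpeg[pos + 10:pos + 2 + length]
        if marker in (0xFFDA, 0xFFD9):          # start of scan / end of image: no more headers
            return None
        pos += 2 + length
    return None

def read_ifd(tiff, e, off):  # one IFD -> {tag: (type, count, raw 4-byte value-or-offset field)}
    n = struct.unpack(e + "H", tiff[off:off + 2])[0]
    return {t: (ty, c, v) for t, ty, c, v in struct.iter_unpack(e + "HHI4s", tiff[off + 2:off + 2 + 12 * n])}

def gps_coordinates(jpeg):
    """Return (lat, lon) in decimal degrees if the photo is geotagged, else None."""
    seg = exif_segment(jpeg)
    if seg is None:
        return None
    tiff = seg[2]
    e = "<" if tiff[:2] == b"II" else ">"           # TIFF byte order: "II" little-endian, "MM" big-endian
    ifd0 = read_ifd(tiff, e, struct.unpack(e + "I", tiff[4:8])[0])
    if GPS_INFO_TAG not in ifd0:
        return None
    gps = read_ifd(tiff, e, struct.unpack(e + "I", ifd0[GPS_INFO_TAG][2])[0])
    def degrees(tag, ref_tag, negative_ref):        # degrees/minutes/seconds -> signed decimal degrees
        off = struct.unpack(e + "I", gps[tag][2])[0]
        d, m, s = [num / den for num, den in struct.iter_unpack(e + "II", tiff[off:off + 24])]
        deg = d + m / 60 + s / 3600
        return -deg if gps[ref_tag][2][:1] == negative_ref else deg
    return degrees(2, 1, b"S"), degrees(4, 3, b"W")

def strip_exif(jpeg):
    """Defensive fix: drop the whole Exif segment (and with it any GPS data) before sharing."""
    seg = exif_segment(jpeg)
    return jpeg if seg is None else jpeg[:seg[0]] + jpeg[seg[1]:]
```

Real cameras write many more tags, but the GPS sub-IFD is reached the same way, so the check works on real files too.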

And then of course there’s the likelihood that information will be leaked by plain old human error, yours or someone else’s. There are always cautionary tales about someone inadvertently sending an email “Reply All” when it clearly shouldn’t have been.  At the Cardozo conference one computer privacy expert sheepishly admitted to making this rookie mistake himself—a confession that inspired chuckles of recognition from far less computer-literate audience members. 

And the actions of others, even if they were acting innocently, may expose your personal information as well.  For instance, one of our clients asked us to track down the settlor of a trust whose whereabouts had long since been a mystery.  But his family was all over Facebook, constantly updating their information with details about their home life and travels.  Eventually, we were able to locate him through them. 

Or take for example the recent news story of the Italian mobster finally arrested after being on the run for nine years.  He didn’t make a mistake, but his girlfriend did.  Police had been monitoring the mobster’s pregnant girlfriend’s social media sites for information about his whereabouts.  They hit the jackpot when the girlfriend decided to use Facebook to share photographs of her growing belly with friends and family.  In one of the photographs she posed in front of a sign for a beach in the Costa del Sol town of Marbella.  Then she uploaded another shot of her outside a well-known Italian restaurant in Marbella.  Soon after she sent the mobster an email predicting that she was going to go into labor sometime soon—an email that, unbeknownst to her, the police were monitoring.  Sure enough, the police apprehended the mobster when he arrived in Marbella shortly thereafter. 

So, despite the feelings of invincibility and invisibility that the Internet seems to inspire, the truth of the matter is that complete privacy or anonymity online is impossible.

Fight Hackers with Encryption

With all the focus on tech IPOs that reward gaming and chatting, it’s nice to see a company dedicated to privacy getting a little bit of venture cash behind it. With just $1.5 million raised so far, CertiVox is still a tech minnow, but its idea is a solid one: people need to be able to trust that some privacy online is still a possibility.

Remember all that spam e-mail for male enhancement and mysterious lottery winnings? Most people have become wise to the classic spam or phishing schemes, and hackers have stepped up their game. The new tactics are spear-phishing (researching and targeting specific users) and whale-phishing (targeting executives who have access to the most information).

One way this works is for hackers to research their target in the social network, pick one of the target’s “friends” and set up an e-mail account that looks like it belongs to the friend. The target won’t think twice about clicking on the malicious link that comes in from their friend. With this tactic, some hackers seek to simply create mischief, others are targeting corporations.

Recently we wrote about a particularly worrying study on corporate security breaches – think Sony, Lockheed Martin and Citigroup. The data shows that the problem lies largely with employees’ mobile devices and the completely unencrypted transfer of information. People are using Facebook, sending e-mails and clicking on links, all of which results in a public transfer of information that can be intercepted. Hackers bet on our complacency and “that’s just how the internet works” attitude and win every day.

Now comes CertiVox, whose goal is to provide government-grade encryption to corporations and your web browser. Their new (and free) PrivateSky plug-in allows you to encrypt what you do online and show it only to those for whom it’s intended. Your e-mail is no longer an open postcard and your Facebook rants stay private. For corporations, there are more robust solutions for the entire network.

A concern here is that a good encryption product, one that does not allow the product’s creator to see the message, could fall into the hands of criminals. Governments can crack highly sophisticated encryption programs, but at what cost in time and money? If CertiVox gets big enough, will it have to cough up its code to government authorities in order to keep going, as Research in Motion did in India?

While we don’t vouch for CertiVox’s reliability or competitiveness, it’s certainly a step in the right direction that such a company is able to raise cash to keep itself going.

(Photo Credit: Sasha Wolff) 

Security Breaches in U.S. Companies "Almost a Statistical Certainty"

If 90% of U.S. companies are falling victim to computer hackers, according to a new Ponemon Institute study, is it that the companies are woefully unprepared or that the hackers are particularly smart? Looks like this one is on the companies.

A research center dedicated to privacy and data protection, Ponemon looked at 583 U.S. companies and concluded that data breaches are “almost a statistical certainty.”

Most companies say there’s little they can do about it. That includes big names such as security firm RSA, Lockheed Martin, Oak Ridge National Laboratories and the International Monetary Fund.  Tech departments blame financial resources and the complexity of networks as the top reasons for breaches. Nearly two-thirds of the attacks resulted in losses anywhere from $250,000 to $2.5 million.

But dig deeper and the numbers tell a story about risk that could be better managed.  Most companies are already running a firewall on their network and have anti-virus and anti-malware installed in their employees’ computers.  The problem is, the study found that 63% of breaches occurred from unsecured employee devices – laptops and mobile phones.  The vast majority of threats originate from website and social media malware and malicious software downloads.

Either the companies’ anti-virus software is outdated, or employees allow themselves to be too liberal with what they download.

This therefore looks like a training problem. Employees, and not just the IT department, should be aware of how to start lessening the risk.

  • If attacks are coming in from laptops and mobile devices (smartphones, tablets, etc.), it’s time to implement a new policy on how employees connect to the network or enterprise systems when out of the office.  The days of living one’s personal life on a company-owned device may have to come to an end.
  • Only 30% of companies report the use of encryption, while citing theft of information assets as their top concern. An encryption policy seems like a no-brainer. Data theft is a lot easier to tolerate when, to the thieves, it appears as a meaningless mishmash that would take sophisticated computers days or weeks to decrypt. The thing about encryption, though, is that you have to use it. If it’s turned off, or if your password is your birthday or the name of your dog, it won’t help you.