Risk

8/1/2013
10:55 PM
Thomas Claburn
Thomas Claburn
Commentary
Connect Directly
Google+
LinkedIn
Twitter
RSS
E-Mail
50%
50%

Pressure Cooker Flap Traces To Employer, Not Google

Worried your Google searches are being watched by the authorities? Forget the NSA and start worrying about privacy closer to home.

Google Maps Updated: 10 Cool Features
Google Maps Updated: 10 Cool Features
(click image for larger view)
A Long Island, N.Y., woman's account about being visited by authorities because of her Google searches about pressure cookers says volumes about privacy fears, but very little about what actually transpired. Call it the Snowden Effect.

Michele Catalano, a writer who has written for Forbes and other publications, published an account on Medium of being visited several weeks ago by "six agents from the joint terrorism task force" due to what she "imagined" was the result of "[her] son's reading habits combined with [her] search for a pressure cooker and [her] husband's search for a backpack set ..."

Along with other news outlets, The Guardian published a story based on Catalano's account with a headline suggesting the police visit arose from online search activity: "New York woman visited by police after researching pressure cookers online." But that link proved difficult to establish on Thursday afternoon, because the relevant law enforcement agencies were slow to acknowledge that any investigation actually took place.

[ Do government searches go deeper than we even imagined? Read NSA Surveillance Can Penetrate VPNs. ]

Catalano initially refused via Twitter to respond to media inquiries seeking clarification, though she did subsequently insist, "I didn't make it up." She did not respond to an emailed request for comment.

The Suffolk County, N.Y., Police Department Thursday afternoon referred a request for comment to the FBI. The FBI's New York Office did not immediately respond to a request for comment, but the agency did deny Catalano's claim to The Washington Post.

The FBI told to The Washington Post that officers from the Nassau County, N.Y., Police Department visited the woman's home.

Yet, a spokeswoman the Nassau County Police Department, reached by phone, denied that. "We were not at the house and we didn't conduct an investigation," a spokeswoman in the department's public information office said.

In a Google+ post, CNET correspondent Declan McCullagh suggested a more likely explanation for government scrutiny would be public posts, such as this image of M-66 firecrackers. Catalano appears to have posted it to Flickr in 2008 and more recently to her Facebook page.

Google declined to comment, but the company has a well-documented policy for handling law enforcement requests for information. It seems unlikely Google would provide user search history information without enough evidence to sustain a warrant.

Lurking in the background is the tinfoil-hat explanation: The NSA tipped off local authorities.

The truth turns out to be rather more prosaic: Thursday evening, the Suffolk County Police Department emailed a statement to TechCrunch in response to inquiries about Catalano's post indicating that it had received a tip from a local computer company about a former employee's online searches about backpacks and pressure cookers and that it had visited the subject's home to ask about the suspicious searches. As of 8:30 a.m. ET Friday, the department had not published the release on its website.

TechCrunch has identified Catalano's husband as Todd Pinnell and the company where he was employed as Speco Technologies. It's not immediately clear whether Catalano's search for a pressure cooker was made through Pinnell's work computer, though that would make more sense if Pinnell had brought a work-issued device home.

Catalano subsequently published a clarification: "We found out through the Suffolk Police Department that the searches involved also things my husband looked up at his old job. We were not made aware of this at the time of questioning and were led to believe it was solely from searches from within our house."

In short, it appears that given the heightened vigilance following the Boston Marathon bombing, someone in IT was paying attention and alerted authorities.

The irony in all this is Catalano's lament about her lack of privacy, which her widely covered post has all but eradicated.

"This is where we are at," she wrote in her initial post. "Where you have no expectation of privacy. Where trying to learn how to cook some lentils could possibly land you on a watch list. Where you have to watch every little thing you do because someone else is watching every little thing you do."

For privacy, try self-employment and abstain from blogging.

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Michael Endler
50%
50%
Michael Endler,
User Rank: Apprentice
8/2/2013 | 9:04:29 PM
re: Pressure Cooker Flap Traces To Employer, Not Google
When I first heard about this, I figured the FBI hadn't shown up on the basis of Google searches alone. For one thing, if every computer whose Internet search histories include "pressure cooker" and "backpack" warranted an in-person investigation, the government would run out of resources in about 10 minutes.

There simply aren't enough agents to act on so little information. Think how much time the authorities would waste investigating every grad student who looked at extremist sites while researching a dissertation on terrorism and foreign policy. Ditto for the wannabe screenwriter who uses Google to research bomb-making techniques so he can add authenticity to his next action movie plot.

So even if Google had been involved (which it wasn't), I never bought that the authorities would have acted on so little. That's not to say we shouldn't worry about privacy, or that we we have nothing to fear as long as we have nothing to hide. But the original story just seemed fishy.
MyW0r1d
50%
50%
MyW0r1d,
User Rank: Apprentice
8/2/2013 | 8:24:00 PM
re: Pressure Cooker Flap Traces To Employer, Not Google
Sounds like an old Twilight episode (for those who recall the TV series). Nassau County was there, says FBI. No we weren't, try the FBI. We weren't, try Suffolk County. No, not here try the NSA. Who? Are we certain it isn't just a slow Friday or if Ms. Catalano was visited by anyone (temperature was high in that area of the country wasn't it). Blogging has certainly made it simpler for anyone to get their 15 minutes and created many a virtual coffee shop. :-)
Becca Lipman
50%
50%
Becca Lipman,
User Rank: Apprentice
8/2/2013 | 7:45:41 PM
re: Pressure Cooker Flap Traces To Employer, Not Google
Oh I see now, I was still thinking of the earlier theories. Yet somehow, I still believe it could happen! As Thomas says, call it the Snowden Effect.
OtherJimDonahue
50%
50%
OtherJimDonahue,
User Rank: Apprentice
8/2/2013 | 7:36:16 PM
re: Pressure Cooker Flap Traces To Employer, Not Google
Becca--No, it wasn't several family members. Just the husband, on a work computer. (Or, at least, all the searches were on the work computer. If he'd brought it home, perhaps another family member used it.) The ex-employer called the cops.

Jim Donahue
Managing Editor
InformationWeek
Becca Lipman
50%
50%
Becca Lipman,
User Rank: Apprentice
8/2/2013 | 6:34:06 PM
re: Pressure Cooker Flap Traces To Employer, Not Google
What I find most interesting is how a random collection of Google searches conducted by several family members on different devices triggered the alarm as easily as one person doing it all on a single laptop. This story gives us some idea as to the data storage and the software smoothly connecting these searches, it really is mindblowing.
Microsoft Word Vuln Went Unnoticed for 17 Years: Report
Kelly Sheridan, Associate Editor, Dark Reading,  11/14/2017
Companies Blindly Believe They've Locked Down Users' Mobile Use
Dawn Kawamoto, Associate Editor, Dark Reading,  11/14/2017
121 Pieces of Malware Flagged on NSA Employee's Home Computer
Kelly Jackson Higgins, Executive Editor at Dark Reading,  11/16/2017
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Managing Cyber-Risk
An online breach could have a huge impact on your organization. Here are some strategies for measuring and managing that risk.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2017-0290
Published: 2017-05-09
NScript in mpengine in Microsoft Malware Protection Engine with Engine Version before 1.1.13704.0, as used in Windows Defender and other products, allows remote attackers to execute arbitrary code or cause a denial of service (type confusion and application crash) via crafted JavaScript code within ...

CVE-2016-10369
Published: 2017-05-08
unixsocket.c in lxterminal through 0.3.0 insecurely uses /tmp for a socket file, allowing a local user to cause a denial of service (preventing terminal launch), or possibly have other impact (bypassing terminal access control).

CVE-2016-8202
Published: 2017-05-08
A privilege escalation vulnerability in Brocade Fibre Channel SAN products running Brocade Fabric OS (FOS) releases earlier than v7.4.1d and v8.0.1b could allow an authenticated attacker to elevate the privileges of user accounts accessing the system via command line interface. With affected version...

CVE-2016-8209
Published: 2017-05-08
Improper checks for unusual or exceptional conditions in Brocade NetIron 05.8.00 and later releases up to and including 06.1.00, when the Management Module is continuously scanned on port 22, may allow attackers to cause a denial of service (crash and reload) of the management module.

CVE-2017-0890
Published: 2017-05-08
Nextcloud Server before 11.0.3 is vulnerable to an inadequate escaping leading to a XSS vulnerability in the search module. To be exploitable a user has to write or paste malicious content into the search dialogue.