Risk
8/1/2013
10:55 PM
Thomas Claburn
Commentary

Pressure Cooker Flap Traces To Employer, Not Google

Worried your Google searches are being watched by the authorities? Forget the NSA and start worrying about privacy closer to home.

A Long Island, N.Y., woman's account about being visited by authorities because of her Google searches about pressure cookers says volumes about privacy fears, but very little about what actually transpired. Call it the Snowden Effect.

Michele Catalano, a writer who has written for Forbes and other publications, published an account on Medium of being visited several weeks ago by "six agents from the joint terrorism task force" due to what she "imagined" was the result of "[her] son's reading habits combined with [her] search for a pressure cooker and [her] husband's search for a backpack set ..."

Along with other news outlets, The Guardian published a story based on Catalano's account with a headline suggesting the police visit arose from online search activity: "New York woman visited by police after researching pressure cookers online." But that link proved difficult to establish on Thursday afternoon, because the relevant law enforcement agencies were slow to acknowledge that any investigation actually took place.

Catalano initially refused via Twitter to respond to media inquiries seeking clarification, though she did subsequently insist, "I didn't make it up." She did not respond to an emailed request for comment.

The Suffolk County, N.Y., Police Department Thursday afternoon referred a request for comment to the FBI. The FBI's New York Office did not immediately respond to a request for comment, but the agency did deny Catalano's claim to The Washington Post.

The FBI told The Washington Post that officers from the Nassau County, N.Y., Police Department visited the woman's home.

Yet a spokeswoman for the Nassau County Police Department, reached by phone, denied that. "We were not at the house and we didn't conduct an investigation," the spokeswoman in the department's public information office said.

In a Google+ post, CNET correspondent Declan McCullagh suggested a more likely explanation for government scrutiny would be public posts, such as this image of M-66 firecrackers. Catalano appears to have posted it to Flickr in 2008 and more recently to her Facebook page.

Google declined to comment, but the company has a well-documented policy for handling law enforcement requests for information. It seems unlikely Google would provide user search history information without enough evidence to sustain a warrant.

Lurking in the background is the tinfoil-hat explanation: The NSA tipped off local authorities.

The truth turns out to be rather more prosaic: Thursday evening, the Suffolk County Police Department emailed a statement to TechCrunch in response to inquiries about Catalano's post. The statement indicated that the department had received a tip from a local computer company about a former employee's online searches about backpacks and pressure cookers and that it had visited the subject's home to ask about the suspicious searches. As of 8:30 a.m. ET Friday, the department had not published the release on its website.

TechCrunch has identified Catalano's husband as Todd Pinnell and the company where he was employed as Speco Technologies. It's not immediately clear whether Catalano's search for a pressure cooker was made through Pinnell's work computer, though that would make more sense if Pinnell had brought a work-issued device home.

Catalano subsequently published a clarification: "We found out through the Suffolk Police Department that the searches involved also things my husband looked up at his old job. We were not made aware of this at the time of questioning and were led to believe it was solely from searches from within our house."

In short, it appears that given the heightened vigilance following the Boston Marathon bombing, someone in IT was paying attention and alerted authorities.

The irony in all this is Catalano's lament about her lack of privacy, which her widely covered post has all but eradicated.

"This is where we are at," she wrote in her initial post. "Where you have no expectation of privacy. Where trying to learn how to cook some lentils could possibly land you on a watch list. Where you have to watch every little thing you do because someone else is watching every little thing you do."

For privacy, try self-employment and abstain from blogging.

Comments
Michael Endler
User Rank: Apprentice
8/2/2013 | 9:04:29 PM
re: Pressure Cooker Flap Traces To Employer, Not Google
When I first heard about this, I figured the FBI hadn't shown up on the basis of Google searches alone. For one thing, if every computer whose Internet search histories include "pressure cooker" and "backpack" warranted an in-person investigation, the government would run out of resources in about 10 minutes.

There simply aren't enough agents to act on so little information. Think how much time the authorities would waste investigating every grad student who looked at extremist sites while researching a dissertation on terrorism and foreign policy. Ditto for the wannabe screenwriter who uses Google to research bomb-making techniques so he can add authenticity to his next action movie plot.

So even if Google had been involved (which it wasn't), I never bought that the authorities would have acted on so little. That's not to say we shouldn't worry about privacy, or that we have nothing to fear as long as we have nothing to hide. But the original story just seemed fishy.
MyW0r1d
User Rank: Apprentice
8/2/2013 | 8:24:00 PM
re: Pressure Cooker Flap Traces To Employer, Not Google
Sounds like an old Twilight episode (for those who recall the TV series). Nassau County was there, says FBI. No we weren't, try the FBI. We weren't, try Suffolk County. No, not here try the NSA. Who? Are we certain it isn't just a slow Friday or if Ms. Catalano was visited by anyone (temperature was high in that area of the country wasn't it). Blogging has certainly made it simpler for anyone to get their 15 minutes and created many a virtual coffee shop. :-)
Becca Lipman
User Rank: Apprentice
8/2/2013 | 7:45:41 PM
re: Pressure Cooker Flap Traces To Employer, Not Google
Oh I see now, I was still thinking of the earlier theories. Yet somehow, I still believe it could happen! As Thomas says, call it the Snowden Effect.
OtherJimDonahue
User Rank: Apprentice
8/2/2013 | 7:36:16 PM
re: Pressure Cooker Flap Traces To Employer, Not Google
Becca--No, it wasn't several family members. Just the husband, on a work computer. (Or, at least, all the searches were on the work computer. If he'd brought it home, perhaps another family member used it.) The ex-employer called the cops.

Jim Donahue
Managing Editor
InformationWeek
Becca Lipman
User Rank: Apprentice
8/2/2013 | 6:34:06 PM
re: Pressure Cooker Flap Traces To Employer, Not Google
What I find most interesting is how a random collection of Google searches conducted by several family members on different devices triggered the alarm as easily as one person doing it all on a single laptop. This story gives us some idea as to the data storage and the software smoothly connecting these searches, it really is mindblowing.