Security Insights

Your Privacy Doesn't Exist

Protecting your privacy never ends
When you are at your desk thinking about protecting someone else's privacy, you may have your colleagues in mind, or perhaps your customers or business partners. Ideally, this is data you can put boundaries around, control who has access, and for how long.

When you are thinking about your personal privacy, it's also data in the form of bits that you are attempting to control. What happens to your personal data when you purchase a home, apply for a credit card, or use your email address for a social network?

You are supposed to feel confident that the custodians of your personal information have safeguards in place the same way you are protecting your customers' data. What if they are compliant with the regulations, but your personal data is still available publicly? Huh?

It's happening every day with websites that crawl other websites and correlate the results, making it easier for the scienters to learn more about you. The crawlers are able to do this when privacy settings aren't battened down or when purchasing a home makes it public knowledge to the world. Should it be?

I was fortunate to speak at the Cyber Defense and Disaster Recovery Conference 2013. After my talk was over, I was able to attend a couple of other sessions. They were both very good, but the one that repeatedly gets played back in my mind is "Hiding from the Internet," by Mike Bazzell.

Bazzell's presentation was about finding and removing your identity from the Internet. The session really seemed much more focused on protecting your personally identifiable information (PII) as opposed to not having any tracks left behind on the Internet.

The awareness of these sites isn't new, and a lot has been written about their aggregating activities. What is so amazing is that most people in Bazzell's presentation were unaware of how easy it is to get collaborative information, such as current address, previous address, DOB, social profiles, spousal PII, etc., with little effort.

Rehashing all of the information Bazzell discussed would be too long for this article, but we will look at some of the search websites that keep haunting me.

Spokeo
The name "Spokeo" is a fictitious word based on the premise that people using the website will become more interconnected, much like the spokes in a wheel. There is definitely truth to that because even unwanted people can interconnect with you easily.

Right on its home page, Spokeo dubs itself to be "...a people search engine that organizes white-pages listings and public records."

There is nothing better than seeing the facts for themselves. So let's do this together: Click this link to open the Spokeo website. Type in either your own first and last name or those of someone you know fairly well, along with the city and state. I'm assuming that you are doing this from the United States.

I entered information of a family member who doesn't live with me and who I never searched on previously. Her name came up quickly because it's not a very common name. If your name is much more common, then it may be harder to find yourself. Try searching "John Smith, New York, NY" to see what I mean.

In the left search results column you will see the searched name and possible addresses. What I learned is that my family member has a P.O. Box in town. I wonder why?

I clicked her home address and a wealth of "potential" information is available. Potential is in double-quotes because I have to pay for a three- or six-month subscription to unmask the juicy details.

Scrolling through the rest of the page will complete the picture of how much information is available with little effort and cost.

The good news is you can remove yourself from appearing on the Spokeo website. I'm no longer searchable in Spokeo -- are you? Its Terms of Use does state that it can't remove the information from the third-party sources, which makes sense.

I was not able to confirm whether Spokeo completely removes you from its database when you opt out, but it can still restore from backup, can't it?

Pipl
Pipl, pronounced people (\ˈpē-pəl\), uses a methodology called "deep web" searching. The deep web is also known as the invisible web, the Undernet, or Deepnet, which is a creative name for the data buried within the World Wide Web that is not on the surface and easily indexed.

From its website, this is how Pipl describes its technology: "Our robots are set to interact with searchable databases and extract facts, contact details and other relevant information from personal profiles, member directories, scientific publications, court records and numerous other deep-web sources."

Wow! Court records! Good thing I have a clean record.

I took the same approach to finding information about pipl (sorry, couldn't help myself) who I already know, who don't have very common names but live in New York City, with the chance there will be duplicates so as not to spend too much time sifting through the noise. The idea is to try and hit a small target in a big area looking to see how accurately I am able to find someone I know.

The only search criteria I provided was my friend's full name, no location information whatsoever. The suggested searches were very promising by nailing my friend's age and the borough where he lives. The first result back from Pipl was a reference back to Spokeo with the street he lives on! That was pretty easy.

The next result provided a link back to LinkedIn. Even while not being logged into LinkedIn I was still able to see that he participated in a hackathon, has a patent bearing his name, and his expertise. Metaphorically, data is spilling off the table and onto the floor.

Following LinkedIn, results were provided by yellowpages.com and addresses.com revealing my friend's complete postal address including apartment number. Yikes!

The last bit of relevant results pointed to the patent he worked on, which came from the LinkedIn search results. There was also a reference to a Facebook user, which was not him.

All in all, it was a pretty jaw-dropping discovery with little effort and without any financial setback. The bad news is, Pipl doesn't have an option to remove yourself from its database similar to Spokeo because all it did was search deep within the Web to match the search criteria. One would have to go to each website that returned results to batten down their privacy settings or request removal.

AnnualCreditReport.com
Last, AnnualCreditReport.com is a great place for you to go to put a freeze on your credit. That's right -- a freeze. A freeze will prevent the cybercriminals and identity thieves from being able to damage your personal finances. The only time anyone will be able to apply for a loan, credit card, etc., using your personal information is when you unlock the freeze. I like to call that defrosting your credit.

This may not sound like a good idea because it can take a lot of effort to unlock your credit in the event you need to quickly allow a salesperson to run a credit check on a purchase. Bazzell told a short story of someone who was able to call the automated phone system to defrost his credit. When the report was run and the purchase was moving towards closure, the person froze his credit again in the same telephone call. That is how it should be. Is there an app for that?

Another benefit of freezing credit is for your children who already have Social Security numbers assigned to them. Freezing their credit reports will protect against unrealized credit accounts being created with their personal information.

In the event you have older children, they may attempt to apply for their own debt instruments without consulting you first. Freezing their credit will prevent them from acquiring unknown credit cards, for example.

As obvious as this may all seem, people are still not adequately protecting their PII and the PII of those who are important to them. Please take steps to be a little more private on the Interwebs every day, and then educate someone else to do so. The threats can come from anywhere.

No security, no privacy. Know security, know privacy.

David Schwartzberg is a Senior Security Engineer at Sophos, where he specializes in the latest trends in malware, web threats, endpoint and data protection, mobile security, cloud and network security. He is a regular speaker at security conferences and serves as a guest blogger for the award-winning Naked Security blog. David talks regularly with technology executives and professionals to help protect their organizations against the latest security threats. Follow him on Twitter @DSchwartzberg. The opinions expressed in this blog are those of Schwartzberg and Sophos and not of Dark Reading.