Identity Theft? That’s Been Outsourced, Too

There’s been a lot of attention paid to “pretexting”,the practice of posing as someone else in order to gain access to their personal data, lately in the wake of the HP scandal. However, a British TV program has shown that there’s more than one way to skin the identity fraud cat, as an undercover reporter was offered the personal details of 100,000 UK bank customers, stolen by offshore call-center workers.

The knee-jerk reaction is simply to point the finger at outsourcing and offshoring, but they’re largely irrelevant to the situation. Lax corporate security and indifferent attitudes towards data breaches certainly aren’t restricted to a particular country, industry or line of work, so the suggestion that banks and other companies that allow offshored workers access to personal financial information could simply solve the problem by bringing outsourced functions back in-house is inaccurate.

Quite clearly, many companies’ security policies are inadequate, unenforced or nonexistent, whether for in-house employees or external suppliers, and there’s currently little motivation for them to take the problem seriously. Whether data is kept internally or shared with offshore workers doesn’t really seem to matter — it doesn’t appear particularly secure either way.

The Age of Technological Transparency

“Executives and politicians may be starting to realize that privacy is dead and secrets can no longer be kept in the information age. There is always a technological trail, and transparency is pervasive. Just ask Patricia Dunn and Mark Foley.

In a piece at eWeek, Ed Cone from CIO Insight talks about the specific technologies that brought them down.”

From the article:

“Foley may have thought his IMs were disappearing into the ether as soon as they cleared his computer screen. Instead, the messages were saved, and his career was ruined, and the House leadership is left to fight for survival. We talk a lot a about transparency as a virtue in the age of the web, and hold it up as a marketing technique and a better way to run an enterprise. Sun’s blogging CEO, Jonathan Schwartz, is lobbying the SEC to allow more financial information to be disclosed online. Corporations are using all manner of web-techs to speak more directly to stakeholders. But transparency needs to be understood as more than a slogan or a strategy. It’s a reality. It can be imposed on you by the Internet, whether you want to be transparent or not.”

No One Has Any Idea How Much Work Email Is Spam

Can we just say, for the record, that no one actually has a good handle on how much spam is out there? This is absolutely true when it comes to corporate email accounts.

In 2001, we had a report that said that only 21% of all emails were work related, with the rest being junk or personal emails… but a year later the story was that office employees don’t get much spam at work. Last year, a report came out saying that spam made up 33% of office email, which seems lower than the other studies (which also said another 25% of work emails were personal, and thus 42% — twice of that earlier study — were work related).

The latest such study claims a flip of that original stat: 21% of corporate emails are spam. So, basically, over the past few years, we’ve had reports of lots of spam and not very much spam at all when it comes to the office — suggesting that, frankly, no one really knows how much spam there is in the office. Also, to be honest, the aggregate number is pretty useless, as different companies (and different people within a company) probably face vastly different levels of “spam threat.”

So, rather than focusing on how much corporate email is spam, why not focus on how effective (or not) IT departments are at stopping the spam from those who are most targeted?

How Retailers Watch You

“With $30 billion lost to shoplifting and employee theft last year, retailers are turning to increasingly sophisticated electronic surveillance systems to fight theft. Some systems, like RFID tags, have been well-publicized by privacy advocates. Others are less well known: video surveillance systems are being tied to software that can recognize specific types of activity and identify individuals; and data-mining software is being used to analyze everything from shoppers’ habits to irregular register activity.”

From the article: “Despite this revolution in retail tech, you won’t find many stores bragging about their new security tools. No one wants to tip off shoplifters or advertise that they suspect their customers. That’s why so much of the technology is hidden in the first place. But another reason stores don’t talk much about surveillance is that they know it sparks concerns about privacy. Consumer groups and legislators have opposed the spread of RFID and video surveillance for just that reason.”

Mandatory fingerprinting of European children

The European Union is working on a new rule that would require all children in the EU to be fingerprinted and entered into an international database. Currently, the proposed regulations would require all children age 12 and up to be fingerprinted, but some committee members are lobbying for an even younger age limit, possibly as young as six. The European Commission notes that “Scientific tests have confirmed that the paillary ridges on the fingers are not sufficiently developed to allow biometric capture and analysis until the age of six.”

Ben Hayes, spokesman for the civil liberties group Statewatch said “We are going from fingerprinting criminals to universal fingerprinting without any real debate. In the long term everyone’s fingerprints will be stored on a central database. You have to ask what will be the costs to a person’s privacy.” Statewatch also accused the EU Governments of making decisions based only on “technological possibilities – not on the moral and political questions of whether it is right or desirable.”

On the one hand, so long as you do nothing wrong, what difference does it make who has your information on file? On the other hand, however, the potential for misuse is huge. What do you think? Would you be concerned if your kids had to be fingerprinted and put into an international database? Or do you, like I do, see this as a positive move forwards in authentication?

Technology: tracking or trusting?

Would you, if you could, track how fast and how far your kids go in the family car? I drove pretty fast when I was a teenager and, for the most part, my folks never knew; if they had, I might not be here today. What about their internet usage? Would you read their e-mail or listen in on their instant message conversations? Would you want to know what websites they visit?

If the answer is yes to any of these, then you’re in luck — you’re living in the right era. There is a lot of technology available today that will let you keep track of your kids like never before. SFGate has a nice write-up of some of your options, including devices for your car — including some that would have worked with my mother’s vintage Citroens — and your computer.

While the article cites some instances where this sort of technology has helped, such as the case of a 14-year-old who met a 24-year-old man online and was given a bus ticket to meet him out of state, it covers all sides of the issue. According to Jane Bluestein, parent educator and author, “To track kids for the sake of tracking kids — I know it gives parents a sense of control, but I think it points to bigger problems in the relationship: mistrust, a need to control, a need to think for your kids.” She also points out that it’s important “for parents to teach kids how to think and act when they’re not there.”

I’d like to think that I’ll be able to trust my kids and that, by the time they’re ready to go off on their own, I will have taught them to make good choices, but that could just be my arrogant innocence waiting to be smacked down by reality. What do you think? Do you or will you use technology to stay on top of what your kids are up to? Which is more important, trusting them or tracking them?

High school reserves right to search cellphones

Framingham High School, in Framingham, Massachusetts, is famous for a number of things. Now they can add another first to their list: the principal has decided that he has the right to search students’ cell phones if he thinks they may have drugs or stolen goods. Critics, including the students, say it is an invasion of privacy. At least one student feels that administrators are making the school out to be more problematic than it actually is.

Administrators, on the other hand, say they need the policy to improve security at the school and stop illegal activity. According to federal law, schools can conduct searches if there is a “reasonable suspicion” that a student has contraband. According to the U.S. Department of Education’s Office of Safe and Drug-Free Schools, “School officials need only have ‘reasonable suspicion‘ that a particular search will reveal evidence that the student has violated or is violating either the law or the rules of the school.”

Personally, I’m not sure data held in a cell phone would be “evidence” — there could be plausible explanations for just about anything and, once upon a time, people in this country were considered innocent until proven guilty. At the very least “I’m writing a novel about a drug dealer — those are notes and excerpts” should result in reasonable doubt. I know that if I were a student at the school, I would certainly encourage my classmates to join me in putting “incriminating evidence” in their cellphones just to make the policy irrelevant.

You have to remember, though, I’m a troublemaker by nature. What do you think? Is this a reasonable policy for a high school in this day and age, or is the school really going way to far?

Marines recruiting on MySpace

The Marine Corps entrance into the hangout of 94 million mostly-teenage users is stirring up controversy.

In an effort to “fish where the fish are”, the United States Marine Corps has set itself up with a profile on MySpace in an effort to pique the interest of potential new recruits.

A Marine Corp representative said “The Internet is a great way to show what the Marine Corps has to offer.”

But some object to these tactics to recruit teenagers, noting that it’s not fair for the Corps to be using something that’s kind of like a youth domain, to “sucker youth into something they’re not really explaining fully.”

The US Army, originally leery of MySpace because of well-publicized report of online predators, plans to set up a profile soon.

Now, I’m not sure of the legalities around recruiting teenagers in the US, but this does seem a little stealthy to me, kind of like recruiting in a high school parking lot. I think perhaps I’d be more comfortable with the notion of a paid ad space on MySpace, rather than a “profile” set up as a member of the MySpace community.

What do you think? Is this just really savvy advertising or an unethical way to recruit teenagers?

Just how public are your private records?

I’ve talked before about how concerned I am regarding internet security and identity fraud. I think any country that relies on social security numbers as the main source of identification in both social and financial arenas is doing things ass-backwards and just plain stupid. Yes, fellow Americans, I mean our government allowing our social security numbers to become part of a public record both inside county courthouses and on the internet. What? You think your social security number isn’t available to anyone with internet access around the world? Are you sure?

Betty Ostergren, a 56 year old resident of Richmond Virginia, is committed to making important people angry. She puts their Social Security numbers on her Web site, or links to where they can be found. She does this because she is trying to embarass government into making privacy a priority. And she’s making an impression. She isn’t trying to make government officials like CIA Director Porter J. Goss, former secretary of state Colin L. Powell, or Florida Gov. Jeb Bush be victims of identity theft, as were millions of plain, hardworking Americans in the past year. She is on a crusade to scare and shame public officials into doing something about how easy it is to get sensitive personal data.

Ostergren discovered that a wealth of documents — including marriage and divorce records, property deeds, and military discharge papers — containing Social Security numbers, dates of birth and other sensitive information is accessible from any computer anywhere. Many of the online records are images of original documents, which also display people’s signatures. She began organizing citizens and complaining to officials on the issue in 2002, when a title examiner called to warn her that her county was about to put a slew of documents online, including pages with her signature. She swung into action, bringing enough pressure on the Hanover County Virginia officials that they halted their plans. Then she broadened her attack, targeting other counties in Virginia and elsewhere.Today, she is eager to guide reporters to her favorite example: the Social Security number of House Majority Leader Tom DeLay (R-Tex.), which is viewable via the Internet on a tax lien filed against him in 1980. She says that if she could easily find Tom DeLay’s social security number online, couldn’t internet identity thieves do just as well with your records. I think she’s got a good point.

Ostergren found that for decades, Social Security numbers, mothers’ maiden names and other crucial forms of personal identity were routinely included in dozens of documents with little thought to the consequences. That, in turn, enabled companies such as ChoicePoint to send their workers to courthouses across the country to grab such personal data for their databanks. The information is collated, or analyzed, and sold to other companies and back to government agencies. Just what I wanted to hear. All those things I assumed would remain private, like my mother’s maiden name, are out there for anyone willing to dig them up in a county courthouse. Once that information is found, it becomes a valuable commodity and can be sold over and over again to financial database organizations. Now I get why I’m on every junque mail list for credit cards ever created, regardless of the “Do Not Contact” letter I’ve sent.

Florida is one of the few states that has legally required the blacking out of sensitive data from public records. Why Florida, which has never been known for it’s forward thinking? Thank Ms. Ostergren. When she finds a well-known figure, she decides whether exposing his or her number on her Virginia Watchdog Web site might further her cause. Which is how she came to link to Jeb Bush’s Social Security number.She notified Bush through someone she knew in the administration of his brother, President Bush. Soon after, she noticed that the governor’s number was blacked out on the county Web site in Florida where it was listed. So she posted it on her site. Ostrander says:”I decided since he protected his own hind end and nobody else’s, I’d put his on there,” she said.Ostergren gets my vote for Woman of the Week. She’s my new hero!