A recent report by Government Computer News sheds light on a topic that millions of people all over the world deal with on a regular basis: Internet privacy and security in the hotel industry. People have many different reasons to travel, but with the modern tech-era upon us, one of the most frequently asked questions when booking a hotel is: “Do you have Internet?” The answer is most likely “yes.”

It’s common knowledge that the world has moved online, and so has the bulk of our personal lives. The majority of us pay our bills online, we manage our bank accounts online, and some may even earn an extra or full-time income from the Internet. Even those who were once leery of that “Internet thing” are venturing online these days. With our lives so impacted by the Internet, there is an increased concern about online security. The information that we leave unguarded online can easily be obtained by unscrupulous people and used in ways that could make our lives a nightmare. Be very careful of the footprints that you leave when you are on the web.

Reports from Internetnews.com state that NebuAd, creators of the very controversial behavioral targeting technology, recently announced they will stop their ad-targeting campaign. This comes shortly after many of their clients (such as CableOne) dropped NebuAd over privacy concerns and a Congressional hearing. In a statement made by NebuAd, they stated, “plans for wide spread deployment via the Internet service provider channel are delayed to allow time for Congress to spend additional time addressing the privacy issues and policies associated with online behavioral advertising.” Along with the project being halted and ISPs canceling their contracts, CEO and co-founder Bob Dykes resigned.

NebuAd’s behavioral targeting campaign was supposed to keep information anonymous and only collect and store pertinent information so that online advertisements could reflect an individual’s tastes and offer products that they are more likely to want to purchase. The above-mentioned ISP was one of the many multiple service operators that had contracts with NebuAd for their state-of-the-art services. ISPs have been tracking and recording their users’ information and selling it to the highest bidder, which in many cases was NebuAd. While this concept seemed like a good idea, privacy advocates and security experts called it “browser hijacking,” and made it clear that an ISP could be breaking federal wiretapping laws by using NebuAd.

NebuAd required the ISPs they contracted with to inform their users of the ad-tracking campaign. ISPs did inform their users, but in many cases did not allow them to opt out of having their Internet privacy jeopardized. Also, many of the ISPs did not specifically tell their users what was happening, but just made small modifications to their privacy policies. Embarq, for example, stated in their privacy policy: “The Web sites that you visit or online searches that you conduct” may be used to “deliver or facilitate the delivery of targeted advertisements.” On a side note–only 15 Embarq users opted out. Who should be blamed then? Is NebuAd at fault for developing the eavesdropping software, or is it the fault of the ISPs who don’t tell their users they are being spied on and then sell the information? The next step is for Congress to introduce legislation requiring explicit consent from users, so that they know and willingly allow their information to be collected.

Betty Ostergren, a privacy advocate who posts Social Security numbers she found on the Internet, has been given the thumbs up by a federal judge in Virginia. Computerworld reports that the state government cannot stop her from posting the Social Security numbers on her website. At first glance, this privacy issue should enrage a lot of people. Knowing she has your personal information and is posting it all over the Internet would upset a lot of people; but how did she find this information in the first place? She got the information from the Internet and public records. The privacy advocate did this as a lesson, and to start a campaign to show people just how easy it is to find sensitive information about them.

She won the case and it was ruled that she should not have to remove the Social Security numbers from her site since she legally obtained them from public records. While the memorandum does not set a precedent, it is the first step in truly realizing how much we take our Internet privacy for granted. Ostergren’s website, The Virginia Watchdog, presents privacy issues that arise from the government posting personal information on websites. Over the past few years she has repeatedly shown that Social Security numbers have been posted and little has been done to protect personal information.

I can agree with what she is doing. She did not seek out the information from private sources or use illegal methods; she used the Internet and the public sector. Everything she found was attained from government documents that did not conceal the ultra-sensitive information. With the already astonishing number of identity thefts every year, I don’t see how the government posting such private information can help. How about a permanent marker and two seconds to hide the information? Problem solved… Ms. Ostergren also posts the information of high-profile officials, such as former Gov. Jeb Bush, former U.S. Secretary Colin Powell, and some local Virginia officials. I guess it really strikes a nerve and makes them care when their information is up there, and not just the information of the huddled masses.

Well, it is more than an Internet Service Provider, but Cable One, the 10th largest cable operator, has recently admitted to conducting a six-month study on their Internet users’ surfing habits. Cable One joins Charter Communications (as reported in a previous post) and a slew of other MSOs (multiple service operators) who spy on their customers for behavioral targeting purposes, and ultimately sell that information for big bucks to advertising companies.

Cable One revealed the information on August 8 to the House Energy and Commerce Committee, which had previously expressed their concerns on cable operators using advanced technology to invade privacy. So if I decipher this correctly: Cable One tried to defend themselves against these allegations by providing information and stating they invaded their customers’ privacy. Cable One stated that spying on 14,000 of their 700,000 customers was a better way to provide “more relevant advertising” to their customers.

Bresnan Communications and Knology also came out of the woodwork to say they spied on customers throughout a similar time frame. WideOpenWest admitted to doing this, in cooperation with NebuAd’s service. WideOpenWest stopped the program after five months because of the privacy concerns. All efforts to surf anonymously have become null and void for many Internet users, and for no apparent reason other than having better online advertisements. Shouldn’t these companies help protect personal information, not jeopardize it?

Cable One argues that they were not breaking any laws by conducting this research, and had made the information available to their users via the acceptable use policy they read when signing up for services. The information was also found in Cable One’s yearly privacy notice, which is sent to all customers. They provided users with appropriate notice, BUT did not allow them to opt out of the research, “because doing so would stifle our ability to test new technologies that have the potential to offer significant benefits to our customers.” Wow…

In essence the companies are arguing that because they put it in writing it is alright to spy on users and completely ignore any type of Internet privacy laws. It seems a bit ridiculous that my privacy rights are in jeopardy and I have no way of opting out. I can’t even choose to say “No.” In other words, even if I know it is happening I have no say in the outcome. The companies are not just able to record information for advertising purposes, but can use this technology to track and record ALL information being transmitted and received through their network. Hopefully when the Committee drafts a new law they remember to add the clause that we, as paying customers who want to feel safe, should have to opt-IN to this research–not be forced into whatever absurd money-making scheme the companies are up to.

Recently reported by the New York Times and the Herald Tribune (Sarasota’s local newspaper), a little bit more than 88% of the 38,500 students in the Sarasota school district had personal information posted on the Internet for nearly two months.

The school district has a contract (for now) with Princeton Review to maintain a database of Sarasota County Planning Tools, to help teachers develop tests and keep track of students’ grades. The information, which contained students’ names and school ID numbers (which in some cases were Social Security numbers) from this database was accidentally posted on the Internet for two months before it was finally removed this past Monday. Along with names and ID numbers the information also included students’: birth dates, sex, ethnicity, disabilities, and standardized test scores. The files were able to be found by using a search engine and Princeton Review claims the files were released when the company recently switched ISPs.

Sarasota students were not the only ones affected by this mistake; Fairfax, VA students (nearly 74,000 of them) had their information posted on the Internet as well. The company was hired to measure student performance and nearly got 74,000 students’ identities stolen. Hackers could have had a field day with this information–but if we recall correctly from a previous Identity Theft post, it usually takes the Identity Theft victim three months to realize something is wrong. In the case of a young student that has no need to check their credit ratings, it could be even longer.

The article hints around as to who is to blame here. Of course Princeton Review is at fault because the security of their system and website has been compromised and over 100,000 students had their personal information sitting on the Internet for two months. Not to mention that with the world wide web, nothing that has been posted can truly be deleted–some cached record may be sitting on a server with the information.

Is the school board to blame as well? Would they need to compile this massive database of personal information if standardized tests weren’t stressed as the focal point of a student’s education? While I am not trying to start a debate as to the validity of standardized tests, it is just an interesting subject to touch on. What happened to the days where teachers logged the information in their grade books? Is it necessary to have a massive database with every bit of information about a student? These are all questions that the school board will be answering when deciding whether or not to keep Princeton Review’s contract.

In this case I would say protecting personal information trumps the ease of sticking everything on some site to analyze the students’ performance. It is great for parents, students and teachers to have access to this information so they can all keep track of performance and make sure nothing is wrong. Is the risk of having this happen again worth it? Do students even get interim reports and report cards anymore? I remember that being a pretty good gauge as to what I needed to work on.

Today we reexamine and update a previous blog posting concerned with your privacy while travelling. A recent article presented by istockanalyst.com discusses how laptop searches cross the line between privacy and security.

Jawad Khaki was returning home from a business trip when he was stopped by customs. Khaki, a corporate executive, told customs everything he had done and everywhere he went. He was then asked to turn on his cellphone, which customs took from him and searched. Customs checked his to-do list and his calendar.

This is just one story of the line between privacy and security that is being crossed by customs agents. Does the search and seizure of laptops, cellphones, and PDAs cross the line?

The main question being presented, in both this article and my previous blog post, is: “What if a traveler’s laptop includes corporate secrets, a lawyer’s confidential documents, a journalist’s notes from a protected source, or personal financial and medical information?” Advocacy groups are concerned with the misuse of information and say they have not gotten any clear answers when posing these questions to the Department of Homeland Security. Two groups have actually filed a lawsuit so they can get that information from Homeland Security.

I understand that sometimes it is necessary to conduct these searches to protect our national security…I am not referring to the time where it does compromise national security, but instead the times where a businessman is travelling and is extensively searched above and beyond what is reasonable. A Customs and Border Patrol spokeswoman said that, “The department doesn’t keep seized electronics unless it suspects wrongdoing, and any U.S. citizen’s information that’s copied is kept only if it’s relevant for criminal or national-security investigations.” I do appreciate that, but it needs to be made into official policy.

CBP is using the same reasoning behind checking luggage to check laptops. No reason or probable cause is needed to be searched by customs. There needs to be a distinction between the two. Laptops carry sensitive and personal information, especially if it is being used for business travel. The data found on there is an “extension of a person’s professional and personal identity.” The main difference between the search of luggage and the search of a computer, which is also pointed out in the article, is that the luggage can be returned easily…but do you know what has been downloaded and copied off your laptop?

Tough situation…

A recent USA Today tech article focused on the invasion of privacy many will face when traveling to the Olympics in China this summer. The warnings, aimed mostly at federal officials and business people, are telling travellers that the Chinese government will most likely attempt to penetrate the electronic devices (cell phones, PDAs, and laptops) being brought into the country. The Chinese government intends to steal information and plant bugs to gain access to U.S. networks. Just about anyone that has political influence, a government position, or works for a large company is at risk to have their privacy completely compromised.

The Overseas Security Advisory Council states that the Chinese government frequently uses these tactics to gain access to personal and official computers. China’s Internet and wireless networks are run by the government, which has access to any bit of data being transferred. A laptop being searched by airport security or left in the hotel while attending the day’s games is vulnerable to attack. The control that the government has over the Internet allows them to invade anyone’s privacy since they have to surf the web through their network.

This is a major privacy threat for anyone travelling abroad for the Olympics. Any information you have on you is subject to Chinese inspection. Further, travelers coming home should have their systems checked before connecting to their network.

So now where does it go from here? Consider travelling without any of these electronics. If you have to bring them with you, make sure no personal or official information (of a sensitive nature) is stored on them. And if none of those precautions can be taken, then make sure a good proxy server is used while in China, and have everything on the computer’s drive encrypted.

InsideCRM.com recently published an article that outlines 50 tips to maintain your privacy and avoid ID theft or other cyber crimes. This list is comprehensive and includes great advice on how to keep yourself protected. Everything you do online is susceptible to scams and other privacy risks; these tips could end up being the difference between security and theft. The article does not focus primarily on Internet privacy; it also discusses the ways to stay protected when offline. The full list can be found in the article, but the following are some of the major points.

  • Internet Privacy
    • Don’t save e-mail address or password settings (log-in information) for frequently used sites such as online banking.
    • Use anti-virus protection.
    • If using wireless, set up a password and secure the connection.
  • Credit and Financial
    • Check your credit report about 2-3 times per year.
    • Use a credit card for online purchases instead of a debit card.
    • Never use your Social Security Number as a pin or password.
  • General Privacy
    • Don’t use your Social Security Number as an identification number (such as an employee number) or write your SS# on checks. This number needs to be secured and given to as few people as possible.
    • Understand pretexting and the danger it poses to your privacy.
  • Cell Phones and Online Phones
    • Check and understand your provider’s Privacy Policy and frequently stay informed on updates to the policy.
  • Other Rules to Follow
    • Keep your Social Security card in a safe and secure place. That place is not your wallet or purse either!
    • Shred documents that contain personal information such as birth dates and credit card numbers.
    • Look for “https” when making an online transaction. This is different from “http” because the “s” indicates a secured and encrypted connection so only you and the site have access to the information.

The tips and tools on the site are very helpful. As stated before, these can be the difference between having your identity stolen or maintaining your security. Many of these tips are common sense for some people, but the fact is identity theft and cyber crime are a problem. If you already know to keep your Social Security Number secured, that’s great! Now take the next step and do something else on the list to protect yourself.

We’ve all heard about Phishing; i.e. getting phony e-mails asking you to give up important personal information. We also all know about scams involving telephone solicitation.

Now we have Smishing, which is getting personal information by sending bogus text messages to your phone. According to an article in the Kansas City Star warning consumers about a new, multifaceted identity theft scam where victims are targeted by phone, text messages and e-mails, we now have to worry about fake text messages.

Here’s my question: “How many of us get text messages from their banking or brokerage firms?” My guess is not many at all. Therefore why would anyone believe a text message could be from their financial institution, especially in this age of ever more clever identity theft criminals?

It is sad that people get taken in by these thieves. However we all must continue to be cautious when we get a suspicious communication regardless of the way it was transmitted. The first step in preventing identity theft is to be skeptical of any communication that asks for personal information. Without willing takers, identity thieves would have a harder time collecting this information.