Monday, February 11, 2008
Three years ago, Paul Trigoso received one of those emails purporting to be sent from eBay.
The email said someone had been fraudulently using his account. He needed to log in and confirm his credit card information and so forth so the company could affirm the account's validity.
He followed a link, typed in his username and password and filled out his financial information. The next day he received the email again, which seemed strange. He went to eBay and read a bulletin the company had posted about scams.
"I was already thinking, 'Man, all my money's going to be gone from my account. I'm screwed,'" says Trigoso, a recent KU graduate.
The email he responded to looked legitimate, but it was not from eBay, and the information he sent went to somebody in the Netherlands. At least, that's where all the money in his bank account, about $900, was spent.
You know such things can happen, of course. And you know you should be careful, vigilant, blah blah blah. But sometimes, on the internet, bad things just happen.
Money gets stolen. Personal information winds up in the hands of companies, legitimate and illegitimate. Information you share innocently with, say, a lawrence.com reporter, winds up haunting you every time someone Googles your name.
In Trigoso's case, it wasn't as if he'd responded to a spam email with a subject line of "Gain 3 inches in just weeks" or "Change your life today!" He was a new eBay user, unfamiliar with whether such an email was normal for the company to send, and, although he felt foolish afterward, it looked real.
When he went to Commerce Bank, the banker asked whether he had been in the Netherlands the day before. The bank reported the fraud and refunded his money in a couple of days.
A WOMAN called lawrence.com a few months ago. She had spoken with a reporter in 2006 for a story about boob jobs. She was a KU student who had had one. In the year since the story was published, she had graduated from KU and started applying for jobs.
When she called, she said that after one interview, the employer confided to her that she was a strong candidate, but that after the first thing to come up on a Google search was the lawrence.com story about boob jobs, her stock went down.
She asked us to remove her name from the story. Because this was personal information that had caused her embarrassment and there didn't seem to be a compelling public interest in retaining her name, we decided to remove it, and added a note explaining why. It seemed simple enough.
Then, upon contacting her for this story, we realized we hadn't removed her name from the comments section underneath the story, and one commenter had referred to her by name. In the months since she had called, the comment (an unflattering one) had been coming up as the top Google search result for her name. So we removed the comment.
Her name no longer appeared on lawrence.com, but Google can take a while to catch up when a change has been made to a website. In this case, it took about three days.
While the examples of Trigoso and the woman who got the boob job deal with two separate issues (security and privacy), both of these people gave away information they later wished they could take back. In Trigoso's case, he was simply tricked. In the woman's case, she made a decision to share private information that came back to haunt her.
Invasion of Privacy
One of the biggest questions of the internet age is: What are the new boundaries of privacy? In other words, how is one to deal with the new lack of control over one's image?
Bill Staples is editor of the recently published Encyclopedia of Privacy and professor of sociology at KU. He says that if something about you is on the web, you simply have to assume that people are going to see it.
"Even for people who don't necessarily want to invade your privacy, it's too tempting," he says. "When I have somebody apply for a job or something, it's like, 'Should I Google them or not?'"
And then there's the problem of misidentification. What if there are two people on Google with your name, and one is a registered sex offender? These things happen, Staples says.
Do web users simply adapt to this unprecedented lack of control over privacy, or fight it?
An often-quoted remark on this matter is, "You have zero privacy anyway. Get over it," uttered by Sun Microsystems CEO Scott McNealy in 1999.
Staples says that once during a speech he gave about privacy, a clear division emerged between two groups: the retired professors sitting in the front and a high school philosophy class sitting in the back.
The retired professors were outraged at what they saw as the breach of privacy by companies collecting information on web users. One of the high school students raised his hand. "If they get us the stuff better, who cares?" he said.
"Part of that is a shift in identity, in the sense that he literally sees himself as a consumer first, rather than the older folks, who, I think, consider themselves more as citizens," Staples says.
"I don't mean to draw that distinction so clearly, but the younger person is part of a consumer culture that they've been brought up under: companies produce stuff, we want stuff, we want to be able to get it fast, and anything that increases that is a good thing.
"I think these older folks were living under this idea that either the government or private organizations didn't have that kind of right, in essence, to cross the line."
The Google Factor
Last year, Google announced its intended acquisition of DoubleClick, an online ad placement giant. The deal is still pending, but together they will be responsible for an ad placed on nearly every website that carries advertising (including this one online).
Every time a user visits a site with a Google ad, Google serves the user an identifier called a cookie. When the user revisits the site, the cookie, unique to the user, is returned. In this way, Google could easily track users as they go from site to site, if the company wanted to.
And why not? Google could tell advertisers that those savvy readers of lawrence.com also regularly visit slate.com and kexp.org, etc., giving advertisers an invaluable picture: internet usage habits.
* Don't use Internet Explorer. Firefox (getfirefox.com) is free and far safer than Internet Explorer. Safari (the default browser on a Mac) is good, too, and also available for free for Windows (apple.com/safari).
* Don't use the same password for all your websites. At the very least, have different passwords for your banking websites and your email.
* If you get an email from a site you've got an account with, just visit that site in your browser by typing the URL or using a bookmark. Get used to not clicking links in your email; far too often they'll be fraudulent.
* Never share personal information (SSN, credit card numbers, account numbers, etc.) over email. No legitimate organization will ask for that information over email for any reason.
* If you get a phone call from someone purporting to be your bank, don't give them personal information: tell them you'll call back, and call the bank's regular central number. No legitimate organization will call you and ask for personal information.
* Even if there's nobody around, pretend someone's looking over your shoulder when you're using a public WiFi hotspot; don't do anything you'd rather keep private.
* Many banks and credit card companies offer "throw-away" single-use credit card numbers (a special credit card number that can only be used to make a single purchase). PayPal also offers this service if your bank doesn't. Use this service any time you're dealing with an online merchant you're not quite sure about.
* Trust your common sense. If it looks like a scam, it probably is. No, you didn't win the Spanish National Lottery.
In 2006, AOL published the search history of more than 658,000 users as research data. Companies, spammers, strangers are collecting information on you. The list goes on.
"There's a kind of line around us, in the sense of where we feel invaded, and I think the older generation of people expect a bigger buffer zone, and younger people are less likely to be concerned about that," Staples says. "There is a little bit of that falling into (McNealy's) line about 'Get over it.' There's a kind of resignation, I think, underneath some of it."
State of Insecurity
When Trigoso unwittingly gave away his personal information, he was likely feeding it not to some amateur punk akin to a petty street thief, but to a professional online criminal.
The Anti-Phishing Working Group, an international organization that tracks "phishing" scams like the one that got Trigoso, says that in November alone (the most recent month with available data) phishers set up 23,630 fake sites like the one where Trigoso typed his username and password.
The sites, on average, were up for only three days, and the phishers targeted 178 different companies, the vast majority of them in the financial service industry.
These are not pranksters sending out spam viruses for fun. As scammers grow more sophisticated, the picture of an organized criminal network comes more clearly into view.
And even if, say, the United States government, in the future, gets real good at cracking down on these criminals, they will be harder to track internationally. In November, China overtook the United States as the leading host of phishing sites, according to the anti-phishing group.
"We can pass all kinds of laws that restrict various things," Staples says, "but when you've got guys from China sending you stuff, or Nigeria, wherever, where there are no laws covering it, it's very difficult to screen it out or do anything about it."
With more sophisticated criminals come more sophisticated viruses. Look at Storm, a powerful virus that has infected millions of computers in the past year. It's multilayered, mutating, hard to detect, and hard to get rid of, and no one knows who is behind it.
It also has little noticeable effect on a computer's performance and little malicious behavior. This has people spooked all over the web. If whoever created it was smart enough to stay ahead of anti-virus software and propagate the virus at an alarmingly steady pace, is the virus simply waiting to flower? It's certainly conceivable. On the other hand, it could be lying low, lulling people into a false sense of security before scanning their computers for usernames and passwords.
"The scams get better and better," Staples says, "and harder and harder to detect."
-lawrence.com lead developer Jacob Kaplan-Moss contributed reporting to this story.