Monday, Jul. 02, 2001

Internet Insecurity

By ADAM COHEN

My colleague Joel Stein let drop a while back that he was working on a book proposal. I found it a bit frustrating that he wouldn't tell me the topic. Joel had been traveling a lot lately too--to Iceland to interview Bjork; to Hollywood for the Oscars--but he was stingy with details. Where was he going? Whom was he hanging with, and how much money was he spending? I've also wondered what kind of websites he surfs. And, O.K., I wouldn't mind reading his e-mail.

So I did.

Joel went out of town recently, which allowed me to duck into his office and install spying software on his hard drive. You can buy commercial spyware these days, but I used VNC, which can be downloaded free. VNC was designed to help people link their own computers. But it also worked as a cheap and easy way for me to keep tabs on Joel. Soon after loading VNC onto my computer, I was rifling through Joel's hard drive.

That book proposal? With a few mouse clicks, it appeared on Joel's screen--and on mine. (Adventures in Monogamy, a 12-chapter comic romp starring...Joel. Mystery solved.) It was also easy to pore over his expense reports, checking out whom he took to dinner in L.A., and what he thinks passes for a legitimate expense. Has Bjork even recorded $112.76 worth of CDs?

Then I--or should I say Joel?--hit the Internet. The great thing about controlling another person's computer is that you can surf the Web as if you were him or her. When you go to a site, his or her IP address--a kind of digital fingerprint--is the one that gets left behind, not yours.

I was going to mess with Joel. Stop by a few investing message boards, and have him break securities law by pumping stocks. Get him trapped by one of those FBI agents who patrol kiddie chat rooms, looking for predators. But in an effort to keep Joel--O.K., both of us--out of jail, I just posted a few items for him on pet newsgroups seeking poodle-grooming tips.

When Joel returned, I could look over his shoulder as he surfed the Net. It was weird but oddly riveting to see his cursor click, click, click its way across my screen. But in the end, there were no busty babes, no Catholic school girls looking for trouble. He actually spent most of his time on CNN.com.

Then he started opening his e-mail. The first was from our boss, about Joel's next column. I liked being a snoop in the loop. Another was from Joel's girlfriend's brother asking Joel to score free concert tickets. Then a chain e-mail from a few of our co-workers, with snarky comments about someone else on our floor they evidently don't like. Ah, isn't this what computer spying is all about?

I also had Joel's Social Security number, the keys to the kingdom. Those digits would be enough on some websites to get me a driver's license in his name--and to start a full-scale identity theft. Before long, I could be ruining his credit rating, draining his bank accounts, and--well, you get the idea.

Too bad my editors, darn them, insisted that I tell Joel what I was doing. (I can't help thinking he trashed some good stuff before I started spying.) Not that it would have been difficult to really spy on Joel at his home computer. I could have sent him spyware wrapped in an e-greeting card, programmed to install itself when he opened the card. He'd never know.

It has been two years since Sun Microsystems CEO Scott McNealy delivered his famous warning: "You have zero privacy [on the Internet] anyway. Get over it." Privacy advocates resisted that pessimistic assessment at the time. But since then, hardly a week goes by without a news story suggesting McNealy was on to something. Russian hackers breaking into e-commerce sites to steal credit-card numbers. Rings of Nigerian identity thieves. Cyberstalkers.

Just last week, Microsoft conceded that all versions of Windows 2000, and early "beta" versions of its new XP operating system due out this fall, have a "serious vulnerability" that lets hackers take control of victims' machines. Microsoft, which is making patches available for Windows 2000, has urged consumers to "take action immediately" to fix the glitch. And it is promising to cure the problem before XP's rollout.

Internet users are well aware they are trading off privacy when they dial up their modems. In a recent TIME/CNN poll conducted by Yankelovich Partners, 61% of respondents said they were "very concerned" or "somewhat concerned" that information about their Internet usage was being collected without their knowledge.

Yet websites that track users' movements are the least of it. Privacy advocates and law enforcement are homing in on nine areas--from spyware to identity theft--where they say the Internet's threat to privacy is the greatest. Here are the nine, followed by 10 ways individuals can defend themselves (see box):

1 SOMEONE MIGHT USE THE INTERNET TO STEAL YOUR IDENTITY

When police arrested Brooklyn, N.Y., busboy Abraham Abdallah in March, he had Forbes magazine's issue on the 400 richest people in America, plus Social Security numbers, credit-card numbers, bank-account information and mothers' maiden names of an A list of intended victims drawn from the issue, including Steven Spielberg, Oprah Winfrey and Martha Stewart. Abdallah is accused of using websites, e-mail and off-line methods to try to steal the celebrities' identities and make off with millions in assets. One scheme that was caught in time: he allegedly sent an e-mail purporting to come from Siebel Systems founder Thomas Siebel to Merrill Lynch, directing that $10 million be transferred to an offshore account. (Abdallah, who has yet to be indicted on federal charges, denied all wrongdoing at the time of his arrest.)

Abdallah's high-profile arrest brought national attention to identity theft, which the FBI says is the nation's fastest-growing white-collar crime. An estimated 500,000 Americans have their identities stolen each year. A sign of the times: at least four insurance companies now offer ID-theft policies. The Privacy Rights Clearinghouse, which works with victims, says it takes an average victim of identity theft two years to clear his credit rating. A growing worst-case scenario: "criminal-identity theft," in which thieves use the stolen identity when they are arrested, leaving their victims with a criminal record that can be difficult to expunge.

Most identity theft still begins off-line, often in such low-tech ways as a criminal sifting through garbage to find an unwanted preapproved credit card. But once an ID theft is under way, the Internet can make the work considerably easier. A particular problem: fast-proliferating websites that sell fake IDs.

It was a fake-ID seller who helped an identity thief run up $30,000 in false charges to Charles Glueck, a Metairie, La., dentist. After Glueck lost his wallet, the man who took it went online to get a driver's license with his picture and Glueck's identity. He then used that license to get 15 credit cards in Glueck's name and started charging. Glueck was shocked to learn later from police that the website had not broken the law because when it shipped the driver's license to the thief, the license was marked for "novelty" use only. "Once you know how to work a computer, you can be whoever you want to," Glueck says.

2 YOU MAY BE UNINTENTIONALLY REVEALING INFORMATION ABOUT YOURSELF AS YOU MOVE THROUGH CYBERSPACE

Surfing the Internet feels anonymous, like looking through the pages of a magazine in a library. But the websites you visit can look back at you. Many use "cookies" to collect data about your visit--where you go in the site, what links you click on. There was a blowup last year when it appeared that Internet advertising agency Doubleclick would match up its cookies with data from an off-line marketing company that had names, addresses and phone numbers of 88 million Americans. That plan, since abandoned, would have let the company create personal profiles of individuals and their Web-surfing habits.

Your Web browser may also be giving away information about you as you travel through cyberspace. Whether you know it or not, your browser's "preferences" menu may include your name, e-mail address and other information that can be captured and stored by sites you visit. Your Internet Protocol address can also give you away. Every computer on the Internet is assigned an IP address, the online equivalent of a street address, that allows it to receive data. Dial-up connections usually assign you a new IP address every time you connect. But if you use a fixed connection (like DSL or cable), you may have a permanent IP address that any website you visit can capture and, by comparing it against a database, connect to you by name.

Sometimes the spy is an "E.T." program, so called because once it is embedded in your computer it is programmed to "phone home" to its corporate master. RealNetworks' RealJukebox program was found in 1999 to be sending back information to headquarters about what music a user listened to. The Federal Trade Commission decided in May that zBubbles, a now defunct online shopping service once owned by Amazon, probably deceived consumers when it told them that the information it collected about a user's Web surfing would remain anonymous.

3 THAT PERSONAL INFORMATION YOU JUST PROVIDED TO A WEBSITE MIGHT BE SOLD--OR STOLEN

Websites, particularly e-commerce sites, collect a lot of data from visitors. If you buy a book or a magazine at a bookstore and pay cash, there will be no record linking you to the purchase. But the books, magazines, music and movies you buy online are all linked to you by name. Web retailers are collecting a sizable database of information on individual purchasers. Who's buying pornography, and who's buying extreme political tracts. Who's buying cancer drugs, or contraception.

E-commerce sites routinely share your information, or sell it. The Electronic Frontier Foundation launched a campaign in early June against Macys.com for giving away info from its bridal registry to its business partners. Amazon, which once permitted users to choose to keep their data confidential, rewrote its privacy policy last year to say customer data are an "asset" it may sell or transfer in the future. If an e-commerce site you bought from goes bankrupt, it could be legally required to sell your data to the highest bidder. And sites routinely sell or exchange your personal information. Privacy advocates are pushing for federal legislation requiring websites to let users opt out of sharing, as has recently happened in financial services (see box).

Theft of personal data from websites is also growing. Egghead.com sent a chilly wind through cyberspace late last year when it disclosed that hackers had broken into its system and may have accessed millions of credit-card numbers from its database. (It later found that no credit cards had been compromised.) It was a stark reminder that financial data are only as safe as every website you share them with.

There have been other recent high-profile hacks. Music retailer CD Universe lost up to 300,000 credit-card numbers; Bibliofind, a subsidiary of Amazon, had the names, addresses and credit-card numbers of 98,000 customers stolen. One thing that makes online credit-card theft more tolerable than some cyberscams: if consumers find false charges, banks and merchants should pay most of the bill.

4 THAT WEBSITE ON WHICH YOU JUST ENTERED YOUR CREDIT-CARD NUMBER MAY BE A FAKE

In April the FBI cracked a Russian ring and charged a pair of its members with conspiracy and fraud. The hackers were also allegedly involved in website "spoofing." Federal officials said the Russians tried to create a counterfeit website mimicking the real home page of PayPal, the popular online fund-transfer service. PayPal has been hit with such spoofs several times. When a fake site was operating, hackers e-mailed PayPal users and got them to click on a hyperlink with the spoof site's domain name: www.paypai.com. On many computers, a capital I looks identical to the l at the end of the word PayPal.

Near-identical domain names are easy to obtain. Banks have also been a frequent target of spoofers. Bank of America got wwwbankofamerica.com taken down--its domain name, minus the dot after www--but not before some customers were tricked into entering financial information.
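
How a mail filter or proxy could catch the two tricks described above, the I-for-l swap and the missing dot after www, is sketched in this added example, which is not part of the original article. The protected list, the small look-alike table and the function names are assumptions made for illustration.

```python
"""Flag hostnames that imitate a protected domain (added example)."""

# Assumption: the domains to protect; both names appear in the article.
PROTECTED = ("paypal.com", "bankofamerica.com")

# Characters that many fonts render alike, folded to one representative.
# Constructed and deliberately small; not a complete confusables table.
FOLD = str.maketrans({"i": "l", "1": "l", "0": "o"})


def registrable(host):
    """Return the last two labels of a hostname, lowercased.

    Simplification: production code would consult the Public Suffix List.
    """
    labels = host.strip().rstrip(".").lower().split(".")
    return ".".join(labels[-2:])


def skeleton(domain):
    """Fold look-alike characters so visually similar names compare equal."""
    return domain.lower().translate(FOLD)


def classify(host):
    """Return (verdict, protected_domain) for a hostname.

    verdict is "exact", "lookalike", "missing-dot" or "unrelated".
    """
    domain = registrable(host)
    if domain in PROTECTED:
        return ("exact", domain)
    for brand in PROTECTED:
        # Same shape on screen, different characters: paypai vs. paypal.
        if skeleton(domain) == skeleton(brand):
            return ("lookalike", brand)
        # "www" fused onto the name: wwwbankofamerica.com.
        if domain.startswith("www") and skeleton(domain[3:]) == skeleton(brand):
            return ("missing-dot", brand)
    return ("unrelated", None)


def flag(hosts):
    """Return only the hostnames that imitate a protected domain."""
    return [h for h in hosts if classify(h)[0] in ("lookalike", "missing-dot")]


if __name__ == "__main__":
    # Constructed sample: hostnames as they might appear in e-mailed links.
    sample = ["www.paypal.com", "www.PayPaI.com", "wwwbankofamerica.com",
              "www.bankofamerica.com", "www.cnn.com"]
    for h in sample:
        print(h, classify(h))
```

Because domain names are not case-sensitive, the capital I in the displayed link and the lowercase i in the registered name fold to the same skeleton, so both forms are caught.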

5 THE GOVERNMENT MAY BE GIVING OUT YOUR HOME ADDRESS, SOCIAL SECURITY NUMBER AND OTHER PERSONAL INFORMATION ONLINE

If you live in Ohio, anyone who types your name into a county database can learn your address and how much your house is worth. He can also inspect detailed floor plans of your house, showing placement of your windows, porches and balconies. Supporters of the state's online initiative call it a breakthrough for open access to government records. Critics have another way of describing it: a breaking-and-entering handbook.

Governments around the country have been rushing to put property records online. Many jurisdictions have joined Ohio in creating databases searchable by name. If you go to the Brookline, Mass., website, you can find out where Michael Dukakis lives. Miami's will tell you Janet Reno's home address.

It isn't just property databases. Wisconsin has most of its arrest and court records online. (I discovered that a former law-school classmate of mine has had two traffic violations and was a defendant in a civil lawsuit.) The federal courts have put many of their records online through a system called Public Access to Court Electronic Records (PACER). Among the data available: Social Security numbers; financial assets, which often must be revealed in court proceedings; and the names and ages of minor children.

Critics say the government has gone too far in making data available online, and there are signs the tide may be turning. California's court system is considering new rules that would deny Internet access to certain court records, including those of criminal, family and mental-health proceedings. "The purpose of making public records accessible is to ensure accountability," says Chris Hoofnagle, legislative counsel for the Electronic Privacy Information Center. That, he argues, does not require putting details of divorce and child-custody disputes or bankruptcy proceedings on the Internet.

6 FOR-PROFIT COMPANIES AND PEOPLE WHO DON'T LIKE YOU MAY BE BROADCASTING YOUR PRIVATE INFORMATION ON THE INTERNET

The murder of Amy Boyer, a 20-year-old New Hampshire dental assistant, by an obsessed admirer in 1999 called attention to an obscure part of the cybereconomy--online data brokers. Boyer's assailant paid $45 to Florida-based Docusearch.com for her Social Security number and later purchased the name of her employer. He then tracked her down on the job and killed her.

Data brokers insist they are doing necessary work, providing background information to employers, creditors and other people who legitimately need it. But many sell Social Security numbers and private financial information to anyone willing to pay their fees. Often they are the first stop for identity thieves and stalkers.

Data brokers get most of their information from government records. Privacy advocates want governments to be more selective about what information they allow brokers to harvest. California, for example, has a law that permits police to release arrest data to reporters while withholding it from businesses that would use it for commercial purposes. Privacy advocates say more jurisdictions should follow California's lead.

The Internet makes it easier for people to broker information about people they don't like. In Seattle, a battle is raging over Justicefiles.org, a frequent critic of local law enforcement. The group began posting police officers' Social Security numbers on its website. A state court has ordered the group to stop, holding that it was infringing on the officers' privacy rights. Free-speech advocates are fighting the ruling, arguing that there is no basis for preventing the dissemination of truthful, legally obtained information.

7 YOUR COMPANY OR YOUR SPOUSE MAY BE USING YOUR COMPUTER TO SPY ON YOU

Companies have the legal right to monitor their employees' Web surfing, e-mail and instant messaging. Many do, whether they warn their workers or not--so don't count on any of it remaining private. Last month the University of Tennessee released more than 900 pages of archived e-mail between an administrator and a married college president in which the administrator wrote of her love for him and of her use of drugs and alcohol to deal with her unhappiness. Employers, including the New York Times and Dow Chemical, have fired workers for sending inappropriate e-mail.

But the fastest-growing area for Internet spying is the home. SpectorSoft, a leading manufacturer of spyware, at first marketed its products to parents and employers. Sales jumped fivefold, however, when the company changed its pitch to target spouses and romantic partners. "In just one day of running Spector on my home PC, I was able to identify my fiance's true personality," a testimonial on the company's website trumpets. "I found all 17 of his girlfriends."

What can you expect if someone puts SpectorSoft's Spector 2.2 on your computer? It will secretly take hundreds of snapshots an hour of every website, chat group and e-mail that appears on your screen, and store them so that the special someone who is spying on you can review them later. A new product, SpectorSoft's eBlaster, will send the spy detailed e-mail reports updating your computer activities as often as every 30 minutes. These products work in stealth mode, so that the people being spied on are totally unaware.

SpectorSoft has sold 35,000 copies of its spyware, and it has only a piece of a booming market. WinWhatWhere, another big player, sells primarily to businesses, but what it calls the "disgruntled spouse" market has been finding WinWhatWhere. Many smaller companies have sites that sell relatively crude "keyloggers," software that records every keystroke typed on a computer.

Isn't all this spying on loved ones a little creepy? Not to SpectorSoft president Doug Fowler. "If you're in a committed relationship and you get caught because of evidence online, as far as I'm concerned you deserve to be caught," he says. Richard Eaton, president of WinWhatWhere, recognizes that in a perfect world users would reveal that they have placed monitoring software on a computer. But WinWhatWhere Investigator has a feature that allows it to be completely hidden. "Our customers demanded it," he says.

8 A STRANGER MAY BE USING YOUR COMPUTER TO SPY ON YOU

Hackers can get into your computer and look through everything on it if your defenses are down. Computers hooked up to the Internet through cable or DSL connections, which are always on, rather than dial-up services, are particularly vulnerable. A home firewall is the best protection against these sneak attacks.

Another prime method of turning your computer against you is tricking you into downloading spyware. Hence the name Trojan horse. This software's danger is hidden inside a benign exterior. That's why so many viruses--like last year's "I Love You," and recent ones promising photos of Anna Kournikova and Jennifer Lopez--are wrapped in appealing packages.

A lot of viruses are designed to damage computers, but some are aimed at stealing information. The "I Love You" virus retrieved passwords from victims' computers to send back to its creator. Other viruses are programmed to strip e-mail addresses from your address book. Back Orifice, a notorious piece of software created a few years ago by a hacking group called Cult of the Dead Cow, takes over a host computer completely. Among its privacy-invading features: it can dig up passwords and monitor every keystroke typed into it.

Computer worms and viruses can dig through the files on your hard drive. VBS.Noped.A@mm invades computers and searches for child pornography. If it finds picture files with suspect-sounding names, it notifies the police and e-mails some of the files to them--and sends copies of itself to addresses in the victim's e-mail address book. A big problem with Noped, in addition to the privacy concerns: it's often wrong.

Back Orifice is freely available online, along with newer hackware like SubSeven. There are sites like hack.co.za and astalavista.box.sk that hold a hacker's hand as he plans an assault on your computer. And there are mailing lists like BugTraq that offer up the latest viruses. As a hacker posted at astalavista.box.sk: "Nowadays, every idiot knowing how to press buttons is able to take control over your computer if you are not careful."

9 YOU MAY HAVE A CYBERSTALKER

When a woman in North Hollywood, Calif., spurned Gary Dellapenta's advances, the 50-year-old security guard got back at her via the Internet. Using her name, he posted personal ads describing fantasies of a "home-invasion rape." Six men appeared at her apartment over five months to take her up on Dellapenta's offer. Sentenced to six years in prison in 1999, he was the first person jailed for cyberstalking.

Dellapenta met his victim off-line, at church, but more often the first encounter occurs online. There are few hard statistics on cyberstalking. But Working to Halt Online Abuse, a group that helps cyberstalking victims, says it receives reports of nearly 100 cases a week. The stalkers meet their victims, according to the group, mainly via e-mail, chat groups, newsgroups and instant messaging.

Jayne Hitchcock, president of WHOA, believes that her cyberstalker found her when she got into a controversy in a writers' newsgroup. Her stalker sent sexually explicit e-mails with forged addresses purporting to be from her. One contained her home address and phone number and said she was interested in sado-sexual fantasies. At one point, Hitchcock was getting 30 phone calls a day. She was repeatedly mail-bombed--barraged with enough e-mails to shut down her computer. Her stalker also mail-bombed her husband, her literary agent and her colleagues at the University of Maryland.

Hitchcock is lobbying states to enact specialized cyberstalking laws. So far, 33 have. In most of the cases that WHOA tracks, contacting the offender's Internet service provider is enough to make the activity stop. But more than 16% of the time, victims have to go to the police.

When I was done spying on Joel, I gave him a quick rundown on what I had seen. He was fine about the book proposal. He'd been having second thoughts about it anyway. He had an explanation for the $112.76 that involved the high price of American CDs in Iceland. And he pointed out that he had not added to the snarky e-mail about our co-worker. All he did was read it. Then he told me that for the good stuff I should have spied on his home PC. That's where he does his most interesting Web surfing, he said. He went off on a brief discourse about the various kinds of hard-core pornographic pop-ups that show up when he visits soft-core sites. Joel also told me that he keeps all his financial data on his home computer. Interesting. Come to think of it, I've always wondered about his salary. Joel, I owe you an e-birthday card. Be sure to open it at home.

--With reporting by David Jackson/Los Angeles, Laura Locke/San Francisco and Elaine Shannon/Washington