
A Net of Thieves

 

It’s 10 o’clock. You’re on the Web. Do you know where your identity is? In fact, at any time of the day, the elements that make up who you are online may be manipulated in an increasing flood of fraud. What can you do to protect yourself? Read on.

INTERNET INSECURITY

THE IDENTITY THIEVES ARE OUT THERE – AND SOMEONE COULD BE SPYING ON YOU. WHY YOUR PRIVACY ON THE NET IS AT RISK, AND WHAT YOU CAN DO. 

My colleague Joel Stein let drop a while back that he was working on a book proposal. I found it a bit frustrating that he wouldn’t tell me the topic. Joel had been traveling a lot lately too – to Iceland to interview Bjork; to Hollywood for the Oscars – but he was stingy with details. Where was he going? Whom was he hanging with, and how much money was he spending? I’ve also wondered what kind of websites he surfs. And, O.K., I wouldn’t mind reading his e-mail.

            So I did.

            Joel went out of town recently, which allowed me to duck into his office and install spy software on his hard drive. You can buy commercial spyware these days, but I used VNC, which can be downloaded free. VNC was designed to help people link their own computers. But it also worked as a cheap and easy way for me to keep tabs on Joel. Soon after loading VNC onto my computer, I was rifling through Joel’s hard drive.

            That book proposal? With a few mouse clicks, it appeared on Joel’s screen – and mine. (Adventure in Monogamy, a 12-chapter comic romp starring – Joel. Mystery solved.) It was also easy to pore over his expense reports, checking out whom he took to dinner in L.A., and what he thinks passes for a legitimate expense. Has Bjork even recorded $112.76 worth of CDs?

            Then I – or should I say Joel? – hit the Internet. The great thing about controlling another person’s computer is that you can surf the Web as if you were he or she. When you go to a site, his or her IP address – a kind of digital fingerprint – is the one that gets left behind, not yours.

            I was going to mess with Joel. Stop by a few investing message boards, and have him break securities law by pumping stocks. Get him trapped by one of those FBI agents who patrol kiddie chat rooms, looking for predators. But in an effort to keep Joel – O.K., both of us – out of jail, I just posted a few items for him on pet newsgroups seeking poodle-grooming tips.

            When Joel returned, I could look over his shoulder as he surfed the Net. It was weird but oddly riveting to see his cursor click, click, click its way across my screen. But in the end, there were no busty babes, no Catholic school girls looking for trouble. He actually spent most of his time on cnn.com.

            Then he started opening his e-mail. The first was from our boss, about Joel’s next column. I liked being a snoop in the loop. Another was from Joel’s girlfriend’s brother asking Joel to score free concert tickets. Then a chain e-mail from a few of our co-workers, with snarky comments about someone else on our floor they evidently don’t like. Ah, isn’t this what computer spying is all about?

            I also had Joel’s Social Security number, the keys to the kingdom. Those digits would be enough on some websites to get me a driver’s license in his name – and to start a full-scale identity theft. Before long, I could be running his credit rating, draining his bank accounts and – well, you get the idea.

            Too bad my editors, darn them, insisted I tell Joel what I was doing. (I can’t help thinking he trashed some good stuff before I started spying.) Not that it would have been difficult to really spy on Joel at his home computer. I could have sent him spyware wrapped in an e-greeting card, programmed to install itself when he opened the card. He’d never know.

            It has been two years since Sun Microsystems CEO Scott McNealy delivered his famous warning: “You have zero privacy (on the Internet) anyway. Get over it.” Privacy advocates resisted that pessimistic assessment at the time. But since then, hardly a week goes by without a news story suggesting McNealy was on to something. Russian hackers breaking into e-commerce sites to steal credit-card numbers. Rings of Nigerian identity thieves. Cyberstalkers.

            Just last week, Microsoft conceded that all versions of Windows 2000, and early “beta” versions of its new XP operating system due out this fall, have a “serious vulnerability” that lets hackers take control of victims’ machines. Microsoft, which is making patches available for Windows 2000, has urged consumers to “take action immediately” to fix the glitch. And it is promising to cure the problem before XP’s rollout.

            Internet users are well aware they are trading off privacy when they dial up their modems. In a recent Time/CNN poll, 61% of respondents said they were “very concerned” or “somewhat concerned” that information about their Internet usage was being collected without their knowledge.

            Yet websites that track users’ movements are the least of it. Privacy advocates and law enforcement are homing in on nine areas – from spyware to identity theft – where they say the Internet’s threat to privacy is the greatest. Here are the nine, followed by 10 ways individuals can defend themselves.

 

1.    SOMEONE MIGHT USE THE INTERNET TO STEAL YOUR IDENTITY 

When police arrested Brooklyn, N.Y., busboy Abraham Abdallah in March, he had Forbes magazine’s issue on the 400 richest people in America, plus Social Security numbers, credit-card numbers, bank account information and mothers’ maiden names of an A list of intended victims drawn from the issue, including Steven Spielberg, Oprah Winfrey and Martha Stewart. Abdallah is accused of using websites, e-mail and off-line methods to try to steal the celebrities’ identities and make off with millions in assets. One scheme that was caught in time: he allegedly sent an e-mail purporting to come from Siebel Systems founder Thomas Siebel to Merrill Lynch, directing that $10 million be transferred to an offshore account. (Abdallah, who has yet to be indicted on federal charges, denied all wrongdoing at the time of his arrest.)

            Abdallah’s high-profile arrest brought national attention to identity theft, which the FBI says is the nation’s fastest-growing white-collar crime. An estimated 500,000 Americans have their identities stolen each year. A sign of the times: at least four insurance companies offer ID-theft policies. The Privacy Rights Clearinghouse, which works with victims, says it takes an average victim of identity theft two years to clear his credit rating. A growing worst-case scenario: “criminal-identity theft,” in which thieves use the stolen identity when they are arrested, leaving their victims with a criminal record that can be difficult to expunge.

            Most identity theft still begins off-line, often in such low-tech ways as a criminal sifting through garbage to find an unwanted pre-approved credit card. But once an ID theft is under way, the Internet can make the work considerably easier. A particular problem: fast-proliferating websites that sell fake IDs.

            It was a fake-ID seller who helped an identity thief run up $30,000 in false charges to Charles Glueck, a Metairie, La., dentist. After Glueck lost his wallet, the man who took it went online to get a driver’s license with his picture and Glueck’s identity. He then used that license to get 15 credit cards in Glueck’s name and started charging. Glueck was shocked to learn later from police that the website had not broken the law because when it shipped the driver’s license to the thief, the license was marked for “novelty” use only. “Once you know how to work a computer, you can be whoever you want to be,” Glueck says.

2.    YOU MAY BE UNINTENTIONALLY REVEALING INFORMATION ABOUT YOURSELF AS YOU MOVE THROUGH CYBERSPACE 

Surfing the Net feels anonymous, like looking through the pages of a magazine in a library. But the websites you visit can look back at you. Many use “cookies” to collect data about your visit – where you go on the site, what links you click on. There was a blowup last year when it appeared that Internet advertising agency DoubleClick would match up its cookies with data from an off-line marketing company that had names, addresses and phone numbers of 88 million Americans. That plan, since abandoned, would have let the company create personal profiles of individuals and their Web-surfing habits.

            Your Web browser may also be giving away information about you as you travel through cyberspace. Whether you know it or not, your browser’s “preferences” menu may include your name, e-mail address and other information that can be captured and stored by sites you visit. Your Internet Protocol address can also give you away. Every computer on the Internet is assigned an IP address, the online equivalent of a street address, which allows it to receive data. Dial-up connections usually assign you a new IP address every time you connect. But if you use a fixed connection (like DSL or cable), you may have a permanent IP address that any website you visit can capture and, by comparing it against a database, connect to you by name.

            Sometimes the spy is an “E.T.” program, so called because once it is embedded in your computer it is programmed to “phone home” to its corporate master. RealNetworks’ RealJukebox program was found in 1999 to be sending back information to headquarters about what music a user listened to. The Federal Trade Commission decided in May that zBubbles, a now defunct online shopping service once owned by Amazon, probably deceived consumers when it told them that the information it collected about a user’s Web surfing would remain anonymous.

3.    THAT PERSONAL INFORMATION YOU JUST PROVIDED TO A WEBSITE MIGHT BE SOLD – OR STOLEN 

Websites, particularly e-commerce sites, collect a lot of data from visitors. If you buy a book or a magazine at a bookstore and pay cash, there will be no record linking you to the purchase. But the books, magazines, music and movies you buy online are all linked to you by name. Web retailers are collecting a sizable database of information on individual purchasers. Who’s buying pornography, and who’s buying extreme political tracts. Who’s buying cancer drugs or contraception?

            E-commerce sites routinely share your information, or sell it. The Electronic Frontier Foundation launched a campaign in early June against Macys.com for giving away info from its bridal registry to its business partners. Amazon, which once permitted users to choose to keep their data confidential, rewrote its privacy policy last year to say customer data are an “asset” it may sell or transfer in the future. If an e-commerce site you bought from goes bankrupt, it could be legally required to sell your data to the highest bidder. And sites routinely sell or exchange your personal information. Privacy advocates are pushing for federal legislation requiring websites to let users opt out of sharing, as has recently happened in financial services.

            Theft of personal data from websites is also growing. Egghead.com sent a chilly wind through cyberspace late last year when it disclosed that hackers had broken into its system and may have accessed millions of credit-card numbers from its database. (It was later found that no credit cards had been compromised.) It was a stark reminder that financial data are only as safe as every website you share them with.

            There have been other recent high-profile hacks. Music retailer CD Universe lost up to 300,000 credit-card numbers; Bibliofind, a subsidiary of Amazon, had the names, addresses and credit-card numbers of 98,000 customers stolen. One thing that makes online credit-card theft more tolerable than some cyberscams: if consumers find false charges, banks and merchants should pay most of the bill.

4.    THAT WEBSITE ON WHICH YOU JUST ENTERED YOUR CREDIT-CARD NUMBER MAY BE A FAKE 

In April the FBI cracked a Russian ring and charged a pair of its members with conspiracy and fraud. The hackers were also allegedly involved in website “spoofing.” Federal officials said the Russians tried to create a counterfeit website mimicking the real home page of PayPal, the popular online fund-transfer service. PayPal has been hit with such spoofs several times. When a fake site was operating, hackers e-mailed PayPal users and got them to click on a hyperlink with the spoof site’s domain name: www.paypaI.com. On many computers, a capital I looks identical to the l at the end of the word PayPal.

            Near-identical domain names are easy to obtain. Banks have also been a frequent target of spoofers. Bank of America got wwwbankofamerica.com taken down – its domain name, minus the dot after www – but not before some customers were tricked into entering financial information.
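
As an added illustration (not part of the original article), here is a defender-side check for the two tricks described above: a look-alike character swapped into a brand name, and a dropped dot after www. The PROTECTED list, the CONFUSABLE table and the sample links are assumptions constructed for this example.

```python
# Added example: flag hostnames that imitate a protected brand domain.
# PROTECTED and CONFUSABLE are assumptions chosen for this illustration.
PROTECTED = {"paypal.com", "bankofamerica.com"}

# DNS ignores case, so a link shown as "paypaI.com" is really "paypai.com".
# Fold every character that can be rendered like "l" or "o" to one form.
CONFUSABLE = {"i": "l", "1": "l", "|": "l", "0": "o"}


def skeleton(name: str) -> str:
    """Reduce a lowercase name to a form in which look-alikes compare equal."""
    folded = "".join(CONFUSABLE.get(ch, ch) for ch in name)
    return folded.replace("rn", "m")  # "rn" reads as "m" in many fonts


def registrable(host: str) -> str:
    """Last two labels; adequate for .com names (no public-suffix lookup)."""
    return ".".join(host.split(".")[-2:])


def classify(host: str) -> str:
    """Return 'legitimate', 'lookalike:<brand>' or 'unknown'."""
    name = registrable(host.strip().rstrip(".").lower())
    if name in PROTECTED:
        return "legitimate"
    candidates = [name]
    if name.startswith("www") and len(name) > 3:
        candidates.append(name[3:].lstrip("-"))  # dropped dot: wwwbrand.com
    for brand in sorted(PROTECTED):
        if any(skeleton(c) == skeleton(brand) for c in candidates):
            return "lookalike:" + brand
    return "unknown"


# Hostnames as they might appear in e-mailed links (constructed sample,
# using the two spoofs the article describes plus controls).
SAMPLE_LINKS = ["www.paypal.com", "www.paypaI.com", "wwwbankofamerica.com",
                "www.bankofamerica.com", "www.cnn.com"]

if __name__ == "__main__":
    for link in SAMPLE_LINKS:
        print(f"{link:28} {classify(link)}")
```

A mail filter or proxy could run a check like this on every link before it reaches the reader; an "unknown" result means only that the name does not imitate a listed brand.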

5.    THE GOVERNMENT MAY BE GIVING OUT YOUR HOME ADDRESS, SOCIAL INSURANCE NUMBER AND OTHER PERSONAL INFORMATION ONLINE 

If you live in Ohio, anyone who types your name into a county database can learn your address and how much your house is worth. He can also inspect detailed floor plans of your house, showing placement of your windows, porches and balconies. Supporters of the state’s online initiative call it a breakthrough for open access to government records. Critics have another way of describing it: a breaking-and-entering handbook.

            Governments around the country have been rushing to put property records online. Many jurisdictions have joined Ohio in creating databases searchable by name. If you go to the Brookline, Mass. website, you can find out where Michael Dukakis lives. Miami’s will tell you Janet Reno’s home address.

            It isn’t just property databases. Wisconsin has most of its arrest and court records online. (I discovered that a former law-school classmate of mine has had two traffic violations and was a defendant in a civil lawsuit.)  

6.    FOR-PROFIT COMPANIES AND PEOPLE WHO DON’T LIKE YOU MAY BE BROADCASTING YOUR PRIVATE INFORMATION ON THE INTERNET 

The murder of Amy Boyer, a 20-year-old New Hampshire dental assistant, by an obsessed admirer in 1999 called attention to an obscure part of the cybereconomy – online data brokers. Boyer’s assailant paid $45 to Florida-based Docusearch.com for her Social Security number and later purchased the name of her employer. He then tracked her down on the job and killed her.

            Data brokers insist they are doing necessary work, providing background information to employers, creditors and other people who legitimately need it. But many sell Social Security numbers and private financial information to anyone willing to pay their fees. Often they are the first stop for identity thieves and stalkers.

            Data brokers get most of their information from government records. Privacy advocates want governments to be more selective about what they allow brokers to harvest. California, for example, has a law that permits police to release arrest data to reporters while withholding it from businesses that would use it for commercial purposes. Privacy advocates say more jurisdictions should follow California’s lead.

            The Internet makes it easier for people to broker information about people they don’t like. In Seattle, a battle is raging over Justicefiles.org, a frequent critic of law enforcement. The group began posting police officers’ Social Security numbers on its website. A state court has ordered the group to stop, holding that it was infringing on the officers’ privacy rights. Free-speech advocates are fighting the ruling, arguing that there is no basis for preventing the dissemination of truthful, legally obtained information.
