Technology

The BBC is reporting that 25 million Britains were exposed to the threat of identity theft when the HM Revenue & Customs (similar to the IRS in the U.S.) lost a CD containing personal data.

Ouch!

This has to be one of the worst data breaches ever, since the CD was not encrypted (just password protected) and the data included:

• Name
• Address
• Date of birth
• Bank account details
• National insurance number

In case you're not familiar with that last item, it's similar to the Social Security Number here in the U.S. What else could a potential thief want?

The CD with the data was sent to another HMRC location by a lower level employee via regular mail instead of using an encrypted network connection or some other secure method. The CD never showed up at the other office and officials are now trying to determine if it was stolen or just lost.

"The data lost - bank account numbers, names and addresses - represents a gold mine for the thieves and is much more valuable to them than credit card numbers or taxpayer id numbers," said Gartner analyst Avivah Litan.

"In fact, in the black market, bank account numbers sell for the highest price, or between $30 and $400 (£15 to £200), which is significantly more than the fifty cents to five dollars that criminals pay for credit cards."

This disaster has already forced the resignation of HMRC's chairman - Paul Gray. I'm guessing the employee involved was also "sacked," as the Brits like to put it. Let's hope so.

More coverage on the BBC site - Q&A: Child Benefit Records Lost |  Analysis: How Worried Should You Be?

Who would have thought that befriending a frog could be dangerous? Well, it is, if that frog has access to things like your e-mail address, birth date, home address, work info or school info. You may say to yourself that you would never be so foolish, but what kind of info do you post on social network pages?

The security company Sophos did a study and to find out what kind of information people are sharing and how easy it is to get hold of it. So, they created “Freddi Staur” - a fake Facebook user - then sent out 200 friend invites.

“Of the 200 people contacted, 87 responded and agreed to be friends … 82% of them gave "Freddi" an open view of their profiles … 72% divulged at least one of their e-mail addresses, 84% gave up their date of birth, and 87% offered details about where they went to school and where they work.”

Having personal information on your profile isn’t the problem. The problem is who has access to the info because it could be used to steal your identity. While it may be cool to have lots of friends - even if it's just a frog - you need to stop and think what kind of information you are giving them and how safe you really are.

Read all the study details on the Sophos web site.

Update:

If one study isn't convincing enough, here is another.  The BBC show Watchdog did a very similar study to Sophos study.  They created a false identity and befriended people on facebook. Then they took their study one step further.  They actually opened bank accounts and credit cards using the information of an individual that was provided on their profile!  Social networks are not as safe as we would like to think.  Read all the study details on the BBC web site.

Need another reason to be cautious of social networks?  Here's one, facebook employees can track what profiles you are looking at.  Yep, not only can the look at anyone's profile they can track the profiles that people look at.  While it may weird you out, it also helps keep people safe.  Check out the story and decide for yourself.

Fidelity Investments lost a laptop that had sensitive employee information for 196,000 current and former HP employees. The employes were told this week that they are at risk for identity theft and that they should take steps to protect themselves.

Here's part of the email that went out to HP employees:

"This is to let you know that Fidelity Investments, record-keeper for the HP retirement plans, recently had a laptop computer stolen that contained personal information about you, including your name, address, social security number and compensation."

A web site has been set up that "includes some immediate steps that you can take to protect yourself, as well as information about how to enroll for a 12-month period of credit monitoring at no cost to you and a Fidelity call center number in case you have additional questions."

This is just the latest in string of laptop losses that have affected employees at Sun, Cisco and IBM. It's unclear if the laptops are being targeted because of the information they contain, or if it's just random theft. My guess would be random theft.

When I worked in the corporate world, laptops disappeared on a regular basis. Thieves are able to dress like the typical corporate type (tan slacks, blue dress shirt, just the right amount of hair mousse) and sneak into one of our offices. From there they'd look for an unattended laptop, pick it up, and carry it out the door as if they were rushing off to attend the next staff meeting.

Anyway...

Fidelity has good news for those affected. It appears the data was encrypted and the encryption key has expired on the machine - making the data more difficult to extract.

Here's Fidelity's take on the situation:

"At this time, we are unaware of any misuse of the information contained in the software on the laptop," said Fidelity spokeswoman Anne Crowley. "The application was running on a temporary license from a third-party software vendor. The license has expired. Since the expiration of the license, the scrambled data would be difficult to interpret and generally unusable.

We have taken steps to implement extra security processes requiring additional authentication for access to those HP accounts as well as other measures to prevent unauthorized use. We have also employed additional security controls above and beyond our already significant monitoring activity to identify if there is any unusual activity in these accounts. Further, we have reviewed activity in the HP accounts and have found no indication of unusual or suspicious activity."

The bottom line is that no matter how careful you are, someone else's blunder can expose you to identity theft. The only way to avoid it is to withdraw from modern society. I'd personally rather have the 401k money.

I've seen a number of stories, most recently in yesterday's Times Online, that describe surprise and fear over what Google knows about its users.

This is silly, in my opinion.

Sergey Brin and Larry Page - Founders of Google

The Times Online headline is "Big Google is Watching You" and the article states:

"Google has an extraordinary amount of information about its users. It logs all the searches made on it and stores this information indefinitely. Because every computer has a unique IP (internet protocol) address, every visit to every website can be traced back to the computer making it — a fact which is well known in geek circles but remarkably under-publicised outside them."

and

"Users of Google’s Gmail service, who are already having their e-mails scanned to place targeted ads, have given the company their identity, a full record of all their searches and copies of all their e-mails, stored indefinitely. Users of Google’s Toolbar are inadvertently giving the company a list of not just all their searches but also of every single website they visit. And, as the lawsuit makes clear, all this information is potentially vulnerable to subpoena."

Maybe I'm one of those geeks that realizes that this happens on virtually EVERY web site you visit.

What's a Log File and What Does it Look Like?
When you visit a web site, most will keep a log of what information is requested along with the IP address of who requested it. What does the log file look like? Here's a real sample from the Fight Identity Theft site:

192.168.1.100 - - [29/Sep/2005:09:56:28 -0400] "GET /how-to-report-scams.html HTTP/1.1" 200 22806 " http://search.yahoo.com/search?p=how+to+report+a+scam" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"

So here's what this glob of code shows...

• First is the person's IP address (I changed it to protect the visitor's privacy)
• The date and time of the request
• What was requested (in this case, our "How to Report Scams" page)
• The referring web site (in this case, the person did a Yahoo search for "how to report a scam")
• The type of browser being used (Microsoft Internet Explorer 6)
• And the operating system (Windows NT 5.0 = Windows 2000)

This is how web sites work. They collect data and log the data for later analysis (e.g. "How many people visit my homepage?" "What did a person search for to find my web site?", etc.)

What Information Are You Sharing and Can You Hide It?
So what information are you sharing as you browse the web? ShowIpAddress.com is one of many sites that will show you what a log file can capture about you. The only personally identifiable piece of information is your IP address. That number is assigned to you by your Internet Service Provider (ISP). One way or another that number can be traced back to you as an individual, even if you are surfing during work at a Fortune 500 company or other large organization.

Does that make you scared, angry, or just plain nervous? Maybe it should, maybe it shouldn't. In either case, you can browse anonymously if you choose.

There are many products and services that allow you to web surf anonymously. Most will route your requests through their servers, thus hiding your IP address. Anonymizer.com has been around for a long time and they provide a service where you can use their site to browse anonymously for free.

But, back to Google...

Are they evil because they log this information? Powerful, yes, because so many people use their services, but I wouldn't say evil.

When I choose to sign up for a service like Gmail, I know that they will be reading my email content so they can serve up related ads. That's how they make money. That's how I can have a 2.5 gigs of free storage for my messages. Yahoo has a similar policy. Same with MSN Hotmail.

When I choose to use Google search I have to know that they log what I'm searching for and analyze it to spot user patterns. The same thing happens at Yahoo and MSN.

I have to realize that sites, like Google, store this information and will use it to improve their product and to make money. I also have to realize that it could be handed over to the government.

This is all part of the trade-off we make every day between security/privacy and convenience. If you are extremely concerned with privacy you probably shouldn't be using the internet and you certainly shouldn't sign up for a service that clearly states it will read and store your email messages. If you're concerned that your search history or email messages could be revealed at a later date you should consider using a product that protects your anonymity, like Anonymizer.

Here's the bottom line...

When information is aggregated, abuses, information leaks, subpoenas, and profiteering can occur. When it does occur it should be exposed and fought. I just don't see where Google has done anything evil or different than any other web site on the internet.

Feel differently? Then please append a comment to this story.