Showing posts with label privacy concerns. Show all posts

Wednesday, June 9, 2021

Modern police work or invasion of privacy?


NOTE: This article was initially posted in June 2019 and has been updated with new and current information.

The Maryland legislature passed a new law in 2021 that further regulates how law enforcement uses commercial DNA databases to identify suspects. With this new law, Maryland joins Utah and Montana as the only states to limit police use of these databases. In 1994, the Maryland legislature passed the Maryland DNA Collection Act, which authorized police to gather DNA evidence for certain criminal investigations. The Act was expanded in 2008 to include more crimes but also barred law enforcement from using State databases to search for relatives of a suspect, or familial matches. Maryland is the only state with such a limitation on state-run databases.

Maryland’s new law will take effect in October 2021 and bars law enforcement from using commercial DNA databases to look for familial connections. Law enforcement will be required to exhaust all other avenues of identification and then make application to a judge. Police will also have to obtain consent from a person not suspected of a crime before comparing that person’s DNA to commercial databases. 
 
         _________________________________________________________________________________
 
In March 2019, Florida police identified a suspect in a 1998 cold case murder after a man submitted his fingerprints for a job application. Law enforcement had submitted unknown fingerprints from the murder scene to a National database. As fingerprints from crime scenes, criminal arrests, clearance, and background checks are submitted to the database they are checked against the fingerprints on file. Matches are then reported back to the submitting police departments.

Fingerprints

As detailed in my blog post, “National” Record Checks?, there is not a national database of criminal records. There is, however, a database of fingerprints that matches to criminal records of individuals. Maintained by the FBI and begun in 1924, it is the world’s largest database of fingerprints and associated criminal history. Up until 1999, the system was based on manual collection, submission, and examination. Police would ink up a person’s fingers, roll out the prints on a card, and submit the card to the FBI. There, technicians would painstakingly examine each set of prints under magnification and check it against known crimes or suspects, after which the cards were filed. When the system became digital it was possible to check the submitted prints against the entirety of the database. Unknown prints found at crime scenes could then be matched against previously submitted prints and suspects developed. If you have ever been fingerprinted, your prints are stored in the system and checked against other submissions thousands of times a day.

The Florida case happened that way. In 1998, police submitted latent prints collected from the murder site. For twenty years every fingerprint submitted to the FBI was checked against the 1998 submission. The killer had avoided being fingerprinted for two decades.

Familial DNA

DNA testing was first developed for use in paternity identification.  Police in England first used DNA in a criminal case in 1986. The first DNA conviction in the U.S. came in 1987. As with any new forensic test, court admissibility was tested early on. Over the years DNA identification has been accepted and the process of collecting and identifying made more efficient. What used to take weeks now only takes days.

In 2018, police and the FBI captured a man suspected of being a serial rapist and murderer in a multitude of cases from forty years ago. The case was broken through the use of DNA. The suspect himself was smart enough not to have his DNA logged into any DNA databases. Smart detectives realized that outside of justice system DNA databases there is a plethora of information being collected by private entities. Ancestral research companies provide DNA collection kits, which allow people to submit their DNA for comparison to other samples in hopes of finding family matches. You guessed it. The profiles are stored in databases so that they can be pinged during searches.

Checking crime scene DNA against public sources of DNA, police were able to get a familial match. That match narrowed the pool of suspects down to one family.  This method has been tagged as “genetic genealogy”.  After the familial match, through traditional police work, detectives were able to identify a suspect. 

Genetic genealogy also works to identify the victims of violent crimes. In 2019, Anne Arundel County Police identified the remains of a man who had been discovered in a trashcan during the construction of Marley Station Mall in 1985. Roger Kelso was believed to have been killed in the 1960s and buried in the woods where the mall would eventually be constructed. Police compared the victim’s DNA to samples in public databases to form the familial match. The long cold case is now active.

The same methods were used to identify the remains of a woman and children found buried in barrels in the woods of Allenstown, New Hampshire in 1985. Although law enforcement had long ago associated the victims to serial killer Terry Rasmussen they had never identified the victims. By using genetic genealogy police in 2019 were able to finally identify the victims as Marlyse Honeychurch and her daughters Sarah McWaters and Marie Vaughn.

As you can imagine privacy watchdogs are all over the issue of law enforcement having access to private sector databases.

Genetic privacy

Ancestry and 23andMe are the largest consumer testing providers. Both companies have policies in place that prevent law enforcement from having direct access to the databases. However, customers of both companies, hoping to grow their family tree, can upload their personal results to public databases. This is where law enforcement has access to the DNA results. Ancestral DNA companies are working to find a balance. While they do not want to allow complete access to databases for misdemeanor crimes, companies do allow access for violent crimes. As law enforcement finds success they will rely more on these DNA databases.

Opponents of this kind of police work feel that the use of relatives’ DNA on public databases constitutes an unwarranted search and is thus illegal under the Fourth Amendment. State legislatures are paying attention, as Maryland and a few others have had bills introduced to bar police from using relatives’ DNA to track criminals.

Fingerprints, DNA, facial, hair, optical: these are all methods of identifying humans as individuals. All were new sciences at one time. All have made their way through the world’s courts as legal ways of making identifications. There are most certainly other scientific discoveries that will be added to the list. The question is and always has been, where does the privacy of individuals get compromised in the name of justice?

Tuesday, May 7, 2019

Shut down Apps?


The thought for this blog post started with the idea of security regarding remaining logged in to mobile apps. The question was, does that open any doors for hackers to access data on either other apps or your phone? It ended up going down quite a rabbit hole of security and hacking techniques that only goes to show that cybercrime and security are ever-present and evolving.

Cross-Site Request Forgery (CSRF) has been a known vulnerability since 2001. According to The Open Web Application Security Project CSRF is defined as:
A type of attack that occurs when a malicious web site, email, blog, instant message, or program causes a user’s web browser to perform an unwanted action on a trusted site when the user is authenticated. A CSRF attack works because browser requests automatically include any credentials associated with the site, such as the user’s session cookie, IP address, etc. Therefore, if the user is authenticated to the site, the site cannot distinguish between the forged or legitimate request sent by the victim. 

If you are logged in to sites and a cybercriminal can get you to visit one of their web sites or open an infected email or IM, they can then make your browser send requests to those other sites posing as you, thus gaining access to whatever you have open. This kind of attack generally only occurs within the same browser. In other words, once you have clicked on a malicious site, the attack could flow across any other sites you have open within that browser, but it would not jump to another browser, say from Safari to Firefox. An open browser could not transfer the attack to an open app, as the two store their own credentials or cookies and do not share them. The same goes for apps themselves: they store their own data. The malware would need a conduit to access other apps or your phone.

Heck of an opening to a business blog. Why do you need to know this? It is why it is important to log out of company websites and software either on your desktop or your mobile.
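The CSRF description above, seen from the site's side, as an added example that is not part of the original post. It shows why a session cookie alone cannot tell a forged request from a real one, how a per-session token and an origin check let the server tell them apart, and why logging out ends the exposure. The site name, user and in-memory session store are constructed for the illustration.

```python
import hashlib
import hmac
import secrets

# Constructed demo state: session id -> user name (a real site uses a session store).
SESSIONS = {}
SERVER_KEY = secrets.token_bytes(32)      # server-side secret, never sent to the browser
TRUSTED_ORIGIN = "https://bank.example"   # hypothetical site name


def login(user):
    """Create a session; the returned id is what the browser keeps as its cookie."""
    sid = secrets.token_urlsafe(16)
    SESSIONS[sid] = user
    return sid


def logout(sid):
    """Server-side logout: the cookie value no longer maps to any user."""
    SESSIONS.pop(sid, None)


def csrf_token(sid):
    """Token bound to one session, embedded only in pages the site itself serves."""
    return hmac.new(SERVER_KEY, sid.encode(), hashlib.sha256).hexdigest()


def handle_transfer(cookie_sid, origin, form_token, check_csrf=True):
    """Decide whether a state-changing POST is accepted.

    cookie_sid is attached by the browser automatically, whichever page
    triggered the request. origin and form_token are the two signals that
    let the server distinguish its own pages from someone else's.
    """
    user = SESSIONS.get(cookie_sid)
    if user is None:
        return "rejected: not logged in"
    if check_csrf:
        if origin != TRUSTED_ORIGIN:
            return "rejected: cross-site origin"
        expected = csrf_token(cookie_sid)
        # Constant-time comparison so the token cannot be guessed byte by byte.
        if not form_token or not hmac.compare_digest(expected, form_token):
            return "rejected: bad or missing CSRF token"
    return f"accepted for {user}"


def demo():
    sid = login("alice")
    other = "https://other.example"  # stands in for any page the site does not control
    results = {}
    # The site's own form: cookie, matching origin and the embedded token.
    results["legit"] = handle_transfer(sid, TRUSTED_ORIGIN, csrf_token(sid))
    # Cross-site request against a handler that trusts the cookie alone.
    results["forged_unprotected"] = handle_transfer(sid, other, None, check_csrf=False)
    # Same request against the protected handler.
    results["forged_protected"] = handle_transfer(sid, other, None)
    # Right origin but a guessed token still fails.
    results["forged_bad_token"] = handle_transfer(sid, TRUSTED_ORIGIN, "guess")
    # After logout even the cookie-only handler has nothing to act on.
    logout(sid)
    results["forged_after_logout"] = handle_transfer(sid, other, None, check_csrf=False)
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:22} {outcome}")
```
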

Developing security

Over the years sites and apps have become more security conscious, shutting down your logon after a period of non-activity and/or making you log in every time. It is sometimes a pain to log back in, but it’s for your own security. With the addition of biometric features on mobiles, even the pizza ordering apps require a fingerprint to gain access. Games and social media apps/sites tend to keep you logged in. The term for this is “frictionless”, because the developers want you to have easy access, at all times, to keep you engaged in their product.

We do a lot of browsing and an increasing amount on our mobile devices. Lots of times your thumbs get fat and you errantly click on the wrong thing. It doesn’t take much to click on the wrong link, even if you close it right away it may be too late. The same goes for links within emails. We get a ton of email to business accounts. It’s hard to distinguish every email between real and spam. Spam emails and links get opened. When employees are accessing company databases and files they are using those same computers to access their company email. Depending on computer use policies or adherence to the policy, employees may also be accessing their personal email accounts and browsing the web. This is when the company system becomes vulnerable to CSRF attacks and others.

Watering hole attack

It is what the name implies. A cybercriminal monitors a company’s employees to determine where they congregate, e.g., restaurants, bars, etc. The criminal bets that one or more of the employees will access the “watering hole’s” website for menu information, reservations, etc. The criminal places malware on the establishment’s site. When an employee does visit the site, the criminal then has access to the employee’s computer or phone. Any company files or databases that are open (logged in to) are now fair game for the criminal.

None of this, including the precautions, is new. The same security tenets we’ve heard over and over still hold true.
Don’t open or click on suspicious emails or links in emails, texts, or IMs, especially while logged into other accounts.
Don’t keep sites open. Log out.
Change passwords frequently
Don’t use the same password for multiple sites
Don’t save passwords on your browser
Keep system security updated

I’m not a cybersecurity expert just a security conscious user. Hope that this information has been helpful.

Regarding the initial reason I started doing this research, open mobile apps: it appears that it is OK to leave them open. Again, most security-conscious apps, like financial ones, will time out and require login. So the chance of a criminal gaining access to your phone and then entering your bank account through your bank app is probably low.

Most risks to mobile apps occur at the server level or through poor app development, not actions by the user. Although using public WiFi (Wifi for dummies) is one of the biggest user faults to app security.
Research for the blog revealed information debunking an iPhone myth. Quitting apps does not help save battery life. The iPhone OS is designed for multitasking and places the app in suspension until needed. Closing and reopening the app actually causes the phone to use more power as it is starting the app from scratch. So keeping open frequently used apps doesn’t affect battery life.

Please feel free to share. Check the archives for other posts about privacy and online security.
Are you being watched? February 2018
Keys to the vault August 2015
There’s been a breach February 2015



Monday, April 15, 2019

Hey! That’s my WiFi!

Have you ever checked your home WiFi connection and noticed a long list of possible connections? Unless you live in the woods with few neighbors you’ll very likely pick up a lot. Sometimes you get a laugh at some of the crazy names your neighbors use and sometimes a start when you see NSA_Van_9.  The thing is, your router is also popping up on your neighbors' list.  

I did just that the other day and was wondering who else might be using my WiFi. Just like stealing cable in the old days, only not as personal a connection, someone close by could be sucking off precious signal strength. What I found wasn’t as shocking as much as a surprise.

Wi-Fi use

Slow WiFi is one indicator of someone using your signal, depending on the plan you have with your provider and your own usage. You can quickly check what devices are using your WiFi by logging in to your router. Once logged in, you will be provided with a list of the devices currently logged on. A simpler way is to use a third-party app such as Who’s on my Wi-Fi. This app will use your Wi-Fi signal and provide a list of devices currently using the signal. It is not necessary to provide any personal or router information. The list is made up of IP and MAC addresses. Once you have the list, the task becomes identifying the devices.

I used this app to search for devices, and it returned a list of twenty-five devices currently logged on. After running down the list and doing some light deciphering I was able to determine good news and a surprise. The good news: no foreign devices were located. The surprise? All the devices were mine! The search revealed twenty-five devices, and that did not include the devices that were not currently logged on or had Wi-Fi disabled. If everything were in use the total would be over thirty.
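The identification step described above, as an added example that is not part of the original post: it takes a pasted device list in the style of `arp -a` output, normalizes the MAC addresses, and compares them to an inventory of devices you own. The sample lines, addresses and inventory are constructed. Addresses with the "locally administered" bit set are flagged separately, because phones and laptops that use private (randomized) Wi-Fi addresses show up this way and are often your own devices under a MAC you have not recorded.

```python
import re

# Constructed sample mixing macOS-style lines (leading zeros dropped, colons)
# and Windows-style lines (dashes, upper case). All addresses are invented.
SAMPLE_ARP = """\
? (192.168.1.1) at a4:2b:8c:10:22:1 on en0 ifscope [ethernet]
? (192.168.1.12) at 3c:5a:b4:9e:1:7f on en0 ifscope [ethernet]
  192.168.1.23          DA-A1-19-33-4C-02     dynamic
  192.168.1.40          58-C1-7A-6B-0D-E5     dynamic
? (192.168.1.77) at (incomplete) on en0 ifscope [ethernet]
? (224.0.0.251) at 1:0:5e:0:0:fb on en0 ifscope permanent [ethernet]
? (192.168.1.255) at ff:ff:ff:ff:ff:ff on en0 ifscope [ethernet]
"""

# Constructed inventory: normalized MAC -> label you chose for the device.
INVENTORY = {
    "a4:2b:8c:10:22:01": "router",
    "3c:5a:b4:9e:01:7f": "living-room TV",
}

IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
MAC_RE = re.compile(r"(?:[0-9A-Fa-f]{1,2}[:-]){5}[0-9A-Fa-f]{1,2}")


def normalize_mac(raw):
    """Return the MAC as lower-case, colon-separated, two hex digits per octet."""
    return ":".join(part.zfill(2).lower() for part in re.split(r"[:-]", raw))


def classify(mac, inventory):
    """Return (status, label), or None for broadcast/multicast entries."""
    first_octet = int(mac[:2], 16)
    if first_octet & 0x01:           # group bit: broadcast or multicast, not a device
        return None
    if mac in inventory:
        return ("known", inventory[mac])
    if first_octet & 0x02:           # locally administered: typically a randomized MAC
        return ("unknown-randomized", None)
    return ("unknown", None)


def audit(arp_text, inventory):
    """Parse the device list and return (ip, mac, status, label) per real device."""
    findings = []
    for line in arp_text.splitlines():
        ip = IP_RE.search(line)
        mac = MAC_RE.search(line)
        if not ip or not mac:        # e.g. "(incomplete)" entries carry no MAC
            continue
        norm = normalize_mac(mac.group())
        verdict = classify(norm, inventory)
        if verdict is not None:
            findings.append((ip.group(), norm) + verdict)
    return findings


if __name__ == "__main__":
    for ip, mac, status, label in audit(SAMPLE_ARP, INVENTORY):
        print(f"{ip:15} {mac}  {status:18} {label or ''}")
```

An "unknown-randomized" entry is best resolved on the device side, by comparing it with the Wi-Fi address shown in each phone's or laptop's network settings, before treating it as a stranger.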

Internet of Things (IoT)

As determined in the post Locking Down the Internet of Things, we have, over time, without plan or intent, created our own IoT. That happens in most households. Excluding phones, 74% of U.S. homes have at least one smart device. Few people plan to set up a smart home system; it happens in bits and pieces. A security camera and/or alarm system, new appliance, TV, thermostat: one device at a time your IoT builds. Then a smart speaker is added that is able to control some or all of the devices and your IoT smart home comes to life. Added to the phones, tablets, and eReaders already connected, your WiFi list expands.

Security

With all of the security breaches that seem to be a monthly news item, we have become numb to the warnings of password and network security maintenance. It is important to perform regular checks of our home system, especially as we add smart devices to our homes. (Are you being watched?) Properly set up new devices and be aware of what access you are granting them.

The Wi-Fi usage check is yet another added security check but one that should be completed every so often. Just like changing your smoke alarm batteries at the seasonal time change it doesn’t hurt to set up some calendar reminder to review your home network security. This quick WiFi check not only reveals possible hacking but also helps you to get a handle on the number of devices in your home that are accessing the Internet.

Have you detected someone stealing your WiFi?  Tell us about your experience in the comments. 

Please share. Refer to the blog archive for more posts about Internet security.

Friday, October 19, 2018

Privacy access


Responding to privacy concerns and the EU’s restrictive privacy legislation, Apple launched a new portal on October 17, 2018, that allows users to see what kind of data Apple is collecting and storing. The portal has been available in Europe since May 2018. The portal provides users with a report on tracked data such as App store purchases, support history, calendars, photos, documents, and browser bookmarks.
To access the portal follow these steps.

Sign in with your Apple ID. You may be asked to authenticate the sign in.
You will then be presented with this page

Under the heading, Get a copy of your data, Click on Get Started
You can then select which data you wish to download or you can select all. Keep in mind that how much you select will affect file size and download time.

Google also has an option to download your data. Access by signing in to your Google account.
After signing in, in the top right, click on the checkerboard symbol and receive this drop down


Click on Account. Under the section Personal info & privacy, click Manage your Google activity

Scroll down to Control Your Content and click on CREATE ARCHIVE under Download your Data. 


The next page, select the data you wish to download.



Refer to the blog archive for more articles on privacy and security.

Sunday, June 3, 2018

What we give up for convenience


If you think about it, who is the culprit in the multitude of personal data breaches? The hackers? The companies that failed to protect the data? Or is it ourselves for uploading our personal data in the first place? This really isn’t a proper question because we aren’t the culprits. But the point is that we, ourselves, allow more and more data to be collected by mega corporations. Sometimes it is as innocuous as registering on a web site or app, which we cannot always avoid because in order to do business in the digital world we have to. What I mean by allow is two pronged. One, we are not outspoken enough about the Googles and Facebooks of the digital world collecting data. Facebook has seen a little backlash recently, but people will continue oversharing every detail of their life. But that’s the really big picture.

Second, and more specific to personal security, is what we allow by making choices to upload or share personal data. We do this by plugging in the new smart TV without learning about its capabilities and without changing the settings. Or by installing the multitude of other appliances, cameras, digital assistants that we bring into our homes and plug and play. Anything you can talk to on demand and receive a response has to be listening all the time. Creepy? We will allow apps to track our location so that when we are in certain stores or near certain locations we receive notifications. As with listening, these apps aren’t waiting for you to arrive at a certain location, they are tracking and storing your every move until you arrive at the specific location.

How much privacy are we willing to give up?

Last month police and the FBI captured a man suspected of being a serial rapist and murderer in a multitude of cases from forty years ago. The case was broken through the use of DNA. The suspect himself was smart enough not to have his DNA logged into any DNA databases. Smart detectives realized that outside of justice system DNA databases there is a plethora of information being collected by private entities. Ancestral research companies provide DNA collection kits, which allow people to submit their DNA for comparison to other samples in hopes of finding family matches. You guessed it, the profiles are stored in databases so that they can be pinged during searches.

Checking crime scene DNA against public sources of DNA, police were able to get a familial match. That match narrowed the pool of suspects down to one family. Then through traditional police work detectives were able to identify a suspect. As you can imagine privacy watchdogs are all over the issue of law enforcement having access to private sector databases.

For some time Amazon has been offering package delivery inside of your home. Utilizing an Amazon smart lock, with the customer’s permission and knowledge, delivery personnel can unlock your door and drop the package inside. Of course, you are alerted at each step of the process. Amazon recently announced package delivery to your vehicle. Currently the service is only offered to owners of GM and Volvo vehicles in certain cities. This is the privacy we give up for convenience. We allow cleaning and pet sitting services into our vacant homes, but more than likely we have met the workers performing the services. I’m sure Amazon does a fantastic job vetting its employees. The point is we are giving complete strangers access to our homes and vehicles. We are then shocked and surprised when something bad happens.

Check yourself

As with corporations and social media we gladly share and upload personal data, even our current location and DNA profiles. Trusting souls that we humans are we don’t cry foul until there is a breach or government overreach. Even though we are the ones that probably share a little too much.

You can’t always avoid uploading data or providing data through registrations. What you can do is be aware of what and to whom you are sharing. Monitor your financial accounts and pay attention to announcements of breaches. You may not be directly affected, but your other accounts may have been compromised through third party links to the breach victim.

Just as we are told to change smoke detector batteries at Daylight Saving Time, maybe we should get in the habit of doing online security checks every time there is a breach announcement.

Please see the blog archive for other posts relating to privacy.
Keys to the vault August 2015

Tuesday, May 22, 2018

There’s been a breach


Note: This post was originally published in 2015. It has been updated with new information relating to the topic. 

Last week Twitter announced a breach of passwords. Twitter claimed that no personal data was released and encouraged users to change passwords. Since the big breaches from the fall of 2014 it seems like every month we have heard about a new breach. If not banks then major retailers or healthcare systems. The private information we entrust others to keep safe is being violated on a regular basis.

Try as you might to stay off the “grid” by paying cash, getting paper statements, or banking in person, eventually you will be a victim of identity theft or some sort of financial intrusion. Either because of convenience or because a company demands you use an electronic system. It is difficult to navigate in today’s world without having some portion of personal data stored on an institution’s computer.

Personal data

Ever check out at a store that you shop infrequently and they ask for your address, phone number, or name, and you’re in their system? Freaky right? At some point you’ve provided them with your personal information. Larger companies own smaller companies…your personal data is bought and shared daily.

Tax season just passed and it’s a good bet that when you filed your taxes, electronically of course, your return was rejected by the IRS because, surprise, the return associated with your social security number has already been filed.  

The IRS estimates that more than 122 million returns were filed electronically in 2017. While the IRS has seen a decline in personal tax fraud, falsified business returns have increased. The IRS identified 10,000 compared to 4,000 fraudulent business returns in 2016. The IRS doesn’t publish everything it is doing to combat tax identity fraud. Some of the public efforts are tightening access to private sector filing software and more thoroughly scrutinizing refunds. When your SSN has been compromised the IRS issues you an electronic identification number for future filings. This solution should keep your tax information safe, as it is a unique number. But so was your SSN at the time it was generated.

We used to worry about someone stealing a driver’s license or credit card. If that didn’t happen you didn’t have much to worry about. Years ago, while I was working as an undercover detective, and when I say “years ago” I mean before there was a computer in every home and a world-wide inter web of computers, a senior administrator had a briefcase stolen that contained contact information for all of the detectives. Not just names and phone numbers but addresses, birthdays and yes, the coveted social security number. Not sure what we called it then, but it wasn’t a breach. But in today’s terminology, the breach compromised so much personal information, what could one do? You couldn’t completely change everything. In those days though we were more concerned with operational security than identity theft. Yes, identity theft occurred, but not on the level or frequency as today. The criminals at that time weren’t as sophisticated in that skill set as they are today. Plus, copying and sharing was a literal concept. The documents would have to be photocopied and personally distributed.

We knew that if we worked hard and fast to recover the documents, we could determine the extent at which the information had been distributed. The faster the culprit was caught, the less chance the information could be distributed. Today, your information can be stolen from a third party vendor’s database by a criminal in another country and uploaded to a distribution network all from a keyboard, in a matter of minutes.

Document, document, document

The tenets of the paper world of long ago still hold true. Identify the breach and work fast to stop the leak.
Once you’ve identified a problem, you need to start working to quickly plug the leak. Contact the source through which you became aware of the breach (credit card, driver’s license, IRS, etc.). Get that entity started on resolving the issue. File a complaint with the Federal Trade Commission, your State’s Attorney General’s Office, even the FBI if you seem to be a part of a larger breach. File local police reports also. It may seem for naught but you’ll have a record of the report and a case number to go with any other complaint filings. Most of the entities you will deal with, including law enforcement, have online complaint forms. It doesn’t take long and you can get it done in less than a day.

Document, document, document, everything you do and the entities you’ve contacted. Keep your notes for future reference.

Consider a monitoring program. There are lots of companies out there that perform this service. Of course do your research and choose wisely. If the breach occurred from a major retailer, financial, or health institution, they may offer some sort of credit monitoring or identity repair service for free. Take advantage of it.

Update, update, update

If you get notification of a password breach or hear it on the news, such as the recent Twitter breach, don’t ignore it. Like Twitter, companies publicize that no personal data was infiltrated but passwords “may” have been compromised. It is important to regularly change passwords as a matter of routine. However, when a company has had their password database specifically breached it is important to act quickly and update your settings. It is equally important to update other accounts in which you use that same password. Maybe get in the habit of updating passwords whenever there is a breach in the news. 

We should have different passwords for every account but let’s face it, no one does that. So when one password is compromised the other accounts that use that same password are now in danger of being hacked. Cyber-criminals have highly sophisticated search processes. They may not be searching for you, specifically, but once they get your logon or password they can use that to find other accounts. Once they have one piece of the puzzle it isn’t that difficult to break the rest.

Monday, April 2, 2018

How secure are apps?


Every business is pushing their mobile apps. Some are highly interactive, giving access to secure accounts. Others are merely informational, almost static platforms. Every day we become more and more dependent on our phones. The Pew Research Center estimates that 77% of Americans have a Smartphone. A conglomerate of different studies from 2017 reported that Americans average five (5) hours a day using mobile devices and of that time 90% is spent using apps. Now when you allow that everything on your phone is an app of some sort it kind of diminishes the 90%, but the point is that we are on our phones a lot.

Why have an app?

Phones are now like appendages. We are rarely without them. This is a big reason why companies push apps. That and because the phones create a focal point for data collection. Most apps require some sort of registration. That provides a modicum of security but it is mostly for data collection. Location services on smart phones allow app users to be tracked and pinpointed where they are using the app. This lets the business collect not only your personal information but how, why and where you’re using the app, and what you are buying. All of this data is used to target advertising and reshape sales.

Since 2014 mobile Internet use has been more common on mobile devices than desktops. You can accomplish so much on your phone now you probably could go days without turning on a laptop or desktop. Apple has a cute commercial where the camera follows a girl throughout her day using her iPad.

A neighbor asks her what she is doing on her computer. She answers, “What’s a computer?”
The procession to apps began with the advent of online access to accounts and shopping. To encourage electronic account access, some companies even threatened higher fees for receiving paper documents through the mail. Then everything moved to our phones. Businesses lure customers into their apps with rewards or deals for using them. Some put more effort into their apps than their websites.

Secure?

How secure are all these apps we’re either using voluntarily or “forced” to use by companies? The transmission of data between the user’s phone and the app servers usually has end-to-end encryption, meaning the data being sent and received is encrypted. The problems arise from the user’s lack of security awareness and hacks into the apps’ servers.

A high percentage of our phone use is in public. If you’re concerned about data usage you’re always looking for a WiFi signal. Logging into public WiFi is one of the most insecure actions a Smartphone user can take. If you don’t inadvertently log into a hacker’s signal then you’re sending a signal that your phone is publicly available. Once a hacker zeros in on your phone they can intercept your transmissions to and from the apps you are using. Intercepting the phone’s connection to the router is commonly known as “man in the middle”. While that is still a popular hack, it is time consuming and much more work than going after the bigger treasure: company servers.

Why is it important to frequently change passwords? And not use the same passwords or login/password pair for more than one account? More sophisticated cyber criminals know where the money is. It’s in the servers of big companies. If not the financial records then the personal data. Recently, Under Armour announced that their app had been breached. They assured users that no financial data had been accessed, only user names and emails. While that may give some a sigh of relief there’s still a problem. Hackers will sell those user names, emails, and passwords on the dark web. They’re valuable because many users will use the same login information across many accounts. Hackers can use the data gleaned from one breach to access your other accounts.

Using an app is only as safe as the host’s protection of its server data and the way you use the app. Most of the security issues are out of your hands. If you are not compromised in public, more than likely the company’s servers or the app itself will be hacked, exposing your data. All you can do is be as safe and aware as possible on your end. Monitor accounts and change passwords frequently.

Please feel free to share. Check the archives for other posts about privacy and online security.
Are you being watched? February 2018
Keys to the vault August 2015



Tuesday, February 20, 2018

One born every minute


You are security conscious and know all the Internet dos and don’ts, but sometime it is going to happen. You’re going to fall for click bait, open an infected email attachment, or fall for a social media hoax. You’re not dumb. You’re not gullible. You’re not alone. People of all ages, backgrounds, and intelligence will fall for social media hoaxes. Including this writer.

As with any scam, whether it is a criminal affair or a joke, the perpetrators play on our human nature and how we react to stimuli, most notably anything that threatens our family or personal well-being. Fear. As with any con, the perpetrator uses broad, widely known information, with some truth sprinkled in for good measure. Sometimes, as is the case with privacy issues, the perpetrator will use functions of the app to make the hoax believable, instructing the victim to perform a function within the app that produces a result. When the result happens, it further validates the hoax.

The ones that get you are intelligently written in a generic style or tone that could be from any close friend or relative that you would normally trust. They either forward the item to you, or worse, endorse it with a message that reads something like, “Tried it. It works!” or “This is true”. Most people don’t do research. If so and so posted it must be true, and we quickly click ‘share’. After fourteen years, Facebook is still having trust issues with its users. Anything that hints at a privacy scandal runs wild and users react.

Hoaxes, just like malware, circulate, mutate, and resurface, sometimes years after being launched. The one that got me was the ‘Following me’ security check on Facebook. [Spoiler alert-It’s a hoax] You receive a message from someone you trust that reads like the photo heading of this blog post. And trust me, it will read like the above photo because the original language just keeps getting forwarded. Following the steps outlined in the post you’ll find these unknown people “following” you on Facebook. You quickly go to the next step and start deleting all of these unwanted followers. How dare they intrude onto my highly secure and private Facebook page! The nerve.

After testing the theory and seeing that it does indeed reveal hidden followers, you forward the message on with your own endorsement. Because it does work, it must be true. You have to alert all of your friends. I didn’t go that far. But it did give me an idea for a blog post. A couple minutes of research had me SMH. Got me!

Snopes.com addressed this very hoax in a January 2017 article that was updated in September 2017 (Are Facebook users secretly following you?). Snopes traced the origin to a rumor post being circulated that Facebook security teams were paid to follow individual accounts. The post read similarly to the one pictured, except the user was instructed to enter ‘Facebook security’ in the block users search box. While this did return a list of people, it was determined to be people who had used ‘Facebook security’ in their profiles. In September 2017, the hoax took on the form we have pictured. However, now following the instructions returns a list of people that have “me” in their profiles.

In fact, the search box reads


So the hoaxers set you up with instructions that return what they want, a list of people you’ve never heard of, which gives validity to the hoax. Which gets it forwarded. And on and on and on it goes.

Please feel free to share. See the blog archive for more posts about privacy.
Are you being watched? February 2018

Tuesday, February 6, 2018

Are you being watched?


Do you feel safe in your home? Your exterior is probably pretty well defended against intruders with metal doors and deadbolts, locking windows, and maybe an alarm system. How about intruders from within?  “…The call is coming from inside the house”, an oft repeated quote from the 1979 movie, When a Stranger Calls, can still make your skin crawl when you’re all alone, think you heard a noise, and then the phone rings. Just the thought of an intruder with you in your home can be terrifying. There may not be physical intruders inside your home at this moment, but someone may be listening or quite possibly watching.

Internet of things

Kevin Ashton of Procter & Gamble first coined “Internet of things” in 1999. It is defined as a network of devices, appliances, vehicles, etc. that connect and exchange data through the Internet. It is estimated the Internet of things will be populated with 30 billion devices by 2020.

Technology has always invaded our homes as we excitedly open the boxes to the latest modern conveniences. In the early days of the 1900’s telephones began appearing in homes. The 1950’s saw televisions showing up in living rooms. People started bringing home desktop computers in the 1980’s. Those computers were connected to the Internet in the 1990’s.  Phones went on our belts and into our pockets in the 2000’s and then became handheld computers. The first Internet connected appliance was a LG refrigerator released in 2000. According to Statista.com, there were nearly 36 million smart home devices sold in the U.S. in 2017. Over 40 million smart TV’s were sold in the U.S. in 2016 and 244 million worldwide.

Privacy

The remote accessibility of household devices creates new security issues every day. As appliances get “smarter” their vulnerability also increases. Smart devices only work to their full capability if they are connected to the Internet. Once that occurs they are searchable and hackable. When the device reaches out to the web it declares itself open for business. Hackers are always looking for insecure networks and devices to exploit. If not for gain, then just because they can.

We first heard about these types of intrusions in 2015, two years after consumers started bringing home smart TV’s. Samsung released TV’s in 2013 that could listen to voice commands from their owners. The problem? The TV has to be listening all the time to pick up the commands. What was “heard” was being transmitted via the Internet. Samsung warned consumers, through privacy policies, that spoken words are being captured and transmitted through the voice recognition system. Consumers were further warned not to hold personal conversations in front of the television. But who read or reads the privacy policies, right?

Another popular type of device entering our homes is the web-accessible camera. We set these up to watch the nanny, housekeeper, or house in general. There are even petcams available that not only allow owners to watch their pets but speak to them and deliver treats remotely. The first cameras embedded in teddy bears, sold as “nanny cams”, began appearing on the market in 1992. The first cameras to transmit remotely via IP were sold by Axis Communications in 1996. Today, the market is flooded with cameras and phone apps that allow web transmission of live video. It’s fun to watch Mr. Snugglekins romp around the house. But if you can access your webcam remotely, so can someone else.

Hacking

The device most people have heard stories about and are aware of is the camera on your computer. Yes, they can be used against you. Unlike in the movies, your home computer usually has to be “infected” with malware that you allowed in by clicking on a link or visiting a sketchy website. As with all of your devices, locally, you have to let someone in for them to be monitored. That is not to say that you and your devices could not be specifically targeted and intruded upon. With the effort it could be done. Hackers and, yes, governments have the capability to access television microphones and computer and remote cameras, turning them on and off and recording at will. However, most likely you’ve been the victim of malware.

The privacy and security issue with smart appliances is the collection and transmission of data. First, your viewing habits, conversations, actions are being collected. Second, the data is being transmitted to the Internet and held on third party servers. All of which can be hacked. So no matter the security measures you take at home, your personal data is vulnerable once it hits the WWW.

The thing is, you allow them into your home with the purchase, unpacking, and setup to connect to your network. There are data transmissions you are unaware of because you have most likely allowed the device to set itself up per the manufacturer’s settings. Any warning or setup recommendations were clicked through and unread. Admit it. You’ve done it. Who reads the privacy settings on a new device? Or whenever you allow an update? That’s what the manufacturers are counting on. The key word in the previous paragraph is “allow”. You’re inviting the snooping by purchasing the device, bringing it into your home, and allowing self setup.

Your appliances aren’t the only ones listening. There have been conspiracy theories floated the last couple of years that Facebook is listening to your conversations to better target ads. While feasible, it is unlikely and has been debunked by several sources. Facebook may not be overhearing conversations, but they, like Google, are “listening” by recording your search habits and even communications in messaging and email apps to better target advertising. Netflix was recently caught out when it tweeted about the number of times a few viewers had watched one of its programs, trying to be funny. Netflix admitted that it did track viewing habits of subscribers.

Security

When you invite smart appliances into your home you give up your privacy. You have to consider these devices as other persons and guard your privacy accordingly. Take the time to read the manufacturer privacy policies. Read the manual setup instructions and adjust the device settings accordingly. Block cameras in sensitive areas or turn them towards the wall when you’re home.

This reads like an Orwellian or tinfoil hat conspiracy. It wasn’t meant to be or to keep you from enjoying the conveniences of technology. Just be aware of the surroundings you’ve created. Any smart device has to be considered to be listening or watching. Alexa, Siri, Google, they all have to be listening all the time to be able to pick up your commands.

Please feel free to share. Read other posts about security in the blog archive.

Monday, September 11, 2017

Cleaning Up Your Online Presence


Ever been asked at checkout for your phone number? You haven’t been in the store for a long time, if ever by your recollection, but the clerk wants to know if you’re in the system. You provide a phone number and surprise surprise you are in there! Phone number, name, and address. It’s probably not a retail conspiracy to create a super database of shared data. What it does reveal is how our lives and personal data are intertwined within the world of information.

When information was written on paper there was less of it and it was more fragile. Tear it up, burn it, poof it’s gone. Carbon paper, mimeographs, and copy machines (Younger readers will have to look those up) changed that. Documents were being copied and filed in triplicate. Computers, of course, made it all easier but it wasn’t until the ol’ World Wide Web came along that hiding in plain sight became difficult.

In the old days it was easy to disappear. You simply moved to another town. Started using a new name and slowly built your new persona. As technology progressed information began being stored on computers. Those computers could be accessed for information stored about you, but only for the specific information the entity had stored. Once computers became connected one entity could access another’s information. Then they began sharing information between each other and saving the data locally. The more digitally involved you are the bigger your online presence. As young people enter adulthood they have little to no digital footprint in the context of financial databases. What they do have is a social footprint, more on that later.

Google yourself

Have you ever searched your name? If not, give it a try. You might be surprised what pops up or how many of you are out there. The more you are in the public eye, the more information is going to be out there and, thus, the harder it is to clean up your online presence. A regular Joe should have limited occurrences as the result of a search. But even regular Joes can have an online presence depending on their interaction with social sites and images associated with their name. And that is what you need to control.

Information for sale

Think about the seed system of a watermelon. You can take out a portion from the middle, but there are going to be all those strands extending throughout the melon. That is how it is in the digital world. Things truly do live forever on the Internet. You can have a record expunged from a database, but any reference to or sharing of that record in other databases is going to give it new life. Data has become a big commodity. Everything is for sale on the Internet. Data is being collected on every interaction you have on the Internet. The data collected by brick and mortar businesses is sought after. Once government databases went online (real estate, court information, etc.), information brokers snatched up this data. All of this information is bought and sold and resold. The original purveyor of the data may have deleted it, but the new entity has saved it and published it in its own way.

Everyone that has data is looking for revenue sources, especially governments. Data mining companies buy data from phone companies (landline and wireless) and the government (real property and court records). The information is legitimately offered for sale on the Internet through pay sites or resold. Ever get those mailings and wonder how Joe Realtor knows how long you’ve lived in your house and what you can sell it for?

Your Job image

Younger people may not be in databases for real estate or financial institutions, but they are using social media and sharing the media. Even someone with little life experience will pop up in a simple Google search, most likely under images. This is what haunts the 20-somethings when they start their job searches. Over the last few years, different surveys have revealed that 40% of college admission offices and 40% of HR professionals research social media regarding applicants. Staying aware of your online presence is especially important when trying for a job.

Cleaning up online presence

Your first step should be to stop the flow of information. Review and change your social media privacy settings. Remove information from online shopping and other accounts that are old or unnecessary.

Whether it’s the garage, the basement, or the Internet, before starting any clean up job you have to assess the situation. Start by searching your name and then different variations with your name, town, occupation, and any other identifier that you feel has a strong attachment to your name. I would suggest using Google as it is the most powerful, but using other search engines wouldn’t hurt. You’ll probably get different results.

Make note of the sites in which you pop up and what they are referencing. Find the source of the material you want removed and contact the source directly. Many will want sound reasoning why the post/picture should be removed. You may want to read the company’s privacy statement before you make the call to know where you stand and/or how to make the request.

Even though the source removes the post, once it has been shared it lives on in other sites. You’ll have to track the post’s digital trail and contact those companies as well. The tedious part is finding every link that’s associated with your name and going through the process each time. As with any situation where you are fighting an issue: document, document, document. Keep copious notes of your efforts in case you need to prove your attempts later or make subsequent requests.

After all that you are still going to be able to “find yourself” on government public access sites like real property and courts. People search sites and phone number search sites sell the information you are trying to keep private. Matters of public record like newspaper articles in which you’ve been mentioned are going to pop up.

To get your name removed from marketing lists there are organizations that can help. Similar to the national do not call registry, these services allow consumers to opt out of marketing offers. You would be adding your name to another database, which may be counterproductive to what you’re trying to accomplish, but it does keep marketers from contacting you. Maybe. Who knows if it really works?

One such service is run by the Direct Marketing Association and allows consumers to have their names and addresses removed from direct marketing mailing lists. There is a fee: $2 for 10 years if you register online. The site can be found at www.dmachoice.org. The second removes the consumer from credit card and insurance offers. The service is provided in a joint venture between Experian, Equifax, Innovis, and TransUnion. The site can be found at www.optoutprescreen.com.

You won’t be able to eradicate everything. If you’re serious about removing yourself from the Internet you’ll have to have as much as possible redacted. The rest will have to get buried in the voluminous amount of data filling the Internet. The less that is out there the more specific the search will have to be to find you. Not gone but harder to find.

Your personal information may be in myriad retail databases but at least you can try to keep what others read about you to a minimum. You can’t just completely disappear but can clean up your online presence so that you’re not easily searched.


See our blog archive for more posts about online presence.

Wednesday, July 6, 2016

Social media checks


Background checks used to be associated with financial institutions during applications for loans. Now they are performed during job applications, college admissions, even dating sites. One of the most important parts of the background check is the character reference. References were historically performed by field investigators interviewing the person’s friends, neighbors, associates, coworkers, etc. This is still an integral part of checking someone’s references, but in today’s online-all-the-time society, social media is fast becoming the standard.

Who’s looking?

Private employers are. Social media checks are now on the checklist during candidate research. HR hiring surveys estimate that more than half of employers search an applicant’s social media during the hiring process. The New York Post reported on January 29, 2016, that at least 40% of college admissions officers report they check applicants’ Facebook pages and other social media when weighing who should get accepted. A third say they Google applicants. Even professional sport franchises do their due diligence when deciding on draft picks. As part of the vetting process, social media of potential draftees are reviewed. With the media attention on football players gone wild in recent years, franchises are doing everything they can to determine the character of the player they are drafting.

Now the federal government is getting into the game. Investigators will now be probing social media as part of background checks for security clearances. It seems far-fetched that federal investigators didn’t perform these checks in the past, but now it’s official. On May 13, 2016, Director of National Intelligence James Clapper signed a policy directive that allows investigators to collect publicly available social media information pertaining to the person whose background is being investigated. In a press release, Bill Evanina, Director of ODNI’s National Counterintelligence and Security Center stated, “We cannot afford to ignore this important open source in our effort to safeguard our secrets—and our nation’s security.” While federal investigators are prohibited from requiring or requesting applicants’ password information, they will be searching for publicly accessible accounts.

Privacy concerns

States and the Federal government have responded in a challenging effort to protect citizens’ privacy and rights. Twenty-three states have enacted laws that prevent employers from requesting passwords to personal accounts to either apply for or keep a job. Maryland was the first state to enact such a law, which took effect on October 1, 2012. Maryland’s law states that employers may not require employees or applicants to disclose a user name, password or other means of accessing a private Internet site or electronic account.

The Equal Opportunity Employment Commission (EEOC) and National Labor Relations Board (NLRB) regulate, monitor, and enforce employer misuse of social media during the hiring process. Since 2010, the NLRB has heard dozens of cases regarding employers infringing on employee rights through social media. Both the EEOC and the NLRB have issued guidance to employers regarding social media rights of employees.

Does your mother see your posts?

Whether you’re currently looking for a job or suddenly need a clearance, you never know when a situation will surface that requires a background check, which will now more than likely include social media checks. As we are seeing, the trend is spreading beyond dating sites to employers, college admissions, pretty much anyone who wants to know more about who you are. A picture truly is worth a thousand words.

Getting a lot of ambiguous rejections? Check your social media posts.
Even social media posts from years ago can haunt you. During the 2016 NFL draft, a potential first round pick had his Twitter account hacked. A years-old video showing him allegedly smoking marijuana with a bong hit the web. As this sorted out, draft round after round passed. He eventually was chosen in the thirteenth round, costing him millions.

Because of the anonymity of the Internet, the narcissist in us all, and the instantaneous culture we have, social media seems to be a window into our daily lives. Not only what cat videos we find hilarious or what we’re eating and where, but social media goes a long way in determining who we are, the character of the person doing the posts. Now one could argue that it’s not how they really are, that they use social media as an alter ego. But over time, patterns do develop and the onus appears to be on the account holder to justify the veracity of their posts and not the reviewer.

A good rule of thumb is: if you wouldn’t want your mother to see it, then don’t post it.

See our blog archive for other posts relating to social media: