"What The Web Knows About You"
January 27, 2009
My 20-year-old neighbor likes to get wasted at parties. Recently, a friend took his picture, intoxicated, at a party. I know where he was and when the party occurred. Why do I know this? During a general Google search that I would have thought was completely unrelated to him, his MySpace page came up as one of the top results. Right up front was a photo of him, intoxicated, with the caption "me, wasted." That image may go over with his friends, but might be less well received by customers of the family business where he's been working.
How you react to the story this week, What the Web Knows About You, depends on who you are.
If you're a baby boomer like me, you might be shocked to learn just how much personal information I was able to discover about myself with just a bit of digging. If you're in your 20s, however, you probably don't worry so much. Among the generation that grew up on the Internet, many are used to keeping their lives an open book on the Web. Expectations are different.
Openness can be a good thing. The world of "free" services on the Web is being squeezed with the impact of the economic downturn and the fact that advertisers that support this business model don't get very good click-through rates on many sites. Micro-targeting of advertising messages could allow users to receive offers that are highly relevant to their personal situation, improve click-through rates for advertisers and perhaps provide a revenue model to support the "free" Web and keep it from potentially collapsing.
From that perspective it's a win-win. But are users giving up too much? People detail their lives on social networking sites, twitter their whereabouts each day and fill out 400-question psychological questionnaires on online dating sites without much thought as to who might be using the information, for what purposes, and how long it will persist. The problem with what's on the Web today is that the user is not in control of most of it. But an increasingly large amount of personal data is self-contributed, and that can be controlled.
Private investigator Steven Rambam is personally shocked - and professionally pleased - at the extraordinary amount of data people divulge about themselves online. "If you look at what most people self contribute - or worse, what their friends contribute about them - that's far, far more comprehensive than what's in the private databases," he says. And he makes a living collecting it for his clients.
The problem for people like my neighbor, Rambam says, is that information, once posted, never really disappears. Everything is indexed, copied, replicated or sucked into marketing databases that scrape the Web for personal data. "Every drunken photo in Cancun that you put up, every ranting political posting that you put up, every outrageous comment, everything is now there for eternity," he says.
Rambam likes to say that privacy is dead. But he doesn't like it. "I still cringe when we do a preliminary investigation on a target and that person has posted strange sexual practices on the Internet." But he admits that his views aren't universally shared. "I'm old school. But the young people who work for me think that this is perfectly normal."
Ironically, while 18 to 24 year olds may divulge more about themselves online, they're also the most aggressive in responding when others abuse that data. According to the Javelin Research 2008 Identity Fraud Survey Report, victims ages 18 to 24 were far more likely to file a police report - and were nearly three times more likely to pursue prosecution - than other age groups.
That's an interesting paradox.
What the Web knows about you
How much private information is available about you in cyberspace? Social Security numbers are just the beginning.
Robert L. Mitchell
January 27, 2009 (Computerworld) She had me at hello ... or just about. Our conversation had barely started when privacy activist Betty Ostergren interrupted me to say that she had found my full name, address, Social Security number and a digital image of my signature on the Web.
I had set out to discover just how much information I could find about myself online, and Ostergren, who runs the Virginia Watchdog Web site, was my very first call. If this was what could be uncovered in just a few minutes, what else would I find? Quite a bit, as it turns out.
What information is available about you in cyberspace? Where does it come from? What risks does it present and what, if anything, can you do to protect yourself? To answer those questions I decided to use my own identity, Robert L. Mitchell, a national correspondent at Computerworld, as my research subject.
Starting with the information Ostergren had turned up about me, I spent a few weeks combing through more than two dozen public and private resources on the Web and visiting many other Web sites to build a dossier on myself. I conducted both free and paid searches. I contacted a private investigator for tips on my investigation. And I spoke with data aggregators and privacy experts.
I quickly discovered that while the quantity of publicly available information about individuals to be found online is vast, it is riddled with inaccuracies. For example, I changed my primary residence more than a year ago, but many databases online still have my old address. In other cases, the information is just plain wrong.
Having a common name like Robert Mitchell -- or a famous one like Bill Gates -- makes the job a lot harder. While nuggets of information about you can be pulled up quickly, filtering out all of the data that is not actually about you and sorting out what is accurate is time-consuming. It requires a lot of digging.
But I was starting with a key piece of data -- my Social Security number -- and that makes finding relevant data a bit easier. As I gathered more data, I also reran many searches to get different -- and more targeted -- results. Here's what I found and where I found it.
Source: Government records
Information discovered: Full legal name, address, Social Security number, spouse's name and Social Security number, price paid for home, mortgage documents, signature
Much of the publicly available information on individuals online is sourced from online county, state and federal government records databases, and this is where Ostergren found my Social Security number. She hadn't purchased it from a hacker chat room or from shady characters in Russia. She got it by browsing an image of a mortgage document stored in a county database located in a building half a mile from my house.
Name: Robert L. Mitchell
Title: National Correspondent
Information discovered online:
* Full legal name
* Date of birth
* Social Security number
* Current property addresses
* Personal phone numbers
* Business phone numbers
* Previous addresses and phone numbers dating back to 1975 (except for cell phone numbers)
* Real estate property deed descriptions and addresses
* Property tax record from 2004
* Assessed value of home from 1997
* Identifying photographs
* Digital image of signature
* Mortgage documents (current and previous) and a legal agreement
* Computerworld affiliation, stories and blog posts
* Employment history
* Resume with educational background going back to high school
* Sex offender status (negative)
* Affiliations with several nonprofits
* Editorial award
* Spouse's name, age and Social Security number
* Names of friends and coworkers
* Names, addresses, phone numbers and first six digits of Social Security numbers for neighbors past and present
* Parents' names, address, phone and first five digits of Social Security numbers
What I haven't found ... yet:
* Driver's license number
* Vehicle registrations
* Banking records
* Medical records
* Detailed demographic data from marketing databases
* Insurance claims history
* Property records for land in Florida
* Voter registration record/political affiliation
* Mother's maiden name
* City and state of birth
Over the past five years, bulk scanning and online publishing of such documents have proliferated in many states. In many cases, including New Hampshire -- my state of residence -- little or no attempt has been made to redact sensitive personal data such as Social Security numbers before moving those records online. The public is blissfully unaware that these documents, which were once accessible only in dusty books inside the walls of the registry of deeds, are now freely available over the Web to anyone in the world with a click of a mouse.
Ostergren says that this information is a treasure trove for data aggregators, brokers and criminals. Unlike financial and medical records, which are regulated, Social Security numbers gathered from public records come with no strings attached. They can be republished anywhere with impunity. "You're in a state that is spoon-feeding Social Security numbers to everybody," Ostergren says.
In the county where I live, legal documents from 1975 and on have been scanned and placed for public viewing on the Web. No registration or payment is required to view those records, although there is a charge to print official copies. The database includes thousands of records on New Hampshire citizens, including tax liens, federal liens, divorce papers, financing statements, military discharge papers, death certificates -- even a mobile home warranty. Any legal document filed with the registry is fair game.
In these records I found names, addresses, Social Security numbers, dates of birth, signatures, children's names, educational backgrounds, blood types, work histories and other personal data. Newer mortgage documents no longer contain Social Security numbers (mine was from 2001), but many other documents still do -- including death certificates and tax liens. In my case, fortunately, just one document on file -- the old mortgage -- contained my Social Security number.
Revelations from the rest of my government database searches were less sensational. State and county court documents are public records. In many states, those records are already online and available for public viewing on the Web. New Hampshire's county court records have not been put online, but the state has plans to do so, according to a county official.
Lauren Noether, bureau chief for consumer protection and antitrust at the New Hampshire Department of Justice, says it's just a matter of time before those records are available online. But she is concerned because standards for what information appears in legal documents have changed over time.
"I had an individual call to tell me that their child's name was in [an old] child abuse indictment. Nowadays we don't do that," she says. Noether amended the document, but she worries that bulk scanning and publishing of all historical records would bring many other inappropriate disclosures into public view.
Like many states, New Hampshire has a child sex offender registry. I am not a sex offender, but for the purposes of this story (I am the subject of the investigation, after all) I ran my name through anyway. As expected, I wasn't on the list, but it was chilling to find three other Mitchells listed there.
My next stop was the federal Public Access to Court Electronic Records (PACER) database, which contains U.S. District, Appellate and Bankruptcy court records. Here the government wants to know who is searching. The registration process for users involves entering your Social Security number, date of birth and other data.
I found myself trolling through dozens of records of people who were not me, at a cost of $.08 per page of results. I pulled up a total of 119 records, including 51 Robert L. Mitchell bankruptcies.
The PACER database found 51 Robert L. Mitchell bankruptcies.
Another Robert L. Mitchell had been arrested for kidnapping. But nothing matched the Robert L. Mitchell I was researching.
The PACER system required that I conduct a separate search for each jurisdiction. CriminalSearches.com is a commercial site that aggregates the same information so that you can do a single search across all jurisdictions -- and it's free. I executed a free search on the Web site. Apparently, I have a clean record in all 50 states.
I also searched state and county databases for the state in which I reside. Database aggregators such as LexisNexis pull information from all of the various local, state and federal databases and roll them up for easier searching, but you need to buy a subscription to use such services.
Computerworld has a LexisNexis subscription, but that costs money. While I did fork over $.08 a page for PACER results, that amounted to less than a dollar. At this point in my investigation, I wanted to see how much I could find for nothing -- or next to nothing -- before resorting to fee-based services.
Source: Free people searches
Information discovered: Employer name, job title, age, month and date of birth, phone numbers, wife's name and age, historical addresses and phone numbers, personal e-mail address, identifying photographs, employment history
I continued my investigation with the people and business search Web sites, including ZabaSearch, WhitePages.com, PeopleFinders.com, US Search, Intelius, Switchboard and PublicInfoGuide.com. The initial searches were free, although each service charged a premium for some of the data it uncovered. As I found out, you get what you pay for.
I gathered plenty of data on Robert L. Mitchells, but most of the data wasn't relevant to the Robert L. Mitchell I was investigating. Each search yielded multiple results, including some records with outdated information about me and others with totally inaccurate data. In some cases, aggregated data clearly had been mismatched, which appeared to be the result of mashing together two different Robert Mitchells into one identity.
ZabaSearch pulled up only an e-mail address I don't use and another that no longer exists, but it did find my mailing address, which it displayed on a satellite map. WhitePages.com had my name and phone number associated with a wrong address. Switchboard incorrectly described my home telephone number as unlisted. PublicInfoGuide.com found a residential address but listed four "relatives" that I never knew I had. PeopleFinders returned an address and phone number in another state where I had lived 20 years ago.
Social Security numbers and the law
Is it really legal to post Social Security numbers online? That depends on who's posting them.
If the source of my Social Security number had been a financial institution, it would be regulated by the Gramm-Leach-Bliley Act, which states that the information can't be disclosed to third parties without notifying the consumer, and the Fair Credit Reporting Act, which controls the access to individuals' financial information for the purposes of marketing credit offers.
Ironically, public records disclosure of Social Security numbers -- on death certificates, mortgages, military discharge papers, criminal records and other documents -- isn't restricted. (See "FAQ: Is your county posting your Social Security number online?") In fact, the government is required to make the records public -- although there is nothing in the law that states that the data must be published on the Web. And while some documents, such as death certificates, are required to include Social Security numbers, others, such as mortgages, are not.
To make matters worse, anyone can republish Social Security numbers if they were already published on a public government Web site, according to a recent court ruling in Virginia.
But there is hope: On Jan. 6 of this year, U.S. Sens. Judd Gregg (R-N.H.) and Dianne Feinstein (D-Calif.) introduced legislation, called the Protecting the Privacy of Social Security Numbers Act, that would prohibit anyone -- including the government -- from displaying Social Security numbers on the Web.
In some cases, part of the search results, such as the full address or e-mail address, was deliberately omitted. PeopleFinders located a Robert L. Mitchell in the correct town but wanted $1.95 for the full address. As upcharges go, that was cheap: US Search wanted $10 to divulge the full address. I found it unnecessary to pay for these results, since different sites tended to provide different information upfront -- I could piece together all the bits of free information from various sites.
My Computerworld affiliation didn't turn up initially, nor did my business phone lines or my cell phone number. A search at ZoomInfo produced my correct title and Computerworld affiliation, but the work history was a comedy of errors, including incorrect titles and a stint as a PC World contributor that I must have forgotten. Under "Education," the results simply said "MSN dial-up."
Source: Search engines
Information discovered: Age, phone numbers, Computerworld affiliation, Computerworld stories, blog posts, identifying photos, social network and nonprofit affiliations, editorial award
I continued my research with the commercial search engines, including Google, Yahoo Search, Microsoft's Live Search, Dogpile and Vivisimo's Clusty. I used combinations of my name, job title, business name and location, and I concerned myself with only the first few pages of results.
As I encountered new information, I added it to my search criteria and ran searches again and again. The search engines divulged my age, phone numbers, my identities on three social networking sites and dates when I had signed up, my positions with two nonprofit organizations, links to Computerworld stories, blog links, a few snarky remarks about my stories and an announcement that a Computerworld story I wrote won an ASBPE award in 2007.
For good measure, I also searched the Techmeme, Technorati and Computerworld sites directly, assembling a long list of stories I had authored, as well as comments about those stories and contact information.
Source: Image search
Information discovered: Computerworld publicity photos, Flickr photos
Here I stuck with Google Image Search and Flickr. The 429 Google image results included dozens of Robert L. Mitchell photos, but the correct one was buried five screens down in the results. Also displayed were photos of people whom I have interviewed for Computerworld stories.
A Google image search for Robert L. Mitchell. Where am I?
Flickr searches on variations of my name produced no photos of me, but I was able to find my account by searching members with the name "Robert Mitchell." On the third screen, my photo appeared next to an account name. By matching that photo with the Computerworld publicity photo, I was able to identify myself.
From there, I was able to view several hundred publicly shared photos associated with that account. But like much of the content on Flickr, those images are untagged. Finding photos of me in the long list was a painstaking process.
Source: Social network search engines
Information discovered: Computerworld stories, blog posts, social network friends and co-workers
Here I searched individual social networking sites, as well as two search tools that promise to provide information from social networking sites: Delver and iSearch.
iSearch produced the same results I'd seen elsewhere.
With iSearch, users can search for social network content by name or by screen name. A name search on "Robert L. Mitchell" produced the same people search results I had seen before, and searches on all my screen names produced no results. A spokesperson stated that iSearch, a service launched by Intelius last September, was still building up the database for the service.
Delver, another social network search engine, indexes content and ranks its relevance based on what your social network of "friends" have to say about it. It indexes content from MySpace, Blogger, LinkedIn, YouTube, Hi5, FriendFeed, Digg and Delicious, as well as profile data from Facebook. A search on "Robert L. Mitchell" brought up 47,755 Web links. I found no personally identifying information but did find links to stories I have written.
I concluded by searching individual social networking sites. I didn't get much here, but private investigator Steven Rambam, who runs the Pallorium investigative agency in Brooklyn, N.Y., says the amount of self-contributed data available on many individuals is enormous.
"If you have a MySpace page, and Friendster, LinkedIn, Plaxo, Yahoo 360 and Monster.com, and you use Twitter and Flickr, in 90 seconds I'll have your photo, your likes and dislikes, where you live, what you do and so on -- all contributed by you," says Rambam. That search, he says, provides as much information as he used to gather during a 12-month investigation in pre-Web days.
If that sounds scary, the technology also has its limits. "You have the best defense against a casual investigation: a common name," says Rambam. To find people like me on social networking sites requires logging onto each one individually and using advanced search features to try to narrow down the field.
"Even then there are dozens of records that would have to be manually examined," Rambam says. But that just slows him down. "It would probably take a full day to compile a decent dossier on you," he says, while a unique name takes just a few minutes.
Source: Paid searches
Information discovered: Address history to 1985; real estate purchase dates, assessed values and mortgagors; 2004 property tax bill; nonprofit affiliations; Flickr account details; published stories; parents' names, address, phone number and first five digits of Social Security numbers; current and past neighbors' names, addresses, phone numbers, dates of birth and first six digits of Social Security numbers
At this point, I decided to invest a little money to see what premium searches would buy me.
Since no one had come up with my cell phone number, I decided to start small, with a US Search reverse phone lookup -- which means you provide the number and the company traces its owner. US Search indicated that the information was available on my number -- for a fee of $14.95.
I pulled out my credit card and purchased the report. US Search could not find any data initially. The next day it sent an e-mail that attributed the phone to "Josh (last name unavailable)." Address information was limited to a town name, which was incorrect. US Search refunded my money.
I tried other sites, also without success. One possible reason why: I never provide my cell phone number online or use it for business transactions.
Things did not go so well with USATrace.com, which claimed to offer an "SSN Search" background report on any Social Security number for $37.99. I had picked the company at random from a long list of businesses that came up after I ran a Google search on "Social Security number trace."
The company processed my transaction, but I received no report. Over the next few days, several phone calls and e-mails went unanswered. I ended up challenging the charge on my credit card bill -- a process that eventually resulted in a refund from American Express. Caveat emptor.
I then approached Intelius, a bigger name that also provides data to business partners such as ZabaSearch. Intelius waived its $49.95 background search charge for the purpose of this story. I requested a few extra bells and whistles, which would have brought the total cost to $77.
Among other things, the report included searches of criminal records, civil judgments, sex offender records, address history, real estate property records and death certificates. Intelius gets its information from public records, marketing databases and information that is scraped off the Web, says Ed Petersen, co-founder and executive vice president at Intelius. Much of the information is purchased from other data providers.
The Intelius people search results.
Inaccuracies in the data and the abundance of data on people who were not me made combing through the 67 pages of results a bit of a chore. After removing the irrelevant content, I was disappointed to find that the report contained just one piece of data that I had not found through my previous, free searches: a June 2004 property tax bill in the amount of $1,857.
Despite the fact that I'd entered my address and Social Security number, the bulk of the report consisted of state and federal criminal records of 156 Robert Mitchells from all over the country, none of which were me. It included incorrect names of "relatives" as well as records with my correct phone number attached to the wrong address and vice versa. It did not find my primary legal residence address or phone number at all. (We moved one year ago.) The business records section of the report did not turn up my position at Computerworld or my business phone number.
Intelius did aggregate a lot of data about me that I had already discovered, and might have saved some research time. However, I would still have had to do additional work to resolve the inconsistencies and other errors.
Next I tried a service called ReputationDefender, which tracks both what is being said about you (the MyReputation service; $9.95 per month) and personal information available about you on the Web (MyPrivacy; $4.95 per month). After a few days, the service uncovered my residential phone numbers, information about my work with a nonprofit organization, details of my Flickr account and a couple of Web sites I set up.
Finally, I tried searching public records through LexisNexis. Computerworld's subscription includes a search function that combines data from public records databases ranging from motor vehicle records to court documents to hunting and fishing licenses. While much of the information LexisNexis returned was the same as what I'd found previously, it produced more information overall, and data accuracy was somewhat better.
LexisNexis returned the most accurate information.
I came away with a listing of past and present neighbors' addresses, phone numbers and partial Social Security numbers and a historical list of my real estate property transactions that included the amount paid, date of purchase and mortgage lender name. I found the assessed value for my residence for the year 1997. Also available: my mother's and father's names, ages, address, phone number and partial Social Security numbers.
While LexisNexis allows voter registration list searches, no information appeared for my name in New Hampshire. Voter registration lists have been consolidated into a central database to meet federal requirements. Currently, that database is exempted from New Hampshire's Right-to-Know Law, but legislators have given the Democratic and Republican parties exclusive access to it, says New Hampshire State Representative and privacy advocate Neal Kurk, a Republican.
"The parties take this information and sell it to candidates, and you can be sure that a disc containing all of this information goes to various marketers or charities or whoever," he says. So far, though, it wasn't accessible to me.
I also could have searched for other, more sensitive data, such as driver's license and motor vehicle registrations, on LexisNexis. Access to that data is controlled by government regulations, but to see it I simply had to pick a "permissible" use (litigation, debt recovery, insurer, etc.) from a drop-down list. While LexisNexis' terms and conditions do state that it keeps track of who has accessed regulated data, as far as I could tell, anyone can conduct a search without any verification of a permissible use claim.
What else is out there?
Did I find everything that was out there? Private investigator Rambam says the information I gathered in a few days of work was just the tip of the iceberg of what is available about individuals online. Rambam runs PallTech, an investigative database service for law enforcement and security professionals. Its 25 billion records on individuals and businesses include aggregated public records, telephone listings, marketing data, and more sensitive, regulated data such as vehicle registrations.
A single query performs 62 different searches and produces an average of 230 pages of results in 90 seconds, Rambam says. He quickly found my Social Security number, driver's license number, vehicle registrations, date of birth, e-mail address and other information.
PallTech's database isn't open to the public, but Rambam says much of the same information is out there for anyone who's determined to find it. For example, I didn't find my medical records or banking records online; both types of information are regulated. But, says Rambam, "Any competent social engineer can get that information. There's just too many places where it's available."
For instance, Rambam says he once tracked down a subject by calling pharmacies near the person's address, posing as the subject and asking if his prescription was ready. He quickly learned both the name of the prescription and the doctor who prescribed it. By calling the doctor's office, he was then able to get the time and date of the subject's next appointment. While all this is illegal (he did it with the subject's permission, as part of a friendly bet) and he says most professional investigators don't do that today, he's certain that scammers use the technique.
I also didn't find my state of birth or mother's maiden name online, but Rambam says that I could have found the information with a little more work. (For example, I didn't think to look on genealogy Web sites.) "The downside to all of this publicly available information is that it's now a lot easier to social engineer somebody," he says. If someone has access to a profile of personal information about you as well as your network of friends, that makes it easier for someone to pose as you to gain access to more sensitive data.
And much more personal information is tucked away in marketing databases, says Rambam. Data aggregators such as ChoicePoint and Acxiom, he says, maintain giant databases of information about individuals for risk management and marketing purposes.
To find out more, I spoke with Jennifer Barrett, global privacy officer at Acxiom, a large data aggregator and marketing services provider in Little Rock, Ark. Acxiom specializes in helping businesses build complete demographic profiles of their customers. It builds large, proprietary data warehouses that match up the client's marketing data on its customers (what they bought) with "intelligence" on those customers (who they are) that includes demographic data, interests, what types of products the subjects like to buy and so on. (For details, see "How much do marketers really know about you?")
Acxiom and some other data aggregators do allow consumers to request, for a fee, a report summarizing the basic identifying and background screening information that the company has about them in its databases. (Acxiom does not release this information without a signed form and a personal check for $5 with name and address information printed on it that matches the name and address of the subject of the request.) I wanted to find out what details Acxiom had on me, so I made the request (the company waived the fee for the purposes of this story); however, the report I received did not include the full search results.
Interestingly, Barrett cites privacy as the reason Acxiom didn't reveal more of the data it owns about me. Search results often return information on other people who are linked to the subject's data in some way, such as through a common address or phone number. "It divulges details on other individuals and would invade their privacy," she says. But Acxiom does allow consumers to opt out of its marketing databases.
How much do marketers really know about you?
Database aggregators like Acxiom gather intelligence about consumers from sources that include surveys, product registrations, and magazine subscription data, says Barrett. "If you subscribe to a cooking magazine, we know someone likes to cook in your household," she says. Many businesses sell or rent that data to Acxiom.
It's an urban myth that companies like Acxiom collect data from everywhere and can pull out anything they want about you, she says. "People call us and expect us to have the fact that they bought a blue shirt from Lands End last night." Actually, Barrett says, Acxiom buys generalized data from companies with which individuals have made a purchase, such as in the cooking example above.
But Paul Stevens, director of policy and advocacy at the nonprofit Privacy Rights Clearinghouse, believes that the amount of detail gathered about individuals is far more extensive than most people would imagine. While the data Acxiom gathers isn't likely to end up in the hands of identity thieves, he says that if people knew just how much aggregators know about them it would probably make them uneasy. "Some of these database aggregators know more about us than we know about ourselves," Stevens says.
Rambam agrees. "Where this all gets a little creepy is when they aggregate all of this data together and have an extraordinary profile of you," he says. "Marketing companies know your religion, your sexual orientation, the names of your family members, what magazines you read, when and how often you go to the supermarket, what candidates you contribute to. It is a window into your soul."
But access to information in marketing databases is tightly controlled, says Acxiom's Barrett. "Our clients get far more scrutiny [from regulators, privacy advocates and the public] of where are you getting this data and is it legal" than ever before, she says.
Acxiom's clients expect the company to provide data that has been legally obtained, and to deliver it within a context that meets regulatory guidelines for each type of request, says Barrett. In fact, she says, Acxiom screens clients that request access to the more sensitive data it collects and may provide different levels of access to client employees based on their business role and their need to know.
Assessing the risks
Perhaps the biggest risk that accompanies the proliferation of personal information on the Web is the increased danger that the information will be used for identity fraud. Although overall identity fraud has trended down somewhat, 8.4 million people were victims of identity fraud last year, according to Javelin Strategy & Research, which publishes an annual survey report on the subject.
Of the information available about me on the Internet, the most troubling was my Social Security number, blatantly posted online by my own county government, for the convenience of lawyers, insurance agents -- and petty criminals interested in identity theft. Today, you need more than just a Social Security number to commit identity fraud, but a criminal who has that number is off to a great start.
"Various arrest records released by law enforcement have included criminals' confessions of using bulk scans of both paper and electronic records access," says Javelin president James Van Dyke.
While I was able to have my Social Security number redacted from the county Web site record by filling out a form with the Registry of Deeds, there's no telling if that information was already scraped by thieves. (On the plus side, the information from the county database didn't show up on Google or other search sites, probably because it resides in a database and must be queried rather than appearing on a Web page that is easily indexed by Web crawlers.)
Identity thieves can also cobble together Social Security numbers from different sources that publish different parts of the Social Security number as an identifier. For example, subscribers to LexisNexis can find the first five digits of a subject's nine-digit Social Security number, while Acxiom provides the last four digits in its reports (although that's harder to obtain, since Acxiom screens its customers). Federal tax liens use the full Social Security number, and state tax liens use the last four, says Ostergren. Both are publicly available on paper records, and in many cases the data is being republished on the Web.
Once a thief has the number, it can be used to unlock more data about you that can be used for identity theft.
The sheer breadth of information available about individuals online is also a concern. According to Rambam, having access to that much information makes it easier for criminals to obtain other identity authentication factors such as a mother's maiden name.
But others say that even having one or two authentication factors for an individual is no longer a guarantee of success in identity theft. Improved processes and consumer awareness are key reasons why new account fraud has remained flat in the past year, according to Javelin, and faster detection has caused account fraud losses to decrease by 21% from 2007 to 2008.
Barrett says that the number of authentication factors required is on the increase, and varies with the risk involved. Accessing an online subscription to the Wall Street Journal would require fewer authentication factors than would accessing a bank account. In fact, most financial institutions now require multiple authentication factors to open an account -- or even to process an address change. "If there's a high degree of risk it can be seven or eight or nine factors. If it's not it might be three or four. But it's not one or two."
As a test, I called my business credit card company and my bank. The credit card vendor asked for my account number and mother's birth date to access my account. To change my address, I also needed to provide my full name and the credit card's four-digit security code. That's four factors.
When I called my local bank with the same request, the representative asked for my name, middle initial, city of birth and mother's maiden name. (According to a security executive from the bank, representatives may also ask the branch location where you opened the account and how long you've had the account.) The representative did not ask for my account number, and she divulged my current address during our conversation.
But are four authentication factors today really more secure than two were 10 years ago? Four may be the new two. Because so much data about me is readily available online, right out of the gate I had found online two of the four factors needed to change the billing address for my credit card. But I still needed the physical card to determine the card number and security code.
More worrying was the fact that I had tracked down three of the four authentication factors needed to change my address with the bank (which is now reviewing its policies).
While both institutions require four authentication factors, the fact that the answers to some of those "authentication" questions about me are readily available online diminishes their value. In this case, an identity thief is two authentication factors away from cracking my credit card account and just one away from messing with my bank account data.
The banks might do well to increase the number of authentication factors in use -- even though it presents an inconvenience to customers. The challenge will be figuring out what questions to ask in a world where almost everything there is to know about you is publicly available online.
Privacy may be dead, as Rambam likes to say, but individuals can play a role in reducing their information footprint and shaping the information that is available about them. Keep reading our special report for steps you can take to control data about you.
Next: 12 tips for managing your information footprint
January 27, 2009 (Computerworld) When it comes to managing personal information online, most people are their own worst enemies. Many of us fail to adequately protect our personal data before it gets online, but once information makes its way to the Internet, it can be quickly replicated and is often difficult, if not impossible, to remove.
For example, in four weeks of on-and-off reporting and online searches using publicly available online records and tools, I was able to find my current and past addresses and phone numbers, date of birth, Social Security number, employment history, identifying photographs, a digital image of my signature and much more. See "What the Web knows about you" for all the gory details.
You can take an active role in managing data about you, whether it resides in marketing lists, government databases, telephone directories or credit reports. Here are some tips.
1. Think before you disclose personal information about yourself online on business networking sites such as LinkedIn, job listing sites such as Monster.com, and social networking sites such as MySpace and Twitter.
How much do you want to disclose about your employment history, likes and dislikes, and where you are at any given time? Do you really want everyone to know when you're not at home, how long you'll be out and when you'll be back?
2. Don't give out your Social Security number -- anywhere -- unless absolutely required.
3. Don't use real information about yourself for authentication, recommends private investigator Steve Rambam. Instead, he suggests making up answers to commonly asked security questions such as a mother's maiden name.
4. Know what's out there about you. Do a search online using search engines, government Web sites and other resources cited in "What the Web knows about you" to get an idea of what information about you is available online today. If your Social Security number appears in a public records database, ask the agency in charge of the database if they will redact it from the record on your behalf. You can also ask Web site owners to have sensitive information redacted and any potentially damaging inaccuracies corrected.
5. Keep up with new data about you as it is published on the Web. Alert services such as Google Alerts are designed to continuously search the Web to track topics you're interested in, but you can also use them to find out what information about you is being published on the Web. Configure the service to search the Web for instances of personally identifying information such as your name, address, phone number, Social Security number, and so on. When Google finds matches, it will send you an e-mail with links.
6. Consider requesting a fraud alert from one of the three major credit reporting agencies (Experian fraud alert, TransUnion fraud alert or Equifax fraud alert) if you discover sensitive data such as your Social Security number on a public Web site or service. If you request a fraud alert with any of the three agencies, it will notify the others on your behalf.
7. Also consider requesting a security freeze, which takes a fraud alert one step further. It means that no one can access your credit report without your explicit consent, which makes it difficult for fraudsters to open up new accounts in your name.
This is a new option that has only become broadly available in the past year. A freeze must be placed with each of the three major credit reporting agencies, and you must unlock access to your credit report (for a fee) when a lender, insurance company or other party requests the information.
True, it's inconvenient. You pay a small fee to freeze your credit report at each of the three reporting agencies. Then you pay another fee each time you unlock it. But you'll have the security of knowing exactly who is trying to access your credit report -- and for what reasons -- every time.
8. Request a copy of your credit report at AnnualCreditReport.com and review it for errors.
Ignore the sales pitches for credit monitoring products. Identity fraud monitoring services, including those sold by the three credit reporting agencies and others, can provide peace of mind, but they're pricey for what you get and most tell you only after someone has compromised your identity.
See this Privacy Rights Clearinghouse report on credit monitoring services for details.
9. Opt out of the marketing databases at the big data aggregators such as ChoicePoint and Acxiom. Unfortunately, the companies usually won't take requests from third-party services like Reputation Defender, which attempt to do this on your behalf; you have to contact each one yourself. You can also ask to see the profile they have of you and ask for changes if the data is incorrect. They won't, however, pull information about you that's used for "risk purposes," such as for insurance underwriting or litigation.
While you can opt out of Web people search and background checking services such as Intelius and US Search, there are simply too many to contact. Intelius will honor your request, but Ed Petersen, co-founder and executive vice president, says it's not worth the effort. "You're tilting at windmills. I'm not the original source of the data, [and] there's a lot of companies like Intelius out there." This is one reason why it's so important not to let these data bits get out there in the first place.
10. Protect your cell phone number. If you don't want it in public database records, don't give it out for business transactions. "If you never put it down anywhere, then it is not going to be in the public records," says Petersen.
Using an unlisted phone number reduces, but does not eliminate, the number of places where your telephone number will appear online. Every time you give out the number, as may be requested for purchases, registrations and other business transactions, it goes into databases that may be sold to aggregators.
11. Don't participate in surveys or fill out product registration cards. It's not required for warranty service (all you need is your receipt), and the information you submit goes right into marketing databases.
For more privacy tips, read the Privacy Rights Clearinghouse's Privacy Basics and Opt-Out Strategies page.
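Tip 3's made-up answers have to be read aloud to a phone representative and should differ at every institution, so this added example (not part of the original article) generates them as pronounceable pseudo-words. The syllable alphabet, function names and institution labels are assumptions made for illustration.

```python
import math
import secrets

# Constructed alphabet: consonant+vowel syllables are easy to say and spell
# aloud to a phone representative, unlike a random character string.
CONSONANTS = "bdfghjklmnprstvz"
VOWELS = "aeiou"
SYLLABLES = [c + v for c in CONSONANTS for v in VOWELS]  # 80 syllables


def fake_word(syllables=3):
    """Return one capitalised pseudo-word built from random syllables."""
    return "".join(secrets.choice(SYLLABLES) for _ in range(syllables)).capitalize()


def fake_answer(words=2, syllables=3):
    """Return a made-up answer usable as a surname or place name."""
    return " ".join(fake_word(syllables) for _ in range(words))


def entropy_bits(words=2, syllables=3):
    """Bits of entropy in one answer produced by fake_answer()."""
    return words * syllables * math.log2(len(SYLLABLES))


def build_answer_sheet(institutions, questions):
    """Map (institution, question) -> unique made-up answer.

    Every institution gets a different answer to the same question, so an
    answer learned from one of them is useless at the others.
    """
    sheet, used = {}, set()
    for inst in institutions:
        for q in questions:
            answer = fake_answer()
            while answer in used:  # collisions are very unlikely; this guarantees uniqueness
                answer = fake_answer()
            used.add(answer)
            sheet[(inst, q)] = answer
    return sheet


if __name__ == "__main__":
    # Questions are the ones the article mentions; institution labels are placeholders.
    sheet = build_answer_sheet(["bank", "credit card"],
                               ["mother's maiden name", "city of birth"])
    for (inst, q), a in sheet.items():
        print(f"{inst:12} {q:22} {a}")
    print(f"about {entropy_bits():.0f} bits per answer")
```

Keep the resulting sheet in a password manager or another private record, since the answers cannot be reconstructed from anything published about you.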