The Privacy Council

Together we can end SPAM, Junk Mail and Unsolicited Phone Calls

Latest News

The Irritation of Text Message SPAM (And What You Can Do)

Posted on August 25th, 2008

Cell phone text messaging (otherwise known as SMS, or “short message service”), is a lot of things. For teens, young people and many others, it’s a vital communication tool; I once knew a 20-something guy who almost never used his cell phone to make actual phone calls, but he texted constantly. For other people, it’s an annoyance, or even a hazard; in many places, laws are being passed to combat texting behind the wheel because of the potential safety risks. For more people than ever before, it’s a way of life: SMS technology is the most widely used data application on the planet, with 2.4 billion active users (74% of people with cell phones also send text messages). And increasingly, cell phone text messaging is something else: a means by which we can receive spam messages.

Text message spam (often called m-spam, for “mobile spam”) is among the most annoying spam we get. We’ve all gotten pretty accustomed to receiving spam in our email inboxes, even if we don’t care for it. But our cell phones are more personal. Receiving an unexpected text message that advertises something feels like more of a violation than other methods of spam. Also, many people pay per text message for the SMS technology, incoming AND outgoing, so victims end up not just enduring but PAYING for the experience of receiving unwanted texts. Customers don’t have the option of choosing which of their incoming text messages they accept (and agree to pay for) and which ones they don’t. Text message spam is frustrating and costly, so what can be done about it?

The CAN-SPAM Act of 2003 addresses this issue, at least in part. The Act prohibits sending unwanted commercial email messages to wireless devices without express prior permission. The definition of “commercial messages” (those that advertise a product or service) is pretty widely understood. That said, the CAN-SPAM Act covers messages sent to cell phones and pagers IF the message uses an Internet address that includes an Internet domain name. It does not cover “short messages” sent from one phone to another.

So if a spammer sends commercial texts to your cell phone and uses another phone (instead of a computer) to do it, are you stuck without any recourse? No, because where the Act leaves off is where the Telephone Consumer Protection Act (TCPA) and other FCC rules take over. From the FCC website regarding the TCPA: “FCC rules prohibit sending unwanted text messages to your wireless phone number if they are sent using an autodialer, or if you have placed that number on the national Do-Not-Call list.”

So for starters, put your cell phone on the Do-Not-Call list, just in case you receive (or fear you might receive) undesired text messaging. That way, you’ll have grounds for filing a complaint with the FCC. Keep in mind, though, that some messaging is exempt from the bans; for example, if you have an established relationship with a business (i.e., messaging regarding a warranty you have on a product you’ve bought from them), if you’ve given them consent to text or call you (always read the fine print when you sign up for a service, just to make sure you’re not giving consent if you don’t want to), or if the messaging falls under the noncommercial category (which includes political organizations and religions), you’re not allowed to file a complaint. But outside of these exceptions, if you put your phone on the Do-Not-Call list and still receive spam texts, or you receive a commercial message sent via email that is clearly in violation of the CAN-SPAM Act, you can file a complaint here.

What about short-code text messages? You know, the ones with just 4-6 digits instead of a full phone number. If you get messages from short-code sources, you probably opted in for something, such as radio station updates. If you don’t want to receive them anymore, reply with “STOP” and see if that works. If you’re not even sure where the messages are coming from, there’s a short-code registry that allows you to check. It’s not guaranteed to be accurate, and it’s not comprehensive, but it’s a start if you need to find out the source of your unwanted messages so you can contact them and tell them to stop.

What else can you do to prevent text message spam before it happens? First, don’t give your cell phone number out unless you absolutely have to. Don’t post your number online where people can find it, since that’s just an invitation to spammers. If you DO feel the need to share your number with a website (say, when you’re signing up for alerts), read their privacy policy to make sure that your phone number won’t be sold to a third party. You don’t want to unknowingly give out that “express prior permission” described in the CAN-SPAM Act that would open the door for spammers to flood your phone with messages.

You can also contact your cell phone provider to make them aware of unwanted text messages if it becomes a problem. AT&T, T-Mobile, Sprint and Verizon offer methods on their websites that allow customers to block emailed messages (or just certain domains) sent to their phone; for each provider, look for “text messaging preferences” or “communication tools” after you log in to get you started on setting up an email block. Even if your carrier doesn’t offer this feature online, most U.S. carriers should be able to handle this for you if you call them directly. Be careful using this option, though, since it could block messages you actually WANT to receive via email-based messaging, such as the message from your airline notifying you of a flight change. 

If all else fails, responding to a text spam with the word “unsubscribe” is worth a try.

Sources for this article: www.fcc.gov, www.lifehacker.com, www.consumer-preference.com, Wikipedia, Pogue’s Posts

Identity Thieves Target Kids, Too

Posted on August 20th, 2008

For those who think only adults can be targeted for identity theft, here’s the reality: Children can have their identities stolen, too. In fact, children are among the most vulnerable targets for identity theft. Frequently (up to 54 percent of the time, according to the Identity Theft Resource Center), the victim is under 6 years of age. Sometimes, it’s a family member or friend of the family who does the stealing. And in most cases, it’s a crime that isn’t even detected for years.

The way it usually works is that the criminals use the child’s Social Security number to open lines of credit; after all, that number is all that’s needed to steal an identity. The crooks eventually leave the child’s credit history in shambles. The child probably won’t know any of this, however, until he or she decides to open his or her own credit line as an adult, at which point the credit report will already show the damage (which might have accumulated over 10 or 15 years). In short, the child begins his or her adult life with lots of debt that they had nothing to do with acquiring. Not a great way for a child-turned-adult to start experiencing grown-up finances! Other ways that this problem can materialize before adulthood include collection agencies calling or sending letters regarding accounts that the child allegedly opened, or even a 16-year-old being told at the Driver’s License office that another license already exists with their Social Security number.   

It’s hard to tell how widespread this problem is, since most identity theft reports don’t track it. “We don’t ask for age in our identity-theft surveys,” said Claudia Bourne Farrell, spokeswoman for the Federal Trade Commission (as quoted in the Dallas Morning News). “Our self-reported, anecdotal data indicates that about 5 percent of the complaints last year were for people 18 and under.” It’s possible that the actual number of identity thefts involving children is higher, since many victims don’t learn about and report the theft until they are no longer minors.

Shouldn’t the credit card company know not to give credit to someone who is using a minor’s Social Security number? Not necessarily. Credit issuers don’t usually check the age of applicants for accuracy. It’s difficult to verify things like age on a credit application, so much of the information given on those applications is simply assumed to be correct.

So how can we protect kids from identity theft? The responsibility lies, of course, with the parents. First, parents need to make sure that all sensitive documents concerning their children (such as Social Security cards) are filed away safely and securely. Parents should never carry those numbers around with them. If anyone asks for the child’s Social Security number, the parents must ask why it is needed and whether another piece of information can be substituted.

Second, parents need to be vigilant in protecting the child’s information; for example, if they open a bank account or college fund for their child, they must tell the bank to remove the child’s name from any mailing lists. 

Third, the parents must be observant and watch for the possible signs of identity theft, such as the child receiving credit card offers in the mail (some of these offers are just age-unaware marketing, but they can also be indicative of something far more sinister). If the child does receive such offers, or if parents simply want to be thorough in their protection, they should check their child’s credit report to make sure there’s nothing on it. This doesn’t apply if, for example, a parent puts a teenage child on their credit card for spending purposes, but in general, minors don’t have a credit history because they don’t have any activity on their record.

If a parent looks into the child’s credit history and actually FINDS activity, what should he or she do? First, ask to have all of those fraudulent accounts removed from the report. This may mean going through the dispute process with the credit companies. Once the credit issuer learns that the account is in a minor’s name, they will usually cooperate with fixing the problem. Also, report the identity theft to all three of the credit reporting bureaus: Experian, TransUnion and Equifax (for Equifax, you can write directly to their Minor Child Department at P.O. Box 105139, Atlanta, Georgia 30348).

The ideal situation, of course, is to prevent any problems before they arise. Aside from the need for parents to be vigilant in protecting their children’s information, parents must also teach children not to give out sensitive information online or over the phone. Children frequently don’t grasp the importance of maintaining privacy and security, especially when it comes to information that they don’t entirely understand. When I was 13, I knew my Social Security number, but I also probably would have told anyone who asked me what it was. I didn’t know how important it was to my financial future. I’m just lucky that no one ever asked.

Side note: Sometimes, the parents are the ones who steal the child’s identity. Contrary to popular belief, this is not a case of family law. If you know or suspect that someone is using their child’s identity for credit purposes, report the case to the police immediately. A police report is necessary for credit companies to take the case seriously. Cooperate with any investigation, as well.

Sources for this article: The Dallas Morning News, FraudGuides.com, ConsumerAffairs.com, Identity Theft Resource Center

Another spam attack, another lesson in not clicking every link in your email

Posted on August 11th, 2008

Last Tuesday, a new spam attack was launched via email. This harmless-looking message claims to contain top 10 lists from CNN.com, but when a user clicks on the link in the email, a pop-up tells the user that they need to install the newest version of Flash to view the list. The pop-up doesn’t allow the option of canceling the installation and instead traps the user into a neverending loop until the frustrated user either closes the browser window or clicks “install.” Those who click install get to deal with a Trojan horse that contacts another server to get still more malware and install it. The Trojan horse goes by many names, including Cbeplay.a, and security professionals are still having trouble figuring out what malware is indeed installed when the process completes on a user’s system.

According to security company MX Logic Inc., the spam attack traffic peaked on Thursday, with 11 million messages per hour. Even as the numbers have gone down slightly since then, it’s still in the millions of messages per hour. Security pros say that more than 1,000 hacked sites are hosting the fake Flash update, and they also say that hackers have gotten so cocky that they don’t bother trying to hide the sites they’ve hacked. The latest news is still worse: the spam has mutated since the news of the message first broke, claiming to be a CNN “MY Personal Alert” instead of a top 10 list and linking to several malware sites and filenames instead of just one. Some users even say that they’ve received the spam with subject lines that actually reference real articles on CNN, adding to the legitimacy of the message. The links in the email always lead somewhere that insists on a Flash upgrade, though.

Meanwhile, Adobe Systems Inc., source of the real Flash Player, warned people not to click on anything that didn’t come from Adobe directly. They pointed out that ALL software updates should originate with the company and not with a third-party site, so any questionable links should be avoided. If you want to be sure you’re downloading a real, non-malware update, go to the company’s website directly and look for upgrades to download from there. This may seem like too little, too late in terms of security warnings, but it’s one of those things that seems like a no-brainer to IT people but needs to be said (and said more than once) to the average email user.  

The lesson is the same as we’ve talked about here before, regarding email, phishing and other spam attacks: Don’t click on a suspicious link or URL that you get in your email. Put your mouse over a link to see where it really goes before you click it. Have a healthy dose of skepticism when something you didn’t expect arrives in your inbox. And if all else fails, contact the company that the message claims to come from, just to be sure. Don’t just blindly click whatever you’re sent, or you’ll learn some hard lessons (and get some pretty major headaches in the process).

Sources for this article: IT World, ComputerWorld, Techspot, MX Logic

What Color is Your Hat?

Posted on August 7th, 2008

This week in Las Vegas, Internet security professionals from across the country converged for Black Hat USA 2008. The many briefings and trainings that were offered covered a variety of safety issues, such as phishing, malware, data theft, threats to the 2008 Presidential Election, and the DNS flaw we wrote about last week (Dan Kaminsky was in attendance to detail that particular threat). Even current and former government cyber-security officials were in attendance to make presentations and learn the latest and greatest threats to online public safety.

Part of the appeal of this conference (and its follow-up, the hacker conference DEFCON) is that the people who make a living protecting computers from malicious assault can indulge their less-than-heroic urges. In an effort to point out potential weaknesses in the current software and systems in use, the pros unveil their own codes and tricks that circumvent security and leave sensitive data vulnerable to attack.  Of course, the focus is on improved security to foil these attacks, but the real fun is in playing the bad guy (the “black hat”). This is why Black Hat declares itself positioned at the “intersection of network security and hacker ingenuity.”

Despite the creative efforts of security experts, one truth that routinely emerges from these conferences is that, no matter how good the mousetrap, someone will build a better mouse. This year’s Black Hat briefings indicate that the flaws and problems with our current systems are growing almost faster than security professionals can adapt to fix them. For example, web-based software (software that runs in a browser) has inherent weaknesses that are difficult to anticipate and correct, especially at the speed at which applications are being developed. 

Meanwhile, identity theft cases worth billions of dollars continue to come to light, usually with little response from those in the business. When the news broke during the conference that 11 people had been indicted for stealing 41 million credit and debit card numbers from a variety of retail systems (making it the largest hacking and identity theft case in history), the general consensus was not one of shock. Gathered professionals agreed that such crime will continue to persist, largely because it has been so successful and profitable for hackers. As one cyber crime expert for the Department of Defense told an AP reporter, “These guys were just persistent and lucky. And they got caught.” 

The reality is enough to make the average web merchant a little bit paranoid. Are our Internet security measures nothing more than Swiss cheese bricks just waiting for a clever hacker to slip through? Not necessarily. And the other important factor to keep in mind is that, as the need for security increases, the need to preserve privacy must also be considered. The Electronic Frontier Foundation (EFF) chose the Black Hat conference as the place to announce their new Coders’ Rights Project, which is an initiative designed to protect programmers and developers from legal threats that could interfere with their research. Above-board programmers shouldn’t have to worry that their latest, greatest development will lead to a lawsuit down the road; such a worry would have a serious chilling effect on technological advancement.

In the end, a persistent plea at Black Hat was one of collaboration. Working together, some claim, is the best way to thwart the hackers and protect our information. Rod Beckstrom, Director of the National Cyber Security Center in the U.S. Department of Homeland Security, gave a keynote address at Black Hat that walked participants back through history and drew parallels between historic events and the current situation with Internet security. While some of his analogies were elaborate, his message was simple: together, the developers and security professionals are more powerful than on their own. Whether that message will resonate remains to be seen. In the meantime, the best thing the average user or web merchant can do is be cognizant of what COULD happen, and vigilant in watching out for it.

Above all, resist the urge to turn to the “other side”… There may be lots of money to be had in stealing identities, but as Black Hat attendees prove, the efforts to reinforce the mousetrap are tireless and, in many cases, effective. There may never be complete and total security, but hackers don’t stand much of a chance when the guys working against them wear the black hat themselves on occasion.  

Sources for this article: NetworkWorld, Black Hat, PC World, Yahoo! News, InformationWeek

The DNS Flaw that Nobody Saw (Until Now)

Posted on July 31st, 2008

The news in online privacy this week has to do with a recently-publicized flaw in Domain Name System (DNS) caches.

DNS is what takes the website names we type into a browser and translates them into the IP (numerical) addresses that actually take us to the websites we want. Since a web address (say, privacycouncil.org) is easier to remember than an IP address (such as 69.89.31.103), most people ignore the IP addresses and take for granted that the DNS will translate for them, if they give it any thought at all. Clearly, this is a major and vital part of the Internet.

But earlier this year, Dan Kaminsky, director of penetration testing for IOActive, found a pretty major flaw in the system: It’s vulnerable to hackers who could, in theory, change the IP address that correlates to a website name for their own benefit. A possible result of this tampering could be that the average user who types in his bank’s website address correctly could end up being redirected to a fake website that looks exactly like his bank’s page. The user could then type in his username and password as he always does, totally unaware that he just gave his personal login information to a hacker.

This method of address redirection is not the same as phishing, which tricks people into visiting fraudulent websites through faulty links and bogus emails. No, this flaw, known as “cache poisoning,” is more sinister: it could victimize people who do everything right, simply by changing the IP address that is related to a typed-in website address. According to Kaminsky, this flaw has been around for almost two decades. It had simply gone unnoticed by users and hackers alike until he stumbled on it in February.
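To see why a poisoned cache is possible and what the patch changes, it helps to look at the checks a resolver performs before it trusts an answer. The example below is added here and is not from the original post or from any DNS implementation: it models a resolver that accepts a reply only if the transaction ID, destination port and question match its outstanding query and every record stays within the queried zone (the “bailiwick” check). It assumes that the 2008 multivendor patch randomises the query source port, so a blind forger must guess both the 16-bit ID and the port instead of the ID alone. All packets are constructed in memory; nothing touches the network.

```python
"""Model of the acceptance checks a DNS resolver applies to a reply, and of
how much a blind forger must guess to slip a bogus answer into the cache.
Added example, not a real resolver; records and ports below are constructed."""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class PendingQuery:
    txid: int        # 16-bit transaction ID the resolver put in the query
    src_port: int    # UDP source port the query left from
    qname: str       # name asked about, e.g. "www.example-bank.test."
    zone: str        # zone the queried server was chosen for ("example-bank.test.")


@dataclass
class Reply:
    txid: int
    dst_port: int                         # port the reply was addressed to
    qname: str
    answers: List[Tuple[str, str]]        # (owner name, IP address)
    additional: List[Tuple[str, str]] = field(default_factory=list)


def in_bailiwick(name: str, zone: str) -> bool:
    """A record may only be cached if its owner name is at or below the zone
    the server was asked about; this is what stops a reply about one bank's
    name from planting an address for another bank's name."""
    name, zone = name.lower(), zone.lower()
    return name == zone or name.endswith("." + zone)


def validate_reply(q: PendingQuery, r: Reply) -> Optional[str]:
    """Return None when the reply is accepted, otherwise the reason it is dropped.
    The first three checks are what a forger racing the real server must match."""
    if r.dst_port != q.src_port:
        return "port mismatch"
    if r.txid != q.txid:
        return "txid mismatch"
    if r.qname.lower() != q.qname.lower():
        return "question mismatch"
    for name, _ in r.answers + r.additional:
        if not in_bailiwick(name, q.zone):
            return f"out-of-bailiwick record for {name}"
    return None


def guesses_needed(randomised_port: bool) -> int:
    """Size of the (txid, port) space a blind forger has to cover. With a fixed
    source port only the 16-bit txid is unknown; the patch adds ~16 bits of port."""
    txid_space = 1 << 16
    port_space = (1 << 16) if randomised_port else 1
    return txid_space * port_space


if __name__ == "__main__":
    q = PendingQuery(0x1A2B, 53211, "www.example-bank.test.", "example-bank.test.")
    genuine = Reply(0x1A2B, 53211, "www.example-bank.test.",
                    [("www.example-bank.test.", "198.51.100.7")])
    forged = Reply(0x1A2C, 53211, "www.example-bank.test.",
                   [("www.example-bank.test.", "203.0.113.5")])
    print("genuine:", validate_reply(q, genuine))   # None -> accepted
    print("forged: ", validate_reply(q, forged))    # txid mismatch
    print("guesses, fixed port:     ", guesses_needed(False))
    print("guesses, randomised port:", guesses_needed(True))
```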

Kaminsky didn’t give many details of the flaw when he first publicly mentioned its existence on July 8; he didn’t want to give damning information to the hackers. In his announcement, he encouraged those who operate DNS machines to get a patch that would fix the flaw before it became a full-blown problem (a multivendor patch was released that same day). But last week, computer security firm Matasano published (apparently in error) some of the details of the flaw online, prompting fears that the affected computers, perhaps as many as 9 million, wouldn’t be fixed before the hackers used this new information and struck. This week, Kaminsky spoke out again, pushing companies to look to their own weaknesses. He plans to share more details of the flaw at a security conference in Las Vegas next week, hoping to motivate any remaining affected companies to take action.

Kaminsky said that, while 86 percent of people testing their systems on his website were vulnerable to the flaw just a few weeks ago, that number is down to 52 percent now. Another estimate puts the percentage of the Internet that’s unprotected at 41 percent. But just as this news has led companies to swiftly address their DNS weaknesses, it has also motivated hackers to start looking for ways to exploit those weaknesses. And this week, thanks to the leaked details of the flaw, they made progress.

The developers of the Metasploit hacking toolkit released attack code this week that takes advantage of the DNS flaw. Systems that have not yet patched up the problem could face trouble from hackers wielding this new code, and again, the user at home on his computer would probably not notice anything wrong until it was too late. Computer security experts are already expressing concern that this code will be used in attacks, some of which might go unnoticed for a while if the hackers are careful enough. Thanks to the new attack code, it’s now a race against time for companies to update their systems and repair the flaw before they fall victim to hackers.

Kaminsky’s message is simple: Companies must patch their systems NOW. The patch can take time to work through the testing process, be fully implemented on a system and eliminate weaknesses caused by the flaw, and the longer a company delays, the more likely they are to suffer an attack from hackers. Word is spreading about the need for the patch, but it’s difficult to know how many companies have still not addressed the problem on their own computers. Most major Internet providers in the U.S. have already put the patch in place or are in the process of implementing it. But many other companies and smaller ISPs might still be at risk.

By now, it should go without saying that, if you own a company with a web presence, you need to make sure your system is flaw-free, as fast as possible. But should the home user panic? Not necessarily. For one thing, 15 percent of American computer systems and 40 percent of European computer systems are immune because they run software from a Dutch company called PowerDNS, which doesn’t contain the flaw. Also, there are ways for you at home to find out whether your system is vulnerable. DNS checkers, such as those at doxpara.com, DNS-OARC and DNSStuff, can help you determine whether your system is okay. If it is, you should be in the clear. If it’s not, contact your ISP or system administrator and let them know.

If your system is vulnerable (or if you’re just paranoid), you can get around your system’s DNS with sites like opendns.com, where you use their DNS server instead of your own. Don’t waste the time unless you have a legitimate fear of a security breach, though. And remember the good news: As you read this, more and more systems are being patched to fix the flaw. With any luck, the “good guys” will win this race.   

Sources for this article: CNET, CBS News, The New York Times      

Privacy News: COPA Still Unconstitutional

Posted on July 23rd, 2008

News from the online privacy front: another court ruling on COPA.

COPA is the Child Online Protection Act, enacted in 1998 (not to be confused with COPPA, which we posted about before). According to the COPA Commission, which was the Congressional panel formed along with the law, “The purpose of the Act is to prohibit online sites from knowingly making available to minors material that is ‘harmful to minors’ (sexually explicit material meeting definitions set forth in the Act).” In essence, COPA would punish U.S. providers who post material that is “harmful to minors” online for commercial purposes without providing some sort of age verification system, such as requiring a credit card number, in order to keep children from viewing it. COPA was designed to be a narrower law than its predecessor, the much-derided Communications Decency Act (CDA) of 1996, which was struck down on constitutional grounds in 1997 by the U.S. Supreme Court.

If COPA were enforced, those who did not take adequate measures to keep children from viewing sexually explicit material on their websites would be subject to fines of up to $50,000 per offense, prison terms of six months, or both. But COPA is not enforced; it has been inactive almost since its inception because of challenges to its constitutionality by the ACLU and other plaintiffs. In the past, appeals courts have struck down the law for being in violation of the First and Fifth Amendments to the Constitution, and the Supreme Court has upheld the injunction on enforcement because of the likelihood that the law is unconstitutional. The case was referred back to the district court in 2006, and a ruling in 2007 once again saw the law struck down.

Now for the latest news: Despite defenses of the law from the Justice Department, the 3rd U.S. Circuit Court of Appeals on Tuesday upheld the lower court’s decision to strike down COPA as unconstitutional. It’s another blow for the government in this drawn-out battle over how to legislate online protection for minors. As the Center for Democracy and Technology put it, “Congress has spent twelve years attempting to use criminal laws to censor protected online speech on the Internet that is lawful for adults to access. That approach to protect children online has been an utter failure.” 

So just what is the problem with COPA? Protecting kids from harmful material is a great idea, right? The intent may be good, but the law itself is flawed. For one thing, the standards for defining “harmful material” are far too loose and open to interpretation as COPA is written. Even mainstream movies, TV shows, artwork and other socially-valuable speech viewed via the internet could fall under the definition of “harmful materials.” The law’s critics point out that COPA infantilizes the internet and places the burden of responsibility on websites for preventing minors from seeing material directed at adults; even a news site that contains a very small amount of adult material would fall under the umbrella of COPA. The law, as the judges wrote in this latest opinion, “effectively suppresses a large amount of speech that adults have a constitutional right to receive and address to one another…and thus is overbroad. These burdens would chill protected speech.”

In addition, when dealing with free speech rights, the best legal course of action is always to take the least-restrictive means, which COPA does not (filters that parents could install at home would be more effective and less restrictive than COPA). And in the end, COPA can’t stop kids from seeing harmful material that originates on websites outside of the U.S., or on non-commercial sites.

So how can we protect kids from seeing harmful content online? The responsibility lies with the parents, not with the websites. Sites like this one offer tips for parents to maintain control over their children’s internet surfing habits and offer ways to tell if your child might be viewing something they shouldn’t be. Tips include monitoring kids’ internet access, educating them on the dangers of giving out personal information, restricting the use of online chat forums, and using filtering software in order to control the flow of information that the children receive. All of this is far more reasonable and effective than a broad-spectrum, speech-limiting law like COPA. 

Just like in other forms of media, parents are required to be the ultimate gatekeepers to what the children can access. The government cannot force websites to be parents to the detriment of society’s free speech. A free exchange of information and ideas, even at the adult level, is the very definition of the freedom of speech described in the First Amendment. The 3rd U.S. Circuit Court of Appeals did the correct thing in coming down on the side of rights, not restrictions.

Sources for this article: ABC News, The COPA Commission, Child Online Protection Act, Online Child Privacy Tips for Parents, the Center for Democracy and Technology

Web Anonymizers: Do You Need One?

Posted on July 18th, 2008

Do you surf the web but wonder how those sites you visit seem to know you? Many sites gather data, such as IP addresses and search parameters, from users who visit the site. Some pages also leave cookies or “spyware” on the user’s computer so that the site can differentiate users and customize content based on surfing interests. In short, many sites build an ever-updating profile of you, from the items you think about buying to the news you prefer reading.

Most websites claim to do this in order to provide the best possible service to their customers. Not everyone likes the idea of being tracked online, though. For example, privacy concerns have been raised about cookies in the past. And in 2006, Microsoft, Yahoo and America Online admitted to giving records of their members’ internet searches to the U.S. Department of Justice when they were subpoenaed during a web filter investigation, despite the fact that more than half of internet users polled said that they are against search engines turning over data to the government (Google fought the subpoena and won a minor victory against the DOJ). Many people didn’t even know that sites collect unique identifiers such as IP addresses.

To combat online snooping, web anonymizers, or anonymous proxies, were developed. These allow the user to surf the web without leaving a personalized trail behind. The anonymizer accesses the internet on behalf of the user and relays the information in a safe, untraceable manner while hiding the user’s personal information from outside sources (acting as a sort of buffer). The need for this sort of tool becomes readily apparent when we think about anonymous whistleblowing or the discussion of taboo topics, or when people in oppressive nations wish to access websites blocked by the party in power. But anonymizers are also popular with many ordinary users who simply don’t want to be tracked. After the 2006 subpoena incident, for example, sites such as Anonymizer.com and FreeHaven.net saw a sharp spike in membership.

Do anonymizers work? Yes, but with limitations. For example, some anonymizers can’t process secure protocols like “https://” because your browser needs to access the site directly for the encryption to work (NEW INFO: anonymizer.com now handles https; thanks to Lance Cottrell for leaving the comment updating our information). Plugins might have problems, as well, and Java and JavaScript might compromise your security and allow identifying information to be accessed if you use the anonymizer as a regular proxy. Also, anonymizers mean that web sites will no longer be personalized to you when you visit them; a shopping site won’t already know what you like to buy when you go there, so you’ll have to start from scratch in filling your shopping cart.
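The two points above, what an anonymizing relay hides from the destination site and why a relay that cannot handle https leaves you exposed, are easier to see in code. The following is an added example written for this article; it is not code from Anonymizer.com or any other service, and the header list, the generic User-Agent string and the sample request are all constructed for illustration.

```python
"""What an anonymizing web relay strips from a request, and the https caveat.
Constructed example: the header set, the generic User-Agent and the sample
request below are illustrative, not any real service's configuration."""
from urllib.parse import urlsplit

# Request headers that identify the user, their browser session or their origin.
# An anonymizing relay removes these before forwarding the request.
IDENTIFYING_HEADERS = {
    "cookie",           # site-issued identifiers that recognise a returning user
    "referer",          # the page the user came from
    "x-forwarded-for",  # client IP inserted by ordinary (non-anonymizing) proxies
    "forwarded",
    "via",
    "from",             # the user's e-mail address (rare, but defined by HTTP)
}

# A fixed User-Agent shared by every relay user, so the browser string no longer singles anyone out.
GENERIC_USER_AGENT = "Mozilla/5.0 (compatible; privacy-relay)"  # constructed value


def scrub_request_headers(headers):
    """Return a copy of an outbound header map with identifying headers removed
    and the User-Agent replaced by the relay's generic one. Names are matched
    case-insensitively, as HTTP requires."""
    cleaned = {}
    for name, value in headers.items():
        key = name.lower()
        if key in IDENTIFYING_HEADERS:
            continue
        cleaned[name] = GENERIC_USER_AGENT if key == "user-agent" else value
    return cleaned


def relay_can_scrub(url):
    """A relay can only rewrite what it can read. Over http:// the request passes
    through it in the clear. Over https:// the browser's TLS session runs end to
    end with the site, so a relay that does not handle TLS itself cannot see,
    let alone scrub, the headers inside it."""
    return urlsplit(url).scheme.lower() == "http"


def identifiers_exposed(url, headers, through_relay, relay_handles_tls=False):
    """Return the set of identifier kinds the destination site can observe.

    'client-ip' stands for the user's real address; the other entries are the
    identifying headers actually present in the request. When the relay cannot
    handle the request (https on a relay without TLS support, the article's
    caveat), the browser connects directly and everything is exposed."""
    names = {name.lower() for name in headers}
    present = names & IDENTIFYING_HEADERS
    if "user-agent" in names:
        present.add("user-agent")
    if not through_relay:
        return present | {"client-ip"}
    if relay_can_scrub(url) or relay_handles_tls:
        # The relay connects on the user's behalf: the site sees the relay's
        # address and the scrubbed headers only.
        return set()
    return present | {"client-ip"}


# Constructed sample request, roughly what a browser of the period would send.
SAMPLE_HEADERS = {
    "Host": "shop.example",
    "User-Agent": "Mozilla/5.0 (X11; Linux x86_64) Firefox/3.0",
    "Cookie": "session=abc123",
    "Referer": "http://news.example/deals",
    "Accept": "text/html",
}

if __name__ == "__main__":
    print(scrub_request_headers(SAMPLE_HEADERS))
    for url, relay in [("http://shop.example/cart", False),
                       ("http://shop.example/cart", True),
                       ("https://shop.example/cart", True)]:
        print(url, "via relay" if relay else "direct",
              sorted(identifiers_exposed(url, SAMPLE_HEADERS, relay)))
```

Passing `relay_handles_tls=True` models a service that does terminate TLS on the user's behalf, which is the update noted above for anonymizer.com; the trade is that such a relay can then read everything you send through it, so the choice of relay matters as much as using one at all.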

In short, anonymizers aren’t perfect. They’re simply pieces of software that can be circumvented in some cases, and no matter how smart the software “mouse” becomes, someone will probably build a better mousetrap. Still, as long as you don’t expect anonymizers to be ironclad, they can provide a measure of protection from online tracking. Don’t let things like a firewall and anti-spyware protection slide, though; the more security you have in place, the safer you’ll be.

Sources for this article: www.eweek.com, www.searchenginejournal.com, www.anonymizer.com, www.livinginternet.com, www.securiteam.com, www.opennet.net, searchsecurity.techtarget.com

The Telecoms are Safe; The People are Watched

Posted in July 11th, 2008

On July 9, 2008, the U.S. Senate committed to protecting telecommunications companies. From what, you might ask? From the lawsuits that have been springing up against the telecoms for aiding the government in wiretapping Americans without court authorization.

First, some background: The Foreign Intelligence Surveillance Act (FISA), which went into effect in 1978, created a court that had to approve any wiretapping requested by the government. The idea was that the sort of secret wiretaps that occurred during Watergate and the Vietnam War, wiretaps that were for mostly political reasons, should not be allowed to occur. The court, it was decided, would provide the oversight that would keep the government above-board in its surveillance.

Fast-forward to the new millennium. According to an article published in The New York Times in December 2005, President George Bush secretly authorized the National Security Agency (NSA) in 2002 to start eavesdropping on the international phone and email communications of people in this country without a court order. The NSA was to be looking for and preventing terrorist activity after the 9/11 attacks. The monitoring went on for three years before the New York Times story broke, and once the cat was out of the bag, critics began to declare that such eavesdropping, often on up to 500 unsuspecting Americans at any given time, was both illegal and unconstitutional. The program’s defenders, on the other hand, said that the activity was a vital tool in preventing terrorist attacks, and that the lack of court approval meant that the government could move more quickly in protecting this country. They also said that Bush had been given the power to initiate the snooping based on the Congressional resolution that gave him power to wage war against Al Qaeda.

Even before the program was brought out of the shadows, senators and others who knew about the monitoring were raising concerns. Some were worried that the NSA had too much power and not enough restrictions on their behavior. In addition, of course, was the fact that FISA had been bypassed entirely with this program. The court that was put into place to protect the public against unwarranted communications monitoring had been ignored by the government, and some in the government (of the few NSA, CIA, Congressional, Cabinet and administration officials who knew about the program) questioned the legality of the eavesdropping.

With the program now made public, watchdog groups and privacy advocates were up in arms against it. Americans were being denied civil liberties, they insisted, in the name of national security. While any communications that were wholly domestic (i.e., from one place in the U.S. to another) still required a warrant to monitor, the international communications of thousands of Americans were secretly heard by NSA agents. Critics of the secrecy also pointed out that FISA is more agreeable than one might expect in granting wiretapping warrants: few requests for such warrants were ever denied, and the permissions were frequently granted in a matter of hours if the situation called for speed. In short, the administration’s actions in circumventing the checks and balances of the government did not sit well with many Americans.

As the investigations into the wiretapping progressed, it became clear that several telecommunications companies had aided the NSA in the snooping. The NSA, after all, needed cooperation from the companies to access the data records of the people they had monitored. Americans began to file civil lawsuits against the telecoms for their part in the program, and as of this week, more than 40 such suits had been filed in U.S. District Court. The U.S. Congress has been working for the past year on legislation that would address the wiretapping issues in this country, and after a bitter struggle, they reached a rather lopsided agreement this week.

This is where the protection for the telecoms comes in this week: The bill that the Senate (and earlier, the House of Representatives) approved on Wednesday overhauls the eavesdropping program but also calls for immunity for the telecoms against the lawsuits. Americans, in short, have no legal recourse against the telecoms for their participation in the questionable wiretapping activities. In fact, the White House had threatened to veto the bill if it DIDN’T protect the telecoms. Amendments that were proposed to weaken the bill or delay the immunity were also defeated. The new bill requires the government to get permission from FISA before monitoring Americans overseas, but it also allows the government to get broad, yearlong permissions that target entire groups of people. It also gives the government the right to monitor communications without permission for a week (in an “emergency” situation) before having to apply for a court order.

Many lawmakers were against the bill, for a variety of reasons. Senator Arlen Specter, R-PA, called the bill “buying a pig in a poke.” Senator Russell Feingold, D-Wis., put it more bluntly: “This president broke the law.” One of the biggest complaints from the lawmakers was that the details of the snooping are still classified and kept private from many of those in Congress, meaning that the Congresspeople were being asked to vote on protecting the telecoms without actually knowing what they did in the first place. The bill dismisses the 46 lawsuits currently pending against the telecoms, but three additional lawsuits against government officials will continue for now.

The ACLU calls the bill “a blatant assault upon civil liberties and the right to privacy,” but supporters of the bill call it a protection of those rights. Senator Christopher Bond, R-Mo., said, “This is the balance we need to protect our civil liberties without handcuffing our terror-fighters.” Whatever the motivation, the decision was reached on a deadline; current wiretapping authorizations will begin to expire in August, and without new legislation, the guidelines would revert to the old FISA rules, which would require many new orders and delays in the wiretapping efforts.

So are NSA officials listening to your phone calls or reading your emails right now? Probably not. Should you worry? Worry less about monitoring on your own lines and more about the broader ramifications of this legislation. What is security worth? The delicate balance of safety and liberty is one that has been brought into stark relief since 9/11, and as Americans move forward, the privacy of our communications will become an increasingly hot issue. Some say that, if you have nothing to hide, you have nothing to fear from monitoring. But in 1975, as Senator Frank Church, D-Idaho, investigated the NSA, he was troubled enough to say: “That [spying] capability at any time could be turned around on the American people, and no American would have any privacy left, such is the capability to monitor everything: telephone conversations, telegrams, it doesn’t matter. There would be no place to hide.” Whether you have anything to hide or not.

Sources for this article: www.breitbart.com, The New York Times, www.cbs11tv.com, ap.google.com

Tracked with our cell phones

Posted in July 4th, 2008

Many cell phones today come with a convenient GPS feature that allows the user to find his or her way around unfamiliar territory. What some people don’t realize, though, is that others can monitor YOUR whereabouts because of the signals your cell phone sends out.

The June 4, 2008 issue of Nature featured an article about humans and where their daily movements take them. Tracking the movements of human populations over time can be vital to tasks like controlling disease outbreaks and designing urban areas. The study’s authors followed Europeans for 6 months to collect data about where they went, what patterns emerged from their travels, etc. How did the authors track the people? By tracking their cell phones.

The cell phones of 100,000 users sent data to an unnamed European cell carrier, which then shared the anonymized data with the study authors. Every time a call or text was made (and the cell users made millions of them), the carrier recorded the location (to within 3 km) that the user was in at the time. After six months of data, the study authors found that, by and large, humans are creatures of habit. Most people found themselves in the same places, day after day, making calls or texts from those places. It’s a fairly obvious conclusion, but the authors determined that “people devote most of their time to a few locations.” And our cell phones, as well as the ease with which we are tracked, provide the proof.
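The measure behind “people devote most of their time to a few locations” is simple to reproduce, and reproducing it shows why anonymized call records still worry privacy advocates: the habit is visible even when the user id is a random number and the location is only a coarse cell area. The following is an added example written for this article, not the study’s code or the carrier’s data; the records, user ids and cell-area names are constructed.

```python
"""Share of a user's call records made from their few most frequent cell areas.
Constructed example: the records below are invented, not carrier data."""
from collections import Counter, defaultdict

# Constructed call-detail records as (anonymized user id, cell area id).
# Real records would also carry a timestamp and the call type; only the
# location column matters for this measure.
SAMPLE_RECORDS = (
    [("u1", "A1")] * 5 + [("u1", "B7")] * 3 + [("u1", "C2")] + [("u1", "D4")]
    + [("u2", "E9")] * 6 + [("u2", "F3")] * 2
    + [("u3", "G5"), ("u3", "H6"), ("u3", "I1"), ("u3", "J8")]
)


def top_location_share(records, k=2):
    """For each user, the fraction of their records made from their k most
    frequent cell areas. A value near 1.0 means the user is almost always in
    the same couple of places (typically home and work)."""
    per_user = defaultdict(Counter)
    for user, area in records:
        per_user[user][area] += 1
    shares = {}
    for user, counter in per_user.items():
        total = sum(counter.values())
        top = sum(count for _, count in counter.most_common(k))
        shares[user] = top / total
    return shares


def habitual_users(records, k=2, threshold=0.75):
    """Users whose top-k areas account for at least `threshold` of their
    records, sorted by id. These are the users whose routine a coarse,
    anonymized log still describes well."""
    shares = top_location_share(records, k)
    return sorted(user for user, share in shares.items() if share >= threshold)


if __name__ == "__main__":
    for user, share in sorted(top_location_share(SAMPLE_RECORDS).items()):
        print(f"{user}: {share:.0%} of records from top 2 areas")
    print("habitual:", habitual_users(SAMPLE_RECORDS))
```

The threshold and `k` are choices for the illustration, not values from the paper. The point for a data holder is that removing names from such a log does not remove the pattern; whether the log can be linked to other data, which is the concern raised about Path Intelligence below, is what decides how sensitive it is.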

The use of cell phone data to keep tabs on the public doesn’t stop with determining call locations for the benefit of science. That technology has existed for years, albeit in a less-than-precise form. But now, a UK-based company called Path Intelligence is taking cell phone signal monitoring to a new level. A shopping center can place a Path Intelligence FootPath(tm) device on its wall and track users who are wandering the shops, even if they’re not making a call at the time (a cell phone that’s turned on will emit silent pings back to the network when it’s not in use, and those pings can be tracked). The system can monitor when people enter the shopping center, how long they stay, what stores they visit, and even what route they take through the building, all to within a few meters of distance. It can also keep track of the country in which a given phone is registered. As of May 16, 2008, two shopping centers in the UK had installed the Path Intelligence system, with three more planning to install it in the next month.

Is this a bad thing? Privacy watchdogs say it might be. Path Intelligence claims that its system can’t record information from a user’s cell phone, such as personal identity, phone numbers, account information or other sensitive material. But even supporters of the system do caution that it would be inappropriate if the system were to be linked to other systems that contain personal information. While getting a good idea about the shopping interests and habits of customers might be extremely helpful to shopping centers, intruding on personal privacy is not a responsible means to gain that information.

In addition, many people dislike the idea of being monitored in their movements. When an article about this system was posted at the Times Online, comments on the article from readers included concerns that the monitoring could extend into private homes if the homes were located close enough to the shopping centers. Questions were also raised about whether customers in the shopping centers were informed of the monitoring when they entered, or whether this monitoring was a form of forced “market research” (the article did not address this question). In short, many cell phone users might be uncomfortable with the thought that someone else is watching their movements, especially without their consent.

Path Intelligence, however, counters these concerns by saying that their FootPath(tm) technology is less invasive than closed-circuit televisions or other monitoring devices currently in place in many shops. “All we do is log the movement of a phone around an area,” they say in their website FAQ, which is less intrusive than methods that collect more personal information, such as your image. They insist that their system does not collect or keep personal information, and they say that their monitoring is similar to watching a dot move around a screen (or many dots, in the case of a shopping center). They currently encode the information that they receive in order to further protect the privacy of customers, as well.

Do you feel better, or are you feeling “watched”? One way to address this concern is simple: turn off your cell phone if you don’t want to be tracked. It makes it more difficult for people to reach you, of course, but if you don’t want the cell phone companies (or anyone else) to know your physical whereabouts, it’s the only way to be invisible. Other than total technological disconnect, there’s not much that average cell phone users can do about being tracked if the cell providers deem it worthwhile. For now, our technology, by its very nature, makes it possible for us to be a dot on a screen.

Sources for this article: ars technica, Nature, The Times Online, Path Intelligence; Photo source: FCC

Can LifeLock really protect you?

Posted in June 27th, 2008

You’ve probably seen LifeLock’s ads on TV: The CEO, Todd Davis, hands out his own Social Security number to strangers and even has a truck with the number painted on it drive around town, assuring the viewers that, thanks to LifeLock’s protection, no one can steal his identity. He also claims that, should a client’s identity be stolen, LifeLock will fix the problem and reimburse the client. But can this service, which costs roughly $10 per month, truly protect you from identity theft, reduce your junk mail and give you peace of mind? And is it all it claims to be?

Experian, one of the three main credit bureaus, says no. They filed a lawsuit against LifeLock in February, claiming deception and fraud in the attention-grabbing advertising campaign. Davis calls the lawsuit groundless. Some of the details of Experian’s claims:

1. Fraud alerts, which notify companies that check credit to be on the lookout for imposters, are LifeLock’s main fraud prevention tool. Under the Fair Credit Reporting Act, fraud alerts can be requested only by an individual, either the consumer or someone acting on the consumer’s behalf, not by a corporation. They can also be requested only when there is a strong suspicion of impending fraud or identity theft (say, when your credit card goes missing). LifeLock, however, has placed continuous fraud alerts on the credit files of its approximately 1,000,000 customers, which is against federal law, Experian claims. They say that LifeLock pretends to be the consumer and actively avoids detection as a corporation. They also maintain that this constant “crying wolf” ties up the Experian systems and slows the process down for legitimate fraud alerts.

2. Experian also claims that LifeLock uses deceptive advertising because credit reporting is free under the Fair Credit Reporting Act, but LifeLock does not make it clear to consumers that the credit reports (and many of the other services, such as junk mail reduction) are free to obtain through other means. Experian also charges that the advertising is deceptive because the service does not afford all of the protection it claims; it cannot prevent an identity theft in progress or the unauthorized use of a credit card, and is not always effective in preventing undocumented workers from using stolen Social Security numbers to get a job.

Davis counters the first claim by saying that placing fraud alerts is legal and “in the spirit of the Fair Credit Reporting Act.” He notes that LifeLock customers are happy and satisfied with the service, and that he has received no complaints of deceptive practices. He addresses the second claim by saying that his service makes it “virtually” impossible for someone to steal a client’s identity (the word “virtually,” he says, keeps the ads from being deceptive).

It should be noted that the fraud alerts do cost the credit bureaus time and money to run, which they don’t appreciate, obviously, but the alerts may not be as illegal as Experian claims. Experian is also under investigation by the FTC for running www.freecreditreport.com, a site that charges customers for credit monitoring and could be considered a competitor to LifeLock. Davis suggests that Experian simply wants to make more money and sees LifeLock as a threat.

As to the reports that Davis’s identity WAS stolen, the reality is that it was not. One man got a $500 payday loan using Davis’s Social Security number, but the clerk who took his information did not run the number through any of the credit bureaus for verification before handing over the money. Once the fraud was discovered, LifeLock fixed it, and Davis’s credit is just fine, even after 87 other failed attempts to steal his identity.

LifeLock is not the only company that offers its services to consumers (see also Debix, LoudSiren and TrustedID). But as of this month, LifeLock had become the target of several class-action lawsuits from competitors, credit bureaus and lawyers in several states. LifeLock is an easy target, thanks to its memorable and slightly scary advertising. But many experts doubt that the lawsuits have any merit, and interpreting the Fair Credit Reporting Act might easily go in favor of LifeLock (especially since many people have been potentially compromised when their personal information has gone missing from the computers of companies, banks and other agencies, so they’d have reason to put fraud alerts on their accounts).

Wired columnist Bruce Schneier makes the point that LifeLock does what the government should do anyway: make stolen personal information harder to use. That said, though, he is not a customer of LifeLock because, as he puts it, dealing with identity theft is routine and not nearly as damaging as it used to be. Also, it’s hard to tell how effective LifeLock is, since it gains customers more from the fear of identity theft than from the theft itself.

In the end, LifeLock can be a very useful and reassuring service if you choose to pay for it, but you can keep track of your own credit and identity yourself, for free. You can put your own fraud alerts on your account if you remember to renew them every 90 days (since fraud alerts expire). You can request free credit reports at one per year (visit www.annualcreditreport.com, for example). And of course, above all, you should be careful with your personal information. Shred credit card offers and other documents that come to you in the mail; don’t give out your personal info over the phone or in email; and investigate unknown charges to your accounts. Being a conscientious consumer may be all it takes to protect yourself from identity theft and fraud.

Sources for this article: MSNBC, LifeLock Reviews, WIRED
