What’s in Your Data Profile?

Lexis Nexis - The bottomless pit of user data

LexisNexis and ChoicePoint are two of the largest data-brokers in the world. Their only product is information about you, which they buy and sell with little to no regulation of any kind. I have always wondered what kind of information they keep about us, and now I know. In the profile I ordered from them, I found not only several pieces of my personal information, but descriptions of other kinds of information that they collect. Here is a summary:

Information they Had

  • Full first, middle, and last name
  • Wife first, middle, and last name
  • Address history with dates and locations
  • Social Security Number
  • Full date of birth
  • Driver’s License Number
  • Vehicle VIN
  • Insurance history including companies, policy details, dates of coverage, accidents, claims filed, etc.

Information they Collect, but Didn’t Have For Me

  • Auto and property insurance history
  • Pre-employment background report including “personal credit information” and state driving record.
  • An Esteem® report which lists admitted or convicted cases of theft while visiting or working at a retail company (used by retailers for hiring).
  • A ScreenNow® report which displays a ChoicePoint national criminal records search of your name and personal information (used for hiring and volunteer work).
  • A Resident Data® history that includes personal credit information and a criminal record search (used for rental applications).
  • A Resident Data® eviction report used for resident screening.
  • FAA Aircraft Registrations
  • Uniform Commercial Code filings (when securing a loan with collateral).
  • Bankruptcies, Liens, and Judgments
  • Professional Licenses
  • Pilot Licenses
  • Marine Radio Licenses
  • Controlled Substance Licenses (for physicians, dentists, pharmacies).
  • Firearms and Explosives Licenses
  • Business Affiliations (for officers or principals of an incorporated Company).
  • Significant Shareholders Search Results – If your name and address appear at the top of a corporation record.

And the most exciting part of all of this is that you never asked to be part of their profiles, they just take it. Neat huh?


Blippy – Share Your Purchases In Real Time With The World

A completely horrifying service that some people have actually signed up for.

When you first hear about Blippy, the purchase-sharing website, you would think that no one in the whole world would be crazy enough to sign up. You’d be wrong.

Blippy is a service where you can share your purchases on most of the major web stores in real time (similar to Twitter). ALF just got a movie at Netflix (Full Metal Jacket… classic!). Jessestay just bought something at iTunes for 2.99 (Epitaph One, by Dollhouse). On and on the purchases go. As they scroll by, I learn more about where the people live, what kinds of things they like, and what kinds of secrets they have. One user just purchased an iPhone app to find, let’s say, non-traditional bars in his city.

Believe it or not, the complete transparency of your purchasing habits is the least of your worries on Blippy. This site, supposedly run by four average-sounding college graduates, promises good security and protection of your information, but history shows that even major banks and government agencies are hard pressed to keep data safe. Especially if they’re a big target!

So what makes Blippy a big target? Well, you may have heard my advice not too long ago to never give away your e-mail address password to these new sites like Facebook and Twitter that use your address book to add friends automatically. Blippy does the same thing, but for your web stores AND your bank accounts too!

In case you missed it, let me say it again more clearly: Blippy gets their information of your purchases by logging into your iTunes, Netflix, or eBay accounts and constantly monitoring them for new purchases. And not just web stores, but banks and credit cards too. Bank of America, Citibank, Chase, Paypal, and American Express are just some of the ones they’re set up for currently. All you have to do is provide all your usernames and passwords for each service you want to share your purchases for with Blippy.

You don’t have to be a privacy nut like me to find that prospect completely horrifying.


UK To Turn Anti-Terror Technology Against Citizens

We'll be watching you...

For whatever reason, the future proposed in the movie V for Vendetta seems to be approaching every day in the UK.

From the Guardian:

Police in the UK are planning to use unmanned spy drones, controversially deployed in Afghanistan, for the "routine" monitoring of antisocial motorists, protesters, agricultural thieves and fly-tippers, in a significant expansion of covert state surveillance.

The UK is constantly in the news for gathering data on its citizens into databases, so this comes as no surprise, but it's like watching your beloved sibling descend into drug addiction and homelessness. We can offer the people of the UK a safer place to live (for now anyway), but as far as the government's over-reaching dictatorship tendencies go, all we can do is advise and hope for the best.


Why You Shouldn’t Trust Facebook With Your Data


It looks like a Facebook employee decided to come clean about Facebook's horrid data protection practices.


CEO of Facebook Claims Privacy Isn’t a Social Norm


As justification for the complete jerk-move Facebook recently made that forced many people's private information into the public against their will (his included), Mark Zuckerberg claimed publicly that privacy is no longer the social norm:

I think that people can agree they don't like things like getting embarrassed, getting fired, or getting robbed by the things found in their Facebook page (each of which happened). Sadly, people experiment with getting involved with the Internet via Facebook and it takes something drastic for them to learn that they should be more careful about what they share.


TSA Nudie Scanners May Violate Child Porn Laws

EPIC has been fighting what they call Whole Body Imaging for a while now, but this is an interesting new twist. I never thought about this before, but taking a nude scan of a minor is a violation of child pornography laws.

So if this is really the case, and the TSA doesn't get some kind of exception, they will be barred from scanning anyone under 18, at which point the terrorists get an advantage by sending through young recruits (or ones young enough to plausibly lie about it).

The really sad thing about all this is that the technology is very good. It's less invasive than a strip search or pat down and it's extremely fast and easy for the traveler. If it were possible to trust that the TSA could keep the images from being stored and distributed, maybe even I could support it.


Facebook Founder Zuckerberg Tastes The Sting of His Own Bully Tactics

Betcha never meant for that to be public

So Facebook is not exactly known for protecting people's privacy. Besides many grievous displays of poor security, they have only added decent privacy controls over time, none of which matter because you can get to the pictures anyway and every installed Facebook app can get all your data too.

All that aside, assume that setting your privacy controls is still better than not setting them. Facebook pulled a real jerk move recently when it required all users, when they first logged in for the day, to make a decision about their privacy settings. You had to click to keep your current settings, but if you didn't, it would open your profile up using the new default settings.

Though it probably doesn't change anything in the long run, it's quite satisfying to know that Mark Zuckerberg, the founder and CEO of Facebook, fell prey to his own tactic.

In a bit of very interesting timing, Zuckerberg’s photos have been made public to the entire internet, mostly through a post from gossip blog Gawker, after Kashmir Hill at True/Slant discovered and reported that Zuckerberg was sharing photos with a wide circle — friends of friends — and his event calendar with everyone.

Serves him right.

Facebook did not immediately respond to a call seeking comment about whether Zuckerberg’s changes to his privacy settings were deliberate, leadership-by-example-style actions. But in a status update on his profile (pictured above), Zuckerberg says he sets most of his content open and “didn’t see a need to limit visibility of pics with my friends, family or my teddy bear :)”

Sure… He claims that he didn't mind that they were public and that he did it on purpose. Of course it wasn't proof positive that the settings changes are confusing and designed to nudge people out of their privacy into the public eye. Still, some would claim foul.

But why did Zuck suddenly decide to be less private than two months ago, when his settings were uber-private? You couldn’t even friend him before, and you certainly couldn’t see him shirtless..

The fact that Zuck drastically reduced his privacy settings makes me think the Facebook CEO did this accidentally, and now doesn’t want to change back for fear of the resulting PR disaster.

I wonder if Zuckerberg is regretting this move now. He can't go back towards privacy without making it seem that he's a hypocrite. Still, you have to wonder if he's going to start posting less information to his event calendar and photo albums than before since it's been forced for PR reasons to remain public.


Google Dashboard is a Good Step for Privacy

Better privacy controls? Yes please!

For as long as Google has existed, it has been and continues to be my favorite search engine by far. I like the company, their services, and just about everything about them except for one thing: abysmal privacy policies.

Though Google has legitimate use for storing search records to see how long it takes someone to find what they're looking for, there's no need to store an IP address along with the search records. Any unique identifier would work. There's certainly no reason why Google should store your records for 18 months, let alone 18 minutes.

To be fair, sometimes they get things right, like when they strongly resisted government invasion of search records, but the information is there and that creates a risk.

While that issue is still in the air, Google recently made another step in the right direction with their Google Dashboard feature. When logged into any Google service, you can go to http://www.google.com/dashboard to see a consolidated listing of everything Google knows about you. Documents, chat records, search history, etc.

The service gives you single-page access to the privacy controls for every service that you're using with Google. This not only makes what they have on you more transparent, but easier to manage. Granted, they have more work to do in giving you control over what's stored and what isn't, but you can at least delete some of the data. For instance, if you've made searches in the past that list your home address or medical information and you don't want Google to have that on file, you can delete it.

Of course, that doesn't get rid of every copy that exists, but it at least takes it out of their current records and makes it less likely to get swooped up by government snooping or any future data breaches that Google might suffer. All in all, a very good step in the right direction, so make sure to check it out if you use Google services.


The Geek Privacy Principle

You might have heard of the "need to know principle" used in movies and such (usually in a comedic way). Despite the mockery people assign to the phrase, it is not only quite valid, but a very good rule of thumb.

In the classic form, any decision to provide information to someone must pass the "need to know" test. If the person requesting information has no legitimate need for the information, you don't provide it.

People who, like me, think Internet communication and collaboration is a great thing and that open and transparent government is vital to the health and continuation of our country usually think that need-to-know is the exact opposite of those ideals when, in fact, it is not.

The truth is that open government doesn't mean that people know EVERYTHING. They can't and shouldn't know everything that our police and courts know because if they did, enemies of our country could use them against us.

Similarly, people have been learning for a few years now the consequences of posting too much online or not being careful with who they add to their friends list on social networking sites: getting embarrassed, fired, robbed, etc.

The Geek Privacy Principle

Need-to-know doesn't go far enough
The main problem is that need-to-know doesn't go far enough. It's not just a matter of whether they "need" to know the information, it's also about whether you want to give it.

Remember that privacy is the right to decide who knows what about you and when. It's your information and as long as you haven't performed criminal acts, you maintain that right. Therefore, even if someone has a need or right to know in some sense, you should first decide if there's any specific benefit to providing the information. Benefits usually fall into one of these categories:

To be reasonably social

The unwritten rules of social engagement are that you will typically show the same level of trust and intimacy with a friend as they show to you (with some room for margin).

You will be more open with friends and family than with coworkers or acquaintances, and you will also adjust the things you say based on where you happen to be at the moment (for example, most people who are cautious with their private information will be mindful of how loud they speak in restaurants or on the bus).

To obtain goods or services

If you want something delivered, you'll need to provide your address. If you want to take your kids to the doctor, you will have to provide name and insurance information.

Now to bring it together:

If there's no purpose or benefit to providing information, the only possible consequence is negative

Given these odds, wouldn't you agree that it's much smarter to keep things to yourself?

How to apply the principle

In social situations

In social settings, there may be many situations where someone asks you something you don't want to provide. A business interview, a neighbor, an old schoolmate you see one day in the grocery store; all of these might tread a little too far into your personal life.

If you learn to adopt the Geek Privacy Principle, you won't tell them any more than they need to know and certainly nothing that you're uncomfortable providing. To respond to a question that goes too far, try this:

  1. Ask, "Why do you want to know?", "What do you mean?", or "Why do you ask?". Doing so buys you a little time to think about whether you really want to answer or not, but it also gives them the chance to clarify. They may drop the subject right then, realizing they went too far, or they may not have meant what you thought at all.
  2. Once you have clearly determined that you do not want to answer, a simple way of handling it is to say "I prefer not to say", "That's a bit personal", or in a business situation "I don't believe that question is relevant to my work performance". It takes some guts to do this, but it's well worth learning.

For obtaining goods and services

  1. You receive a request for information. Ex. "What's your phone number?".
  2. Determine their need for the information by asking them why they want it. In this case, let's assume that the haircut place will remember the details of your cut so they can repeat it easily the next time.
  3. Decide if you benefit from the information request. For example, do you care if they remember what "numbers" they used for your haircut?
  4. Question the validity of the request. Ex. Must they have your phone number for that? Won't any number do? If so, now would be a good time to apply your privacy alias (explained later in this guide).
  5. In cases where it's not legal (when dealing with courts), not ethical, or not practical (to obtain healthcare with your insurance) to provide your alias information, your only option left is to decide to provide the information or walk away (but be willing to walk away when necessary).

In Summary

Always remember that the more information someone has about you the more creative and successful they can be if they ever decide to destroy you. The neighbor who hates your guts, the spurned ex girlfriend or boyfriend, the guy who you accidentally cut off on the highway.

And sometimes, you can't tell the difference between a regular person and a psycho killer which is why you should never, ever say "I've got nothing to hide…" (go to next section).

Using E-Mail Aliases Properly

angry_eggplant@nosuchmail.com

Have you ever thought about the art-form that is picking an e-mail name? You have to choose one that no one else is using, it has to be creative or descriptive of you in some way, and not include too many numbers (angry_eggplant is creative, but angry_eggplant375253 is lame and hard to type too).

But there's more to it than that. If you're using an account for business, you'll probably want your business name or personal name. If you're using the account to sign up for religious, political, or hobby sites that you don't necessarily want people to associate with you for privacy reasons, using your real information is not a good idea.

Many e-mail services also let you choose a display name that is different from your e-mail address (which is how spammers can show up in your e-mail box as "Joe" when their actual address is eoi26@aoidjwd.net).

Whether it's your e-mail itself or just the display name, follow The Geek Privacy Principle: Never give up important data without a reason.

How to choose a good business e-mail name

First, decide how you want to use the e-mail account. Generally, only in cases where you are specifically using an account for a business of some sort would I say it's ok to use your real name. Even then, why list your full name when your first name and last initial (or the reverse) will do? Here are some examples:

  • Jeremy D (jeremyd@nomail.com)
  • J Duffy (jduffy@nomail.com)

Be careful that your e-mail name combined with your display name doesn't give away everything, as in this case: Jeremy D (jduffy@nomail.com).

You can also get creative with your e-mail (which you usually have to do since there are probably a lot of people with your name that already have e-mail accounts). Maybe something like this would work:

  • Jeremy (thegeekprofessor@nomail.com)
  • Jeremy (onestopcomputing@nomail.com)

I know plenty of people who look perfectly professional with public e-mail accounts by using their business name as their alias and using the display name to make who they actually are more obvious.

And in the final case where you have your own domain name, it's pretty easy to create a good e-mail name, but don't over-do it:

Good

  • jeremy@thegeekprofessor.com (not a real e-mail by the way)

Not Good

  • jeremyduffy@thegeekprofessor.com (unless you don't care that EVERYONE knows your last name)
  • Jeremy.G.Duffy@thegeekprofessor.com (is there ANY point to giving out your middle name or initial? I don't think so).
  • CEO_Jeremy@thegeekprofessor.com (Way to paint a target on yourself. Prepare for Phishing and worse).

How to Choose a Good Personal Username

Real name and BIRTHPLACE!?

The first rule is to not use your real name or any other important information. At the MOST you can put your first name as your "display name" so people have an idea of who you actually are, but unless it's necessary, it's better not to.

The second thing is to think twice about what IS important information in the first place. Do you really care if everyone knows that you love dolphins? Probably not, but if you are trying to be anonymous, even that amount of information could be used to help uncover your true identity.

Also, if your e-mail name broadcasts the things you like, that can be used by someone to social-engineer you. Now, it might be paranoid to avoid something so innocent for a fairly low risk of being conned, BUT if someone were to contact you talking about how much they loved dolphins, remember that a con artist will start out by trying to build rapport and a good way to do that is to love what you love.


Check out one of my guides/tutorials:

goodbye identity theft Tutorial

Too Late!

If you've already become a victim, here is a list of things you should do.

Solving ID Theft

Lock your credit reports with a Credit Freeze to prevent credit-based ID theft (90% of ID theft risk).
Learn to protect your information to prevent not only ID theft, but many other kinds of problems (the rest of ID theft risk).

Save Time and Money

Cancel credit-monitoring services.
Cancel ID theft insurance.

Who is Responsible?

Sometimes you just have to wonder why it's so easy to steal identities in the first place.


Privacy Alias/Persona

Sometimes you are required to give away information to be able to get service, but you know the company has no real need of your data other than to share and sell it. In these cases, having a personalized alias comes in handy.

This guide will explain in more detail why you should have one and how to create it.


Preventing Spam

Spam is annoying and worthless, but you still see it every single day. Here are some tips for preventing and reducing spam.


The Geek Privacy Principle

The most basic principle of privacy is to be able to choose who knows what about you and when. The Geek Principle describes why you should choose by default not to share information.


Phishing

By far the most dangerous thing you'll find in e-mails is a lie. Sending a bogus e-mail to someone is generally called phishing, but can also be referred to as a Nigerian scam (depending on the goal of the e-mail). Learn to recognize and deal with phishing before it's too late.


The Identity Theft Victim's Mini-Guide to Recovery

If you've already experienced ID theft, here are some tips of what to do next.


Credit Freeze

Setting a credit report freeze is the fastest and most effective way to actually block and reduce your risk of ID Theft. And it's free.


Out and About Defense

The best defense against non-credit ID Theft and a variety of other risks is to adopt a mindset of protection: Data Defense. Learn how to protect your information with simple and sometimes free countermeasures all based on a simple philosophy that the fewer people who have your information, the safer you are.