115 posts categorized "Identity Protection"

National Protect Your Identity Week 2012

Not sure what you can do to protect your sensitive personal information? October 20 - 27, 2012 is "National Protect Your Identity Week" (NPYIW).

The ProtectYourIDNow site contains a wealth of information for consumers, plus local events by state. I visited the website to see what's available this year. There are some interesting statistics about how consumers fail to protect themselves and their sensitive personal information:

"68 percent of people with public social media profiles shared their birthday information (with 45 percent sharing month, date and year); 63 percent shared their high school name; 18 percent shared their phone number; and 12 percent shared their pet's name -- all are prime examples of personal information a company would use to verify your identity."

While it may feel nice to receive birthday congratulations from your "friends" on social networking websites, the fact is that your birth date is a sensitive and critical piece of personal information that data brokers (and identity thieves) use to distinguish between multiple people with the same name. Experts warn consumers to stop doing these seven things on Facebook and other social networking websites. Some other interesting statistics:

"Seven percent of Smartphone owners were victims of identity fraud... 32 percent of Smartphone owners do not update to a new operating system when it becomes available; 62 percent do not use a password on their home screen... 32 percent save login information on their mobile device... Young adults, aged 18-24, took the longest to detect identity theft - 132 days on average... the average cost ($1,156) was roughly five times more than the amount lost by other age groups... Children may be 51 times more likely than adults to have their identity stolen..."

The NPYIW website includes tips to protect yourself, informative videos, advice about what to do if you are a victim of identity theft and fraud, and an online quiz to test your knowledge about identity theft and fraud. Sponsors of NPYIW include the National Foundation for Credit Counseling, the National Sheriffs Association, the National Association of Triads, the Consumer Federation of America, the Council Of Better Business Bureaus, the U.S. Federal Trade Commission (FTC), the Identity Theft Resource Center, the National Crime Prevention Council, the Credit Union National Association, and many others.

Did you attend an NPYIW event? If so, share your experience below.


Survey: How Mobile Device Users Protect Their Privacy With Mobile Apps

A recent survey by the Pew Research Center investigated how mobile device users manage their privacy. The survey included both cell phone users and smart phone users. Key findings:

"54% of app users have decided to not install a cell phone app when they discovered how much personal information they would need to share in order to use it; 30% of app users have uninstalled an app that was already on their cell phone because they learned it was collecting personal information that they didn’t wish to share. Taken together, 57% of all app users have either uninstalled an app over concerns about having to share their personal information, or declined to install an app in the first place for similar reasons."

It is good to read that consumers are not blindly downloading and using mobile device apps, since prior studies have documented sporadic and inconsistent access to privacy policies for mobile apps. After pressure from the California Attorney General, several companies (e.g., Amazon.com, Apple, Google, Hewlett-Packard, Microsoft, and Research In Motion) that operate mobile app stores agreed to improve app privacy policies disclosing the personal data collected, stored, and shared. Earlier this month, researchers at M.I.T. documented privacy abuses by mobile apps that tracked consumers without notice or consent. And the U.S. Federal Trade Commission published guidelines for businesses that develop and market mobile device apps.

The Pew survey found that almost one-third, 31% of all smart phone users surveyed, have lost their device or had it stolen. Among users 18 to 24 years of age, about 45% had either lost their device or had it stolen. The survey authors concluded:

"Smartphone owners are generally more active in managing their mobile data, but also experience greater exposure to privacy intrusions"

The table below highlights this conclusion:

| Activity | Smart Phone Users | Cell Phone Users |
| --- | --- | --- |
| Back up phone contents | 59% | 21% |
| Cleared browsing or search history | 50% | 14% |
| Turned off location tracking | 30% | 7% |
| Experienced lost or stolen device | 33% | 29% |
| Somebody accessed device in a way that felt like a privacy intrusion | 15% | 8% |

Pew conducted the nationwide survey, in both English and Spanish, of 2,254 adults (age 18 and older) from March 15 to April 3, 2012. Download the Pew report: "Privacy and Data Management on Mobile Devices."


How To Safely Dispose of Your Old Smart Phone

Everybody loves getting the latest smart phone. What to do with your old one? Perhaps, you plan to sell it on eBay or donate it to a charity. Whatever you decide, be sure to remove all sensitive data from it. Otherwise, you could create an identity theft and fraud problem for yourself.

The sensitive data on your smart phone isn't just your list of contacts and their phone numbers. The sensitive data also includes your passwords, email, browser history, calendar, and photos -- the things that document when and where you go both online and in the real world. The sensitivity of both your online passwords and browser history should be obvious. With access to your email, identity criminals could hack into your financial accounts and reset your online passwords. That would be an identity-theft disaster.

How to safely dispose of an old smart phone? Before selling or donating an old smart phone, security experts advise consumers to:

  1. Remove the SIM card
  2. Remove any memory cards
  3. Run a factory reset to delete sensitive data. To do this, check the (print or online) manual for your smart phone.

But that may not be enough. AccessData, a computer forensics firm, performed an analysis last year of several popular smart phones available on the resale market. Almost all had sensitive data from the prior owners. As Dark Reading reported:

"The phones were the iPhone 3G, Sanyo 2300, HTC Wildfire, LG Optimus, and HTC Hero... Even though all of the Android phones had been wiped through a factory reset, four of the five phones also included information that would take someone with forensics tools and knowledge to extract from more hidden storage locations... Some of the details available within those four phones included user account information, Social Security numbers, geolocation tags for where the user had taken pictures using the phone, deleted text messages, and a resume."

In this case, the only secure option is to go old-school: wrap it in cloth and then take a hammer to your old smart phone -- even the older clamshell types. Don't try to resell or donate it. Most consumers don't have access to industrial-strength hard-drive shredding services.

What did you do with your old smart phone? How did you remove any sensitive data from it? Or are your old devices gathering dust in a drawer or closet at home?


Canadian Privacy Commissioner Introduces Graphic Novel To Help Youth Safely Use the Internet With Mobile Devices

The Office of the Privacy Commissioner in Canada has introduced a graphic novel designed to help teens and youth use the Internet safely with mobile devices. If you haven't read it, I highly recommend it. It is an easy read and it clearly describes some good, basic data security habits.

The graphic novel (Adobe PDF - 4.5 MBytes) is good for youth (and their parents) everywhere, and not just in Canada. The skills needed to safely use mobile devices and maintain privacy are universal.

In the United States, the Federal Trade Commission (FTC) offers the "Heads Up: Share With Care" guide (Adobe PDF) for youth at the OnGuard Online website.


Traveling Outside The Country? Before You Leave, Notify Your Credit Card Issuer So Your Purchases Aren't Denied

With the increase in identity theft and fraud during the past few years, many banks have increased their security efforts to fight identity fraud. This includes proactively flagging or automatically denying credit card purchases in another country. This increased security has both good and bad news.

The good news: consumers are better protected against fraud. The bad news: valid purchases by cardholders traveling outside the country may be denied. The last thing anyone wants to experience is a denied credit card purchase when you are in a different country and low on cash in the local currency.

To avoid this, I notified my credit card issuers before my recent vacation travel. Credit card issuers will want to know your card number, travel destinations, travel start/stop dates, and cardholders traveling.

The letter I used, which you are welcome to adapt for your upcoming trip:

"This regards the [insert Visa/Discover/MasterCard/Amex/etc.] account ending XXXX. I am the cardholder for the above account. This letter is to inform you that I will be traveling on vacation from November 22, 2011 to December 9, 2011, and visiting the following locations: Mexico, Guatemala, Panama, and Colombia (Cartagena). Hence, you will see purchases on my [insert Visa/Discover/MasterCard/Amex/etc.] card at these locations, and from the XXXXXXXXX cruise line."

With some credit card issuers, you can report upcoming travel via a toll-free phone number. I prefer a written letter which documents the communication. The address to use is on your monthly statement. Check the website for your bank or credit card issuer about how to report upcoming travel.


How To Protect Your Sensitive Personal Data When Using Public WiFi Networks

Last week, I met a friend for lunch to discuss her new business venture. After lunch, we moved our discussion to a nearby coffee shop. While there, my friend surfed the Internet using her mobile device and the coffee shop's public WiFi network.

When we finished our discussion, I suggested that she change her passwords for the websites she visited, since she had signed into them with HTTP connections instead of HTTPS connections. (My friend had not heard about PrivateWiFi.) During the subway ride home, I began to wonder what a comprehensive list of tips for consumers about how to securely use public WiFi networks, at places like airport lounges and coffee shops, would look like.

If you aren't familiar with the identity-theft threat, about a year ago there were many articles about the Firesheep Web browser plugin, which allows hackers at public WiFi hotspots to monitor nearby consumers' online sessions and steal account log-in passwords. A recent tweak of Firesheep allows it to steal your Google web history. Not to be outdone, the newer Droidsheep app allows hackers to monitor and steal from mobile devices running the Android operating system.

With tools like these, the identity-theft and fraud damages can be extensive. Thieves can send spam from your email and/or social networking website accounts, or steal money from your bank accounts.

So what can a consumer do to protect their data? This Hot Spot Hacker article offers several good tips for using your mobile device securely at public WiFi networks:

"1. Set your laptop or smart phone so you have to manually select the Wi-Fi network. You may need to change the default setting.

2. Make sure you know the exact name of the establishment's Wi-Fi network and connect only to it. Don't be fooled by look-alikes."

These two tips are good reminders because it is easy to set your mobile device to automatically connect at coffee shops you visit repeatedly, and forget about WiFi network security.

"3. Avoid any hot spot that your device lists as "unsecured." Keep in mind that even if a password is required, a hot spot can still be unsecured."

This tip cannot be overemphasized. Of course, it is preferable to use WiFi networks that require a password log-in, but that is just a start. A password log-in is not complete security. For full security, the entire session must be encrypted, because browser cookies and other files transmitted during the session contain personal data hackers can abuse:

"4. If your device shows the site as secured, pay attention to what kind of encryption it lists. WEP (Wired Equivalent Privacy) is an early system, dating from over a decade ago. If it's WEP, treat the network as not secure. WPA (Wi-Fi Protected Access) is better, and WPA2 is best of all."

Most people I know have no idea which type of wireless encryption to look for and use. Now you know. Here's what else you need to know about WiFi network security:

"5. If you send personal data over a Wi-Fi link, do so only to an encrypted website. You can tell a site is encrypted if you see the letters "https" (the "s" stands for "secure") at the beginning of its Web address. Also, look for a lock icon on the top or bottom of pages throughout the site."

So, what can a consumer do to use WiFi networks safely and securely? One suggestion:

"6. Before using a public Wi-Fi network, install such software as Force-TLS and HTTPS-Everywhere, which are free add-ons to the Firefox browser. They make sure you use encryption features available on websites you visit. Virtual private network software — some of it free, some not — can also add security."

You could also use PrivateWiFi. And, there are more WiFi network security tips. To learn more, visit the Hot Spot Hacker article. If your mobile device uses the Android operating system, watch this Droidsheep video.


Living Life Online: New FTC Guide For Teens And Tweens

The U.S. Federal Trade Commission (FTC) has launched the Living Life Online website to help teens and tweens stay safe online, make good choices online, and understand the consequences of their online choices. A companion print guide (PDF, 3.4 MBytes) explains the website. Both include short articles, activities, quizzes, and an ask-the-expert column, all to help kids learn how to think critically:

"As you live your life online and off, some behaviors can help you be more successful: asking questions to help you figure out what’s real and what’s hype; thinking about things to do – or not – that can help you keep safe; figuring out ways to act that can help you treat others the same way you’d like to be treated."

The guide addresses topics including sexting, cyber-bullying, online manners, which personal information to protect, photo-sharing, how to avoid cell-phone bill shock, and much more:

"What you post could have a bigger "audience" than you think. Even if you use privacy settings, it’s impossible to completely control who sees your social networking profile, pictures, videos, or texts. Before you click send, think about how you will feel if your family, teachers, coach, or neighbors find it. Once you post information online, you can’t take it back. You may think that you’ve deleted information from a site – or that you will delete it later. Know that older versions may exist on other people’s computers... Get someone’s okay before you share photos or videos they’re in."

The print guide includes resources (e.g., worksheets and information) for parents to encourage discussion with their kids. I found the Living Life Online website thin on interactivity and not nearly as robust as it could (should) be to fully engage kids. The website is more a webpage. A better implementation could have presented separate website sections for children and parents. Hopefully, this is the draft version of the website and enhancements will be released soon.

The print guide is a good resource for kids and parents to start the process of learning and discussing good decision-making online. Kids living in the USA must ultimately learn who the FTC is and how to use its resources -- chiefly to recognize phishing, to protect their sensitive personal information, and to file identity theft and fraud complaints.

With a variety of topics, the Living Life Online print guide is a good first step to help kids learn to make good decisions online. What do you think of the guide?


Win Some Cash! Enter The Privacy Concern Contest on Twitter

Here is an opportunity to win some cash! PrivateWiFi, a provider of secure wireless services, is operating a contest via Twitter. Tweet your biggest privacy and security concern and you might win one of the following prizes:

  • First Prize: $300
  • Second Prize: $200
  • Third Prize: $100

The contest started July 12 and ends Friday, July 22. Browse contest rules. You can enter multiple tweets. After the deadline, PrivateWiFi will select the three winning tweets. To enter the contest, tweet your online privacy and security concerns to @PrivateWiFi and use the hashtag #ilikeprivacy. Here is my entry:

@PrivateWiFi Banks selling consumers' debit card shopping habits to 3rd parties. Broken trust & don't know where data goes. #ilikeprivacy

Here are a few other entries:

"SarahaADowney My biggest privacy concern is the collection, sale, & public display of personal data on people search websites. #ilikeprivacy"

"TomBarten my biggest privacy concern is not knowing, and not being able to find out, what happens to your personal data. #ilikeprivacy"

"CAPAPA Privacy-invasive provisions of the negotiated-in-secret Anti Counterfeiting Trade Agreement #ACTA #ilikeprivacy"

So, visit Twitter.com or fire up the twitter app on your mobile device and enter the contest today!



12 Tips For Consumers To Avoid Identity Theft And Fraud

To avoid identity theft and fraud, consumers first need to know the ways in which identity thieves try to steal sensitive personal information:

  • Skimming: thieves attach devices to ATM machines, ATM booth doorways, and gas-station pumps
  • Phishing e-mail messages
  • Change of Address: thieves divert your billing statements to another location by completing a change of address form at the post office
  • Old-fashioned theft: stealing your wallet or purse
  • Pre-texting: thieves pretend to be you and contact (online or via phone) your bank or financial institution to obtain your personal information and money
  • Fishing: accessing unlocked snail-mail mail boxes, or lowering "pieces of cardboard covered with glue down blue mail boxes and open envelopes that stick looking for personal information they can steal"
  • Dumpster diving for financial statements and "convenience checks" you've thrown out in the trash without shredding them
  • Discarded computers, with hard drives that contain personal information, that haven't been properly erased or destroyed before disposal
  • Online research of government registers, Internet search engines, and public records to gain pieces of your personal information
  • Remote-theft with portable readers that scan and read your contactless (e.g., RFID) debit/credit cards
  • Shoulder surfing: simply looking over your shoulder when you make ATM transactions in public places
  • Malware: using computer viruses to access the personal information on your (home) computer
  • Employment scams: thieves advertise fake job openings and use the personal information submitted by applicants
  • Social networking sites: thieves access profile pages left publicly open by consumers who ignore privacy settings, produce bogus quizzes, and/or hack a friend's account to gain access to your sensitive personal information

To combat these theft methods, the Los Angeles County Sheriff's Department suggests these 12 tips for consumers to protect themselves:

1. Identity theft starts with the misuse of your personal identifying information such as your name, Social Security number, credit card numbers, or other financial account information.

2. Check your credit report from each of the three major credit bureaus every year.

3. Open your credit card bills and bank statements right away. Review your statements and close unused accounts. Be aware if bills don’t arrive on time. It may mean that someone has changed contact information to hide fraudulent charges.

4. Don’t carry your Social Security card or PIN numbers in your purse or wallet because of what can happen if they fall into the wrong hands.

5. Avoid giving any personal information over the phone, mail, or Internet unless you know who you are dealing with. Give it to them in person instead.

6. Criminals pretend they are collecting money for victims of a natural disaster. Sometimes they claim to be police officers and ask for donations.

7. Elderly people are frequently targeted in money scams. Keep a helpful eye for elderly family members and vulnerable neighbors.

8. Make sure that you disconnect your laptop from a broadband or a shared connection when you are not using it.

9. Avoid offers and pop-up ads that sound too good to be true. They want you to enter your information so they can access all of your personal information.

10. Remove your name from mailing lists for pre-approved credit offers. Pre-approved credit card offers are a target for identity thieves who steal your mail. Have your name removed from credit bureau marketing lists. Call toll-free 888-5OPTOUT (888-567-8688).

11. Only enter personal information on secure Web pages that encrypt your data in transit. You can often tell if a page is secure if "https" is in the URL or if there is a padlock icon on the browser window.

12. If you’re going to use a mail box, do so during or close to the posted pick up hours. Better yet, drop your mail off at your local post office. Retrieve mail promptly and discontinue delivery while out of town.


McAfee Anti-Virus Software Rated Poorly By Consumer Reports

I have been a happy and satisfied McAfee Internet Security Suite user for the past 12+ years on several desktop and lately laptop computers at home. I have written in this blog about anti-virus software, anti-phishing software, and the need for consumers to keep the anti-virus software on their home computer current. I do.

Given this, I was concerned to read in the June 2011 issue of Consumer Reports magazine about an extremely low rating of the McAfee Internet Security 2011 software. The 31-point rating was far below the 65-point rating of BitDefender. This low rating was the opposite of my experience with the McAfee anti-virus software. I really like and use heavily the McAfee SiteAdvisor browser plugin.

So, I wrote to McAfee asking them what they thought of this low rating by Consumer Reports, and their plans to address it. I received this reply via e-mail:

"From: McAfee NA Customer Service
Sent: Wednesday, May 11, 2011 8:43 PM
Subject: RE: McAfee Customer Service - SR-xxxxxxxxx

Dear George,
Thank you for contacting McAfee Customer Service. I understand that you are disappointed with the McAfee ratings that have been provided by Consumer Reports magazine.

George, I would like to inform you that the results in the area of virus and firewall protection in this one particular review, are disappointing to us as we always strive to earn top ratings and therefore the rankings for our various products.

However, the review results are a direct opposite of the test results shown in reviews performed across the top anti-malware vendors by other testing organizations like NSS Labs and AV-Comparatives. Also, the article in Consumer Reports shows nothing more than an overview chart of ‘their findings’ and it is not clear how the various products were specifically tested by Consumer Reports.

In spite of this, let me assure you that McAfee takes this test seriously and remains dedicated to further improving threat detection. In doing so, we are continually working to enhance our malware detection processes including through our Global Threat Intelligence, and through our company-wide Trust & Safety Initiative. Please be confident that McAfee remains relentlessly focused on security.

You may also contact us by phone by dialing 1-866-622-3911. Our business hours are from 8 am to 8 pm CST, daily. xxxxxxxxx is the Service Request number for this issue. You can quote this number in your further contacts. For all your future Service and Support needs, please visit http://service.mcafee.com. Thank you for contacting McAfee Customer support!

Sincerely,

Rengarajan K.
McAfee Customer Service-Tier 1"

PC World reviewed McAfee Internet Security 2011 and rated it 3.5 of 5 stars. A prior blog post discussed some of NSS Labs' findings. I revisited the NSS Labs website and downloaded the Q3 2010 NSS Labs review of consumer anti-malware products. NSS Labs rated McAfee Internet Security highly on several measures, and recommended it plus two other products. You can download the NSS review for free (PDF).

I plan to continue using McAfee software and will watch for more test results by other independent labs.

What anti-virus software do you use? Why?


Video: Invasion Of The Data Snatchers

If you want an explanation of the role and scope of data mining companies and information brokers, the video below provides a pretty good overview, with engaging graphics. It highlights all of the various ways companies collect personal information about consumers. And, "invasion" is an accurate description.

This blog does not endorse the online service mentioned. Consumers should shop around and read the contractual fine print and terms of any online service before purchase, to determine if the product or service meets your needs.


Anonymous Web Surfing: Get Cocoon

With all of the online threats, malware, and tracking, some consumers have turned to anonymous web browsing. To learn more, I discussed the Cocoon anonymous web browsing service with Brian Fox, cofounder and Chief Technology Officer at Virtual World Computing (VWC), producer of Cocoon.

I've Been Mugged: What is your position and duties at Get Cocoon?
Brian Fox: I am co-founder and CTO of VWC. I am the principal inventor of the technology and process in the Cocoon service. Jeff Bermant is the other co-founder, and the primary owner of the itch that needed scratching.

Mugged: How and why did Virtual World Computing start offering anonymous web browsing?
Fox: We believe everyone has a right to use the Internet securely and privately, and without the risk of getting malware. We see that the Internet is the next generation of communication, after Pony Express, Telegraph, and Telephone. Why should we as a society accept that this form of communication be less private and secure than its previous forms?

Mugged: How secure are your company’s web servers?
Fox: Today, our servers are housed in a tier 3 secure facility. Our servers run SE Linux, which is the Linux that was modified by the NSA to increase security and compartmentalization. Because we run Linux, we are not vulnerable to Windows-based viruses. Because we run SE Linux we are not vulnerable to any currently known Linux-based attack. We believe that our servers are extremely secure.

Mugged: What consumer data is retained on your servers and for how long?
Fox: That's up to you. You can choose to not save any data in your Cocoon account, and that's your prerogative. We feel there are benefits to having your history stored securely, encrypted and available to you, and only you, whenever and wherever you want. Everyone has experienced the scenario of having found some piece of information while on one computer, say at home, and then had difficulties finding that same info when they want it at work. With Cocoon, your history, bookmarks, logins, passwords, notes, are all available to you on any computer where you've installed Cocoon. And you are the only one who has the key to unlock that encrypted information. But it's your call, never save the data or leave it there as long as you like and delete it when you close your account, it's up to you.

Mugged: On my laptop, I use the Better Privacy add-on with Firefox to regularly delete the web browser cookies that websites save to my laptop. How is Cocoon different?
Fox: Cocoon prevents cookies from being stored on your computer at all. They are stored in your Cocoon account. Today, Cocoon doesn't offer an option to delete cookies on a periodic basis (which of course, can only happen while Firefox is running :-) Instead, we supply an option to delete your Cocoon stored cookies whenever you log out. We are building a feature that lets you specify for which websites Cocoon should not delete stored cookies. We feel this offers you the best of both worlds - you can keep the cookies that you want (e.g., login cookies for Gmail or sourceforge), and delete all of the other cookies (e.g., banking, etc.).

Mugged: Version 3.0+ of the Firefox browser already has a feature called “Start Private Browsing.” How is Cocoon different?
Fox: Private browsing mode on Firefox does not provide you with anonymous browsing and only prevents your browsing and cookie history from being saved on your computer. On the other hand, Cocoon prevents both websites and your ISP from knowing what sites you've visited, as well as keeping all tracking information off your computer. It does this at the same time as giving you the option to keep that history or those cookies stored securely if you want.

Mugged: Many consumers like to use free (unsecure) WiFi at places like coffee shops and airports. How does Cocoon protect consumers in these situations?
Fox: Cocoon makes every website on the Internet encrypted and secure, even on free open WiFi. When you log into Cocoon, you create a secure connection between you and Cocoon preventing man-in-the-middle attacks like Firesheep.

Mugged: Version 4.0 of the Firefox web browser offers a Do Not Track feature. How does Cocoon compare with this?
Fox: Firefox 4.0, like Chrome and IE9, all offer an option to be added to Do Not Track lists - but these lists rely on voluntary compliance by advertisers to join and/or honor - and the user is responsible for activating these systems. Cocoon's method is proactive - a service that lets you take control without needing advertisers to agree to anything.

Mugged: What types of consumers or professionals (e.g., attorneys, financial advisors, etc.) can best benefit by using Cocoon?
Fox: Although anyone can benefit from features such as stopping spam by using Mailslots (disposable anonymous email addresses), professionals such as lawyers, doctors, and financial advisors -- who work with highly private data -- can directly benefit from the protection Cocoon offers stopping malware from infecting their computers and potentially stealing personal data, and having secure connections while on WiFi networks. Everyone deserves the peace of mind that comes from knowing their information is private, secure and malware-free.

Mugged: How might a consumer use Cocoon while traveling on business or vacation?
Fox: In addition to being protected on open WiFi networks, I've appreciated that once I securely log into Cocoon I have access to all my login and passwords even on my wife's computer - and once I log out I know that that information is not on her computer, it's still safely stored in my account on Cocoon.

Mugged: How flexible is the Cocoon configuration, so consumers can switch to normal browsing mode when visiting trusted websites, like their bank?
Fox: The configuration of Cocoon is so seamless it is almost invisible. There's actually no need to turn off Cocoon when visiting any site. If you choose to bypass the protections of Cocoon, there is a "pause" or "un-lock" button right on the toolbar for you.

Mugged: Many consumers like comprehensive services/software. What are Get Cocoon’s plans to provide an umbrella service covering a user’s computer, tablet, and smart phone?
Fox: Great question, and it's definitely in the works. We've tested Cocoon with the Firefox browser on various systems and will be offering other options soon. IE is the next to roll out and others to follow. We are particularly focused on the needs of the mobile user, and have products and service enhancements in store for them.

What do you see in the future for anonymous web browsing software?
While anonymity is an important feature of Cocoon, we feel that it is only one part. We feel that privacy is not synonymous with anonymity. For instance, I am happy to do this interview, but there is a limit to what information I will divulge. That is because my personal privacy is important to me. In the future, we feel that both inward and outward facing privacy will be de rigueur, and we know that Cocoon customers will be enjoying that -- as well as additional features that will be necessitated by changes in online behavior, such as voting, reviews, and the like.

Is there anything else you want consumers to know about Cocoon and/or your company?

Cocoon is created by a team of people who strongly believe in the rights of people to use the Web privately and securely. We believe that the Internet is a resource for the world, and not just for a select few. Our mission is to enable access, privacy, and security on the Internet to anyone who desires it. Our feature creation is driven by the needs of our users, and we ensure that there are many ways to communicate with us - even anonymously!

Thanks to Brian Fox for discussing Cocoon with the I've Been Mugged blog.


The Four Pillars of Online Data Privacy

A few weeks ago, I blogged about personal identity information values -- shopping and acting online consistent with what you deem important. eGov recently published comments by the European Union (EU) Justice Commissioner, Viviane Reding, about privacy for individuals. Reding's view of privacy for individuals in an online digital world includes four pillars:

1. The “right to be forgotten” - a combination of consumers' right to withdraw or opt out of any data collection efforts by companies, and the burden on companies to prove first that they have a need to archive and store the sensitive personal information of consumers they have already collected.

2. "Transparency" - to build consumers' trust, companies should fully disclose and inform consumers about what personal data they collect about consumers and why, how they use the personal data collected, the names of all third-party companies they share personal data with, the rights of consumers for remedies when consumers' rights are violated, and the risks with the personal data companies ask consumers to share.

3. "Privacy by default" - in too many instances companies build websites with privacy controls that are so complicated and convoluted that consumers can't effectively make their personal data private. In these websites, there really isn't any privacy and the websites' privacy controls don't reflect consumers' true consent. Reding believes that this situation must change, and that private should mean private.

4. "Protection by data location" - privacy standards for EU citizens should be consistent regardless of where consumers' personal data is stored. For example, if an EU resident's personal data is collected and stored by a U.S.-based company, then that company must comply with EU privacy standards, not U.S. privacy standards.

All of these pillars make perfect sense to me, but I see the fourth pillar being particularly tough. Its logical extension would force a website operator to know, track and comply with a multitude of countries' varying privacy policies. My impression is that many corporate executives would be unhappy with having to work within the boundaries of all four pillars (not just the fourth), when they usually don't have to today.

I especially agree with Reding about the risks stated in the second pillar. Explanations about risks from sharing personal data apply to all consumers, but especially to youth who don't yet understand how business works and how companies use personal information. The risks and consequences should be explained to consumers about personal data that companies may make public permanently that consumers cannot make private again.

Over at the Guardian UK, columnist Mayes contests Reding's second pillar:

"But does the "right to be forgotten" really have a sound basis? In British law there is no right to be forgotten, but there are a host of laws to protect your identity and personal data... But to say there should be a right to be forgotten is to say we can live outside society. We can't."

To me, it's not about living "outside of society." For a lot of perfectly valid reasons, a consumer may decide to live off the grid, or entirely off-line. It is about consumers' control; the ability to control when and where your sensitive personal information is archived. Without the second pillar, there is no real control for consumers.

What do you think of these four pillars?


Facebook Comments Plugin: To Switch Or Not?

Like many bloggers, I want readers to easily comment on blog posts and keep out the spammers. It is a tricky balance to achieve. Like many bloggers, this blog requires commenters to enter a name, email and website address. Despite these rules, including the Terms of Service policy, spammers continue to submit off-topic comments that are clearly advertising and unrelated to the blog post topic.

To effectively keep out the spammers, some bloggers have turned to the Facebook Comments Plug-in as a solution to verify users and to screen out the spammers. Some notable blogs like CrunchGear have implemented the Facebook Comments Plug-in -- at least on a trial or temporary basis. Other bloggers have seen their comments traffic decline as Facebook membership has risen. Some bloggers like the new Facebook Comments Plugin -- at least on others' blogs and not yet theirs.

For this blog, I have made the decision not to switch to the Facebook Comments Plug-in. Why? As I see it, the disadvantages outweigh the advantages.

The chief advantage is that Facebook Comments Plug-in requires commenters to use real identities (or at least identities as "real" as they have been created on Facebook). And, I am happy with the current comment system Typepad.com provides. The disadvantages I see of the Facebook Comments Plug-in:

Loss of control and of content: the comments become the property of Facebook. Upon terminating the Facebook Comments Plug-in, I would lose those comments. There are several valuable comment threads in this blog, with some running as long as two years. My readers and I have learned a lot from the comments submitted, and I would never give up this valuable content.

Comprehensive Solution: my preferred commenting solution must be comprehensive and allow users to choose how they want to identify themselves. As TechCrunch noted:

"Facebook comments don’t support Twitter or Google logins. It doesn’t yet allow sites to archive their comments to make backups..."

Readership Usage: this blog has more followers on Twitter than on Facebook. This blog has more followers via e-mail than on Facebook. So, the comments approach must factor in this actual readership usage.

Mistrust: having written repeatedly about Facebook's privacy missteps and class-action lawsuits, I have learned that Facebook will consistently act in its own self-interest. I don't trust Facebook. I trust Facebook to continue to make public at some date members' sensitive personal data it had previously deemed private. That abuse is something I would not subject my readers to.

Corporate Blocks: many companies block access to Facebook in the workplace. That alone is probably a deal-killer. Discussions of identity theft, data breaches, and privacy require access to this blog.

Lack of Disclosure: at times, Facebook doesn't disclose to members everything it is doing, like censoring members' timelines.

Extensive Tracking: in a prior post I wrote about how Facebook Social Plug-ins perform tracking around the Web. The commenter verification advantage is not enough to subject my readers to more tracking by Facebook.

Buggy Interface: having used Facebook for several years, I have noticed many bugs and errors. I am not going to subject my readers to that.

One supposed benefit of the Facebook Comments Plug-in is that it will bring more readers, and commenters, to your blog. This blog has been optimized for search/SEO, so getting new readers has not been a problem. Currently, monthly readership is about 19,000 page views, an increase of greater than 45% compared to a year ago.

To summarize, any plug-in solutions have to be consistent with my identity information values.

As always, I value my readers' opinions and comments. Let me know below what you think about the Facebook Comments Plug-in.


Error-Filled Background Checks Make Finding a New Job Difficult

At some point during our work careers, we all look for a new job. Given the recent, ongoing economic downturn, many people are looking for work. When applying for a new job, potential employers usually perform a background check of applicants. What happens when the background check includes wrong information? The following story explains what happens.

Channel 7 News, the ABC News affiliate in San Francisco, reported the story of Patrick Chad Padilla, who applied for a security job position at a Walmart store in Sacramento, California. After the third interview, Padilla was offered the job pending a background check. Walmart withdrew the job offer when the background check turned up problematic information.

After looking at the Walmart background check, Padilla noticed that the report contained information about Patrick Saenz Padilla, who Channel 7 News would later discover is a criminal serving time in a New Mexico prison. Despite the middle name differences, Walmart insisted on using the faulty background check and refused to offer Padilla the job.

Hello? Does anybody at Walmart use their brains?

Obviously not. Brain-dead bureaucracies operate in the private sector, and not just in government agencies.

This story is important for several reasons. First, multiple companies made errors in this story. Walmart's errors are clear. Second, Padilla applied for a job at Roseville Hyundai later and the same thing happened again. The faulty background check stopped another job offer.

Third, there are some sensible guidelines governing the proper use of background checks by companies. In at least one instance, an employer started a new policy that demanded Facebook passwords from both job applicants and current employees without any suspicion of wrongdoing. (That policy has since been suspended for a 45-day review.)

Fourth, Acxiom, the provider of the background check service, definitely shares some of the blame for Padilla's job-search difficulties. Acxiom clearly made mistakes by combining information about two different people into a single report. From the news story, it isn't clear that Acxiom has corrected Padilla's profile information. The middle name difference should have been easy to spot, but Acxiom either missed it, or ignored it. And Padilla suffered the consequences.

This is not the first incident with an erroneous background check. In this incident in Kansas last year, the local sheriff's office helped the affected job applicant clear his name.

Background checks are necessary, as employers can't hire convicted criminals for certain jobs. A wide variety of companies use Acxiom products and services, including Sony Ericsson Mobile Communications, Urban Mapping, Blackboard, USA Swimming, Senior Checked, Windstream, and General Motors. At its mid-year 2010 conference, the National Association of Professional Background Screeners (NAPBS®) Background Screening Credentialing Council (BSCC) announced that Acxiom and several other companies had achieved compliance with its Background Screening Agency Accreditation Program (BSAAP).

Although this class-action against Acxiom was ultimately unsuccessful in the courts, it did reveal that Acxiom buys a lot of its information about consumers from various states' motor vehicle agencies.

A recent survey by The Black Book of Outsourcing rated Acxiom number one in customer satisfaction for IT outsourcing. Well, Acxiom may help its IT department customers save money, but I wonder how reliable that customer satisfaction rating is. Would consumers rate Acxiom highly? My guess is Padilla wouldn't rate Acxiom highly.

Fifth, background-check concerns are not only about Acxiom, but also apply to other companies that provide similar services. CNN Money listed some of the companies, including Rapleaf, that provide background checks based on the collection of consumer data from public records. The Wall Street Journal published a similar list of what it called "scrapers." LewRockwell.com published a similar list of companies consumers should consider removing their profile data from.

Sixth, when private companies offer products and services based on their collections of sensitive consumer information, there has to be a method to discover and correct mistakes and erroneous entries. This process exists with the major credit reporting agencies, but not with companies like Acxiom. As Channel 7 News reported:

"There's no federal or state agency that's making these companies actually clean up their records and make them accurate..."

Getting back to Padilla's story: later, Walmart reversed itself and encouraged Padilla to apply for a different job. What? Is Walmart serious? After all of the obvious mistakes and blunders, Walmart couldn't do the right thing, apologize, and simply offer the job to Padilla?

Meanwhile, Padilla had moved on to work for another company. I wouldn't work at Walmart either after this poor treatment. It signals that Walmart probably treats vendors, suppliers, and its employees just as poorly.

If this story upsets you (and I truly hope that it did upset you), I encourage you to write to your elected officials and tell them:

  • Potential employers must give job applicants copies of the background check report used for the hire decision
  • Consumers should not suffer the consequences for corporate mistakes and errors, especially about background checks
  • Federal and state laws must require companies to correct errors in their databases containing consumer information
  • Database marketing services (e.g., companies that collect data and offer products based on those databases) must provide consumers with a fast, easy-to-use, and prompt process for reviewing and correcting errors in their profile
  • Corporate violators should be prohibited from the data collection and from any services/products based on that data collection

Have you been denied a new job due to an error-filled background check? Have you lost a job offer to an erroneous background check? We'd like to hear your experiences, and if you were able to correct the problem.


How To Protect Your New Mobile Device And Your Sensitive Data On It

You just bought a new smartphone, tablet computer, video game, or flat-screen television that connects to the Internet. How do you protect yourself and your sensitive personal information on it? Infosec Island published a good list which I recommend. Some of the tips:

"... threats aimed at mobile phones are growing. Use software that backs up smart devices and use strong discretion when storing, saving or editing personal information on your smartphone or device. Don’t keep all of your personal passwords on your device, and avoid using it to store financial information like credit card and bank account numbers."

And:

"Many people don’t realize that their new gaming console may represent another port of entry for cybercrooks into their household. Some Internet TV applications can expose personal information, so be sure to install anti-virus software, two-way firewalls, anti-spyware, anti-phishing, and safe search capabilities, just as you would on a PC..."

Read the full list of security tips for consumers.


Facebook Members Warn Their Friends About Spokeo

During the past few weeks, I have seen several friends on Facebook post this message about Spokeo:

"There's a site called www.spokeo.com that's a new online USA phone book with personal information: everything from pics you've posted on Facebook or the web: your credit score, home value, income, age. Remove yourself by searching your name, copy the URL of your page, then go to the bottom right corner of the page and click on the Privacy button to remove yourself. Copy & re-post so your friends are aware."

Regular readers of this blog already know about Spokeo since this blog covered it in April 2010. When I reviewed my personal Spokeo listing recently, it had plenty of errors: incomplete name, wrong address, and other details. The data looked as if Spokeo tried to match and merge (unsuccessfully) data from an old White Pages phone book directory with data they may have purchased from marketers and/or state motor vehicle registries.

This data inaccuracy reminded me of an experience I had with credit reporting agencies in 2004. That year, I applied for an American Express card anticipating an extended business trip in London. American Express denied my application because I was "deceased." Obviously, I am not dead. When I checked my credit reports, they had erroneously co-mingled data from my deceased father and from me. If you don't know it, credit reporting agencies rely on consumers to check the accuracy of their credit reports, and to submit correcting information. This approach rests on the assumption that most consumers want their credit reports to accurately reflect their creditworthiness.

My points:

  1. It is good to view your Spokeo listing and opt-out of their program. The problem: the burden is on consumers to continually opt out as every new Internet-based marketing company springs up. That is not the Internet I envisioned nor long for, and I'll bet you agree.
  2. I feel no obligation whatsoever to notify Spokeo about the inaccuracies in my listing, and hope that you don't feel obligated either. Better to let Spokeo wallow in ignorance.
  3. Like Facebook and other data mining or marketing companies, Spokeo makes money from our personal data, correct or incorrect. If I were sharing in that revenue stream, then I might feel motivated to inform Spokeo of the errors in my personal listing.
  4. Data mining companies like Spokeo will continue to publish plenty of mistakes in their databases. Why? Many consumers have multiple online identities. While data mining companies can analyze purchases from credit cards, patterns from location-based status messages, or your "likes" on social networking sites, only YOU know how accurate the demographic and descriptive data is about YOU. Spokeo "swims" in the same consumer identity cesspool as other data mining companies and markets. At least credit reporting agencies have the benefit of updating their records with structured data from lenders and banks.
  5. Executives at data mining and marketing companies like Spokeo want to believe their data is accurate. In my view, it often isn't. People move, change street addresses, use multiple email addresses, use multiple phone numbers, regularly delete their web browser cookies, use add-ons like BetterPrivacy to delete Flash cookies, use software like MAXA Cookie Manager to delete a variety of LSOs stored on their computers, and opt-out of location-based messages. So, the value of that data is less than they think and has less utility for applications.

So, go ahead and check your Spokeo listing. How accurate was it? Did you opt-out? I've Been Mugged blog readers want to know.


Over-Sharing During The Holidays

One important thing I try to do in this blog is to remind consumers of good data security habits. A recent "Connected But Careless" study of 1,000 Internet users in the United States, sponsored by Symantec Norton and conducted by Javelin Research, found that many consumers are lax about the security of their information while online:

"... consumers are still somewhat cavalier and under-informed when it comes to Internet security, specifically in three areas: location-based services, mobile phone transactions, and online passwords."

Just under half (47%) of the consumer survey respondents said they expected their online purchases to increase between the Thanksgiving and New Year's holidays. About a third (31%) between the ages of 18-34 said they expected their social networking activity to increase during the same period.

Location-based status messages, or telling people real-time where you are via your mobile device, is a leading risky behavior when consumers share too much:

"... 15% of people surveyed knew enough about geo-location to be able to explain it... 22% who use their mobile or smartphones to connect to the Internet, admitted to giving applications on those devices permission to identify their location... 56% under the age of 35 said they update their social networking status with their location, which can inadvertently broadcast to real-world criminals that they’re not at home."

A second risky behavior is that consumers take for granted that their mobile devices are secure. While 38% of survey respondents use a mobile device or smartphone to check bank accounts and 51% post updates on social networking sites:

"... one in four people accessing the Internet this way aren’t sure, or haven’t even thought about, what’s safe mobile practice, while another 42 percent have only a “general idea” of what constitutes safe practices. In addition, 52 percent of those people accessing the Internet via their mobile devices don’t use the basic level of protection of having an access password in place..."

I have repeatedly discussed in this blog the need for strong passwords. More results from the Norton study:

  • 46% said they never change their password on their e-mail account
  • 31% said they never change their password on banking and financial accounts
  • 42% said they never change their password on social networking sites
  • 71% of survey respondents who have one password across different accounts/sites say they do so because it is easier

Identity thieves and spammers are probably happy to read these survey results. Experts advise consumers to do the following to protect your identity and financial information:

  1. Password-protect your mobile device or smart phone: add a password so nobody else can access the information in your mobile device
  2. Consider a "remote-wipe" feature for your mobile device. Norton offers a Mobile Security application for Android users to remotely lock or wipe data when their phone is lost or stolen.
  3. Think before using your personal mobile device for business. Check for your employer's mobile device policy, as some employers use remote-wipe features which will delete everything in your smart phone
  4. Think before logging in: assume that public WiFi connections are risky with communications monitored, whether you use a laptop, smart phone, or other mobile device. Avoid becoming a sidejacking victim. Never enter sensitive bank account information, debit card or social security numbers when browsing the Web via a public Wi-Fi connection
  5. Use one credit card specifically for online purchases. It makes it easier to spot any fraudulent items, and limits your liability if your card number is stolen. Don't use a debit card
  6. Update the anti-virus software on your laptop or desktop computer
  7. Change your passwords at least once every 90 days. Use strong passwords
  8. Don't use the same sign-in credentials and password for all of your online accounts and email accounts. Use different passwords. The recent Gawker breach highlighted this risk.

Happy holidays!


The State of Anti-Virus Software

Last week, NSS Labs released their quarterly report on Consumer Anti-Malware Products. I read this report because one piece of advice experts always recommend to avoid identity theft is that consumers keep the anti-malware (e.g., software that identifies, blocks and deletes viruses, spyware and related bad stuff) software on their home computers up to date.

Usually NSS Labs' report is available for a fee, but this quarter's version is free because of the subject matter. NSS Labs tested several anti-malware software brands and the software effectiveness is far from consistent. Key results from the report:

  • Software effectiveness varies. The ability to block software viruses varies widely by brands from a low of 54% (AVG) to a high of 90% (Trend Micro) across tested products. You would think that performance would not vary so widely (36% points) across products, but it does. Higher numbers are better since it represents a product that prevents the user's computer from downloading more viruses and from running more viruses accidentally downloaded.
  • Update time varies. The time before a malicious website (e.g., a web site infected with malware) was blocked ranged from a low of 3.3 hours (Trend Micro) to a high of 28.5 hours (AVG) across 11 vendors' products. Lower numbers are better since it represents a product that prevents sooner the web browser from visiting infected websites.

The report includes a really good chart comparing each product's performance in 3Q2009 to 3Q2010. The report groups products into three categories: Recommend, Neutral, and Caution. I am happy that the anti-virus software I used was listed in the "Recommend" category. Products in this category performed well consistently across all tests, compared to products rated lower which performed highly on one test and poorly on another.

The report's authors estimated that:

"Cybercriminals have between a 10% - 45% chance of getting past your AV with Web Malware (depending on the product). Cybercriminals have between 25% - 97% chance of compromising your machine using exploits."

NSS Labs tested all software on computers running Windows® 7 with 2 GB RAM and 20GB hard drive. "Exploits" included attempts to take over the computer and send spam to others, to capture and transmit sensitive personal information such as bank account numbers and sign-in credentials. Applications included Internet Explorer®, Mozilla® Firefox®, Apple® Quicktime®, and Adobe® Acrobat®. NSS Labs tested the leading anti-virus software products including AVG Internet Security 9, ESET Smart Security 4, F-Secure Internet Security 2010, Kaspersky Internet Security 2011, McAfee Internet Security, Microsoft Security Essentials, Norman Security Suite, Panda Internet Security 2011, Sunbelt VIPRE Antivirus Premium 4, Symantec Norton Internet Security 2010, and Trend Micro Titanium Maximum Security.

Download today the NSS Labs report.