Opinity Weblog

Here's a report about identity theft insurance:

Increasingly, companies are offering insurance that reimburses victims for the costs of cleaning up after an identity theft. Coverage, usually part of homeowner or renter policies, includes $15,000 to $25,000 for expenses ranging from attorney fees and lost wages to postage, phone charges and notarizing documents.

Actual financial losses, such as money siphoned from an account, are typically not covered but also are unlikely.

Nationwide says its "experts" will:

• Quickly assess your situation to determine if fraud has occurred
               
• Stop damage to your credit within minutes of your authorization by directly contacting major credit bureaus
               
• Make all required phone calls to creditors, banks and agencies
               
• Assist you in replacing documents including driver’s license, passport, social security card or other I.D.
               
• Provide an emergency cash advance if theft occurs while away from home (restrictions and limits apply)
               
• Provide up to $25,000 in recovery reimbursement with no deductible.
               
• Offer emotional support including up to three in-person visits with a licensed behavioral specialist
               
• And provide a full host of Identity Theft services to save you time money and frustration

Is this a good thing? It's cheap, $25-$45 annually, but according to Javelin Strategy & Research's report for the Council of Better Business Bureaus, more than two-thirds of victims have no out-of-pocket costs, and the real costs to someone who's the victim of this kind of impersonation tend to be in things such as time and trouble--all the effort involved in tracking down the various agencies, companies, and banks who need to be notified that there's a problem.

So if these folks can provide the services they claim, perhaps they can help. We should note, however, that Paul Richard, executive director of the Institute of Consumer Financial Education, a nonprofit group in San Diego--which has a remarkably busy, not to say cheesy site--says, "Don't waste your money."

If you're interested, read the report.

Lifehacker has an article about ways to protect your privacy while searching--or conducting other business--online. Among their suggestions:

• Use a Web proxy, such as anonymouse
• Set up email accounts in a name other than your own, on services such as dodgeit
• Use an alternative (to the usual suspects) search engine, such as Ixquick or Generic A9, both of which allow you to search without being tracked

The article acknowledges that none (or even all) of these measures provides perfect protection against being tracked online, but ...

Taking such measures--particularly ones involving proxies, alternative search engines, and email accounts that mask your identity--will keep you from being routinely tracked by the major search engines, that is AOL, Google, Yahoo, and MSN.

Also very much to the point: if you start to take responsibility for what you do online by deciding what kinds of personal information you want to protect and how you might go about it, you've gotten into the game of identity and reputation management on your own terms. And that's what's important for most of us, most of the time, for reasons that I've often talked about.

So, if you don't know what  proxy is or don't know how to set up an alt.email account, or are looking for other ideas about how to manage your information online, have a look at the Lifehacker article and start finding these things out. You can also email me here, and I'll advise you as best I can or send you to places where you can find the kinds of advice I can't provide.

The New York Times reports:

United States and European authorities, looking for more tools to detect terrorist plots, want to expand the screening of international airline passengers by digging deep into a vast repository of airline itineraries, personal information and payment data.

A proposal by Homeland Security Secretary Michael Chertoff would allow the United States government not only to look for known terrorists on watch lists, but also to search broadly through the passenger itinerary data to identify people who may be linked to terrorists, he said in a recent interview.

Similarly, European leaders are considering seeking access to this same database, which contains not only names and addresses of travelers, but often their credit card information, e-mail addresses, telephone numbers and related hotel or car reservations.

Basic passenger information is available in something called the Advance Passenger Information System, which Homeland Security wants available before flights take off. However, various American and European agencies alike now want access to the Passenger Name Record, which contains much more information, such as "rental cars or hotels, credit card information relating to travel, contact information for the passenger and next of kin, and at times even personal preferences, like a request for a king-size bed in a hotel." Here's how that would look, courtesy of Don'tSpyOnUs:

1A2B/GLOB-WARRIOR                                PREF-P  15AUG99
PERSONAL FILE      
  1N/ROAD WARRIOR      SR VICE PRES INTL SALES     * VIP *
  2N/ CAR >S*R.C  HTL >S*R.H  MPI >S*R.M  BPS >S*R.S
  3YN/N:1WARRIOR/ROAD*1234
  4YP/P:SFOR/415-555-1111-RES UNLISTED
  4YP/P:SFOR/415-555-2222-CELL
  5YP/P:SFOB/925-555-3333-JANE SMITH ASST
  6YP/P:SFOB/415-555-4444-PAX
  7YP/P:SFOF/925-555-5555-FAX
  8OD/D-VIP-CHECK  
        GLOBAL CONGLOMERATE INC
        123 MAIN ST 99TH FLR
        ANYTOWN CA 94123
  9OD/D-13 COUNTRY CLUB DR UNIT 2A
        SUBURBIA CA Z/94456
 10N/.             
 11NH/HTL: G-DC12345678901234EXP1104/SI-NSRM KING
 12NF/ALT FOP FIELDS
 13NF/F-DC12345678901234/D1104
 14NM/MP*UA00123456789*
 15NM/   US123456789*
 16NM/   DL1234567890*
 17NM/   AA87654321*
 18NM/   NW2345678901*
 19YP/[:3OSI YY CTCR SFOR 415-555-1111
 20NE/EMERGENCY CTCT MARGARET BLACK 650-555-8888 CELL
END OF DISPLAY

Years ago, before the various terrorist specters emerged post-9/11, I wrote an article about what I called "the Singapore question," which is, roughly, how much liberty are you willing to forfeit in the name of security? Since 9/11, the federal government in particular has had an answer ready: any and all. This is merely the most recent instance of this trend, which continues to tilt strongly in the direction of security and away from liberty.

Bruce Schneier comments on this whole trend. Here are some excerpts:

Regardless of the threat, from the would-be bombers' perspective, the explosives and planes were merely tactics. Their goal was to cause terror, and in that they've succeeded.
......................................................................................
The implausible plots and false alarms actually hurt us in two ways. Not only do they increase the level of fear, but they also waste time and resources that could be better spent fighting the real threats and increasing actual security.
.......................................................................................
The surest defense against terrorism is to refuse to be terrorized. Our job is to recognize that terrorism is just one of the risks we face, and not a particularly common one at that. And our job is to fight those politicians who use fear as an excuse to take away our liberties and promote security theater that wastes money and doesn't make us any safer.

In the wake of AOL's search information debacle, several people have taken up its implications. Tom Foremski concludes:

The AOL incident has placed Internet users on notice that their lives are transparent, even in unguarded moments, even when searching for something, anything, even when companies say they are not collecting identifiable data.
......................................................................................
Your every click and keystroke online is being collected by many different organisations, and that means that at some point it will be possible to track it all, and identify most of it. Welcome to the future transparency of your life.

Robin Harris, in StorageMojo, seconds Foremski, saying "we are what we search," and he advises us to name our children something simple, common, so that they can't be quickly and easily targeted by the search engines. He's right, of course, but it's still weird advice.

Harris also affirms Foremski's tactics: "to poison the database, to create a smokescreen, to use aliases/avatars ..." However, according to Bruce Schneier, poisoning the database or creating a smokescreen is more difficult than it seems, for a number of reasons. Even using aliases or avatars has its problems. We would still have to worry about various law enforcement agencies and their ability to force whoever maintains these pseudonyms to put aside your masks and tell who you really are.

However, if you're mainly concerned about being profiled and tracked by advertisers, stalkers, and nuisances of various kinds, nyms are an excellent choice. And nyms offer the ability to extend yourself into the marketplace on your own terms.

But I must mention again the possibility of anonymized Web use, as offered by Tor and Relakks. If your search engine records don't connect to you at all, you probably don't have to worry about anyone short of the NSA tracking you down--and even they might not find it that easy.

The Mercury News has an excellent article following up on the AOL search information debacle. They posed some hard questions to the major search engines, and they found:

America's top four Internet companies -- Google, Yahoo, AOL and Microsoft -- promise they will protect the personal information of people who use their online services to search, shop and socialize.

But a close read of their privacy policies reveals as much exposure as protection.

The massive amounts of data these companies collect -- which can include records of the searches you make, the health problems you research and the investments you monitor -- can be requested by government investigators and subpoenaed by your legal adversaries.

But this same information is generally not available to you.

In short, from a privacy advocate's point-of-view, the companies' answers are evasive, incomplete, and somewhat alarming.

Why do they collect this information? "The Big Four all collect personal information for the same reason: to make their services better and to provide a targeted audience to advertisers."

Well, okay, but this information can be made available to other parties without your consent and to your disadvantage:

"Imagine that your life is recorded in such a way that never happened in the history of mankind and that information can be discovered in the course of litigation,'' said John Palfrey, executive director of the Berkman Center for Internet & Society at Harvard University.

However, the companies don't want to talk about that: "None of the Big Four would respond to questions about the nature or number of times they have provided a user's information to a third party."

So, in conclusion:

While AOL's mistake is unlikely to be repeated, attorneys say there is nothing to prevent search histories from becoming standard evidence in court.

At that point, the searches will no longer be in any way anonymous, and the intimate, awkward and curious stories they tell will become part of the public record.

Don't you feel ever so slightly exposed?

Note: the Mercury News started this investigation weeks before AOL's debacle. Good work, guys.

Note: Relakks, a Swedish company, is offering completely anonymized Internet access for $5/month. I have no experience with their service and so can neither recommend it nor comment in detail on it, but I would note that it should completely eliminate all issues arising from search engine records, among others. The Electronic Frontier Foundation also offers its Tor anonymizer, which is still in development and, by EFF's own assessment--"it's not a good idea to rely on the current Tor network if you really need strong anonymity."

(For a summary of the search engine companies' responses to the News's questions, click here. For a complete list of the questions posed and the companies' answers, click here.)

If the recent AOL privacy debacle has you wondering about previous ones, Wired has a list of what it regards as the ten worst. Number 1 on the list, taken from Adam Shostack--security expert, privacy advocate, and all around good guy--is the creation of Social Security numbers. Number 5, one I'd forgotten, has an all-too-human face:

In 1999, a stalker named Liam Youens paid New Hampshire-based internet investigation firm Docusearch roughly $150 to get the Social Security number and workplace address of Amy Boyer. He'd been obsessed with Boyer since high school, and had created a website that detailed his plans to destroy her. With the data provided by Docusearch, Youens was able to hide outside Boyer's office and shoot her to death before killing himself.

Read the list. Once you do, it's hard to dismiss privacy as an irrelevance or to accept with a shrug the proposition that we have none.

The New York Times has discovered that when search engines store our search activities, our privacy can get violated and has recommendations:

The storing and sharing of data of this kind is a violation of users’ privacy rights. Congress, the Federal Trade Commission and the companies should do more to protect these rights.

Right, and we should also all just get along, but we won't. Instead, whatever actions Congress and the FTC take will be shaped by whatever special interests take this one in hand. Meanwhile, the companies who could most efficiently take the problem in hand will only do something only if it enhances their bottom line. All parties involved will ritually genuflect in the direction of our privacy rights and do little more to protect them.

If we want to protect ourselves from unwanted revelations about our conduct online, we need to protect ourselves. In order to do so, we need identity management that serves our needs, by which I mean, as I always do: systems that allow us to reveal information selectively and, when possible and desirable, under a pseudonym. In that context, some governmental and corporate privacy protections could be helpful.

According to Reuters, America Online's CTO, Maureen Govern--pictured to your left, well before things got ugly--has resigned as a result of AOL's release of 600,000-and-some users' search data.

Wired reports that "a researcher in AOL's technology research department and the employee's supervisor have also left the company."

AOL's also planning "to create a task force to review its current customer information privacy policy." Well, yeah, maybe you should, even though more than half a million horses are long gone out that barn door.

Steve Rubel has a new post about the issue of splogs and the threat they pose to the blogosphere as such--which is a startling claim if you think about it for even a moment. Years ago, I compared spam to both cockroaches and the common cold, and I think splog needs to be included in the comparison. If the comparison is apt, they probably won't cure us, but they do generate an enormous amount of discomfort, distrust, and inconvenience, measure them as you will.

If you don't follow this sort of thing, a splog as defined by whatis.com, is:

A fake blog created solely to promote affiliated Web sites, with the intent of skewing search results and artificially boosting traffic. Some splogs are written like long-winded ads for the Web sites they promote; others have no original content, featuring either nonsense or content stolen from authentic Web sites. Splogs include huge numbers of links to the Web sites in question to fool Web crawlers (programs that search the Web for sites to index). The sploggers associate popular search keywords with their pages so that the splog links turn up in blog search results and are sent out as search subscription notifications through e-mail and RSS feeds.

Rubel quotes the following ugly statistics from the September Wired magazine, not yet online:

* Some 56 percent of active English-language blogs are spam ... 
* A survey by Mitesh Vasa in December 2005 found that Blogger.com was hosting more than 100,000 sploggers
* One splogger interviewed by Wired ... made over $70,000 in just three months from his network of splogs

To quote William Gibson's years-old insight yet again, "the Street has its own uses for things," and spam and splogs and phishing and Nigerian bank account scams are among them. In the cases of spam and splogs, their particular evil is that they can be automated--spam to blanket millions of users without their consent, splogs to steal content and shape it to search engine needs in order to generate advertising revenue.

When the Wired article emerges online, I'll have a look to see if it convinces me that the blogosphere is in danger.

Two footnotes:

First, Wikipedia is having trouble with its "splog" page. It is being considered for deletion, which strikes me as silly--however, I am not qualified by either experience or expertise to comment on the finer points of Wikipedia process.]

Second, here's a chunk of a Doc Searls Splog--i.e., not one made by Doc but one attempting to use the phrase "Doc Searls" to generate traffic. Thanks to Doc himself for the link:

Welcome to the Doc Searls On Producerism one stop website! We offer the best information, resources and links on this side of the planet, you will find no greater and more comprehensive source for all your Doc Searls On Producerism needs! ONLY at our website, will you find every Top Quality information and knowledge resource website on the Doc Searls On Producerism topic! Please Enjoy your stay at your #1 Doc Searls On Producerism website, and do remember to bookmark, come again and tell all your friends!

Read/Write Web reports that the news has been filled with reports about social software. It cites Apple's new social software push, Facebook's open APIs, Microsoft's enabling user-created Xbox 360 games, the growth of online video, the prospect of Internet-based TV, XuQa combining social networking with games, Yahoo making its Answers API available, the BBC talking about "liberating" its content, and Comcast having "Yahoo-size ambitions" on the Internet.

If you're concerned with the future of identity and reputation online, all these events and a host of others all point to the same thing: a rich social environment online where both identity and reputation require managing for the convenience and privacy of all of us.

• There must be an end to the apparently ceaseless creation of username/password pairs--at once insecure, irritating, and inefficient.
• There should be an end to the constant demands for our personal information--from name and address and phone number to credit card numbers--for the most trivial transactions.
• And there should be a way for us all to manage all the data that we create about ourselves, that is gathered about us, that others contribute about us in various way.

There is also the question of privacy. The richer the social environment and the more intensive our interactions with it, the less privacy we will have. We can possibly defend ourselves against some loss of privacy if we have ways to control:

• To whom we expose ourselves,
• What information we expose
• What names (or pseudonyms--a constant theme of this blog) we attach to our information

Perhaps the growth of social networks can serve as a driver for all these developments.