21 Jun 2010 @ 12:23 PM 

Occasionally, I get a notification, from my favorite social networking site or my mortgage company, starting out with the words, “We respect your privacy.” Translation: “We respect the economic value of your personal information.” The notification typically continues with how my personal information is shared with affiliates, who may, at their discretion, share my personal information with other affiliates. They go on to explain that I am free to “opt-out” of [some of] these disclosures, and, should I choose to do so (after my information is already “out”), “opt-out” separately with each affiliate, subject to their own privacy policies. Of course, these privacy policies are subject to change without notice.

If this situation does not strike you as sheer lunacy, an illustration is in order.

Imagine this. Frank and Jesse James walked into a bank with their affiliates Willie Sutton and Bonnie & Clyde. They fired several shots into the air and started to round up hostages and demand money. Immediately, the bank guard approached Frank and Jesse with a clipboard with a Bank Robbery Opt-out Form attached. Frank looked at the completed form, and said, “Everything appears to be in order. Since my brother and I are honorable people, we will honor your opt-out request. You will, however, need to opt-out separately with our affiliates.”

Next, the guard approached Bonnie with a Bank Robbery Opt-out Form. Bonnie took one look at the form and responded, “Clyde and I would be delighted to honor your opt-out request. Oh, my! Look at the time: It’s after four on Friday afternoon. Our opt-out system is down for the weekend. Come back on Monday, and we will honor your request. In the meantime, we have a bank robbery to attend to.”

Before the guard had a chance to approach Willie Sutton with the third Bank Robbery Opt-out Form, Frank mentioned that he and Jesse had just changed their Bank Robbery Opt-out Policy, and would be rejoining their affiliates’ bank robbery in progress.

Hopefully, now you understand that privacy opt-out policies are often designed to prevent you from opting-out. They monetize your personal information and trample on your privacy rights. I suggest you demand stronger privacy protection laws and regulations from our state and federal elected officials and regulators. More information is available through the Privacy Rights Clearinghouse, with whom I am not affiliated.

Posted By: Craig Herberg
Last Edit: 23 Jul 2011 @ 09:31 AM

Categories: Information Security, Privacy
 16 Sep 2009 @ 3:08 PM 

When the Hewlett Packard Officejet Pro printers, with their low electrical and ink consumption and high quality text printing, became available, it was inevitable that one of them would be my next printer. As soon as the Officejet Pro 8500 multifunction printer went on sale at a local retailer, I bought one. As is usually the case with Hewlett Packard multifunction printers, the software installation was the most time-consuming part of the installation, but it completed without a hitch. HP thoughtfully — without asking permission — put an icon for Solution Center, which handles scanning, cropping, OCR, etc., on my desktop. Everything worked as advertised, for a brief period.

Shortly after installing the printer, as part of normal maintenance, I ran the Secunia online software inspector, which reported an old and insecure version of Flash Player. After updating to the latest/most secure version of Flash Player and removing the insecure one, I opened Solution Center to scan a photo. Immediately, Solution Center started its installer and requested the installation CD be put back in the drive. Of course, if you put the installation CD back in the drive, the just-uninstalled insecure version of Flash Player gets reinstalled, and the process continues ad infinitum. It is possible to hit cancel when the installer requests the CD, and Solution Center will work fine — until the installer pops up again, and again. This is not the way software is supposed to behave, nor is constantly hitting cancel an acceptable workaround. In case you are wondering, this is the newest version — 12.0.0 — of the software from the HP web site.

Armed with the knowledge that Solution Center would eventually perform all the functions I needed it to perform with the newest version of Flash Player and without the two Flash components that it thought it needed from the old, insecure version, I tried an experiment. Please do not try to replicate this experiment, as tampering with files in your system folders can render your system unstable or unusable. When those two “needed” files were replaced with text files of the same name, Solution Center quit complaining and performed all the functions I asked of it, including scanning photos and converting paper documents to editable text. Printing, which is done through the print driver, not Solution Center, works quite nicely as well.

Wouldn’t it be nice if HP fixed its software to work properly? Currently your choices are: live with a known security problem, put up with constant installation windows, hack system files, or buy another vendor’s printer. Unless HP fixes this problem, alternative number four looks pretty good.

Posted By: Craig Herberg
Last Edit: 23 Jul 2011 @ 09:31 AM

 12 Aug 2009 @ 7:22 PM 

Social networks provide wonderful opportunities to communicate with friends, colleagues, clients, etc., without regard for geographical, time, and physical constraints. What we frequently fail to realize, however, is that there should be absolutely no presumption of privacy of communication, regardless of your privacy settings. Assuming that there are no software vulnerabilities and no human error or misdeeds on the part of those maintaining these social networks, an incredible stretch in and of itself, all it takes is one person to re-tweet or post on their own wall to open your “private” communication to the entire world. Recently, a Chicago lady tweeted to her twenty-six Twitter “friends,” implying that her apartment was moldy. Within hours, this tweet became national news. This case exemplifies both the power and danger of social networking.

It bothers me not at all that people who don’t do their jobs post their slacking exploits on Twitter and Facebook. What does concern me, however, is that ordinary people may be telling the world a little more than they should. For example, a simple “I’m leaving for California tonight, and will be back in two weeks,” means just that to friends, but means “My house will be empty for two weeks,” to potential burglars. Young people boasting about wild parties may mean “I’m cool” to friends, but could mean “Don’t accept me to your college,” to an admissions officer, or “Don’t hire me,” to a potential employer.

Perhaps it would be appropriate to ask yourself, “Is there any reason not to share this with the entire world,” BEFORE posting. News, good or bad, travels around the world in the blink of an eye. As we all know, there is no “recall” button on information traveling around the internet.

Posted By: Craig Herberg
Last Edit: 23 Jul 2011 @ 09:31 AM

 19 Jul 2009 @ 12:51 PM 

Con artists are targeting eBay users with a phishing email intended to steal personal information. The following image is a capture of an email I received this morning. When I moused over the link to take me to the eBay form, I saw that it did not in fact lead to ebay.com, but instead to cgi.ebay.com.jiki.com.mx — a fraud site. You could use the mouseover method I employed, or just open your web browser and go to eBay to check your account. Do not click the link in the email! Also, you could forward the email to spoof@ebay.com for analysis.

These principles apply to any email you receive, especially those purporting to be from e-commerce sites, banks or other financial institutions. Sadly, neither Postini nor the Outlook 2007 spam filter quarantined this message. Remember, YOU are the last line of defense against fraudsters.

Phishing Email


Posted By: Craig Herberg
Last Edit: 23 Jul 2011 @ 09:31 AM

 13 Jul 2009 @ 9:21 AM 

If you have ever had a business relationship with a financial institution, you should know that they have access to a variety of your personal information. You may not realize that they can, without your permission, disclose this information to their “affiliates” and non-affiliated third parties. Additionally, they can change their disclosure policies at any time. Here is a typical financial institution privacy notice, which outlines what type of information they collect and disclose to others. They make it your obligation to “opt out” of disclosure. They also make it your problem to figure out and provide your account numbers. So, if you have a checking account, savings account, and a CD, you must provide account numbers for all three, to prevent disclosure of your personal information. Although they do freely provide your personal information to their other business units and affiliates, if you are a customer of one of these units or affiliates, you are on your own to separately contact them to “opt out” of disclosure.

Clearly, the rules make it easy for financial institutions to monetize your personal information and difficult for you to prevent disclosure of your personal information. What’s wrong with this picture? Isn’t it time to change our privacy laws to require explicit permission to release your personal information? For your privacy, you should demand that your elected officials enact “opt in” privacy laws.

Posted By: Craig Herberg
Last Edit: 23 Jul 2011 @ 09:31 AM

Categories: Privacy
 02 Jul 2009 @ 6:38 PM 

Most information security professionals agree that passwords, in order to be effective, need to be complex and use at least three of the following: uppercase letters, lowercase letters, numbers, and special characters (e.g., !, $, ), ?, etc.). There is, however, strong disagreement about usability. For example, many will argue that Z9!*pQZ7Rn! is a good password. Not in my book! In order to be effective, a password has to be both strong and memorable. Aside from being terribly hard to type, the only thing memorable about Z9!*pQZ7Rn! is that it’s nearly impossible to remember. Passphrases, but not common ones like America’sTeam, can be quite effective. Redskin fans may be inclined to use HailToTheRedskins, but instead should modify it to something like rail,2theHEADskins. You should be able to make your own quirky passphrases that cannot be guessed or easily cracked by password-breaking software attacks. Anybody who knows you should know the names of family members and pets, so they fail the first criterion. For Windows logons, any password under eight characters can be easily broken, as can most under fifteen characters. Wireless network encryption keys should be at least twenty-eight characters long to be effective. In most cases, the key only needs to be typed once, so such a long key is not usually a big problem. On the flip side, asking paying customers in a coffee shop to type a twenty-eight character encryption key would be a risky business proposition!

It’s important to consider just what you are protecting with your passwords. For most people, your password to a newspaper web site is not that important, unless they have your credit card number, or other confidential or proprietary information; however, if you have a high profile, you certainly do not want people making unauthorized comments in your name. Bank and brokerage accounts are intuitively obvious, but email accounts are also very important. For example, once someone has access to your email, that person can attempt to log in to any online account and click the Forgot Password link. Many sites will email the password or a password reset link. It gets quite ugly from there!

Lastly, consider physical security. If you are in a location with access by those who should not have your passwords, do not have your passwords written down. Likewise, do not let your web browser manage passwords for any accounts that you need to protect. There are many robust password safes that require a master password to access. Norton’s Identity Safe is one such product.

Please remember — it’s your privacy. Do what you can to protect it.

Posted By: Craig Herberg
Last Edit: 23 Jul 2011 @ 09:31 AM

 28 Jun 2009 @ 8:14 AM 

On this (Western) side of the Atlantic Ocean, personal information is monetized and sold/rented with little regard for the privacy of the real owner of that information. Data brokers, banks, insurance companies, mortgage companies, universities, web sites, social networks, and merchants — to name a few — provide your personal information to their “affiliates” and customers, for money or other consideration, without your knowledge or permission. In some instances, you can opt-out, but it’s your responsibility to figure out how to do this. If a particular organization allows you to opt-out, you are on your own to contact each and every one of the “affiliates” to whom they have provided your information, to opt-out from them as well — if the “affiliates” allow you to do so at all. If you think that the playing field is tilted in favor of those who profit by selling your personal information, you are correct. It’s all about the money.

If you believe that your privacy should be yours, and not a commodity to be bought and sold, contact your elected officials. Tell them that you demand a national opt-in policy, where you are in control of how and when your personal information is used. It needs to be all about your privacy, not about the money.

Craig Herberg

Posted By: Craig Herberg
Last Edit: 23 Jul 2011 @ 09:31 AM

Categories: Privacy
 26 Jun 2009 @ 5:46 PM 

Occasionally, I hear from clients who are upset about the sudden increase of unwanted email shortly after they sign up for a “free” giftcard. Let’s take a look and see just how free that giftcard is. On one web site, there is a link labeled, “Take survey/Gift Card,” which leads to another web site, with an offer to complete a short questionnaire for a chance to win a giftcard. It couldn’t be easier! Agree to their terms of service, provide your email address and year of birth, and get ready to take the survey. Next, provide basic biographic/demographic information, such as name, date of birth, address, telephone number, gender, marital status, employment status, occupation, etc., and you’re on your way. Wait a minute. That’s a lot of information they are asking for. Perhaps it’s time to take a look at their privacy policy. As is frequently the case, this particular vendor shares personal information with third-party marketers. Of course, you are free to “opt-out” at any time, but must “opt-out” separately with the third-party marketers with whom they have shared your information. Oh, and by the way, they cannot vouch for the privacy policies of those with whom they have shared your information.

Now may be a good time to look into a good spam filter or another email address.

Posted By: Craig Herberg
Last Edit: 23 Jul 2011 @ 09:31 AM

Categories: Privacy
 25 Jun 2009 @ 10:15 PM 

An article in the Wall Street Journal, titled “Firm Mines Offline Data To Target Online Ads,” details how a database marketing firm mates public records, survey information, and tracking cookies secretly placed on people’s computers, to sell this tracking information to web marketers wishing to display targeted ads on your computer. If you think this sounds a bit like a toilet paper company putting a hidden camera in your bathroom, so they can offer to sell their product when you run low, you are not far off the mark. Should you be concerned? Absolutely! Is there anything you can do about it? Yes!

In Internet Explorer, click on Tools — Internet Options — Privacy. You can either set the privacy level to Medium or higher — up to Block All Cookies, or you could click on Advanced, and check Override automatic cookie handling, and Block first party cookies and third party cookies, then check Always allow session cookies. This last option should allow you to log in to your bank or brokerage. You may want to experiment a bit. While you are at it, under the General tab of Internet Options (assuming Internet Explorer 7), you can click on Delete — Delete all. Please be aware that doing so will delete all cookies, form data and passwords that Internet Explorer has stored on your computer. This may cause you some inconvenience, but will help protect your online privacy.

Taking these precautions will make it impractical for marketers to monetize your online privacy. While you’re still outraged, why don’t you write to your congressperson and request legislation to protect your privacy?

Posted By: Craig Herberg
Last Edit: 23 Jul 2011 @ 09:31 AM

Categories: Privacy
