Millions of Home Network Devices Vulnerable to Hacking – Take Action Today

January 30, 2013

Consumers around the world are being advised to immediately check their home networks for the three major security holes after new research by Rapid7 has discovered that over 6,900 networked devices from 1,500 manufacturers are vulnerable to cyber-attacks because of a flawed use of the Universal Plug and Play (UPnP) protocol.

The Plug and Play protocols (standards) are what allow networks and computing devices (like PC’s printers, keyboards, webcams, flash drives and Wi-Fi access points to automatically identify and communicate with other devices without requiring users to configure the connections. For example, you plug in a webcam, flash drive or keyboard and it automatically works with your computer.

The issue is that while security has evolved for other aspects of computing to block criminal exploitation, these UPnP protocols have largely gone unchanged.  There are patches available to fix the issues, but it is expected to take a long time before the patch is included in new products. You’ll have to reach out to the manufacturer of any devices on your network that are at risk to see if they have patches for your existing devices.

“The results were shocking to the say the least. Over 80 million unique IPs were identified that responded to UPnP discovery requests from the internet,” said the report’s author HD Moore, creator of Metasploit and currently CTO at vulnerability testers Rapid7. Moore explained to that the scale of vulnerabilities was surprisingly high, and everyone from ISPs, businesses and home users should check their hardware. While the attacks are somewhat complex in nature at the moment, they are likely to be picked up and automated by malware writers in the future.

Find Out if Your Devices Vulnerable

upnp1Rapid7 has created a free ScanNow UPnP tool for Windows users to check for the flaws so that vulnerable equipment can be identified and locked down. For Linux and Mac users, you’ll need to get the same tool directly from Metasploit.

  1. Download the free ScanNow UPnP tool and select Run. This will bring up a page asking you to enter your IP address or range of addresses.

At this point you have three options for what to enter into these fields:

upnp2

  • If you only have one computer or laptop, you can enter the universal ‘loop back’ address that looks inside your computer. To do this you would enter 127.0.0.1 in both fields.  This will scan the individual device.

Start the scan and wait for the results.  The results page has a lot of information on it, but scroll to the bottom for your scorecard.  If your scan shows no issues, you’re in good shape and don’t need to do anything else. If your scan shows a problem, read on to find out what to do next.

upnp3

  • upnp4If you have multiple devices to test, you can infer the internal IP address range of your computers, keyboards, webcams, etc. you are using.

This IP address number range can be found by clicking on the Start menu, then typing CMD (command) into the search field, and clicking enter.

This brings up a needlessly scary looking black screen that was never made pretty because regular consumers rarely see it. upnp5On this screen you will see a command line that should say C:\Users\THE NAME OF THE COMPUTER ADMINISTRATOR>. On this line type in ‘ipconfig’ (which stands for IP address configuration). This will bring up a whole scroll of information but what you are looking for is easy to find.

Scroll down until you see a line called IPv4. For 99% of users (anyone who has not changed he default configuration of upnp6their devices, there will be a number sequence that will begin with 192.168.xxx.xxx, 172.xxx.xxx.xxx, or 10.xxx.xxx.xxx.  In this example, the number sequence starts with 192.168.

Copy the first three sets of numbers and enter into the first three fields of both the starting and ending address fields.  In the last field of the starting address, enter the number 1. In the last field of the ending address, enter the number 255. For the example shown above, it would look like this:

upnp7

Now, start the scan and wait for the results.  The results page has a lot of information on it, but scroll to the bottom for your scorecard.  If your scan shows no issues, you’re in good shape and don’t need to do anything else. If your scan shows a problem, read on to find out what to do next.

  • If you want to use your external IP address to scan all of your devices and peripherals, you can find your external IP address by going to the website whatismyIP.org. You’ll see your IP address displayed at the very top of the screen. Take that number sequence, and enter it into both the starting and ending address fields in the ScanNow application.

Now, start the scan and wait for the results.  The results page has a lot of information on it, but scroll to the bottom for your scorecard.  If your scan shows no issues, you’re in good shape and don’t need to do anything else. If your scan shows a problem, read on to find out what to do next.

Again, if you pass the test without any issues, you’re done. If however the test finds issues you have to figure out which device(s) or peripheral (keyboard, webcam, UPnP hubs etc.) is the culprit putting you at risk. If you only have computers, it’s pretty easy to sit down at each one and perform the test, and then disable peripherals to determine which (if any) are causing the problem.   If you have devices like an Xbox or internet TV, it is harder to perform the test directly on those devices so you may just want to unplug these one by one and run the test against your full network again to identify the culprit.

If you can’t figure out which device or peripheral is causing the problem, ask a friend or family member who is more technically savvy than you, or use a service like Geek Squad and have them come identify the issue.

Unplug and quit using any device or peripheral with security risks until you can get these updated with a fix. To do this, you will most likely have to contact the manufacturer and ask if they have a way to upgrade the code to a safe version.  This can be a real pain, but it’s far less painful than having hackers exploit your computers and steal your financial identity, your information or hold your information for ransom.

Linda


Will you ‘Gift’ Your Identity to Criminals this Holiday Season?

November 18, 2012

Between careless clicks, falling for scams, and companies’ data breaches your identity is under escalating threat as crooks find ever more ways to use your information.

And the Holidays represent prime hunting for thieves.

In fact, the onslaught is so aggressive that Identity theft claims more than 15 million victims a year in the U.S, and has become the fastest growing crime in the country. And it costs an average of $3,500 for victims to restore their identities, according to new data by the Hanover Insurance Group.

That of course doesn’t include the aggravation and increased risk victims will have to live with for the rest of their lives.  That increase in risk is due to the amount of information about you that doesn’t change. Typically, ID theft victims only change their credit card numbers and PINs. A few change their password(s) and even fewer change their Social Security Number (it’s hard to do).  But you can’t change your birthdate, your name, your mother’s maiden name, your address, your employer, etc., and these pieces of information help future thieves re-associate the information needed to impersonate you.

As your making your lists, and checking them twice, review this 9 step checklist to deter ID thieves:

  1. Secure your computers, laptops, tablets and smartphones with anti-virus, anti-spyware, and security tools.
    Keep them current and use them unfailingly-as automatically as locking your door when you leave the house. A computer that does not have security software installed and up-to-date will become infected with malicious software in an average of four minutes. That malicious software will steal your information and put you at risk for crimes.
  2. You must have anti-virus and anti-spyware software installed and up-to-date. If your computer or phone isn’t protected from Trojans, viruses and other malware, your financial information, passwords and identity will be stolen.
  3. Secure your internet connection – Make sure your computer’s firewall is on. If you use a wireless network it needs to be encrypted so someone who is lurking outside the house can’t collect your information. Never use a public WiFi service for any type of financial transaction or other type of sensitive information transfer.
  4. Use caution on public WiFi hotspots. Do not log onto sensitive sites (banking, shopping…) from an unsecured connection.  When using a public computer, uncheck the box for remembering your information.
  5. Use strong, unique passwords for every site. Creating strong memorable passwords is easy and can actually be fun – and the payoff in increased safety is big. The key aspects of a strong password are length (the longer the better); a mix of letters, numbers, and symbols; and no tie to your personal information. Learn how with my blog Safe passwords don’t have to be hard to create; just hard to guess.
  6. Watch your surroundings. Pay attention to who is around you so that they do not see you type your passwords, credit card numbers, PIN’s, etc., or read sensitive information you may be sharing.
  7. Put a credit freeze on your accounts. Block ID thieves from opening new accounts under your name by freezing or blocking access to your credit files. Learn more about creating a credit freeze here.
  8. Pay attention to messaging risks.
    1. Think twice before you open attachments or click links in messages -even if you know the sender-as these can be used to transmit spam and viruses to your computer.
    2. Never respond to messages asking you to provide personal information, especially your account number or password, even if it seems to be from a business you trust. Reputable businesses will not ask you for this information in e-mail.
    3. Never click on links provided in messages, unless you are sure of the sender. Instead, use a search engine to find the website yourself.
    4. Don’t forward spam. Whether it’s a cute ‘thought of the day’, ‘set of jokes’, ‘amazing photo’,  ‘recipe tree’ or similar email, if you don’t personally know the sender the email is surely a scam designed to collect the email accounts – and relationships – of everyone you share it with.
  9. Don’t trade personal information for “freebies.”   Online freebies come in two forms:
    1. The free games, free offers, and ‘great deals’. Just as in the physical world, if these types of offers sound too good to be true, they probably are. Not only will these collect and sell your personal information, these ‘deals’, and ‘free’ applications are usually riddled with spyware, viruses or other malicious software.
    2. Through survey’s, sweepstakes, quizzes, and the like. These marketing tools are designed for one purpose – to get as much information from you as they can, so they can sell that to interested parties. Even the most innocuous ‘survey’s learn far more than you imagine, and they may give you malicious software or download tracking cookies, so just skip these entirely.
  10. Trust your instincts.   Online and offline, your instincts play a critical role in your protection. If something feels ‘off’, go with your instinct. You don’t have to explain your reasoning to anyone.
  11. Shred sensitive documents. Do not throw bank statements, bills, or other sensitive material in the garbage.

 

Following these steps will significantly reduce your chances of falling victim to ID theft, but nothing will eliminate your risk entirely. This means that monitoring your credit reports is often the best way to identify whether you have fallen victim.

 

Check your credit reports.  Under the Fair Credit Reporting Act, you have the right to one free credit disclosure in every 12-month period from each of the three national credit reporting companies: Experian – http://www.experian.com/consumer-products/triple-advantage.html, Equifax – http://www.econsumer.equifax.com, TransUnion – http://www.truecredit.com/?cb=TransUnion&loc=2091

  • Request a free credit report from one of the three companies for yourself, your spouse, and any minors over the age of 13 living at home to check for credit fraud or inaccuracies that could put you at financial risk. (Although exact figures are difficult to get, the latest data shows that at least 7 percent of identity theft targets the identities of children.) The easiest way to do this is through AnnualCreditReport.com.
  • You can also pay for credit monitoring services that will alert you to any suspicious activity or changes in your credit scores.

 

If your identity has been stolen or compromised, take immediate action:

  1. Contact your credit card companies and financial institutions of all affected accounts. Monitor your accounts closely for any fraudulent charges or withdrawals and notify the companies immediately.  Check to ensure charges are removed from your account, and retain documents of the incidents.
  1. If your Social Security number has been compromised, contact the Social Security Administration Inspector General, they will determine if you need to get a new number.
  2. Alert the credit bureaus and request a fraud alert be placed on your accounts. This will require that companies call you before opening a line of credit.
  1. Report the incident to the police, you should be asked to fill out an identity theft report, and you’ll want to keep a copy of that report as you may need to show this to prove to creditors that your identity was indeed stolen.
  1. Notify your health insurance company; don’t let your ID theft become medical ID theft!
  1. If the problem is large, consider hiring a reputable service that helps restore your credit.
  1. Recognize the emotional impact ID theft may have on you.  Given the severity of an incident, and whether you knew the person who stole your identity or not, the emotional toll of dealing with ID theft can be high. Be sure to take care of yourself and to reach out to others for support if needed.

Additional Resources:

Linda


FTC and EU Weigh in on Face Recognition Applications – Why Limiting the Use of This Technology Matters

August 1, 2012

Who should own and control data about your face? Should companies be able to collect and use your facial data at will?

Is it enough to let users can opt out of facial recognition, or should companies be required to collect your specific opt in before collecting your facial data? If a company has multiple services, is one opt in enough, or should they be required to seek your permission for every new type of use? Under what conditions should a company be able to sell and monetize their ability to recognize you?[i]

There are a lot of cool uses for facial recognition tools, but how informed are you about the risks? How do you weigh the pros and cons to make an informed choice about who can identify you?

Governments are paying greater attention to potential privacy threats

A preliminary report by the Federal Trade Commission (FTC) identifying the latest facial recognition technologies and how these are currently being used by companies has just been released. The report also outlines the FTC’s plan for creating best-practice guidelines for the industry that should come out later this year.

In Europe concerns over facial recognition technologies potential to breach personal privacy has resulted in a similar review.

This is great news for consumers as it signals a shift in the timing of privacy reviews from a reactive approach where guidelines have come after consumers have largely already had their privacy trampled, to a far more proactive approach to protecting consumers online privacy, safety, and security.

In response, companies like Facebook and Google are dramatically increasing their lobbying budgets and campaign funding

It is no coincidence that as government bodies increase their focus on consumer’s online privacy that the companies making the biggest bucks from selling information about you – and access to you – are pouring money and human resources into influencing the government’s decisions.

According to disclosure forms obtained by The Hill, “Facebook increased its lobbying spending during the second quarter of 2012, allocating $960,000, or three times as much as during the same three-month period in 2011”.

And a report in the New York Times noted that “With Congress and privacy watchdogs breathing down its neck, Google is stepping up its lobbying presence inside the Beltway — spending more than Apple, Facebook, Amazon and Microsoft combined in the first three months of the year.” Google spent $5.03 million on lobbying from January through March of this year, a record for the Internet giant, and a 240 percent increase from the $1.48 million it spent on lobbyists in the same quarter a year ago, according to disclosures filed Friday with the clerk of the House.

In addition to lobbying spend, these companies, their political action committees (PAC’s) – and the billionaire individuals behind the companies have exorbitant amounts of money for political contributions; chits to be called in when privacy decisions that could impact their bottom line hang in the balance.

Here’s what today’s facial recognition technologies can – and are – doing:

 

It only takes a quick look for you to identify someone you know; yet facial recognition technologies are both faster and more accurate than people will ever be – and they have the capability of identifying billions of individuals.

Although many companies are still using basic, and largely non-invasive, facial recognition tools to simply recognize if there is a face in a photo, an increasing number of companies are leveraging advanced facial recognition tools that can have far reaching ramifications for your privacy, safety, and even employability.

Advanced facial recognition solutions include Google+’s Tag My Face, Facebook’s Photo Tag Suggest, Android apps like FaceLock, and Visidon AppLock, and Apple Apps like Klik,  FaceLook, and  Age Meter, then there are apps like SceneTap, FACER Celebrity, FindYourFaceMate.com and DoggelGanger.com.  New services leveraging these features will become increasingly common – particularly if strict privacy regulations aren’t implemented.

Some companies use facial recognition services in their photo and video applications to help users recognize people in photos, or even automatically tag them for you. (You may not want to be tagged in a particular, photo, but if you allow photo tagging you can only try to minimize the damage, you can’t proactively prevent it).

Some services use facial recognition for security purposes; your face essentially becomes your unique password (but what do you do if it gets hacked? Change your face??).

What are the potential risks of facial recognition tools to individuals?

The Online Privacy Blog enumerates some of the risks in easily understood terms; here is an excerpt from their article The Top 6 FAQs about Facial Recognition:

Take the massive amount of information that Google, Facebook, ad networks, data miners, and people search websites are collecting on all of us; add the info that we voluntarily provide to dating sites, social networks, and blogs; combine that with facial recognition software; and you have a world with reduced security, privacy, anonymity, and freedom.  Carnegie Mellon researchers predict that this is “a world where every stranger in the street could predict quite accurately sensitive information about you (such as your SSN, but also your credit score, or sexual orientation” just by taking a picture.

Risk 1:  Identity theft and security

Think of your personal information—name, photos, birthdate, address, usernames, email addresses, family members, and more—as pieces of a puzzle.  The more pieces a cybercriminal has, the closer he is to solving the puzzle.  Maybe the puzzle is your credit card number.  Maybe it’s the password you use everywhere.  Maybe you’re your social security number.

Identity thieves often use social security numbers to commit fraud. Photo: listverse.com.

Facial recognition software is a tool that can put all these pieces together.  When you combine facial recognition software with the wealth of public data about us online, you have what’s called “augmented reality:”  “the merging of online and offline data that new technologies make possible.”   You also have a devastating blow to personal privacy and an increased risk of identity theft.

Once a cybercriminal figures out your private information, your money and your peace of mind are in danger.  Common identity theft techniques include opening new credit cards in your name and racking up charges, opening bank accounts under your name and writing bad checks, using your good credit history to take out a loan, and draining your bank account.  More personal attacks may include hijacking your social networks while pretending to be you, reading your private messages, and posting unwanted or embarrassing things “as” you.

The research:  how facial recognition can lead to identity theft

Carnegie Mellon researches performed a 2011 facial recognition study using off-the-shelf face recognition software called PittPatt, which was purchased by Google.  By cross-referencing two sets of photos—one taken of participating students walking around campus, and another taken from pseudonymous users of online dating sites—with public Facebook data (things you can see on a search engine without even logging into Facebook), they were able to identify a significant number of people in the photos.  Based on the information they learned through facial recognition, the researchers were then able to predict the social security numbers of some of the participants.

They concluded this merging of our online and offline identities can be a gateway to identity theft:

If an individual’s face in the street can be identified using a face recognizer and identified images from social network sites such as Facebook or LinkedIn, then it becomes possible not just to identify that individual, but also to infer additional, and more sensitive, information about her, once her name has been (probabilistically) inferred.

Some statistics on identity theft from the Identity Theft Assistance Center (ITAC):

  • 8.1 million adults in the U.S. suffered identity theft in 2011
  • Each victim of identity theft loses an average of $4,607
  • Out-of-pocket losses (the amount you actually pay, as opposed to your credit card company) average $631 per victim
  • New account fraud, where thieves open new credit card accounts on behalf of their victims, accounted for $17 billion in fraud
  • Existing account fraud accounted for $14 billion.

Risk 2:  Chilling effects on freedom of speech and action

Facial recognition software threatens to censor what we say and limit what we do, even offlineImagine that you’re known in your community for being an animal rights activist, but you secretly love a good hamburger.  You’re sneaking in a double cheeseburger at a local restaurant when, without your knowledge, someone snaps a picture of you.  It’s perfectly legal for someone to photograph you in a public place, and aside from special rights of publicity for big-time celebrities; you don’t have any rights to control this photo.  This person may not have any ill intentions; he may not even know who you are.  If he uploads it to Facebook, and Facebook automatically tags you in it, you’re in trouble.

Anywhere there’s a camera, there’s the potential that facial recognition is right behind it.

The same goes for the staunch industrialist caught at the grassroots protest; the pro-life female politician caught leaving an abortion clinic; the CEO who has too much to drink at the bar; the straight-laced lawyer who likes to dance at goth clubs.  If anyone with a cell phone can take a picture, and any picture can be tied back to us even when the photographer doesn’t know who we are, we may stop going to these places altogether.  We may avoid doing anything that could be perceived as controversial.  And that would be a pity, because we shouldn’t have to.

Risk 3:  Physical safety and due process

Perhaps most importantly, facial recognition threatens our safety.  It’s yet another tool in stalkers’ and abusers’ arsenals.  See that pretty girl at the bar?  Take her picture; find out everything about her; pay her a visit at home.  It’s dangerous in its simplicity.

There’s a separate set of risks from facial recognition that doesn’t do a good job of identifying targets:  false identifications.  An inaccurate system runs the risk of identifying, and thus detaining or arresting, the wrong people.  Let’s say that an airport scans incoming travelers’ faces to search for known terrorists.  Their systems incorrectly recognize you as a terrorist, and you’re detained, searched, interrogated, and held for hours, maybe even arrested.  This is precisely why Boston’s Logan Airport abandoned its facial recognition trials in 2002:  its systems could only identify volunteers 61.4 percent of the time.

Learn more about facial recognition technologies, how they work and what the risks are in these resources:

Three steps to protecting your facial data:

  1. There are many positive uses for facial recognition technologies, but the lack of consumer protections make them unnecessarily risky. Until the control and management of this data is firmly in the hands of consumers, proactively opt out of such features and avoid services where opt out is not an option.
  2. Voice your concerns to elected officials to offset the impact of corporate lobbying and campaign contributions intended to soften proposed consumer protections.
  3. Voice your frustration to the companies that are leveraging this technology without providing you full control over your facial data – including the ability to have it removed, block it from being sold, traded, shared, etc., explicitly identify when and how this data can be used either for standalone purposes or combined with other data about you, and so on. If a company does not respect your wishes, stop using them. If you allow yourself to be exploited, plenty of companies will be happy to do so.

Linda


[i] See The One-Way-Mirror Society – Privacy Implications of Surveillance Monitoring Networks to understand some implications of facial recognition tool’s use when companies sell this information.


Top 10 Takeaways from AT&T Study of Families Mobile Phone Perceptions

July 10, 2012

To better understand the landscape for families and mobile phones, AT&T commissioned GfK Roper Public Affairs for a national study on parents and children’s (ages 8–17) views.  Among the findings:

  1. On Average, kids receive their first mobile phone at age 12, and 34% get a smartphone.
  2. 53% of kids report that they have ridden with someone who was texting and driving.
  3. 22% say they’ve been bullied via a text message by another kid.
  4. 46% of kids ages 11–17 say they have a friend who has received a message or picture that their parents would not have liked because it was too sexual.
  5. 90% of kids think it’s OK for parents to set rules on how kids use their phone;  66% of kids say they have rules and 92% think the rules are fair (consistent across age groups and types of phone)
  6. If kids had to choose one technology device for the rest of their lives, the majority say they would choose a mobile phone above all else — computer, television, tablet.
  7. 75% of kids think their friends are addicted to phones.
  8. 62% of parents are concerned that they are not able to fully monitor everything their child is doing and seeing on the phone.
  9. 40% of kids with a mobile phone say their parents have not talked to them about staying safe and secure when using the mobile phone.
  10. 58% of parents say that their mobile phone provider offers tools or resources for parents to address issues like overages, safety, security and monitoring.

If you’re among the 38% of parents at a loss as to how to help your children be safer on their mobile phones, see my blog Using Mobile Phones Safely.

Linda


Want Increased Control Over online Communications? Consider Wickr

July 9, 2012

If you’re tired of having your personal information, conversations, photos, texts, and video messages exploited by companies, used to embarrass you by frenemies, or pawed over by data collection services, Wickr’s an app worth considering.

The company’s founders have the credentials and the right motivation to build a tool that puts control of your communications squarely – and simply – in your own hands.  Kara Lynn Coppa, is a former defense contractor; Christopher Howell, is a former forensics investigator for the State of New Jersey; Robert Statica, is a director at the Center for Information Protection at the New Jersey Institute of Technology; and Nico Sell, is a security expert and longtime organizer for Defcon, an annual hacker convention.

Responding to questions during an interview, Ms. Sell said, “Right now, everyone is being tracked and traced in ways they don’t understand by numerous governments and corporations,” “Our private communications, by default, should be untraceable. Right now, society functions the other way around.”

Continuing, Ms. Sell said, “If my daughter wants to post a picture of our dog, Max, on Instagram, she shouldn’t have to know to turn the geo-location off,” “People have always asked me ‘How do I communicate securely and anonymously?’ There was never an easy answer, until now.”

Mr. Statica added to this point saying “There is no reason your pictures, videos and communications should be available on some server, where it can easily be accessed by who-knows-who, or what service, without any control over what people do with it.”

Amen to these views.

So what does Wickr offer?

Encrypted messaging – all messages – text, photos, video and audio – sent through the service are secured “by military-grade encryption… They can only be read by you and the recipients on the devices you authorize,” Wickr only stores the encoded result – and only for as long as needed for system continuity.

Self-destruct option – allows you to determine how long the people you communicate with can view the content – text, video, photos – before it is erased. (Recipients can however still capture a screenshot of the content, but the team behind Wickr is looking for ways to notify the sender if a screenshot is taken).

Total phone wipe – one of the risks of recycling cellphones is that you can’t easily erase the phone’s hard drive which enables criminals (and forensic investigators) to recreate your content. Wickr addresses this issue with an anti-forensics mechanism that erases deleted content by overwriting the metadata and rendering indecipherable.

Anonymity on Wickr – the service takes your privacy so seriously they don’t even know your username, you aren’t forced to share your email address or any other personal information that could identify you to the service or to others. Instead, your information is “irreversibly encoded with multiple rounds of salted cryptographic hashing prior to being sent to our servers. Even we cannot determine the actual values based on the hashed values we store.”

Free to use – you might think a service like this could put a hefty price on your privacy, instead the company has chosen to use the “freemium” business model that charges only for premium service features like sending files to large groups or sending large files.

NOTE: I am not associated in any way with this app, nor do I know any of the individuals behind it. While it’s rare I endorse a product, the philosophy behind the service is fabulous, and the tools are something every consumer needs to protect themselves and their privacy.

The next step is for every consumer to demand this same level of respect and security of EVERY online service with whom they interact. 

Want to learn more? Read Wickr’s FAQ

 

Linda


Proposed legislation would prevent employers from demanding Facebook access

June 27, 2012

Responding to the blatant trampling of consumer’s privacy, Senator Richard Blumenthal (D-CT), Representative Martin Heinrich (D-NM) and a number of cosponsors in both the House and the Senate have introduced new legislation called The Password Protection Act of 2012 (PPA).

This act would make it “illegal for an employer to compel or coerce access to any online information stored anywhere on the internet if that information is secured against general public access by the user.”

Speaking to the proposed legislation Senator Blumenthal said, “Employers seeking access to passwords or confidential information on social networks, email accounts, or other protected Internet services is an unreasonable and intolerable invasion of privacy. With few exceptions, employers do not have the need or the right to demand access to applicants’ private, password-protected information. This legislation, which I am proud to introduce, ensures that employees and job seekers are free from these invasive and intrusive practices.”

U.S. Senator Jeanne Shaheen (D-NH), who joined in introducing the legislation said, “As Facebook and other websites become an increasingly important part of the daily lives of millions of people, we must be vigilant in protecting online privacy. This legislation provides an important safeguard for all Americans.”

Drafted with assistance from major technology companies and legal experts the proposed act is provides welcome first step in providing relief from employers encroachment on employee privacy.

However, as the ACLU points out, there are some omissions and exceptions in the Act as it currently stands that should be remedied:

  • It doesn’t protect students so schools can continue their assault on student privacy
  • It allows states to still require passwords of government workers who work with children under age 13
  • It allows the executive branch to exempt whole classes of workers and require passwords if they come into contact with classified information, including soldiers.
  • “Finally the legislation doesn’t make clear that states have a role to play. Many states have already begun to act, and we believe that it’s critical that federal legislation be a floor, not a ceiling, for employee protections.”

“This bill creates a necessary framework for guarding privacy in the 21st century,” Christopher Calabrese, ACLU legislative counsel, commented. “While the legislation contains some problematic exceptions, it does establish clear, bright boundaries when it comes to what online information our bosses can access. Employers have no business snooping on their employees’ Facebook pages, private email accounts and smart phones. Passing the Password Protection Act would be a major step toward ensuring they can’t. We’ll work with the sponsors to extend these protections to students and eliminate some problematic exceptions.”

This proposed legislation matters to each and every citizen. It draws a line on personal privacy protections and continues the dialog about the need to extend these protections in many other technology related areas – the rights of privacy and control over one’s data. The ownership of your personal information. The limits to how corporations can expose your information. And so on.

Let your voice be heard.

Take 5 minutes and contact your elected officials with a message saying “I support the password protection act”.

To find your representatives and their email addresses click here: http://www.house.gov/representatives/find/

To find your senators and their email addresses click here: http://www.senate.gov/general/contact_information/senators_cfm.cfm

Linda


Canadian Teens Behind Human Trafficking Ring

June 14, 2012

In a sickening new twist in teen-on-teen sexual exploitation, three Canadian teens girls (two 15-year-olds and one 17-year-old) are charged with human trafficking by luring other teen girls through social media services, asking to meet up at a housing complex and then forcing them into prostitution.

According to ABC news, three separate incidents were identified in which three female victims, ranging from 13 to 17 years old, were lured to a housing complex in Ottawa and then forcibly driven to other locations for prostitution purposes.” …[Ottawa Police Staff Sgt. John] McGetrick said that “social media was a factor” in planning the initial meetings arranged between the suspects and the victims. He told ABCNews.com that the suspects and the victims were “vaguely known to each other,” but were not friends. “The meetings were intended to do an enjoyable activity, let’s say, hang out,” he said. “There was no ill-intention in the invite. Obviously things changed once that happened.”

Shockingly, police do not believe that adults were involved in the trafficking ring; it looks as if this was entirely the creation of the three girls.

In addition to human trafficking charges, these girls are charged with robbery, procuring, forcible confinement, sexual assault, assault, uttering threats and abduction, yet because they are minors, McGetrick believes the teens will be tried as juveniles and only face up to 3 years in prison.

This isn’t the first case of teens leveraging technology and online services to sexually exploit others, in 2010 a 17-year-old was arrested for pimping a hooker through Craigslist, and there are reports that teen girls in the UK deliberately set up meetings between pedophiles they’d found online and girls they didn’t like in the hopes these girls would be exploited.

But this case is, as far as we know, unique in the deliberation shown in befriending and grooming their victims, the logistical complexity of arranging these abductions, and the sophistication in finding men  interested in raping young girls and arranging the meetings with these ‘johns’.

Takeaway for parents

Teens virtually meet other teens online every day, and it can seem particularly innocuous when the teens are remotely connected as they apparently were in this case. Most of the time, these friendships are harmless, in many cases they have very positive and lasting benefits that should be encouraged. So how do you spot and mitigate risks to prevent tragedies like those reported here from occurring?

  1. Talk and keep talking. You should know and understand the services your teens are using and who their interacting with. That doesn’t mean reading all their comments, but it does mean making sure the conversations are healthy, and it does mean discussing situations where even when everything seems fine – as it surely did for the victims in this case – things may not be as they seem.
  2. Make sure your teen knows they can NEVER EVER meet someone or a group of people for the first time alone or in a private place. Meetings need to occur in public places when other people are around. Ideally you go with them to meet the other teen and that teen’s parents.  At a bare minimum you need to know where and when they’re meeting and how to contact the person their meeting up with, AND they should be required to check in with you on a set schedule.  This way, any missed call alerts you instantly to take action.

How you negotiate that your kids always tell you before meeting anyone is critical. With 4 young adult children I’ve lived this compromise with each of them during their teens.

They thought I was paranoid, but we framed it this way – they wanted to do something; and I needed to know they were safe. Then we negotiated a solution that both of us could live with. This gave my teens a way to do what they wanted – meet up – and minimized my anxiety.

In each case my teens were fairly sarcastic when they called to check in, and it was clear whomever they met up with knew exactly what the calls were about because in the background of the “hi mom, just want you to know I’m ok, the friend really is my age and not an old pervert” I could hear laughing, but I was more than fine with that, and I knew exactly where to find my teen, I knew they were ok, and equally important, the person they met knew I was monitoring their meeting.

Fortunately the vast majority of people we, and our teens, meet online are wonderful, respectful people who have represented themselves and their intentions honestly.

For the fraction of cases that are malicious, the talks and the safety rules need to be in place.

To learn more about human trafficking and the internet see my blogs:

To learn more about meeting online ‘friends’ in person safely see my advice for online daters, and buyers and sellers:

Linda


Follow

Get every new post delivered to your Inbox.

Join 1,767 other followers