130 Million Credit and Debit Card Numbers Stolen – Is Yours Secure?

August 17, 2009

The largest case of ID theft ever prosecuted reads like a thriller. A small group of men stole more than 130 million credit and debit card numbers between 2006 and 2008. At the same time, the ringleader, Alberto Gonzalez, 27, played informant for federal investigators, helping them catch his cohorts.

It appears that at the ripe age of 22, Gonzalez began his career in ID theft, stealing credit card information from a string of stores including Office Max, Barnes & Noble, Marshalls, TJ Maxx, 7-Eleven, Heartland Payment Systems, and at least two unnamed national retailers. It is still unclear how many of these credit and debit card numbers were then sold through the internet black market and used by other criminals to make unauthorized purchases and withdrawals from banks.

It is also unclear whether all victims have been notified that their cards were stolen, as not all states have laws requiring stores to notify consumers of data breaches. NOTE: As of July 27, 2009, forty-five states, the District of Columbia, Puerto Rico and the Virgin Islands have enacted legislation requiring notification of security breaches involving personal information, according to the National Conference of State Legislatures.

Speaking about the case and the involvement of Gonzalez in so many data breaches, Erez Liebermann, an assistant U.S. attorney in the Justice Department’s New Jersey office, said it suggests that “perhaps the individuals capable of such conduct are a tighter-knit group than may have been previously thought.”

The indictment alleges that Mr. Gonzalez and his conspirators (11 have been indicted) reviewed Fortune 500 companies, selected which ones to target, then visited the targeted companies’ stores to determine which payment systems were used. The criminals then launched attacks against these sites that exploited flaws in how the systems handled SQL, the query language commonly used for databases. Their malware programs intercepted credit card transactions in real time and transmitted the numbers to leased computers in the U.S., the Netherlands and Ukraine.

Sobering reality

Richard Wang, manager of SophosLabs, said the case demonstrates that retailers and banks need to strengthen industry standards. Under current practice, major banks agree to encrypt this data only when it is stored; going forward, credit card numbers should also be encrypted when passed between computers.

Mr. Wang also doubted that the world had seen the last significant theft of credit card numbers. “I’m not sure how likely it is that they [prosecutors] are going to get the Russian co-conspirators, obviously there are still plenty of people with the necessary expertise to pull off these kinds of attacks.”

To learn more about his case read



Threat Report – Cybercrimes Continue to Rise in 2009

July 26, 2009

New research just published by Sophos Security outlines the increase in sophistication of cyber attacks and the new vectors criminals are targeting for their exploits. It also points out that it is the US, not some foreign entity, that hosts more malware and distributes more spam than any other country – nearly 3 times the amount of China, which ranks second in malware hosting, and 50% more than Brazil, which ranks second in spam.

Sobering statistics from their report:

  • 23,500 new infected web pages are discovered every day. That’s one every 3.6 seconds, 4 times worse than what it was in the same period in 2008.
  • 15 new bogus anti-virus vendor websites are discovered every day. This number has tripled, up from an average of five detected per day, during 2008.
  • Approximately 6,500 new spam-related websites are discovered every day – accounting for one new website every 13 seconds, 24 hours a day. This figure is almost double what it was in the same period in 2008.
  • Over 99% of spam is sent from home computers that have become part of botnets because they were not properly protected with up-to-date anti-virus software, firewalls and security patches.

Existing exploits persist, and new threats emerge

Data loss/theft remains a top concern in 2009 as many corporations and government institutions have failed to protect employees’ and customers’ sensitive information.

Hacking legitimate websites so they distribute malware continues. Infected sites have included government and educational sites that consumers know and trust, yet simply visiting these sites, or downloading materials from them, leaves users infected.

Email attacks continue, and an even greater percentage of these come from the US in 2009: 15.7%, as compared to 14.9% in the same period in 2008.

Criminals have begun to leverage social networks in a concerted way to expand their methods of exploitation. Sophos found that 25% of businesses have been the victim of spam, phishing or malware attacks generated through networks like Twitter, Facebook, LinkedIn and MySpace.

2009 has also seen an increase in using USB sticks to spread malware, and hackers are moving beyond traditional programs to find and exploit security holes in programs and tools like Adobe Flash and PDFs.

Digital espionage in the first half of 2009 continued to expand in spite of governments increasing the shutdowns, arrests and harsher sentences for criminals involved in cybercrimes.

Bleak Predictions

Sophos believes Web 2.0 sites like Facebook, Twitter and MySpace will become the primary battleground for malware authors, identity thieves and spammers. Cybercriminals will increase the number of legitimate, but hacked, web pages. The variety and number of attacks will continue to increase as criminals find new security holes, adopt new techniques, and create new disguises to infect the unsuspecting. Compromised computers will continue to be the primary source of spam. ID theft will become an even larger problem and will adversely affect customer trust. Email and web attacks will increasingly use Word documents and PDFs to trigger unseen downloads of viruses and Trojans.

Prevention is better than a cure

The report concludes by noting the current path does not have to continue. Detection of new malware threats is at an all-time high, and with solid security practices, up-to-date security software, and a commitment to stay safe we can go a long way towards defending home computers and business networks.

Click here to read the full report.



June 30, 2009

President Obama spoke to the nation last month about his plan and vision for securing the nation’s infrastructure against attacks from terrorists, countries conducting cyberwarfare, organized crime, and other forms of threats.

His message was both powerful and insightful and because of this, his remarks in their entirety are printed below.


THE PRESIDENT:  We meet today at a transformational moment — a moment in history when our interconnected world presents us, at once, with great promise but also great peril.

Now, over the past four months my administration has taken decisive steps to seize the promise and confront these perils.  We’re working to recover from a global recession while laying a new foundation for lasting prosperity.  We’re strengthening our armed forces as they fight two wars, at the same time we’re renewing American leadership to confront unconventional challenges, from nuclear proliferation to terrorism, from climate change to pandemic disease.  And we’re bringing to government — and to this White House — unprecedented transparency and accountability and new ways for Americans to participate in their democracy.

But none of this progress would be possible, and none of these 21st century challenges can be fully met, without America’s digital infrastructure — the backbone that underpins a prosperous economy and a strong military and an open and efficient government.  Without that foundation we can’t get the job done.

It’s long been said that the revolutions in communications and information technology have given birth to a virtual world.  But make no mistake:  This world — cyberspace — is a world that we depend on every single day.  It’s our hardware and our software, our desktops and laptops and cell phones and Blackberries that have become woven into every aspect of our lives.

It’s the broadband networks beneath us and the wireless signals around us, the local networks in our schools and hospitals and businesses, and the massive grids that power our nation.  It’s the classified military and intelligence networks that keep us safe, and the World Wide Web that has made us more interconnected than at any time in human history.

So cyberspace is real.  And so are the risks that come with it.

It’s the great irony of our Information Age — the very technologies that empower us to create and to build also empower those who would disrupt and destroy.  And this paradox — seen and unseen — is something that we experience every day.

It’s about the privacy and the economic security of American families.  We rely on the Internet to pay our bills, to bank, to shop, to file our taxes.  But we’ve had to learn a whole new vocabulary just to stay ahead of the cyber criminals who would do us harm — spyware and malware and spoofing and phishing and botnets.  Millions of Americans have been victimized, their privacy violated, their identities stolen, their lives upended, and their wallets emptied.  According to one survey, in the past two years alone cyber crime has cost Americans more than $8 billion.

I know how it feels to have privacy violated because it has happened to me and the people around me.  It’s no secret that my presidential campaign harnessed the Internet and technology to transform our politics.  What isn’t widely known is that during the general election hackers managed to penetrate our computer systems.  To all of you who donated to our campaign, I want you to all rest assured, our fundraising website was untouched.  (Laughter.)  So your confidential personal and financial information was protected.

But between August and October, hackers gained access to emails and a range of campaign files, from policy position papers to travel plans.  And we worked closely with the CIA — with the FBI and the Secret Service and hired security consultants to restore the security of our systems.  It was a powerful reminder:  In this Information Age, one of your greatest strengths — in our case, our ability to communicate to a wide range of supporters through the Internet — could also be one of your greatest vulnerabilities.

This is a matter, as well, of America’s economic competitiveness.  The small businesswoman in St. Louis, the bond trader in the New York Stock Exchange, the workers at a global shipping company in Memphis, the young entrepreneur in Silicon Valley — they all need the networks to make the next payroll, the next trade, the next delivery, the next great breakthrough.  E-commerce alone last year accounted for some $132 billion in retail sales.

But every day we see waves of cyber thieves trolling for sensitive information — the disgruntled employee on the inside, the lone hacker a thousand miles away, organized crime, the industrial spy and, increasingly, foreign intelligence services. In one brazen act last year, thieves used stolen credit card information to steal millions of dollars from 130 ATM machines in 49 cities around the world — and they did it in just 30 minutes.  A single employee of an American company was convicted of stealing intellectual property reportedly worth $400 million.  It’s been estimated that last year alone cyber criminals stole intellectual property from businesses worldwide worth up to $1 trillion.

In short, America’s economic prosperity in the 21st century will depend on cybersecurity.

And this is also a matter of public safety and national security.  We count on computer networks to deliver our oil and gas, our power and our water.  We rely on them for public transportation and air traffic control.  Yet we know that cyber intruders have probed our electrical grid and that in other countries cyber attacks have plunged entire cities into darkness.

Our technological advantage is a key to America’s military dominance.  But our defense and military networks are under constant attack.  Al Qaeda and other terrorist groups have spoken of their desire to unleash a cyber attack on our country — attacks that are harder to detect and harder to defend against.  Indeed, in today’s world, acts of terror could come not only from a few extremists in suicide vests but from a few key strokes on the computer — a weapon of mass disruption.

In one of the most serious cyber incidents to date against our military networks, several thousand computers were infected last year by malicious software — malware.  And while no sensitive information was compromised, our troops and defense personnel had to give up those external memory devices — thumb drives — changing the way they used their computers every day.

And last year we had a glimpse of the future face of war.  As Russian tanks rolled into Georgia, cyber attacks crippled Georgian government websites.  The terrorists that sowed so much death and destruction in Mumbai relied not only on guns and grenades but also on GPS and phones using voice-over-the-Internet.

For all these reasons, it’s now clear this cyber threat is one of the most serious economic and national security challenges we face as a nation.

It’s also clear that we’re not as prepared as we should be, as a government or as a country.  In recent years, some progress has been made at the federal level.  But just as we failed in the past to invest in our physical infrastructure — our roads, our bridges and rails — we’ve failed to invest in the security of our digital infrastructure.

No single official oversees cybersecurity policy across the federal government, and no single agency has the responsibility or authority to match the scope and scale of the challenge.  Indeed, when it comes to cybersecurity, federal agencies have overlapping missions and don’t coordinate and communicate nearly as well as they should — with each other or with the private sector.  We saw this in the disorganized response to Conficker, the Internet “worm” that in recent months has infected millions of computers around the world.

This status quo is no longer acceptable — not when there’s so much at stake.  We can and we must do better.

And that’s why shortly after taking office I directed my National Security Council and Homeland Security Council to conduct a top-to-bottom review of the federal government’s efforts to defend our information and communications infrastructure and to recommend the best way to ensure that these networks are able to secure our networks as well as our prosperity.

Our review was open and transparent.  I want to acknowledge, Melissa Hathaway, who is here, who is the Acting Senior Director for Cyberspace on our National Security Council, who led the review team, as well as the Center for Strategic and International Studies bipartisan Commission on Cybersecurity, and all who were part of our 60-day review team.  They listened to a wide variety of groups, many of which are represented here today and I want to thank for their input:  industry and academia, civil liberties and private — privacy advocates.  We listened to every level and branch of government — from local to state to federal, civilian, military, homeland as well as intelligence, Congress and international partners, as well.  I consulted with my national security teams, my homeland security teams, and my economic advisors.

Today I’m releasing a report on our review, and can announce that my administration will pursue a new comprehensive approach to securing America’s digital infrastructure.

This new approach starts at the top, with this commitment from me:  From now on, our digital infrastructure — the networks and computers we depend on every day — will be treated as they should be:  as a strategic national asset.  Protecting this infrastructure will be a national security priority.  We will ensure that these networks are secure, trustworthy and resilient.  We will deter, prevent, detect, and defend against attacks and recover quickly from any disruptions or damage.

To give these efforts the high-level focus and attention they deserve — and as part of the new, single National Security Staff announced this week — I’m creating a new office here at the White House that will be led by the Cybersecurity Coordinator.  Because of the critical importance of this work, I will personally select this official.  I’ll depend on this official in all matters relating to cybersecurity, and this official will have my full support and regular access to me as we confront these challenges.

Today, I want to focus on the important responsibilities this office will fulfill:  orchestrating and integrating all cybersecurity policies for the government; working closely with the Office of Management and Budget to ensure agency budgets reflect those priorities; and, in the event of major cyber incident or attack, coordinating our response.

To ensure that federal cyber policies enhance our security and our prosperity, my Cybersecurity Coordinator will be a member of the National Security Staff as well as the staff of my National Economic Council.  To ensure that policies keep faith with our fundamental values, this office will also include an official with a portfolio specifically dedicated to safeguarding the privacy and civil liberties of the American people.

There’s much work to be done, and the report we’re releasing today outlines a range of actions that we will pursue in five key areas.

First, working in partnership with the communities represented here today, we will develop a new comprehensive strategy to secure America’s information and communications networks.  To ensure a coordinated approach across government, my Cybersecurity Coordinator will work closely with my Chief Technology Officer, Aneesh Chopra, and my Chief Information Officer, Vivek Kundra.  To ensure accountability in federal agencies, cybersecurity will be designated as one of my key management priorities.  Clear milestones and performances metrics will measure progress.  And as we develop our strategy, we will be open and transparent, which is why you’ll find today’s report and a wealth of related information on our Web site, www.whitehouse.gov.

Second, we will work with all the key players — including state and local governments and the private sector — to ensure an organized and unified response to future cyber incidents.  Given the enormous damage that can be caused by even a single cyber attack, ad hoc responses will not do.  Nor is it sufficient to simply strengthen our defenses after incidents or attacks occur.  Just as we do for natural disasters, we have to have plans and resources in place beforehand — sharing information, issuing warnings and ensuring a coordinated response.

Third, we will strengthen the public/private partnerships that are critical to this endeavor.  The vast majority of our critical information infrastructure in the United States is owned and operated by the private sector.  So let me be very clear:  My administration will not dictate security standards for private companies.  On the contrary, we will collaborate with industry to find technology solutions that ensure our security and promote prosperity.

Fourth, we will continue to invest in the cutting-edge research and development necessary for the innovation and discovery we need to meet the digital challenges of our time.  And that’s why my administration is making major investments in our information infrastructure:   laying broadband lines to every corner of America; building a smart electric grid to deliver energy more efficiently; pursuing a next generation of air traffic control systems; and moving to electronic health records, with privacy protections, to reduce costs and save lives.

And finally, we will begin a national campaign to promote cybersecurity awareness and digital literacy from our boardrooms to our classrooms, and to build a digital workforce for the 21st century.  And that’s why we’re making a new commitment to education in math and science, and historic investments in science and research and development.  Because it’s not enough for our children and students to master today’s technologies — social networking and e-mailing and texting and blogging — we need them to pioneer the technologies that will allow us to work effectively through these new media and allow us to prosper in the future.  So these are the things we will do.

Let me also be clear about what we will not do.  Our pursuit of cybersecurity will not — I repeat, will not include — monitoring private sector networks or Internet traffic.  We will preserve and protect the personal privacy and civil liberties that we cherish as Americans.  Indeed, I remain firmly committed to net neutrality so we can keep the Internet as it should be — open and free.

The task I have described will not be easy.  Some 1.5 billion people around the world are already online, and more are logging on every day.  Groups and governments are sharpening their cyber capabilities.  Protecting our prosperity and security in this globalized world is going to be a long, difficult struggle demanding patience and persistence over many years.

But we need to remember:  We’re only at the beginning.  The epochs of history are long — the Agricultural Revolution; the Industrial Revolution.  By comparison, our Information Age is still in its infancy.  We’re only at Web 2.0.  Now our virtual world is going viral.  And we’ve only just begun to explore the next generation of technologies that will transform our lives in ways we can’t even begin to imagine.

So a new world awaits — a world of greater security and greater potential prosperity — if we reach for it, if we lead.  So long as I’m President of the United States, we will do just that.  And the United States — the nation that invented the Internet, that launched an information revolution, that transformed the world — will do what we did in the 20th century and lead once more in the 21st.

Thank you very much, everybody.

Watch McAfee’s Hcommerce: The Business of Hacking You Video Series

June 13, 2009

If you aren’t yet aware of, or just haven’t been following, McAfee’s series of 6 short videos on Hcommerce, you need to check it out at stopHcommerce.com.

Hcommerce stands for “Hacker commerce”, the economic model behind online crimes and the ways criminals use internet services and tools to exploit consumers.

The compelling series focuses on real victims of cybercrime, and how one family ultimately lost over $400,000 in a scam promising inheritance money from a dead family member. It shows how the criminals went about the scam and will help you understand both the scope of cybercrime today and how quickly you can fall victim if you fail to take some basic safeguards.

Most internet users still do not understand how vulnerable they are to cybercrime. A Consumer Reports research survey was cited by President Obama in his May 29th address to the nation: “Millions of Americans have been victimized, their privacy violated, their identities stolen, their lives upended, and their wallets emptied.  According to one survey, in the past two years alone cyber crime has cost Americans more than $8 billion.”

If you have been procrastinating about securing your computers and learning how to identify Internet scams, it’s time to take action now. McAfee has created a 2-page handout to help you learn more about cybercriminals and what you can do to protect yourself.


What went wrong online?… And who’s to blame for Internet safety risks?

February 15, 2007

Predators are ‘equal opportunity offenders’ happy to target victims of any age. Youth represent one segment, but many adults and seniors are equally at risk, though the exploitation of these groups is more often for financial gain.

Adults are nearly as likely as youth to expose their name, address, phone number, and other identifying or emotionally vulnerable information. They may do it in different ways, such as through online resumes or a corporate bio, or they may expose it as youth do, through dating sites, personal blogs, etc.

Adults are more likely to provide automated email responses announcing they will be out of town, or to blog from Africa about their 6-month expedition. Either way they inform criminals of when and where to find the empty home of an individual wealthy enough to be gone. Seniors post genealogy information that exposes entire extended families – birth dates, birth places, mothers’ maiden names, etc. How often is this information the password reminder for your banking? Adults show photos and brag about their children and grandchildren, and may inadvertently be posing the greatest threat to a child, a teen or their own safety.

Few adults, seniors, teens or children would stand on a street corner and shout out personal information, or deliberately expose themselves to risk. What is different online?

Seven key factors contribute to the current state of affairs:

  • Failure to define or understand ‘internet safety’: Few industry insiders, let alone consumers, can define the difference between internet security and internet safety. Most incorrectly assume that by enabling security they’ve covered the issues. However, internet security is aimed at protecting data and devices; internet safety is about protecting people. There is considerable overlap between these two areas, but there are also unique distinctions.

A company can build a nearly ‘secure product’, that no one has hacked into, yet it may utterly fail to protect the consumers who use it. MySpace is a great case in point. Virtually all products that enable social networking have safety failures – other Internet services have their own failures. The public outrage over MySpace is not because their databases were compromised, it is because the product itself fails to protect or even adequately warn consumers.

  • Lack of industry focus on Internet safety: Safety was not built into existing products for the simple reason that internet providers didn’t see how to make money from it. They also seriously underestimated the exploitation potential in spite of repeated warnings. One fallout of the dot.com bubble bursting is that if a ‘feature’ doesn’t make money the feature doesn’t get built – unless there’s a regulation requiring it. Security & privacy tools are big business with high demand by companies willing to pay to keep services running and comply with regulatory requirements.

Businesses (incorrectly) believed safety was a consumer-only concern without real revenue potential. The few halfhearted attempts by large companies to provide internet safety boiled down to two dimensional ‘parental control’ products (Block and Filter) that were poorly funded and never got past a ‘v.1’ level. They were (and are) pricey, cumbersome, largely ineffective and gravely misunderstood what families were asking for. Predictably they failed miserably and were ‘deprioritized’. None of these tools is even close to a standard that can adequately respond to today’s Internet services.

It is only in the wake of serious media, regulatory and consumer focus on the lack of inherent safety in products that companies are revisiting their priorities. Even now very few companies are making an adequate investment to rectify the situation. Most still see safety features as a ‘tax’ rather than a benefit to their bottom line, and developers are rewarded for building ‘cool’ features that increase the number of users, not safety.

  • Insufficient understanding of human interactions and predators: Internet companies don’t hire many sociologists; they hire developers without training in social dynamics, social engineering or predatory behavior. The few companies that did hire sociologists largely set aside the concerns that were raised, in the same way the industry as a whole disregarded the warnings from outside experts.
  • Lack of immediate cause and effect: Criminals don’t leave business cards. Most people won’t know that the crime they fell victim to was enabled by an action they, their friend, their child or someone angry at them took on the Internet. They won’t know that the reason their home or car was burgled is that someone made a comment or posted information online saying they would be away, or bragged about possessions. They won’t know if their credit card or ID was stolen by someone dumpster diving, a waiter in the restaurant last month, or an online scam, or that the reason they were targeted for a hate crime or harassment, or became the target of a sexual predator, was information found online. The specific online activity that triggered the crime may have happened months, even years, earlier.
  • Inadequate, fear-based safety messaging: Too much of the current ‘Internet safety’ messaging is fear-based and lacks useful information about real products. Using fear to ‘scare’ people into safer internet practices isn’t only ineffective; it damages the credibility of any safety messages – especially when frequently cited.

Advice akin to “never post a photo” is absurd. Posting a picture of a mountain scene isn’t likely to cause harm. Nor is posting a very personal photo that can be accessed only by family or close friends. Effective safety messaging needs to teach principles like how to recognize the information displayed in a photo (and accompanying text, video, audio, attachments, links, etc.), and help you consider who you may want to share or not share the information with.

“Online Stranger Danger” messages are as misguided as ‘offline stranger danger’ messages. Most victims of sexual crimes are abused by someone they know. Effective prevention messaging teaches that some actions, attitudes and conversations are never appropriate – whether they are from a stranger, from the neighbor, from Uncle Bob, or from mommy. The message is relevant whether taught to a child or a senior.

Online safety skills are not just for ‘youth’. Consumers of every age and level of technical expertise are sorely lacking in online safety education – including those developing internet products.

Internet scaremongering is the latest version of witch hunting and boogeyman tales. News headlines hyping Internet risks can be compared with news titles in the vein of ‘Roads kill over 40,000 people every year in the US’. It’s true, but if the proposed solution was to abolish roads the ‘expert’ would be laughed off the stage.

Safety messaging needs to explain both potential risks and how to evaluate what risks you are comfortable with. Risk aversion or risk tolerance thresholds, like morality-based filter options, are personal & familial value choices not dictated by companies, governments, or any educational program.

  • Failure to define roles & responsibilities of stakeholders: There are 5 key stakeholder groups – 1) industry companies & organizations, 2) governments & regulators, 3) law enforcement & oversight boards, 4) individuals & families, and 5) schools & other educational resources.

Without concerted efforts by all stakeholder groups, the web of safety society needs will continue to have gaps. While integration of effort is complicated, the level of collaboration required is nothing new. These stakeholder groups have had to coordinate efforts to tackle responsibilities many, many times – road safety, drug safety, health issues, etc. Somehow society and companies fail to anticipate these requirements with each new product area. There is a failure today to build in the safety requirements of video sharing and VoIP. One bright spot is the preparation some mobile providers are investing in to avert mobile Internet safety issues, and they should be commended for doing so.

  • Three intertwined myths – 1) Internet risks are new, 2) The problem is the lack of education, and 3) those most responsible for solving the problem are parents How convenient – it’s YOUR fault.

1) Internet risks aren’t new. The public outcry around the dangers of chat rooms in 2003 [i] (a more primitive form of social networking by an old and now tainted name) forced major companies to shut down, or significantly increase their monitoring of, chat services years ago. The plague of spam and the scams involved in it has hounded the industry in spite of prophetic statements regarding its cure [ii]. The lesson should have been learned from mistakes made years ago: building products without safety features in place is a game of roulette where consumers always lose.

2) The problem isn’t lack of education – education alone isn’t a panacea. The problem is the lack of education + lack of products designed and built with safety in mind so that the entire infrastructure provides safety + lack of enforcement to ensure that products comply with safety standards, consumers comply with safety requirements, and criminals can be caught and punished.

The only way to get safer products is to build safer products. To ensure safer products are built, there must be standards that products are tested against to enforce safety – and there must be motivation for companies to meet those standards and to do so in a way that enables consumers of all skill levels to understand products and use them safely… And there needs to be safety education provided in a concerted way by companies, families, schools & other educational groups, law enforcement and governments, so that real safety is consistently taught and reinforced.

3) Claiming that parents own the primary responsibility [iii] for protecting minors online is like claiming parents are primarily responsible for traffic deaths of teens. Families are responsible for teaching minors to be safe in traffic and even physically set boundaries – doors, locks, fences, etc. – to ensure safety. But we also demand that the roads are safe and safety is enforced.

If someone hands a 14-year-old keys to a faulty car and says “go have fun”, would society blame the parents for the ensuing crash? Each of the 5 stakeholder groups has some ‘primary responsibility’.

Companies have primary responsibility when they provide minors access to products that can hurtle them through cyberspace at warp speed but don’t provide a user manual, require drivers’ education, provide brakes, locks, airbags, fenders on sharp turns, banked roadways for safer navigation – or speed limits. Usually companies have provided access without parental consent or knowledge. You can’t get a driver’s license in the real world without proof of age and, for minors, parental consent.

Companies have primary responsibility to post notice that a once sleepy country lane is about to become an 8-lane freeway and to inform consumers about ‘upgrades’ that will add turbo engines to once-humble products. Many adult IM users are surprised to discover that IM is far beyond the ‘real-time email’ service they thought they knew. IM now includes:

  • Rich Profiles (no filter for images or text, may include location data)
  • Avatars and winks (but no feature to filter for appropriate images)
  • Extended networking à la friends of friends (about 30% of teens’ IM friends are people they’ve never met; this potentially extends access to strangers’ friends)
  • Image & File sharing (no feature to filter files)
  • Video, and music player (no feature to restrict content by rating)
  • Buddy searches (where a ‘friend’ can steer the search)
  • Online auction & dating integration
  • Remote access (that can give control of the entire PC to someone else)
  • Shopping
  • Bots, gadgets that can manage things like tracking friends’ locations
  • Etc.

All of these features have great, positive uses and service providers aren’t done upgrading products yet. There is no reason to be opposed to any one of these features… but consumers have the right to be informed about each new feature that potentially changes exposure to risk and be able to determine whether the risk potential is appropriate for their families. Consumers have the right to expect that content settings established for search results are also applied to content found within the products. The modern method of automatic ‘upgrades’ without notification bears resemblance to the old ‘bait and switch’.

Government has primary responsibility to ensure roads aren’t built without proper traffic and pedestrian impact evaluations and that there are clear safety regulations that are adhered to when building the roads. 8-lane freeways are not allowed through suburban neighborhoods where children play on the streets. Whenever pedestrians – or even slower traffic – are involved, regulations require public hearings, overpasses, underpasses, rerouting, warning lights, barriers, reduced speed limits, etc. Government is also responsible for public service messages about traffic safety.

Law enforcement has primary responsibility to monitor society’s safety, prevent crime and bring to justice those who break the law. Yet adequate laws & regulations are missing to facilitate enforcement, and adequate safety features weren’t built into the products to reduce the potential for exploitation. Additionally, there has been a critical failure to allocate for law enforcement the funding, training and resources they need in order to provide the level of safety we expect.

Crime has always enjoyed better funding than law enforcement, but without assurances of basic safety enforcement the public will not be able to fully realize the tremendous opportunities the Internet has to offer.

Schools have primary responsibility for teaching youth the tools and skills they need to be successful members of society. Mastering the Internet and Internet safety have become critical life skills. But who taught teachers how to teach Internet safety, or provided curriculum for classrooms – especially when too much of the existing ‘safety messaging’ is fear-based and inaccurate?

Who’s to blame for failing in their primary responsibility? Families that didn’t even know a company gave their child access to a product that is missing basic safeguards?

Companies that failed to build basic safeguards into products or inform consumers of risk?

The government that failed to set regulations requiring safeguards of companies who failed to adequately self-regulate, then failed to adequately fund law enforcement or provide curriculum & funding for schools?

Schools, for failing to teach kids critical online safety life-skills and failing to develop a curriculum? For failing to send home adequate notices to families?

Families who failed to demand adequate safety of companies and failed to demand that governments regulate the industries, or pay for increased law enforcement needs?

There is enough blame to provide fodder for lawsuits for years to come.

In the meantime, each of the 5 stakeholder groups must invest more in Internet safety in order to deliver on their responsibilities in each of the three action areas – education, safer product infrastructure, and enforcing safety – and we need to do so in a far more coordinated manner than has happened to date.

We can do this. We’ve done it in other industries and on other issues, but there is no time to waste.

[i] Microsoft to Shut Down Chat Rooms

Reuters, Sep. 23, 2003

LONDON — Microsoft said Wednesday it would shut down its Internet chat rooms in 28 countries, saying the forums had become a haven for peddlers of junk e-mail and sex predators.

“The straightforward truth of the matter is free, unmoderated chat isn’t safe,” said Geoff Sutton, European general manager of Microsoft MSN.

[ii] Gates: Spam To Be Canned By 2006

(AP) A spam-free world by 2006? That’s what Microsoft Corp. chairman Bill Gates is promising.

“Two years from now, spam will be solved,” he told a select group of World Economic Forum participants at this Alpine ski resort. “And a lot of progress this year,” he added at the event late Friday, hosted by U.S. talk show host Charlie Rose.

[iii] Texas judge tosses MySpace lawsuit

Feb. 15, 2007 — A federal judge in Texas has dismissed a lawsuit filed against MySpace.com by the parents of a girl allegedly assaulted by a man she met on the Web site.

“If anyone had a duty to protect Julie Doe, it was her parents, not MySpace,” Judge Sam Sparks wrote in a ruling dismissing the case, the Los Angeles Times reported Thursday.

The parents of the 13-year-old girl had sued News Corp., which owns the popular social-networking Web site, for $30 million, saying the site doesn’t protect its members sufficiently. The Times said at least four similar cases are pending in Los Angeles County Superior Court.

In the Texas case, authorities in Travis County have charged a 19-year-old man with sexual assault. Julie Doe listed her age as 18 when she joined MySpace, court documents said. Judge Sparks, of the U.S. District Court in Austin, applied the 1996 Communications Decency Act, holding MySpace to the same standard as Internet service providers, the Times said.