Consumer Watch: Watch Out for Spies With Friendly Faces

Illustration: Bill Duke
As tech-savvy people, we know by now that we have to worry about technology being used to invade our privacy. But we tend to focus on the stuff that's deliberately snooping on us: spyware, keyloggers, Trojan horses, and other software and hardware designed with malicious intent. An even bigger risk, though, can come from the tools we usually trust--helpful gadgets and programs that weren't built to spy on us but can be used that way.

Most new cell phones can allow police to find you in an accident or permit the local mall to send you phone spam. Desktop search tools can help you locate a long-lost spreadsheet or provide one-stop shopping for hackers looking for your Web passwords. Error messages can help developers improve their software or send strangers personal data from your PC.

You don't have to be paranoid, but do be careful. "It's a balancing act," says Eric Gertler, privacy expert and author of Prying Eyes, a book on protecting your privacy (Random House, 2004). "Each individual needs to weigh the advantage of the tool or technology against the information [it's] providing." Fortunately, in some cases it takes only a few clicks to prevent your conveniences from turning creepy.

The most common digital tattletales are cell phones. Imagine this scenario: It's Saturday morning, and you're out running errands. As you pass a nearby megastore, your phone bleats. It's the megastore calling. You haven't been in recently, so it's offering a discount coupon you can use right now, while you're in the area.

GPS Abuse?

Maybe we don't have to worry about retail giants pelting us with ads just yet. But such a scenario is possible with the E911 chip, a potentially life-saving GPS technology that's built into most current cell phones to help emergency services locate wireless callers more efficiently.

Wireless carriers are just starting to deploy E911 service for consumers, and companies and lawmakers are somewhat vague about how the technology will be regulated, hazily referring to opt-out opportunities and consumer consent. But the potential for privacy abuse inherent in any technology that reports users' physical locations at any given time is frightening.

Several services, including AccuTracking and Ulocate, allow individuals to track movements of certain GPS-enabled cell phones. Once someone with access to a particular cell phone loads the companies' software on it, that phone's movements can be tracked on the Web. Some privacy safeguards will be in place, and not just anybody can sign up to find out where you go. But if you have a boss or a spouse who shares your wireless phone account, that person may be able to.

The best defense is to look for a way to turn off your phone's GPS for everything but emergency uses. If you can't find the right combination of keys to accomplish this, ask your service provider for help.

The next time you rent a car, you might want to check for stowaways. A few years ago, a Connecticut rental car company fined a customer $450 when the GPS device in his car indicated that he had been speeding. And there have been other reported instances in which companies have monitored the locations and driving practices of their clients. A British insurance company, for instance, has even experimented with installing the devices in its clients' own cars--the idea being that the company could offer lower premiums for proven safe drivers.

The practice of installing GPS devices in rental cars is quite common, and it can be a great service for consumers who become lost or have an accident. But what if you don't know that the device is in the car and that you're being monitored?

When it comes to location tracking services, the legal parameters of privacy protection are fuzzy, but you can protect yourself by understanding the terms of service before you enter into a contract with a company that might use such technology. Whether you're buying a wireless service plan or renting a car, it's important to understand the implications of the contract before you sign on. Find out whether you can opt out or disable tracking, and ask what information will be collected and how it may be used. If you're not comfortable with the answer, let the company know and move on.

Speaking of moving on, if you spend any time behind the wheel, you might be using one of those automatic toll collectors that let you breeze through the allotted lane, blithely bypassing us schlubs as we frantically grope under the seats for loose change. Such systems use an RFID chip, usually attached to the vehicle's windshield, that responds to a radio signal as you pass through the toll plaza. The data that the chip broadcasts is then matched with your account, and the appropriate amount is debited electronically.

It's all very convenient and efficient, but remember that every time you pass the reader, it creates a record of your whereabouts. That might not seem too troubling to folks who are just trying to get to work on time, but consider the potential for misuse by law enforcement officials.

Chris Hoofnagle, associate director of EPIC (the Electronic Privacy Information Center), explains, "The general problem is that these [tracking] products were developed without privacy in mind, and as a result they create digital trails. Any service that tracks who and where you are becomes a honeypot for anyone who's interested in tracking you down." The information attracts hackers, and without legal protections it also becomes a rich source of private data for law enforcement and other government officials.

Even if you rarely venture beyond your home office, your personal information could be at risk, depending on who else has access to your computer. Google's Desktop Search application, released last year, provoked a flood of warnings to users about possible privacy breaches.

And you have good reason to be concerned, particularly if there's any chance that your computer could be used--even for a short time--by someone other than you. GDS creates an index of every file, Web site, e-mail, and IM session you have ever seen. The index includes secure Web sites, too, which means that, for anyone on your machine, getting hold of your bank account numbers or other sensitive information is a simple matter of typing the right search phrase.

Even if you don't share your computer with anyone else, the GDS index provides hackers a convenient place to find sensitive documents. The hacker no longer has to install a keylogger to see what you do on the Internet because GDS maintains a thorough history of your Web activity.

Also, GDS keeps a copy of everything--even files or e-mail messages you've deleted (though the tool does let you delete the cached version of the deleted item).

My advice? GDS can be a handy tool, but don't even consider installing it if your computer could be used by others (unless you're willing to accept the risk that someone may access your personal data). If you do install it (find it here), get familiar with the program's settings and preferences; you can, for example, set it so that it won't index secure Web sites or IM chat sessions, and you can customize it in other ways to make it more secure.

Sometimes you shouldn't even trust people who say they want to help you (especially if the helper's track record on security falls somewhere between abysmal and tragic). I'm talking, of course, about Microsoft's earnest invitations to "send an error report" whenever you hit a brick wall in Windows XP.

The Windows Error Report is Microsoft's way of collecting details on users' problems and conflicts so that it--and a long list of other participating software vendors--can offer fixes. Error report details are encrypted and generally anonymous, but in some cases identifying information may be included; for example, a report could contain part of a document with your name or with confidential information you recently sent to a Web site.

If you have doubts, don't send the report. Instead, check the company's Web site for fixes, or reboot. Microsoft has enough problems of its own to deal with.

Subscribe to the Security Watch Newsletter

Comments