• PC World
• »Security

Fumbling the Data

Even online businesses that don't change their policies or track your whereabouts can threaten your privacy: Companies that collect information on their servers can't seem to keep a lid on the data.

Last year, hacking incidents and other security gaffes revealed customer information for the world to see at sites such as CreditCards.com, Eve.com (which later went out of business), and Amazon.com.

In January, the names, e-mail and home addresses, and phone numbers of 50,000 or so Travelocity customers were exposed to possible theft; investigators determined that the information may have been out in the open for more than a month.

Be prepared for more of the same, because Web sites clearly have not done enough to secure the information on their servers. Last year, PC World sat down with security experts from Sanctum (then called Perfecto Technologies). The company audits the security of client Web sites by trying to break in. When successful, Sanctum suggests remedies.

At the time, the company had audited 50 big-name sites and found security breaches in all of them. In eight cases, they were able to access any file they wanted--including customer data. Today, the overall situation remains unchanged.

"We wish we could say there's been progress over the past year," says Izhar Bar-Gad, Sanctum's chief technical officer. "Sites have not taken the necessary measures to protect themselves and their customers' data. We haven't found a single site that wasn't vulnerable."

During a recent audit of an airline Web site, Sanctum downloaded the entire source code and built a replica site. "It's not a matter of the bigger the bank, the better the security," says Bar-Gad. "The bigger the site, the more holes it has."

21st-Century Privacy

Soon, Web sites won't be the only entities that can gather information on their users. Wireless devices and interactive television sets will be able to communicate with company servers.

In 1996, the Federal Communications Commission launched Enhanced 911. Among other things, the E911 initiative requires cell phone companies to add features to new and existing phones that allow them to locate, within 100 feet, a wireless 911 caller. Implementation of the initiative is due by October of this year.

"It's a good idea," says Smith, noting that authorities already know where 911 calls from wired phones originate. "When I'm on a cell phone and I need to call 911, I don't want to worry about where I am--sometimes I won't know."

But setting up such a system will cost wireless companies money, and how they recoup some of the expense may cause controversy. Marketers are lining up to use this location-identification technology to aim wireless ads at customers. For example, when you stroll down the street near a McDonald's, you might get a wireless coupon for 50 cents off a Big Mac.

Industry groups and the FTC are working to establish guidelines for wireless marketing. Jules Polonetsky, chief privacy officer for DoubleClick, believes that strict rules will be in place before the debut of E911 and wireless ad serving.

"Wireless ad serving is in its infancy," says Polonetsky. "We can apply what we've learned on the Web to rules for the wireless world. Users should receive marketing information on their cell phones and handheld devices only if they ask for it."

In addition to wireless devices, interactive TV technology--such as WebTV, TiVo digital video recorders, and two-way digital cable--can send information about what you watch back to company servers. The threat here is analogous to the way Web sites track your surfing habits online.

"As on the Web, the question will be how these companies let users know they're being tracked and what they do with the information they gather," says Smith.

Big Brother Gets Bigger

Even if the prospect of being watched by fast-food companies doesn't bother you, the notion of Uncle Sam spying on you might. Perhaps the most controversial proposed surveillance system is the FBI's DCS1000. Formerly known as Carnivore, the system will be installed at ISPs to monitor e-mail messages for information about people under investigation. Think of it as an Internet wiretap.

No one disputes the need for law enforcement officials to conduct warranted searches of the electronic communications of suspected criminals, but privacy groups and some members of Congress worry that the system can be used to spy on people not under investigation.

A second government-proposed system called Public Access to Court Electronic Records also has privacy experts concerned. Under the PACER system, anyone with a Net connection and some loose change can download federal court case records for 7 cents a page.

Though the most confidential records won't be available, people will still have access to files that may include Social Security numbers, credit card numbers, and other personal information. Paper versions of these court records have long been available to the public, but privacy-rights groups contend that easy access over the Internet will encourage unscrupulous parties to go on low-cost fishing expeditions to collect personal information.

Gene Youngblood of Moses Lake, Washington, was shocked to find his name, case number, and Social Security number posted on a Washington bankruptcy court site. Youngblood, a flexographic printer operator, and his wife filed for bankruptcy in May 2000.

"I never had to give anything to receive this information," says Youngblood. "Not a log-in, a password, an identification, or a dime of money. Anyone can download the Social Security numbers of every person to file for debt relief in eastern Washington since 1997. And with a bit more diligence, they can find debtor's addresses as well as other personal information. I tried searches for people I work with and found three cases. If I were the criminal kind, I could easily steal their identities."