Thursday, May 13, 2010

Cyber, Cyber Everywhere and Not the Time to Think

May 13, 2010, 8:40 a.m.

The IEDs Among Us: Copy Machines
(brought to you by*)

The latest assault on our privacy turns out to be that seemingly benign office copy machine.

At a warehouse in New Jersey, 6,000 used copy machines sit ready to be sold. CBS News chief investigative correspondent Armen Keteyian reports almost every one of them holds a secret.

Nearly every digital copier built since 2002 contains a hard drive - like the one on your personal computer - storing an image of every document copied, scanned, or emailed by the machine.

In the process, it's turned an office staple into a digital time-bomb packed with highly-personal or sensitive data.

If you're in the identity theft business it seems this would be a pot of gold.

"The type of information we see on these machines with the social security numbers, birth certificates, bank records, income tax forms," John Juntunen [of the Sacramento-based company Digital Copier Security] said, "that information would be very valuable."

Armen Keteyian, "Digital Photocopiers Loaded With Secrets; Your Office Copy Machine Might Digitally Store Thousands of Documents That Get Passed on at Resale,"
CBS Evening News, April 15, 2010 (the transcript and the video); Cecilia Kang, "Rep. Markey calls for FTC to investigate copy machines' retention of user data," Washington Post, April 29, 2010 ("The copy machine has a better memory than most may think. And that's got Rep. Edward J. Markey concerned. The Democratic congressman from Massachusetts asked the Federal Trade Commission on Thursday to investigate the retention of documents on hard drives of digital copy machines. . . . 'I am very concerned that these copy machines can be a treasure trove for identity thieves, allowing criminals to easily access highly sensitive personal information,' Markey said in a release.").

Desktop and laptop computers are, for the most part, recognizable as such -- notwithstanding Apple's creative efforts. But the other devices in our lives that function as computers, or are at least controlled in some measure by computer chips, are less so. They may look like automobiles, microwaves, refrigerators, cell phones -- or copy machines.

When it comes to our privacy, our ability to prevent identity theft, these "computers" are the improvised explosive devices (IEDs) buried along the digital road.

The Internet is a wondrous thing to which I am connected, or potentially so, during most of my waking hours. But the networking of computers that it represents is creating cyber challenges for most sectors of our society.

For the military it is cyber-warfare -- what others can do to us, and what we can do to them. It is between 250,000 and a million attempted hacks a day into DOD computers. And the threats are not limited to the battlefields of Iraq and Afghanistan. It is the possibility of another nation, or more likely non-nation terrorists, closing down our electric grid, air traffic control, natural gas pipelines, communications satellites, and the financial networks that move trillions of dollars a day around the planet electronically -- and that's just for starters.

For law enforcement it is cyber-crime -- law breaking opportunities limited only by the human imagination.

For each of us individually it is the risk of identity theft. It is the sensation of being stripped naked electronically, as our every credit card purchase, the location and content of our every cell phone call, the content of our emails and text messages, the trail of our Web site hits, are being recorded -- along with the video tapes of our public movements. (Sylvia Hui, "New York Mayor Michael Bloomberg in London to view subway system CCTV network," Associated Press/Minneapolis Star-Tribune, May 11, 2010: "Bloomberg wants to ramp up the security camera network in New York City's subways to mimic that in London's underground train system . . . one of the largest in the world.")

See generally, "Times Topics: Privacy," New York Times.

George Orwell warned of the dangers of government intrusion into our lives. The ease with which search warrants can be obtained (or searches conducted without them), the ability of NSA, CIA and FBI to track our electronic lives, and the willingness of phone companies, credit card companies, Internet service providers,banks and others to give them information about us -- sometimes in violation of law, for which Congress granted the phone companies immunity after the fact, so we couldn't sue them -- is relatively well known.

What's less well known, perhaps, and in many ways more invidious than government snooping, is the extent to which commercial firms are gathering and selling information about our every electronic move -- with neither our permission nor knowledge. Of course, in the workplace nothing is protected: phone calls, email and Web visits can be, and are, monitored.

The revelations about copy machines maintaining a full record of every document we run through the office copy machine is just the latest. And this affects us primarily not from the copies we make and can be traced back to us, but the copies that may be made within other institutions. These documents may contain personal information about us: medical and student records, Social Security numbers, address and phone, criminal records, and so forth, as the CBS investigation, above, lays out.

In fairness to those who are snooping on us, a good deal of what they know is what we have voluntarily and knowingly chosen to reveal. Most of us find the convenience of a driver's license, bank checking account, ATM and credit card, cell phone, airline miles and other reward systems well worth whatever loss of privacy is involved. They are considered by many to be useful, if not essential services in our time.

Passwords to our computers don't have to be hacked by some 14-year-old geek genius if we've left them on a post-it note on our computer screen. Credit card numbers don't need to be hacked out of the credit card company if we leave the carbon copies with the merchant, ultimately to be deposited in a dumpster.

And currently on everyone's radar are the privacy abuses by Facebook of its 400 million users. But this is different from credit cards and cell phones. Those companies may keep more data, for a longer period of time, than is necessary for our business relationship. But if a credit card company is going to bill us accurately there needs to be some record keeping, for our sake as well as theirs.

Facebook, by contrast, is neither a necessary service nor one that requires any particular information about us to function. Our decision to "join" is voluntary. If college students post pictures of themselves at their binge-drinking worst it's not really Facebook's fault when a future potential employer sees them and decides to hire someone else. If a Facebook user includes their birthday as a part of their public profile it's not Facebook's fault if a thief makes use of it when emptying that user's bank account.

Of course, it is Facebook's fault when it makes it nearly impossible for users to limit public access to their private data (it's "opt out" not "opt in," the manual is longer than the Constitution, and the FAQ explanations run 45,000 words), when it changes the rules without notice, or when it keeps, utilizes and sells this private data to others long after the user has come to their senses and "deleted" their information. These concerns, and others, are coming to be larger and clearer to the public. Nick Bilton, "Price of Facebook Privacy? Start Clicking," New York Times, May 13, 2010, p. B8; "Facebook Privacy: A Bewildering Tangle of Options" (interactive), New York Times, May 12, 2010; Erica Naone, "The Changing Nature of Privacy on Facebook; Microsoft's Danah Boyd on social networking," MIT Technology Review, May 3, 2010.

The terms of the bargain people make with social networks — you swap personal information for convenient access to their sites — have been shifting, with the companies that operate the networks collecting ever more information about their users. That information can be sold to marketers. Some younger people are becoming more cautious about what they post. “When you give up that data, you’re giving it up forever,” [one of the Diaspora creators, Max] Salzberg said. “The value they give us is negligible in the scale of what they are doing, and what we are giving up is all of our privacy.”
Jim Dwyer, "Four Nerds and a Cry to Arms Against Facebook," New York Times, May 12, 2010, p. A19.

But copy machines spying on us, and employers disposing of the old machines without removing or cleaning the copy machines' hard drives?! That's a new one. That's the latest. Unfortunately, it won't be the last.

* Why do I put this blog ID at the top of the entry, when you know full well what blog you're reading? Because there are a number of Internet sites that, for whatever reason, simply take the blog entries of others and reproduce them as their own without crediting the source. I don't mind the flattering attention, but would appreciate acknowledgment as the source -- even if I have to embed it myself.
-- Nicholas Johnson
# # #

1 comment:

Nick said...

Advertising Notice

Notice Regarding Advertising: This blog runs an open comments section. All comments related to blog entries have (so far) remained posted, regardless of how critical. Although I would prefer that those posting comments identify themselves, anonymous comments are also accepted.

The only limitation is that advertising posing as comments will be removed. That is why one or more of the comments posted on this blog entry, containing links to businesses, have been deleted.
-- Nick