When your personal data falls into the wrong hands

In an era defined by electronic connections, our personal lives can get caught up in the free flow of data. Here’s what happens when the erosion of privacy hits home.
Illustrations by Brian Luong
Date:1 February 2013 Tags:, , ,

In an era defined by electronic connections, our personal lives can get caught up in the free flow of data. Here’s what happens when the erosion of privacy hits home, because someone accessed your personal data.

By Davin Coburn

The 911 transcript is horrifying.

“Please help,” a young caller pleads. “My dad just killed my 4-year-old sister. He slit her throat. She’s bleeding to death. Please help!”

It’s August 2011 in eastern Pennsylvania, and the plea comes not from a traditional phone call, but rather AT&T’s Internet Relay Service, which allows the deaf to make phone calls from a text-based interface over the Internet. The grisly scene is unfolding in East Allen Township, responders are told, and an address appears on their computer screens. The caller says he’s 10 years old. “I’m (hiding) in the bathroom now,” he says. “Help me, please – I’m going to die!”

Moments later, four police cruisers race through the streets of a middle-class enclave, sirens wailing, and pull up onto the lawn of the Yagerhofer residence.
Inside, Lisa Yagerhofer gets up from the dinner table she’s sharing with her husband, James, and 16-year-old son, Tyler. She opens the front door to find a Pennsylvania State Trooper yelling, “Get out now!”

“What is going on?” Lisa stammers. “What is this all about?”

The answer, they would all soon learn: a game that Tyler had played hours earlier on his Xbox 360. He’d had a squabble with another player during online play, which triggered a terrifying modern-day prank. Tyler’s irked opponent had jacked into his Xbox Live profile, which contains billing address info, then called the police through a Philadelphia-based Internet Relay Service to hide his location. “There were state cops at my house,” Tyler says. “They pointed a gun at my face.”

The worst part of the prank is that it is surprisingly common. The sick joke, known as swatting, takes advantage of the 911 system by painting the scene of an unfolding crime so heinous that local police forces often unleash the full might of their para- military units upon an unsuspecting household. It has occurred hundreds of times over the past decade, costing US taxpayers up to R80 000 each time the cavalry rolls in. It has apparently been used to settle political scores – conservative bloggers Patrick Frey of Patterico’s Pontifications and Erick Erickson of RedState allege that left-wing activists are behind recent swattings of their homes – and to badger celebrities, including Ashton Kutcher and Justin Bieber. It is a minor miracle no one has been shot during these emergency responses – though two victims have reportedly suffered heart attacks from the shock of having had their front doors suddenly knocked off the hinges.

That is the moment a nebulous threat to privacy becomes a concrete instance of harm. Our personal lives have increasingly become public information: each day people enthusiastically post 400 million tweets and upload 400 million new photos to Facebook. Americans are routinely tracked through smartphone apps and instantly background-checked through surveillance cameras. We each leave a treasure trove of personal information in places that are surprisingly accessible – such as Tyler Yagerhofer’s Xbox Live profile – and so widespread that it’s impossible to keep track of it, much less secure it all.

This slow and steady degradation of personal privacy has become so pervasive that many citizens are inured to it. But when personal data suddenly falls into the hands of those willing to abuse it, victims get a chilling reminder of how exposed the free flow of that information has left them. So much of our information gets collected, traded and aggregated that it’s not difficult for a shady company, corner-cutting law enforcement officer, or snickering online troll with a twisted sense of humour to find out where we live, how we spend our time, and whom we care about, then wreak havoc.

Kimberly Mitchell of the Crimes Against Children Research Centre at the University of New Hampshire has studied the way kids use the Internet, and she says that there is considerable debate about whether people are genuinely nastier to each other online or if the Web simply provides a larger forum for bad behaviour. “The sheer amount of people on the Internet is the unique characteristic here,” she says. “You get access to people that you wouldn’t otherwise encounter.”

Vicious behaviour may not be more common online than off, but the Internet has the potential to amplify abuse. According to a 2011 study of teenagers by the Pew Research Centre’s Internet and American Life Project, 15 per cent of teenagers said someone had been cruel to them on social networks in the previous year. The same poll found that when teens witnessed mean behaviour to others online, 21 per cent of them admitted to occasionally joining in. Many of the stories of youthful cruelty are well-known – such as the case of Tyler Clementi, the Rutgers University student who jumped to his death from the George Washington Bridge in 2010 after his roommate used his computer to capture video of him kissing an older man – but adults can become victims just as easily.

The stories get horrible in a hurry. In 2006, days after the daughter of a man from n Orange County, California, was killed in a car crash, he was e-mailed photos of her corpse taken at the scene of the accident with the message, “Woohoo Daddy! Hey Daddy, I’m still alive.” Last year, a Houston man was arrested for online impersonation after creating profiles for his ex-girlfriend on a prisoner penpal site. Also in 2012, Leo Traynor, a blogger in Ireland, wrote about how he had been tormented for three years by anonymous anti-Semitic e-mails and Twitter direct messages to both him and his wife – his abuser even mailed a container of ashes to his doorstep with a note that said, “Say hello to your relatives from Auschwitz.” He ultimately discovered the source of the harassment – his neighbour’s 17-year-old son. Traynor confronted the boy and asked him why he had done it. The teen answered blankly, “I don’t know. I’m sorry. It was like a game thing.”

The Internet’s avenue for adolescent nastiness can lead to unpredictable and dramatic invasions of personal privacy, but it is the institutional and governmental intrusions into our lives that are, arguably, more unsettling. If you live in Minneapolis, New York City, San Francisco, or many other cities in the United States and you drove to work today, the licence plate of your vehicle was very likely scanned by an automatic licence plate recognition (ALPR) device, logged into a database, and checked against police records of stolen cars and wanted criminals. “ALPRs tag each photo with the time, date and GPS location of the photograph,” says Allie Bohm, a privacy advocate at the American Civil Liberties Union. “(The police) collect information not just about people
suspected of crimes, but everyone in the camera’s field of view. And they’re storing all the data they collect – sometimes for years, sometimes pooling it in state and regional databases. These systems are popping up everywhere in America; if the pace continues, they will be on every single corner a decade from now, and it will be the equivalent of monitoring every vehicle on the road with a GPS tracker.”

These tools have obvious benefits – stolen cars can now be found with ease, and ALPRs have helped find missing persons and catch fugitives – but they have also swiftly slipped beyond the bounds of basic law enforcement. In 2012, the privacy advocacy group Electronic Privacy Information Centre (EPIC) discovered that US Customs and Border Protection had shared licence plate data collected on millions of vehicles at the Mexican and Canadian borders with insurance companies. Many police departments make their licence plate reader databases available to the general public, opening up the possibility that private citizens could track each other’s travels with almost no oversight. This is already being exploited by automotive repo agents who use police databases (and sometimes their own ALPRs) to track and seize the vehicles of delinquent clients. At least one city has used ALPRs to do a little repo work of its own – the New Haven, Connecticut, tax collector’s office has used mobile cameras to hunt down and tow the vehicles of thousands of citizens who owe back taxes.

Over the past decade, vast networks of police surveillance cameras have also been trained on pedestrians in cities such as New York City, Baltimore, Detroit, and Long Beach, California. Currently many systems use video analytics to automatically alert authorities to suspicious movement or behaviour. But recent improvements in the technology of facial recognition at a distance means that it won’t be long before surveillance cameras will be able to ID faces as easily as they do licence plates. And law enforcement facial-recognition databases are already under development. As part of its R8 billion Next Generation Identification system, the FBI is currently testing facial-recognition technology in Michigan and expects the system to be operational by 2014.

As large databases that profile the movements of private citizens build up with little oversight, it is difficult to know whether these systems are being abused. But evidence collected from law enforcement databases that are monitored shows that, even though the vast majority of police officers use the technology for legitimate purposes, there are always a few rule-bending cops willing to use these tools for illicit ends.

In 2010, rookie LAPD officer Gabriel Morales printed out information on witnesses in a murder trial from the California Law Enforcement Telecommunications System and gave the information to his girlfriend’s father – whose son happened to be the defendant. In 2009, Cincinnati police officer Barry Carr used the computer in his police cruiser to look up information on a woman he was attracted to, then proceeded to pull her car over multiple times and make passes at her. Similar database access outside official duty has been detailed in other regions. In 2000, the Indiana State Police even suspended the Highland Police Department’s access to the FBI’s criminal database because of chronic misuse.

And police have not been shy about tracking citizens with the technologies already available to them. In an August 2011 review of 230 US police departments, the ACLU found that virtually all track citizens’ cellphones, yet only a tiny minority consistently demonstrated probable cause before doing so. Police training materials prepared by California prosecutors in 2010 advised officers on “how to get the good stuff”, adding that today, “subtler and more far-reaching means of invading privacy have become available to the government”. Cellular provider Sprint’s electronic surveillance manager mentioned at a 2009 industry conference that the company had provided police with 8 million location data points in one 13-month span – enough that they simply set up a dedicated Web site for police to access tracking information from their desks.

But for all the sophisticatedtechnology available to government, no one has greater access to the intimate details of your life than the private companies you do business with every day. “We leave a lot of our digital detritus with phone companies, Internet service providers, e-commerce sites – about who we are, what we do, whom we associate with,” says Mark Rasch, former head of the Department of Justice’s computer crime unit and now director of cyber security and privacy consulting at technology company CSC. “Because no legal paradigm exists to oversee it, the assumption is that your data belongs to whomever collected it.”
By now most Internet users are aware of the cookies that track their movements online, but the scope and depth of the information gathering still has the power to astound. Using the Firefox plug-in Collusion, which monitors online tracking, PM conducted a simple experiment, surfing popular websites to shop for children’s toys and research a trip from New York City to Orlando in Florida. We visited just five sites, yet our browsing information was shared with more than 30 data-tracking and -aggregation firms with names such as BlueKai, AppNexus, Atlas and Collective Media.
And the tracking continues when you shut down your computer. Facebook recently allowed data-mining firm Datalogix to combine personal information from the social network’s users with the real-world information Datalogix collects from brick-and-mortar stores – so Facebook users could be tracked offline.

Cellular provider Verizon came under fire last year for gathering a mountain of app, browsing and location information from its customers and selling it to marketers. “We’re able to view just everything that they do,” Bill Diggins, a Verizon Wireless marketing executive told a business intelligence conference last May. “Data is the new oil.”

Most of the time the data collected by our devices on behalf of companies we do business with is used to refine ever-more-efficient marketing efforts. But sometimes personal devices are hijacked for more dubious business reasons.

In 2010, Brian and Crystal Byrd found out just how far a company was willing to go to peer into the private lives of its customers. In July of that year the couple signed a rent-to-own agreement for a Dell Inspiron 14 laptop with the local branch of the big leasing company Aaron’s.

The couple had agreed to pay off the computer by 15 November of that year; the Byrds beat that timeframe and paid the final installment on 1 October 2010.

Due to an administrative error, Aaron’s never logged the final payment. So on 16 November, believing the Byrds were in arrears, store employees activated snooping software, called PC Rental Agent, installed on the computer. Created by Pennsylvania firm DesignerWare, PC Rental Agent includes a Detective Mode that allows operators to remotely access, monitor and intercept keystrokes and electronic communications. That includes the user names and passwords for email accounts, social networking sites and online banking, as well as Social Security numbers and medical records.

Ostensibly intended as a long-distance kill switch for stolen hardware, PC Rental Agent also grants third-party control of the computer’s camera: “When activated, Detective Mode can cause a computer’s webcam to surreptitiously photograph not only the computer user, but also anyone else within view of the camera,” the Federal Trade Commission (FTC) explained in a sweeping 2012 lawsuit against DesignerWare, Aaron’s and five other companies that installed the software on rental computers. “(These) webcam activations have taken pictures of children, individuals not fully clothed, and couples engaged in sexual activities.” Worldwide, the seven companies had installed the software on more than 400 000 computers.

The program ran on the Byrds’ computer for more than a month, with outsiders accessing the couple’s Dell almost 350 times. In December, store manager Christopher Mendoza came to the Byrds’ home to repossess the computer – and presented, as evidence that it was still in use, a webcam photograph of Brian lounging on the brown leather couch in his living room. “It feels like we were pretty much invaded, like somebody else was in our house,” Byrd told the Associated Press. (Due to a pending lawsuit, the couple declined an interview with PM.) “It’s a weird feeling. I can’t really describe it. I had to sit down for a minute after he showed me that picture.”

With privacy laws so vague, the US government responds to only the most egregious violations. Outright digital harassment is illegal in most states. But that discourages only those who follow the law in the first place. For online assailants who believe they are beyond the reach of legal reprisal, there’s always karma. That’s what happened to Stephen (not the minor’s real name), the 13-year- old gamer who boasted about his takedown of Tyler Yagerhofer by posting the 911 transcript on the hacker code-sharing site Pastebin a week after the incident. Less than a month later the prank hit his own northern Michigan home shortly after he played Gears of War. Local police heard from an unidentified caller that a hostage situation was in progress and they sent police to Stephen’s address. Even now it’s difficult to discern if the teenager learned his lesson. “My mom was flipping out,” he wrote on another hacker forum after the event. “Hahaha, very funny.”

Online harassment
We’re human, so exchanging salty words online is bound to happen. But according to Michelle Boykins of the National Crime Prevention Council, it’s a bad idea for children (and, frankly, adults) to respond to and potentially escalate harassment. It’s even more important to keep personal information out of the hands of strangers. “Nobody needs to know where you live, no one needs to know your phone number,” she says. When registering for social networking sites, she says, don’t include your personal e-mail. However, if an incensed cyberbully manages to uncover your email – or worse yet, your address – record and save any threats made against you, then contact local law enforcement, as well as the service the bully is using to attack you, and report his or her behaviour.

Computer hijacking
Today’s all-in-one spyware suites allow remote monitoring and control of your PC, including access to your keystrokes and webcam. If your system is running suspiciously – the webcam light turns on by itself, apps suddenly start working extra slowly – take a look at your running processes using Windows Task Manager or Activity Monitor on OS X. If you encounter any odd-looking programs hogging system resources, look them up on Google. If you find anything with a bad rep, delete it. If the problem doesn’t go away, reinstall your operating system.

Web tracking
The private browsing mode of most browsers prevents cookies and blocks local storage of your browsing history – but that won’t stop outside sites from tracking you via your IP address. But a new feature called Do Not Track tells sites not to follow your activities online. You can enable it in Mozilla’s Firefox, Microsoft’s Internet Explorer 9 and higher, Google’s Chrome version 23, and Apple’s Safari for OS X 10.7 and higher. Check donottrack.us for information on browser settings.

Smartphone tracking
Smartphones track user behaviour and location natively and through third-party apps. To find out which apps are accessing personal data on Apple iOS devices, check the Privacy settings menu. You can also limit targeted advertising and stop Apple from collecting user activity data in the About menu under General settings. On Android devices, find and delete info-sniffing apps from the Application Manager.