Friday, February 17, 2006

Privacy Concerns with Google Desktop Search

Google has just released the latest version of its desktop search software, and it includes some new features. One of them is the ability to share documents across multiple computers. While some may find this feature convenient, it may expose users to privacy intrusions or even worse.

 

The new feature, called “Share Across Computers” actually stores a variety of information and documents on Google servers. Specifically, users will find that their web browsing history, MS Office documents, PDF files, and text files are copied to Google’s servers. After initial indexing and storage, users can search for documents remotely.

 

While the service is not intended to provide access to these documents without a password, determined hackers will certainly be able to access information that document creators consider to be private. Anyone who has highly sensitive documents, such as tax forms that contain their Social Security Number, will be needlessly exposed to identity theft.

 

The feature also opens up users to greater scrutiny by the government. If the government wants to gain access to documents stored on a personal computer, it needs to obtain a search warrant. But if those documents are stored on Google’s servers, only a subpoena would be needed. Thus, there is virtually no standard of court supervision to gain access to personal documents.

 

The subpoena issue is not trivial. Just last month, the government attempted to subpoena Google’s search records. Google is fighting that subpoena, and we support them in their fight. But there is absolutely no assurance that Google will win its fight. And even if they do win, there is no assurance that they will fight subpoenas that might impact only a single Google user with as much dedication as they are using to fight the current subpoena, which impacts all Google users.

 

The same subpoena standard would also apply in matters of private litigation. This means that an estranged spouse or an upset client could subpoena Google to gain access to documents that might not otherwise be available to them.  

 

Companies should be particularly concerned about the data security issues associated with any employee who uses the Search Across Computers feature. Not only will sensitive documents be subject to hackers or subpoena, but they could also remain available to terminated or former employees. This could potentially lead to trade secrets being revealed to competitors.

 

Google does allow users to use a “clear my files” feature which will manually remove files from their servers. There is also a feature to exclude specific files. But both of these features present problems. Users have to remember to clear files on a regular basis. Alternatively, they would need to manually exclude new files that they create if they don’t want them listed.

 

The entire feature can be turned off, which is what we would recommend for anyone who ultimately decides to use the software. Users who have an older version of the Google Desktop may want to avoid upgrading. Parents should warn their children not to install or upgrade the software, especially if the computer that they do their taxes on is the same one that their children use. And companies should not install, or allow employees to install, this software on the computers they use.

Thursday, February 16, 2006

Are Insurance Companies Sharing Data On Homeowners Claims? Get a CLUE!

If you own a home, you may want to think twice before filing a homeowner’s claim with your insurance company. That is because 90% of the insurance companies in the country now share claim information through two databases. One, run by ChoicePoint, is called CLUE. The other, run by Insurance Services Office, is called A-Plus. Typically, reports issued by either database are referred to as CLUE reports.

 

If your home is listed in one of these databases, it could be uninsurable through private companies. This in turn could have a real impact on the value and salability of your home.

 

Unfortunately, most consumers are unaware of CLUE until they are impacted by it. This usually follows the filing of an insurance claim.

 

It is not uncommon for insurance companies to pay claims and then send notice of policy cancellation. Since Hurricane Andrew hit Florida in the early 1990’s, followed shortly thereafter with the Northridge Earthquake in California, insurance companies have made it more and more difficult for consumers to keep their policies active after filing a claim. Insurance company losses in these two disasters were staggering.

 

Many insurers were also heavily invested in the stock market when it started to drop in 2001. While you may think this issue should fall into the category of “Not my problem”, stock market losses, combined with disaster payouts have left the insurance industry scrambling to find ways to minimize risk. In other words, they have made it your problem.

 

Insurers are especially sensitive to any water damage. They are concerned about the liability they may incur for claims of mold, which some believe have health consequences that could make a home uninhabitable.

 

If you file a claim for water damage, even if it is minor, you could find that your house is written up in CLUE, your policy is cancelled and your property is difficult or very expensive to insure. It could also hit you right in the wallet by making your property less desirable to potential buyers.

 

Because CLUE is relatively new, only roughly 30% of homes actually have CLUE reports. With the average homeowner filing one claim every ten years, it will be some time before the majority of homes are covered.

 

Consumers who find that their home is included in CLUE do have certain rights, similar to those associated with credit reports. If you are turned down for insurance or if there is some other adverse action taken by an insurance company based on a CLUE report, you have a right to a free copy of the report. You also have a right to submit corrections in the event you find errors on the report.

 

If you just want to see a copy of your report, you can purchase it for anywhere from $9 to $13, depending upon which report you buy. At present, only property owners and insurance companies have access to CLUE. If you are purchasing a property, you have no right to the report, but there are some things you can do to protect yourself in the event the home you are buying has adverse information in CLUE.

 

First of all, you may want to have your realtor write into your purchase agreement that if the house is turned down for insurance based on information contained in CLUE, you have a right to back out of the sale.

 

Secondly, you should apply for insurance as soon as your offer is accepted. This will ensure that you find out if there are any problems quickly.

 

As with credit reports, CLUE reports contain enough information for an ID thief to steal your identity. If you pull such a report on a property you own, keep the report in a safe place. If you dispose of it, don’t throw it out. Shred it.

 

There is a concern among privacy activists familiar with CLUE that access to the database within the insurance industry may be too widespread, and that people without a need to know may have access to your private information. Unfortunately, unlike with credit reports, you don’t have a right to know when an insurance company pulls your CLUE report. Furthermore, there is no way for you to freeze your information in CLUE. The best protection that you may have is to be aware of what data on your property, if any, is contained in CLUE.

 

You may also want to think twice before you file an insurance claim on your home. Although it may not seem fair, current laws do not prohibit insurance companies from sharing data with each other. If you file a claim, it could cause your property value to drop. It could also be giving people who work within insurance companies the ability to steal your identity by providing access to information that you want kept private.

 


Wednesday, February 15, 2006

How Much Do You Spend at Victoria’s Secret? The IRS Wants to Know!

February 15, 2006 – If you think you don’t have much in the way of financial privacy right now, you are correct. Banks can disclose your information to their affiliate companies without your permission (You can thank Congress for that). Database companies gather, store and resell your information (including your Social Security Number) to the highest bidder. But if you think financial privacy is lacking already, the Bush Administration is trying hard to make the situation even worse. If they get their way, copies of your credit card bills and your ATM card purchases will be sent straight to the IRS. So much for due process!

 

If you are over 35 years old, you probably remember hopping on your bike and riding down to the local bank. In fact, banks wanted you to come through the door and open an account. If you could talk and reach the counter with your piggy bank, they were happy to open an account for you. The teller would even gladly help you count your change.

 

You didn’t need a Social Security Number. You didn’t even need to know your address. You could come back with your parents and have them supply that for you.

 

When banks started using ATMs, they would send you a card. It didn’t matter if you were under 18 years old. You could make deposits and withdrawals. You could use the ATM. You got interest on your money and there were no fees! It was a different time. A time in which parents and society encouraged their kids to save.

 

But as with many good things, politicians got involved with the system and totally screwed it up. They passed laws that required Social Security Numbers for anyone opening a bank account. They passed laws that made it illegal for minors to have control of their own bank accounts. In fact, banks are not even allowed to furnish ATM cards to anyone under 18 years of age.

 

The reason for all of these laws was that the government, specifically the IRS, wanted to know everything about our finances. And over the past twenty years, the IRS has pretty much gotten its way. Banks are now required to report any transaction of $10,000 or more. But they also report smaller transactions if they are “suspicious” in nature.

 

But it is not just banks that are involved in this kind of financial surveillance. Even the Post Office has gotten into the game. The Post Office training manual tells employees that when someone is purchasing a money order and using cash, they should try to get identification from them. If the customer won’t provide it, then they are encouraged to try to identify them by getting a license plate number or by following them. This information can then be reported to the FBI or IRS for follow-up.

 

Now, convinced that we are all a bunch of tax cheats, the Bush Administration is suggesting to Congress that it pass legislation that would report aggregate payments to merchants that are made using credit or debit cards. While this type of reporting would not cover specifically what you purchase, it would tell the IRS where you shop and how much you spend.

 

The reason for suggesting this legislation has to do with an audit conducted by the IRS on underreported taxes for 2001. The IRS randomly reviewed 46,000 returns and then combined this information with other data. Based on their findings, the IRS estimated that Americans underpaid their taxes by $345 Billion in 2001 alone. $197 Billion of this shortfall came from individuals, with the rest being from business underreporting.

 

While the amount underreported is significant, IRS Commissioner Mark W. Everson admits that a large part of the problem may be due to confusion over the tax code. Complexity of the tax law contributes to noncompliance, Everson said, both by confusing taxpayers and by providing "opportunities for skirting the line."

 

Based on Everson’s comments, a logical first step for better compliance is simplifying the tax code. Not forcing Americans to give up more of their financial privacy.

 

But the chances are that it is financial privacy that will suffer, long before tax simplification. There are just too many special interests who make big campaign donations for us to believe that Congress will do the right thing.

 

So if you don’t want anyone to know where you shop, you might want to consider using cash. It may not be the most convenient thing to do but it is still relatively private.

 


Tuesday, February 14, 2006

RFID Chips in Passports Proven to be Insecure

February 14, 2006 – ACCESS has been concerned for months that the State Department’s plan to include RFID chips in passports has not been well thought out. The original plan would have placed an RFID chip in every passport which would have contained unencrypted data about the passport holder. After a storm of protest, the State Department revised the standard to include some encryption. Now, a Dutch television news program has come along and broken that encryption in less than two hours. The ramifications of this to passport holders are anything but positive.

 

The news program hired the research firm Riscure to see if they could break the RFID encryption in a prototype of a new Dutch passport. The encryption standard that the Dutch are using is identical to the one that the United States plans to use.

 

According to the Practical Nomad, Riscure was able to intercept data contained in the passport using an RFID reader. Although the data was encrypted, Riscure was able to read the entire data stream and store it on the hard disk of a laptop computer. Once the data was stored, it took them less than two hours to hack into it and read it in an unencrypted form.

 

The ramifications of this are disturbing. The data that will be included in passports includes the passport number itself, and a stream of personally identifiable information including the nation issuing the passport and the name and picture of the passport holder, along with other personally identifiable information. Once the data stream has been intercepted, a resourceful crook would be able to make slight manipulations to it, imprint it on a new RFID chip, and then make a counterfeit passport.

 

Beyond counterfeiting, there are even more disturbing elements to this story. The Dutch passport used exactly the same chip set and encryption standards as the US Government is using. The data contained on the passport RFID chip can be read from distances of greater than 30 feet. At that distance, US citizens could easily be singled out and targeted by terrorists or kidnappers in their travels. Someone interested in this type of crime could simply walk down the hall of a hotel and read passport data without ever having a need to enter the room. It would only take them a matter of hours to determine which hotel guests were Americans and what rooms they were staying in. In this day and age, that information can present a real danger if it winds up in the wrong hands.

 

Intercepted data could be used to steal the identity of the passport holder. Just as importantly, an American Passport identifies the holder as a US Citizen. With a forged passport that contains accurate data, anyone can gain entry to the country, open a bank account, get a driver’s license, or even register to vote.

 

Use of RFID in passports is unnecessary. Designers could just as easily have encrypted data on a magnetic strip. This type of data storage would have required physical contact with a passport in order to read it; a significantly more secure setup.

 

But not only did the United States make an internal push to use RFID, it also pushed a variety of other nations to adopt a particular standard and then use it. Unfortunately, this new standard appears to be fatally flawed (which is something that we warned about more than six months ago), and if implemented could actually weaken both national and personal security.

 

The State Department has been forced repeatedly to delay the wide-scale distribution of RFID in passports. Originally, they had hoped to deploy the system last year. Now, they are pushing for a late 2006 implementation. ACCESS is hoping that better encryption will be added to the data stored in passports, and would very much like to see RFID chips eliminated entirely.

 


Monday, February 13, 2006

Tax Time Fraudsters Working Overtime


With tax time fast approaching, the scam artists are out in droves. They are using a variety of ploys to fool consumers and engage in identity theft. Although most of these tricks have been used in the past, consumers continue to fall for them.

Most of the scams that people fall for use either e-mail or telemarketing to make contact. And many of them will claim that the contact is being initiated by the IRS. The first thing you need to know to protect yourself is that the IRS will not call you and ask for your Social Security Number. They already have that information. Nor will they call and ask for bank account or credit card numbers. Anyone receiving a call like this should immediately be on their guard.

Here is a rundown on some of the most popular scams this year:

Tax-Refunds.IRS.Gov

This is a phishing scam. Victims receive an e-mail message that appears to come from the IRS. The URL used is either tax-refundsirs.gov or tax-refunds.irs.gov. The e-mail message appears to be from the IRS and requests detailed financial information from the recipient which may include SSNs and bank account numbers.

Those that fall for this scam will find that their identities are quickly stolen and their bank accounts may be drained.

Consumers should know that the IRS never requests detailed financial information via e-mail. You should also know that e-mail is not a secure method of providing this type of information to anyone. You should never include your SSN in an e-mail message or a message attachment.

Anyone receiving this kind of message can call the IRS at 800-829-1040 to report it.

W-2 Fraud

Some con artists are contacting consumers and offering to issue fake W-2’s which show that they have overpaid their taxes. Consumers are asked to supply their Social Security Numbers, which the con artist will use to generate the W-2 and a phony tax return. Consumers are told that when the refund arrives, it will be split with them.

Any consumer who falls for this is not only a victim, but may be a criminal too. They are conspiring to defraud the United States Government, which can lead to a prison sentence.

Military Service Refunds

Victims are contacted and told that they are eligible for a $4,000 tax refund because of a relative’s military service. They are asked for a credit card number to pay a fee between $25 and $50 to cover postage and handling.

The IRS does not charge any fees for postage, and telephone agents are not authorized to collect credit card information from consumers.

Social Security Refunds

Consumers are contacted and told that they are entitled to a refund of some of the Social Security taxes that they have paid over their lifetime. Victims are asked to pay a paperwork processing fee along with a fee covering a percentage of the anticipated refund.

Current law does not allow for Social Security tax refunds.

Home Based Business Setup

In this scam, victims are told that if they set up a home-based business they will be able to write off most of their personal expenses. They may be told that these include principal payments on their mortgage, utility payments and automobile payments. They are asked to pay corporate filing and paperwork fees that can exceed $1,000.

While the victims of this scam may wind up with a shell company, that’s about all that they will get. The IRS regulates closely the deductions that people can take for home based businesses. Any deductions that consumers attempt to take that are outside of the law will be denied and the consumer can find that they not only have to pay the back taxes and interest, but penalties too. If it can be shown that the consumer blatantly violated the law, prosecution is also a possibility.

Pay the Taxes, Get a Prize

This is one of the oldest scams around. Consumers are contacted and told that they have won a great prize. It could be a boat, a car, a house or a trip. All they have to do to collect is pay the income tax on the prize. They are then asked to provide a credit card number or mail in a check.

Any company that is awarding a legitimate prize will issue an IRS form 1099 to the consumer. It is the consumer’s responsibility to pay the taxes directly to the IRS, not to the company awarding the prize.

Tax Collector at the Door

This scam is a little different because it involves people going door to door.

Consumers receive a knock at the door from someone claiming to be with the IRS. They are there to collect back taxes, or perhaps to inventory assets. Many consumers are so afraid of the IRS that they automatically open their doors and let these people into their homes.

If the IRS is coming out to your home, they will normally call to schedule an appointment. If anyone shows up at your door and claims to be from the IRS, you should get their identification. All IRS agents and collectors carry official identification and will be happy to let you examine it. If someone simply flashes a badge at you but refuses to let you closely examine it, or if you have any reason to suspect that the person at the door is not from the IRS, lock your door and don’t let them in. Call the police and then call the Treasury inspector general's hot line at 800-366-4484 to report the incident.
