Everyone needs online privacy. The level of privacy, however, is purely a personal choice. Many people are not concerned about privacy as such, based on the argument that they have nothing to hide; however, most of these people are generally not aware of the consequences that can haunt them at any point in their lives. Once you leave a digital footprint somewhere in some byte of data, there will always be a risk that it can be accessed or infiltrated by an unauthorized third party. To reiterate Douglas Adams’ lines from the Hitchhiker’s Guide to the Galaxy, “It’s always out there.”
Privacy is mainly invaded by 3 categories:
• By identity thieves, your personal or business competition
• By business and services that you use and depend on
• By governments and intelligence agencies
By identity thieves or your personal and business competitors:
The most widespread abuse of the privacy of individuals is conducted by identity thieves. Their motives can vary from financial gain to simply satisfying a personal ego. What they want is to get hold of the passwords of your key online accounts and use them to gain access to your personal as well as financial information. Generally, identity thieves don’t use your data directly but rather sell it in bulk to interested buyers through online forums and groups.
The most common practice for privacy invasion is through spamming, where the attacker gets hold of lots of email addresses and sends them bulk emails with an attachment. He’ll send you an attractive topic that contains some interesting things like a ring-tone or secret pictures, or perhaps fake a “reply” to a random, believable subject, which will make some readers open the attachment.
The attachment usually contains a Trojan horse or spyware which will record your keystrokes and send them back to the attacker. For instance, if you typed www.citibank.com followed by 2 words, the attacker would know that you typed a username and password. He can then sell your information to buyers who can abuse it. In this case, the hacker is usually just a middle man who has the requisite expertise to get your information, but might not actually use it himself.
The hackers may also send you an email which looks like an official message from a financial institution that you deal with, asking you to click a link which takes you to an official-looking website. This is usually simply a fake front of a site, presented as being used for the verification of your information.
Because the average user doesn’t pay attention to the changing URL in the address bar of the browser, there are always a few unsuspecting victims that fall prey to this technique of Phishing.
A personal rival who may have access to your PC for a short duration may install a similar Trojan to log your keystrokes and later look into your family pictures that are present in your mailbox or access your chat logs.
As a business, you might have competitors who are looking to steal your trade secrets and use them to their advantage. They may use the email techniques explained above, or they may get this done by buying out someone inside your organization. They could place someone as innocent as a sweeper or someone low in the food chain, who might be given the task of plugging in a USB thumb drive with an autorun script that copies all the documents onto the stick, or even a USB key logger that sits between the keyboard and the PC, wirelessly transmitting all the information.
As technology becomes more advanced, if there are creative ways to secure your information, there is always someone working to develop innovative ways to break the system.
Business and services you use and rely on
Although this may not cause you as much damage as identity theft, your privacy may still be invaded without your consent in several cases.
Take Google as an example. When you Google something, it remembers the queries you searched for earlier and tracks you through several different ways.
The first way is that it stores a cookie in your browser and tracks anything that is searched for on your computer. Google tracks your computer via that cookie and profiles your personality based on your search habits. For instance, if you are travelling with your laptop and you search for various things on your way, Google will know that you like Red Lobster, that you searched for local prayer times, and that you also looked for addresses on their maps.
The company will track all this information based on the geo location of the IP address that you connected from.
One of the uses of this information is that Google follows your search habits, correlates them with your location and shows you contextual marketing ads when you use Google search or visit any site that runs Google AdSense. Secondly, if you have a Gmail account, it will link all the computers that you have ever checked your email from and also correlate them with other people who used those computers. Google may also scan the contents of your email and update your profile for marketing and for any future purpose that even Google might not be aware of at this time. The information is there and once it’s out there, it stays there.
Not only this, Google would have already profiled all your friends and colleagues with whom you might have shared your computer even once for checking your email account. The service also knows all your direct friends, family and people you do business with, based on your email transactions, and also knows the exact nature and content of those emails.
Now some people argue that there are hundreds of millions of users who use Gmail and Google will not have time to read everyone’s emails, especially for the innocent ones like the good IT Manager running a clean shop in his organization. But what if one of the guys whom you communicated with does something nasty and the authorities decide to manually scan the detailed history of all the persons he ever communicated with? The digital footprint that you create only gets stronger with the passage of time.
The other example of privacy invasion is from the companies you do business with. For instance, the companies providing you credit card, mobile phone, discount shopping and online companies from where you purchased something may sell your information to marketing companies that may start calling you for things like insurance or loans. Telemarketing departments of companies, especially those in the financial sector, are known to do this.
By the Governments or intelligence agencies
This also does not bother most people, but privacy advocacy groups in the West strongly highlight this issue. Wiretapping without warrants has been exposed several times in the US, where Internet, telephone and mobile communications have been known to be recorded and analyzed. In the UK, ISPs are required by law to log every single email sent and received by their subscribers for a year. They are also working on an ‘Interception Modernization Program’ where details of every SMS or email sent, phone call made and website visited are going to be profiled into a single database for every UK resident. So now, not only will your communication be logged, it will also be stored to reflect the habits and behavior of every individual. Remember how in the Hollywood movies, the satellite imagery focuses down to the single individual as an RFID tag? Well, all of this is already happening here!
There have been stories where Microsoft and the NSA (National Security Agency) have put a code in every OS copy to facilitate Government spying.
Read this document and you’ll get a better idea:
http://www.heise.de/tp/r4/artikel/5/5263/1.html
It has also been revealed in the past that the spy agencies have used the surveillance for business advantages to steal deals worth billions of dollars from foreigners, converting actions in their favor.
This BBC report sheds some light on the subject matter at: http://news.bbc.co.uk/2/hi/europe/820758.stm
Although most people are not too concerned by these actions, there does need to be a clear line drawn for the individual’s ‘space’, after which authorities should not be allowed to invade your privacy in the name of national interest.
Staying Private:
There are an endless number of ways through which others can invade your privacy. I will give a few examples of counter techniques that you can use in attempts to safeguard your privacy. Having said that, please understand that these techniques are being shared purely as examples. There are no guarantees that they are actually effective in keeping you off the grid.
In order to avoid becoming a victim of identity theft, you should resist the temptation to open every email attachment or download cool software that may enhance the functionality of your Windows, especially of your browser and chat clients. If you can afford to or are tech-savvy enough, then you should avoid Windows completely and switch to Mac or Linux. If you use a Windows platform, then make sure that your routine Windows account does not have Administrator privileges and that the latest suite of Internet security software is installed on your machine. The same goes for the IT and IS managers running the smaller organizations.
You should also learn to distinguish between the original and the phishing sites. For instance, https://www.paypal.com is the real site and http://paypal.database-confirmation.com/index.htm is a phishing site. The front-end interfaces, however, look identical and trick users into giving up their bank account and credit card information.
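The comparison between the two PayPal addresses above can be automated, for example in a mail filter or a help-desk tool. The following is an added example, not part of the original article; the function names and the trusted-domain list are assumptions made for illustration.

```python
from urllib.parse import urlsplit

# Assumption for this example: the domains the user really does business with.
TRUSTED_DOMAINS = {"paypal.com"}


def host_is_under(host, domain):
    """True if host is the domain itself or a subdomain of it."""
    return host == domain or host.endswith("." + domain)


def check_link(url, trusted=TRUSTED_DOMAINS):
    """Return (verdict, reasons) for a link that claims to be a trusted site."""
    parts = urlsplit(url)
    host = (parts.hostname or "").rstrip(".").lower()
    reasons = []

    # Which trusted domain, if any, actually controls this host name?
    owner = next((d for d in trusted if host_is_under(host, d)), None)
    if owner is None:
        # Host names are read right to left: the rightmost labels decide who
        # controls the site, so a brand in a left-hand label proves nothing.
        for domain in trusted:
            brand = domain.split(".")[0]
            if brand in host.split("."):
                reasons.append(f"'{brand}' is only a subdomain label of {host}")
        reasons.append("host is not under any trusted domain")
    if parts.scheme != "https":
        reasons.append("connection is not HTTPS")

    if owner and not reasons:
        return "trusted", reasons
    return ("phishing-suspect" if owner is None else "insecure"), reasons


if __name__ == "__main__":
    # The two addresses quoted in the article.
    for link in ("https://www.paypal.com",
                 "http://paypal.database-confirmation.com/index.htm"):
        print(link, "->", check_link(link))
```

The check keys on the right-hand end of the host name, which is the part of the address bar a reader should look at first.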
In business, you should hire people only after having their background checks verified. You should also get your systems audited and have some standard security policies made for your organization through an independent security consultant.
Evading and avoiding Google is not easy. There are several search engines available online, but the Google search results are usually most relevant.
If you have several computers in an office sharing an Internet connection, you can get a local proxy server installed, which can be configured with security policies to hide the fingerprints of your local machines. You can use dual browsers on your machine, one for general searching and the other for private searching. Browsers like Safari offer a private mode, which prevents any trace of your web visits from being stored on your computer, and also doesn’t allow any cookie from any site to be stored on your machine.
For emails, try to avoid public email accounts altogether. You should host an internal email server inside your office for emails between your colleagues. You may also restart your DSL modem daily to renew your public IP address.
Many businesses in the UK have policies in place to block access to public email servers from their offices. This is a practice at many multinational companies that operate in Pakistan.
Evading government surveillance is even harder. In case you suspect that your ISP is logging everything illegally, you may choose to host a server in a data center in Switzerland, for example, where laws offer the best privacy for personal data. You can then run an IPSEC tunnel with high grade encryption between your local office and Switzerland, and use the tunnel for emails, web and even voice traffic. VPN clients are also available for all modern phones and can be used for emails and browsing on the move.
Although IPSEC encryption is very strong and safe, some countries like the UK are making it mandatory for businesses and individuals to hand over their IPSEC secret keys to the police or face imprisonment. According to a news article, UK law enforcement has the legal backing for this through Part 3 of the Regulation of Investigatory Powers Act (RIPA). Although the Act was introduced in 2000, the government held back from bringing Part 3 into effect. In 2006, more than five years after the original act was passed, the Home Office was exercising its muscle to enforce Part Three of RIPA.
Cyber Crimes in Pakistan: An Invasion of Privacy?
While a great deal has been published about the Cyber Crimes Act in Pakistan, the premise of the law seems to be faulty. If you compare the local Cyber Crimes law to those in effect in other countries, the language seems to be more vague, giving law enforcement even more risky authority than is advisable.
While the Cyber Crimes laws were devised and put into effect at the time of Daniel Pearl’s kidnapping, the language has since then turned into encapsulating most activity online and categorizing it as illegal.
While there is no question about the critical importance of the law itself, the unquestionable authority it gives to trigger-happy, untrained law enforcement agents or judiciary, who may not understand how IPs are spoofed or firewalls are circumvented, puts the average user at risk.
Privacy is an ethical, legal and birth right of every individual on the planet. Who decides when it is okay to log your SMS or telephone conversations is something that has been up for heated debate in all corners of civil society.
The integrity of your business is at stake if clients who use your services can be exposed to unauthorized third parties perusing their personal information. That is a business risk. Laws are meant to facilitate and enable trade, not destroy it.
As more and more of our lives get integrated into the Cloud, it is more realistic that our every move is being tracked in real time. But practicing a few safeguards and measures will help to keep you and your information, well, safe. Privacy is your right. Know it. Fight for it.