Privacy Threats Everywhere

By David Rittenhouse  |  Posted 2002-05-28 Print this article Print

Many different kinds of individuals and agencies seek personal information, each using differing methods. These groups, and the methods they employ, will be examined below. Individuals
This group includes co-workers, family members, and hackers/crackers. Their motivation for accessing personal information could range from professional jealousy, curiosity, to mistrust or malicious/criminal intent. The methods employed by individuals are primarily exploitation of inherent system weaknesses, "social engineering" tactics--such as simply asking for information that allows access, or use of specialized software tools such as monitoring programs, password cracking programs or Trojan horse programs.
One of the most well known home computer monitoring programs, called Spector from, sells for under $70. Hundreds of password cracking and Trojan programs are freely available on Internet on sites such as In recent years, password cracking tools have evolved from tools that required you to have an intricate understanding of computer systems into more simplified tools that are very user friendly. The freeware password cracking tool called Cain from is an example of this simplified type. Within minutes of installation, Cain can reveal passwords for screensavers, Internet dial-up logons, internal networks, and other passwords that have been used on a Windows based computer system. When I first tested Cain, it correctly identified the password that would allow access to make changes on my personal web page.
This group includes any commercial organizations that utilize tools to gather, analyze, and maintain personal information about individuals without the individuals knowledge or consent. The techniques used include data mining to correlate data and deduce previously unknown facts about individuals, using web page cookies to gather data surreptitiously, and offering software spyware programs to the public which contain hidden functions to send information secretly back to the manufacturer. Programs classified as spyware are too numerous to list, but include such popular programs as: RealPlayer, Download Accelerator, Comet Cursor, PKZip, Cute FTP, GoZilla, and Kazaa. One extensive list of spyware infested programs can be viewed at: Microsoft uses a tracking device called a Globally Unique Identifier (GUID) in its Windows Media Player application and many other Microsoft-owned properties. Alternatively referred to as a "super cookie", it can be used to secretly track the Web surfing habits of a particular user across MSN, Hotmail, and Note that as various forms of spyware become known or tracking subterfuges are exposed, companies modify or eliminate their data-gathering techniques. Some of the products listed above have recently removed or modified their spyware aspects, while others, such as Kazaa, have only recently been announced. The underlying ability remains, however, and the temptation is strong. In addition to data gathering for dubious purposes, businesses can also constitute a threat to individual privacy by mishandling information they control. Two recent examples of this were the disclosure of the names of 600 Prozac users by pharmaceutical company Eli Lilly, and the disclosure of 400 organ donor names by the University of Minnesota. Government Agencies
This group could include any state or federal agency which does not take its information management responsibilities seriously, however, the majority of privacy issues stem from just four federal agencies; the Internal Revenue Service (IRS), Central Intelligence Agency (CIA), National Security Agency (NSA), and Federal Bureau of Investigation (FBI). The IRS and CIA have both had highly publicized incidents where they failed to safeguard the private information within their possession. According to Iowa Representative Greg Ganske, IRS employees have been repeatedly caught improperly using information in the custody of the agency, but the General Accounting Office found that only 2.3% of those caught were actually fired. As recently as March of 2002, the CIA was embarrassed by having its network mapped and the names, phone numbers and e-mail addresses of numerous agents posted on the Internet. The situation with the CIA was further exacerbated by the fact that this occurred after the September 11th terrorist attacks, and was accomplished in merely two days using freely accessible and unclassified information found on the Internet. While the IRS and CIA may cause privacy concerns by mishandling information, it is the information gathering methods of the NSA and FBI that sometimes places those agencies at odds with individual privacy. Agencies of the U.S. Federal Government have long used technology to gather information on citizens. The first telephone wiretap in the United States occurred in 1885 – only four years after the introduction of the telephone. According to Justice John Paul Stevens of the U.S. Supreme Court, the FBI had amassed records on 24 million people as of 1989. In comparison, the 1999 CNN special report "Cold War" disclosed that the former East Germanys Stasi, or secret police, amassed records on only 6 million people. The FBIs use of secretly installed keystroke logging software was recently made public by the case of Nicodemo S. Scarfo (United States v. Scarfo, 2002). In that case, the FBI obtained court approval to covertly enter Mr. Scarfos premises and install software that recorded every keystroke made on Mr. Scarfos computer including his typed passwords. The FBI also uses another information-gathering tool, DCS-1000, formerly called CARNIVORE. This system consists of hardware connected to an Internet service providers equipment that allows the FBI to intercept all e-mail traffic sent or received by a specific individual without their knowledge. Unlike traditional telephone wiretaps, which must be narrowly focused, to intercept specific targeted conversations, DCS-1000 searches and intercepts all communications of an individual. Title 18, section 2518(4) of the United States Code gives Internet service providers no choice in cooperating with electronic surveillance. In November of 2001, an FBI response to a Freedom of Information Act request, admitted the existence of "an enhanced CARNIVORE project" called "Magic Lantern" - a remotely installable key logger that can be sent to a computer via e-mail. The NSA uses a much larger system for interception of communications data. It is called ECHELON, and consists of a global network of satellites and monitoring stations that screen all telephonic, e-mail, and facsimile transmissions. Obviously, processing all such data would be impossible; however, the system does not process all of the data, but rather carefully screens it for specific keywords and phrases, and captures only transmissions that meet pre-defined criteria. All of the captured data is then analyzed to extract pertinent information. Both CARNIVORE and ECHELON have evoked grass-roots protest movements. Another method of government information gathering that could possibly pose a privacy risk is monitoring of TEMPEST emanations. These electronic signals are created by a computer monitor, and can be intercepted and used to re-create the screen image. This technology requires sensitive reception equipment that must be in close physical proximity to the computer being observed. Such reception equipment is illegal for individuals to possess, use, or sell in the United States. This concludes Part One of Privacy and Security on your PC. The second installment covers a layered approach to computer security. As we go through the six levels, well give you links to tools that can help you secure your system and keep your personal data private. Click here to continue on to Part II.


Submit a Comment

Loading Comments...
Manage your Newsletters: Login   Register My Newsletters

Rocket Fuel