Asset Protection BLOG - Mark Nestmann

Web-savvy employers and universities are increasingly employing a new tactic to screen applicants: conducting online research to unearth photos, blog entries, or other "digital dirt" you might prefer to keep private. 

Indeed, companies are springing up to dig up Internet postings that might be of interest to employers, government agencies, or whoever else might be interested.  For instance, you can view Web pages that were modified months or even years ago through the Internet Archive, also known as the Wayback Machine, at http://www.archive.org. 

But that doesn't mean you can't obscure your digital trail.  While I normally suggest that anyone interested in privacy avoid posting information to the Internet about themselves, if data you don't want others to see is already there, here are a few suggestions on how to cope:

Delete, delete, delete.  Start by deleting any photo, personal profile, or personal description on any social networking or dating Web site that is even mildly embarrassing.  For instance, I suspect Sergey Brin, the co-founder of Google founders, might prefer not to have this photo of him in drag immortalized.  While Sergey may be wealthy enough not to care, you may not be. 

Unfortunately, most social networking sites create archives in which your photos may reside permanently, even if you delete them from your profile.  Someone with a link to the original photo—or using the Internet Archive—might be able to find it. 

Do a search of yourself on Google.  Look for any links back to potentially incriminating or embarrassing posts or photos.  Unfortunately, Google won't remove content itself, but merely will refer you to the Webmaster posting the content.  If you can't figure out who's in charge of a Web site, search for the owner at www.whois.net.  Contact the owner of the site and ask that comments by or about you be deleted. In most cases the owner has no obligation to remove the content, but it may do so if you persist or threaten legal action.

Set up a Google alert for yourself.  You'll receive a daily e-mail update of the latest updates of whatever topic—yourself in this case—that you choose.  This is a great way to monitor what others are saying about you online.

Create favorable content about yourself.  You can do this in many ways.  For instance, create a professional Web site and/or professional blog.  For blogs, Wordpress, LiveJournal and TypePad all have high Google page ranks. You can also create a Wikipedia entry for yourself.  To further insure these sites are at the top of any Google search of your name, use title tags and headers to highlight information about you that you want people to see.  Don't forget to create a Google profile that contains the information about yourself you wish to highlight.  You can also leave comments on blogs and Web sites you respect under your own name. 

Use social networking sites intelligently.  It's almost impossible to permanently eliminate content you post to social networking sites, even if you unsubscribe.  However, you can also use these sites to your advantage, especially if you're setting up a profile for the first time.  Web sites like Facebook, MySpace, LinkedIn, Flickr, and Twitter are a good place to begin.  You don't even need to use these sites.  Just create a profile and add the content you want people to see.   Web sites that let you create a unique link with your name in it are especially useful (e.g., LinkedIn).  Those pages will show up ahead of most other sites that might contain content you don't want others to view.

Use protection.  There's no such thing as an Internet condom, but you can hire companies that will contact sites that have published material pertinent to your character.  One that has good reviews—although I haven't used it personally—is http://www.trackur.com.

Just don't forget that once you've posted something on the Internet, it's very difficult to permanently delete it.  So before you hit the "post" button, be absolutely certain that whatever you're about to send into cyberspace belongs there.

Copyright © 2009 by Mark Nestmann

If you live in the United States, you might have the naïve idea that police can’t enter your home without a search warrant.  That’s generally true, but the federal agency responsible for regulating electronic communications claims that it can.  If you own any electronic device that emits radio frequency (RF) energy, the Federal Communications Commission says it can enter your home any time to inspect it. 

Most of us, of course, own multiple RF devices.  Your cell phone, your wireless Internet connection, and even your garage door opener all transmit signals through the air.  All are fair game for warrantless inspection, the FCC says.

The FCC claims it is only interested in RF devices that use “unlicensed” frequencies.  For instance, if you operate a radio station out of your home, and didn’t bother to obtain a broadcasting license for it, the FCC may come calling.  That’s particular true if the signal is powerful enough to interfere with the signal from a licensed station.

However, the FCC says that it can also inspect equipment using “licensed” frequencies.  And that includes every household in the United States, with the possible exception of groups like the Amish, who eschew modern electronic devices. 

The FCC doesn’t have the right to seize anything—only to inspect any broadcasting RF devices.  However, if agents see anything in your home that’s “suspicious,” they can notify police, who may then be able to obtain a warrant for a more thorough search.

According to the FCC, its authority to search private homes comes from a 75-year old law authorizing warrantless administrative searches of radio transmitters.  Back in 1934, of course, there were no wireless routers, cell phones, or RF-activated garage door openers. Today, almost everyone does, yet the FCC still claims the same powers.

The saving grace to this policy is that the FCC won’t simply barge into your home if it wants to inspect any of the RF devices you own.  Instead, it will leave a note on your door announcing its intention to inspect whatever unlicensed (or licensed) RF devices in your home. 

If such a notice appears on your door, don’t call the FCC to schedule an inspection.  Call your lawyer.  You have a right for your lawyer to be present for any warrantless inspection of your home. 

Copyright © 2009 by Mark Nestmann

U.S. Supreme Court Justice Antonin Scalia doesn't think you have a right to privacy in most aspects of your life.  But he doesn't care to have his own privacy invaded—although he admits it's perfectly legal.

Back in January, Scalia spoke at a privacy conference organized by the Institute of American and Talmudic Law.  While his speech wasn't recorded (apparently at his own insistence), one of his remarks was a statement to the effect:

"Every single datum about my life is private? That's silly."  Some information should remain private, "but it doesn't include what groceries I buy."

Scalia also said he wasn't bothered by anyone tracking him on the Internet.  "I don't find that particularly offensive…I don't find it a secret what I buy, unless it's shameful."

Taking a cue from Scalia's remarks, Fordham Law Professor Joel Reidenberg decided to give the students in his Information Privacy Law class a special assignment: find everything they could about  Scalia on the Internet, and compile a dossier on him.  Among other findings, students discovered Scalia's home address and home phone number, his wife's personal e-mail address, and his food and entertainment preferences.

Scalia's reaction wasn't surprising.  He didn't like having this information published.  Said Scalia:

It is not a rare phenomenon that what is legal may also be quite irresponsible. That appears in the First Amendment context all the time. What can be said often should not be said. Prof. Reidenberg's exercise is an example of perfectly legal, abominably poor judgment. Since he was not teaching a course in judgment, I presume he felt no responsibility to display any.

Well, well.  Nothing like being dressed down by a Supreme Court justice! 

But perhaps Justice Scalia should give the matter some more consideration.  Not everything that should remain private, for instance, is shameful.  Your bank account transaction data may not be shameful (well, perhaps it is…), but that doesn't mean anyone should be able to view it.  Nor is your Social Security number shameful—but it's not a good idea to broadcast it to potential identity thieves.

Still, the most revealing portraits come from not just one or two data points, but the aggregation of volumes of data, all freely available to anyone who cares to gather it.  Taken together, this information paints a remarkably detailed portrait of "you."  And it's perfectly legal to compile, even if, as the good Justice Scalia reminds us, the person gathering it, or using it, may be exercising "bad judgment." 

Copyright © 2009 by Mark Nestmann

Click here to learn 109 ways you can begin to use today to protect what's left of your privacy

You might think that it’s illegal to wiretap telephone calls.  But that hasn’t stopped a growing number of companies from offering a full line of wiretapping software for dozens of cell phones.  And while using the software is illegal in most countries, that’s not stopping these companies from selling it. 

To install these programs, which go by names such as FlexiSPY or Mobile-Spy, all you need is access to the targeted cell phone.  Once you install it—a process that takes about five minutes—you can listen to your target’s phone calls and read his or her text messages, call detail (number, time, duration) and any e-mails sent from the phone. 

With a GPS-enabled phone, you can obtain the location where your target made each call.  And switch on “Spycall” mode (FlexiSPY) and you can listen in to any conversation in the vicinity of your target’s phone—not just phone conversations.  In some cell models, you can monitor conversations even if the phone is turned off. 

The software delivers all this data to an online account, where you can view it from any these Internet enabled cell phone or PC.

Manufacturers of these programs claim they’re legal.  For instance, the FlexiSPY Web site states: 

The product is not illegal, but the way in which it is used may break local laws. In general, you may use it on a phone that you own, for protecting your children, for archiving data, for enforcing explicitly stated business use guidelines and so on. We do not support any illegal use of our products, and the term of sale means that you agree to abide by your local laws.

Maybe that’s true in Thailand, where FlexiSPY is based.  But it’s not true in most other countries.   

You’re bugging someone’s phone and listening in on everything said and all data transmitted.  And that’s illegal in the United States, the United Kingdom, and almost everywhere else, unless you obtain a search warrant or other legal authority to do so.

 But meanwhile, sales of what one wag on the Internet calls “spouseware” appear to be booming.  So even if it’s illegal to bug someone’s phone, lots of people are doing it.  And the consequences could obviously be catastrophic if you discuss anything on your cell phone you wouldn’t want published on the front page of The New York Times.

How can you protect yourself?  One strategy is to use a phone that spouseware makers don’t support.  Click here for a list of supported phones for FlexiSPY.  

Second, never let your cell phone out of your possession.  While intelligence agencies can likely download spy software to your cell phone surreptitiously, all the commercial wiretapping software I’ve seen requires the eavesdropper to have physical possession of the target phone to install the application.

Third, use a log-on password for your cell phone.  This won't defeat a government eavesdropper, but it will frustrate efforts by a non-professional to monitor your cell phone data.

Fourth, if you want to make sure that your cell phone isn’t being used as a bug, take the battery out of it.  Obviously, you can’t use it in this situation, but at least it won’t be broadcasting your conversations to persons unknown.

Fifth, be alert to your phone battery being depleted more quickly than normal.  That might indicate a worn-out battery, but it could also be a clue that your phone is transmitting surreptitiously.

Sixth, be alert to how warm your phone is.  It’s normal for it to be warm after an extended conversation.  But if it’s warm and you haven’t used it recently, that raises the possibility it’s transmitting data without your permission. 

Seventh, if you use a GSM phone (common throughout the world except for the United States), walk toward a set of stereo speakers.  Buzzing interference from speakers is common with GSM phones.  If you hear buzzing when you’re not making a call, however, your phone could be bugged.

Copyright © 2009 by Mark Nestmann

No, it's not an April Fool's joke.  If only it were…

Imagine you're a lawyer working on an important legal brief for a client at a coffee shop, airport or other public location.  Unknown to you, your legal opponent is sitting on the other side of the room.  Using an oscilloscope and an inexpensive wireless antenna, he sits down at his own laptop, and activates monitoring software.  Thanks to a tiny antenna between your keyboard and the computer processor, your adversary can read everything you're typing into your laptop, with up to 95% accuracy, more than 60 feet away.

Even encrypted wireless keyboards are vulnerable, because each key still gives off a unique electromagnetic signal, which can be picked up with an antenna.

If that's not bad enough, if you're in the line of sight of your adversary—even hundreds of feet away—he can aim a laser microphone at your laptop to read what you've written.  Using the laser's precise rendering of the vibrations your keystrokes leave on the screen, he can monitor what you've typed. 

An attacker can pull off the same exploit, with similar results, on your home or office PC.  It's even easier, in fact, because desktop monitors are larger.  Plus, if you use an older PS/2 keyboard, hackers can pull the same information out of a nearby power socket.

Defense researchers have know for more than 50 years that it's possible to recover data from "leaks" in electronic equipment.  Most of their research—which at one time was code-named "Tempest"—is still classified.  But in the meantime, civilian researchers have discovered numerous ways to recover data using off-the-shelf components.  Indeed, the laptop keyboard sniffer I just described can be constructed for less than US$5,000. 

How can you protect yourself?  The most basic precaution is to not use a PS/2 keyboard.  Beyond that, you can purchase a "Tempest" laptop or PC certified to meet military standards.  They cost considerably more than ordinary PCs, but if you believe someone might target you for this attack, they're worth every penny.  Search the Internet for "Tempest laptop" or "tempest PC" to find suppliers.

Copyright © 2009 by Mark Nestmann

One of my standing recommendations to clients is that they hold investments traded on a securities exchange, rather than on the balance sheet of a financial institution. This strategy largely avoids the possibility of loss if the financial institution becomes insolvent, although it does not eliminate the market risk for the securities investment.

Basically, the reasoning here is that you don't want your investments to be a hostage to the safety (or lack thereof) of your bank or brokerage.  So, for instance, instead of holding short-term investments in a brokerage's money market fund, consider holding them in a short-term Treasury bill fund traded on the NYSE or other exchange. 

This strategy paid off big-time for investors who maintained brokerage accounts with Stanford Private Wealth Management.  This company is now under investigation in an alleged US$8 billion Ponzi scheme masterminded by its founder, R. Allen Stanford. 

Last month, a U.S. court froze 32,000 investor brokerage accounts with Stanford when the SEC sued Stanford, two associates and three affiliated companies.  Most of these accounts (more than 28,000) were quickly unfrozen.  However, on March 12, a federal judge in Dallas indefinitely extended the freeze on more than US$1 billion in about 4,000 remaining Stanford accounts.  To recover these monies, the receiver (i.e., the official appointed by the court to recover assets to repay victims of the Ponzi scheme) may require investors to submit proof that their funds aren't tainted by fraudulent activity.

Since many of these 4,000 accounts belong to Stanford employees, this proposal is not unreasonable.  However, not all the account-holders are Stanford employees.  Many of them merely purchased high-yield certificates of deposit throughAntigua-based Stanford International Bank.  These CDs aren't traded on any exchange and appear to be part of the bank's balance sheet.  Although we don't know how things will shake out in court, the account-holders who purchased these CDs may well be considered unsecured creditors of the bank.  They'll need to wait in line with all other unsecured creditors to divvy up whatever proceeds the receiver can recover.  It's entirely possible they'll lose close to 100% of their investment.

The lesson should be clear.  Particularly in these times of extreme financial uncertainty, avoid keeping significant investments on the balance sheet of any financial institution, unless you're very confident of long-term solvency. 

Copyright © 2009 by Mark Nestmann

Nothing is "too much" when it comes to protecting our children.  Especially your privacy.

Republicans in the U.S. Senate and House have introduced companion bills that would force Internet Service providers (ISPs) to retain user data from every subscriber for up to two years.  Key congressional Democrats and the Obama administration appear to endorse their proposal.  And it's all intended, supposedly, to protect children from sexual exploitation by adults.

What's to be recorded?  Everything, according to the proposed "Internet Stopping Adults Facilitating the Exploitation of Today's Youth Act," or Internet Safety Act.  For starters, your e-mail messages, your Web browsing records, and most likely, the contents of any telephone calls you make or receive over the Internet.

And it's not just commercial ISPs that will be affected.  Iif you have a wi-fi router at home, you're supposed to surveil yourself.  Hotels, libraries, universities, local coffee shops—indeed anyone offering Internet access anywhere in the United States—will need to keep and maintain these records.

Consider for a moment what these records might contain.  Every day, billions of spam messages promoting pornographic websites are sent to millions of email addresses—perhaps yours.  Naturally, the Internet Safety Act requires that your ISP save these messages (or you, if you have a wireless Internet connection).  In addition, many Internet pages display pop-up messages that contain pornographic images.  You must save those images, too, even if you have absolutely zero interest in child pornography, or any kind of pornography.

Under existing law, if any of these images are of people in nude or sexually suggestive poses who appear to be under the age of 18, you can be arrested for possession of child pornography. 

In other words, the Internet Safety Act would, by its very purpose, open the door for virtually anyone who uses the Internet to be arrested on child porn charges.  However, I suspect that the data won't be used to fight child pornography as much as it's used in other types of investigations.

But, incredibly, that's not the worst part of this bill.  The worst part is that the stored data will be an identify thief's pipe dream.  Consider what you'll have to do once this law comes into effect if you have a home or office network.  First, you'll need to install some very expensive storage devices that can store two years of data for everything you do online.  You won't have access to the stored data—after all, you might delete it, and that would be illegal. 

So now you have millions of Americans possessing at home (or perhaps in an online repository) data reflecting everything they've done online for the last two years.  Your user IDs, passwords, and other confidential data will be there for the taking by any hacker smart enough to get past whatever security measures are put in place.  And don't think those measures will be impenetrable.  If hackers can clone supposedly "ultra-secure" RFID passports (which they have done already), how safe do you think your data will be?

But the most laughable aspect of this proposal is how easy it will be to evade it.  If you take the simple precaution of subscribing to a "virtual private network" (VPN) your ISP will see only an encrypted data stream flowing through your online connection.  So, I anticipate that a companion bill to the Internet Safety Act will force that VPNs turn over their encryption keys over to the Department of Justice for "safekeeping."  That will naturally cause anyone seeking privacy to subscribe to non-U.S. VPNs, although the Obama administration apparently wants to extend these requirements globally.

If they achieve this goal, the only way left to communicate privately may be to do what I did as a child—string two tin cans together with a wire. 

"Hello, can you hear me?"

Copyright © 2009 by Mark Nestmann

Whether you're browsing the Internet, sending or receiving text messages, or chatting on your cell phone, information you may think is private very often is not.

That's why it's important to educate yourself on counter-surveillance strategies to reclaim your electronic privacy.  And now, the Electronic Frontier Foundation (EFF) has created its Surveillance Self-Defense project—an online how-to guide for protecting your private data against government spying. You can read about the project at http://ssd.eff.org.

I view myself as fairly knowledgeable about electronic surveillance threats, but I learned a great deal I didn't know when I reviewed the guide.  For instance, you probably have heard of "cookies"—those bits of code that record your use of a Web site and your user preferences.  Modern Web browsers give you ability to discard cookies periodically or even every time you close the browser. 

However, new "super-cookies" can't be deleted as easily.  For instance, the Firefox Web browser has a feature called "DOM storage" that tracks your visits to Web sites using this technology.  Surveillance Self-Defense tells you how to turn this feature off so that hackers, government investigators--or anyone else--can't track your movements on the Internet.

There's lots of other good stuff in Surveillance Self-Defense on subjects ranging from encryption to securing instant messages.  I recommend that you read Surveillance Self-Defense and take its suggestions to heart.  Doing so will give the government—and anyone else—a lot less information to search, seize, subpoena or spy upon.

Copyright © 2009 by Mark Nestmann

Do you carry an American Express card?  If you do, you need to know about new new terms of service effective April 2, 2009 under which AMEX can try to contact you at any phone number even remotely connected with your account.

Here's an excerpt:

"You authorize us to call or send a text message to you at any number you give us or from which you call us, including mobile phones. You authorize us to make such calls using automatic telephone dialing systems for any lawful purpose, including but not limited to: suspected fraud or identity theft; Account transactions or servicing; offers of American Express products and services; and collecting on your Account.  You authorize us to place prerecorded calls in connection with the status of your account, or security and identity theft matters.  You agree to pay any fees or charges you incur for incoming calls or text messages from us without reimbursement."

If you don't accept these new conditions, you need to contact AMEX immediately and cancel your account.  When I called AMEX to inquire about the new policy, a customer service representative told me that I could opt out of any marketing-related phone communication under the new policy. 

However, opting out isn't legally binding, although if you decide not to cancel your AMEX account, I recommend you opt out of as many types of communications as possible.  Otherwise, AMEX can call you anytime, day or night, with pre-recorded sales pitches, text message spam, or for any other reason. And what happens if someone steals your cell phone and a phone or text message arrives broadcasting your personal information to the thief?  That's an invitation to disaster. 

Plus, if AMEX calls or texts you on a cell phone, you may be paying to listen to their sales pitch.  If you travel frequently on an expensive international roaming rate, you could easily pay several dollars each time the company tries to contact you.

Then there's the question of having AMEX contact you at any number from which you call.  That means if you contact AMEX from a phone owned by a friend, family member, or business associate, the company can spam that number, too. 

I'm a consultant, and I've toyed with the idea of offering clients a "hot line" that they could use to contact me anytime, day or night, in an emergency.  If I offered this service, I would probably sell it for thousands of dollars per year.  Yet, AMEX claims the right to do the same thing, without paying anything!

Hopefully, if enough people complain to AMEX, the company will reverse this policy.  At a minimum, AMEX should modify the policy to make clear that cardholders have a clear option to opt-out of all but emergency contact by a human being—not a prerecorded message—in case of suspected credit card fraud.

Copyright © 2009 by Mark Nestmann

A prevailing feature of the ongoing War on Privacy is a technological game of leapfrog.  A technical innovation that protects privacy (or reduces it) leads to a countermeasure to temporarily restore equilibrium.  Then another innovation comes along, and the cycle repeats. 

Such is the story of caller ID, a technology that originated in the early 1990s.  From the outset, you could shield your phone number on a call recipient's caller ID screen (at least in the United States) by dialing *67 before you dialed.  Alternatively, you could ask your phone carrier for caller ID blocking for all outgoing calls.

Naturally, there were exceptions.  Caller ID doesn't block calls to 800 numbers, because the recipient pays for the calls.  It doesn't work for 900 numbers, either.  And apparently, calls to law enforcement and other emergency services (e.g. 911 calls) aren't blocked, either.   

Privacy advocates didn't like caller ID for obvious reasons.  Advocates for victims of domestic violence insisted that caller ID blocking be made freely available.  Thanks to their efforts, it was.

On the other hand, some people didn't want to receive calls they couldn't identify (e.g., from telemarketers, and old flame, or whoever).  So telephone companies began to offer "anonymous call rejection" services.  If a call comes in without a caller ID, the call originator must unblock caller ID to complete it. 

The next step in this technological game of leapfrog came when caller ID "spoofing" services sprang up.  These Internet-based services allow privacy seekers to assume the identity of another caller.  For instance, you could make it appear that your call is originating from the White House, the FBI, or anyone else.  Whatever number you tell the spoofing service to insert is what appears on the recipient's caller ID display.

The latest innovation threatens to make caller ID blocking obsolete.  A new service called TrapCall (http://www.trapcall.com) allows cell phone users to unmask blocked caller ID on incoming calls.  You can obtain the caller's phone number—and in some cases their name and billing address as well. 

The basic service is free, although it currently works only with AT&T and T-Mobile subscribers in the United States. It works by exploiting the fact that calls to 800 numbers aren't anonymous.  So when you receive a blocked call on your TrapCall-enabled cell phone, it's automatically routed to an 800 number and back to you, in a matter of seconds.  The caller originating the blocked call only hears the phone ringing—there is no clue you're unmasking his or her identity.

For the moment, the only way I know of to reliably defeat TrapCall is to use a caller ID spoofing service—which one of TrapCall's affiliates, SpoofCard (http://www.spoofcard.com) will gladly provide.  Or you can make your call from a payphone—or borrow someone else's phone. 

Perhaps someone will come along with another technology to defeat caller ID unblocking services like TrapCall.  But until that happens, before you pick up the phone, ask yourself if you're willing to have the recipient of your call knowing not only your phone number, but also your name, and where you live.

Copyright © 2009 by Mark Nestmann