Prying eyes

H-P scandal lays bare how the Web has become a personal info free-for-all

Jeff Smith, Rocky Mountain News

Monday, October 16, 2006

Consumers had plenty to worry about concerning online privacy before the Hewlett-Packard corporate spying scandal.

Internet search engines and a variety of Web tools such as "cookies" gather extensive information about a typical person's Web-browsing activities.

Identity theft is a growing problem, and the H-P fiasco shed additional light on how easy it is for someone to access a person's confidential records, such as private phone records.

In the H-P case, a Jefferson County subcontractor named Bryan Wagner allegedly established online accounts and accessed phone records with as little information as a name, phone number and the last four digits of a Social Security number.

"What's really stinky is that Colorado is one of about a handful of states that doesn't regulate private investigators," said Beth Givens, director of the Privacy Rights Clearinghouse in San Diego, a nonprofit that helps educate consumers.

And if all of that isn't enough to concern consumers, here's a staggering figure: More than 93 million data records of Americans have been exposed to breaches since February 2005, according to the clearinghouse.

"And there's really nothing you can do about that," Givens said.

"You're at the mercy of any company or government agency that has your personal data."

While companies and public agencies have made strides in protecting data, the figures show that "in general they're not doing a very good job."

Consumers can help themselves by making sure they are using secured Web sites when conducting sensitive transactions, by making sure their computers are equipped with good software to prevent identity theft, and by reading the privacy policies of companies to understand how their information is being shared.

"Companies don't make it easy. There's a lot of fine print and legalese," Givens said.

To prevent the kind of pretexting illustrated in the H-P case, experts advise consumers to either turn off the online account feature or establish an online account with a very tough password to break.

And passwords should be changed often.

"Most people don't set up an online phone account," Givens said.

But it's relatively easy to do so, as proved in the H-P case. Once Wagner allegedly established online accounts of various H-P directors, he then was able to access their monthly bills and calling logs.

Consumers also need some help through better legislation, privacy experts say.

They are particularly concerned about how long search engines like AOL, Google and Yahoo keep the Internet search records of their customers.

Concerns about what information search engines keep and for how long were heightened last January when Microsoft, Yahoo and AOL reportedly complied with a Justice Department subpoena asking them to provide details about tens of thousands of search queries over a certain period.

The information supposedly was used for a case study of child pornography.

Only Google fought the subpoena.

Internet service providers like Qwest and Comcast themselves keep certain records of their customers - Comcast recently increased its data retention from 31 days to 180 days, while Qwest keeps data for up to a year.

"The long and short of it is that search engines shouldn't be collecting all this information about you," said Rebecca Jeschke, spokeswoman for the Electronic Frontier Foundation in California.

"Congress ought to step in. There should be some regulation."

Givens agrees, indicating she favors a policy adopted by Ixquick in The Netherlands where search logs are deleted every 48 hours.

She said law-enforcement agencies have a good point when they say they need search records to track down somebody trafficking in child pornography, but she believes they can use subpoenas to monitor the Internet activity of suspects.

Consumers also undermine their own Internet privacy when they give out personal information such as on social networking sites such as -MySpace.com, or through commercial transactions.

"People make these kinds of exchanges every day," Jeschke said.

Jeschke herself said she has made certain trades related to her personal information by signing up for automatic debit to travel along a toll road system in her area.

By signing up for that system, "there's a record of when I went over the (toll) bridges," she said.

"Definitely, this is the kind of information that is yours, and you can make trades about it."

And consumers do, every day.

For example, a credit-card company routinely keeps information about its customers, including what kinds of places a customer frequents, when and how often, and how much they spend each time.

smithje@RockyMountainNews.com or 303-954-5155