Wednesday, June 24

Online Identity Privacy - Users Don't Take Precautions

One of my tenets for online privacy is:
Don't do anything online that you absolutely want to keep private.
Case in point:

I was looking through the form submissions to my company's web site. There is consistently some percentage of submissions that are auto-submitted spam. Sometimes it's obvious and sometimes not.

Today, I was researching one submission and googled her name and email. The search brought me to a page that listed a spreadsheet of form submissions to another site - complete with names, email, phone numbers, and comments. Some obvious spam, but others obviously real.

They're showing up because of a technical glitch or security issue on the site: the Google search brought me directly to the site's administrative page, with no logon required.

What makes this story interesting is that the site is a Las Vegas escort service and some of the form submissions read as follows:
  • From a student ( - "very interested"
  • From a student ( - "I need a price on ____"
  • From someone claiming to work at Microsoft - "Hi, I'm planning a trip to Vegas with my fiance but I wanna get away from her for one night. What is the limit to your services and who would you recommend? I need a girl with _____. Thank you for your time." (how polite) ...he may not have put his real company, but another quick search found his email address with a profile telling me that he lives in Seattle(!)
  • From a Web Developer in MN - "I am interested in an escort to accompany me to dinner" - (I found his LinkedIn profile because he provided his real company name). You get the idea.

Two lessons:
  • First, the obvious one - don't trust web sites to keep your information private.
  • Second, (to the security practitioners who read this blog) - don't underestimate how willing people are to give up their personal information to even the most suspect organizations.

btw - Who thinks this privacy breach will be reported?


Anonymous said...

That web developer is the guy who created the escort site.

The other entries may be bogus as well.

Matt Flynn said...

Thanks - I contacted the developer to inform them. Hopefully, he'll correct the issue.

Anonymous said...

What are the precautions that individuals could take to protect themselves against online privacy?

Matt Flynn said...

Well, that's not an easy question to answer and there are probably many differing opinions. I was serious about saying 'don't do anything online that you absolutely want to keep private' - there's no 100% secure system.

Doing your best means:
- Keep your system up to date (OS, browser, antivirus)
- Don't submit a form without confirming the SSL certificate and form ACTION tag (where it will submit to)
- Disable javascript, ActiveX, and Flash when not required
- Don't click suspicious links

...and more like that. But, these practices need to be balanced with what you hope to gain from using the web. Everything is a balance. You're completely safe if you turn off the computer, but then you can't use it either and enjoy the funny videos (that might be suspicious), online banking (that is high-value), and other tasks.
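A small check of the kind the second bullet in the list above describes (confirming where a form's ACTION will submit to), added here as an example and not code from the post or its author. It assumes a page served over HTTPS; the form actions and the page URL in the sample are constructed, and `auditFormActions` is a hypothetical helper name.

```javascript
// Added example: audit the ACTION targets of forms before submitting anything.
// The core function is pure (page URL + list of action attributes), so it can be
// exercised offline; auditCurrentPage() wires it to the live DOM in a browser.
function auditFormActions(pageUrl, actions) {
  const page = new URL(pageUrl);
  return actions.map((action, index) => {
    // A missing or empty action submits back to the current page URL;
    // a relative action resolves against the page, exactly as the browser does.
    const target = new URL(action || '', page);
    const findings = [];
    if (target.protocol !== 'https:') {
      findings.push('not-https');            // data would leave the browser in the clear
    }
    if (target.origin !== page.origin) {
      findings.push('cross-origin:' + target.origin); // submits to a different site
    }
    return { index, target: target.href, findings };
  });
}

// Browser usage: collect every form's raw action attribute from the page
// and check it against the page's own origin. Returns [] outside a browser.
function auditCurrentPage() {
  if (typeof document === 'undefined') return [];
  const actions = Array.from(document.forms).map(f => f.getAttribute('action'));
  return auditFormActions(location.href, actions);
}

// Constructed sample: a contact page with three forms. The first posts back to the
// same site, the second posts over plain HTTP to a third party, the third has no action.
const SAMPLE_PAGE = 'https://www.example.com/contact';
const SAMPLE_ACTIONS = ['/submit', 'http://collector.example.net/forms.php', ''];

// Summarise the sample so the result can be read at a glance.
function summarise(results) {
  return results.map(r => `form ${r.index} -> ${r.target} ${r.findings.join(',') || 'ok'}`);
}

console.log(summarise(auditFormActions(SAMPLE_PAGE, SAMPLE_ACTIONS)).join('\n'));
```

Run it from the browser console on a page you are about to submit to, or under Node with the constructed sample; any form flagged `not-https` or `cross-origin` deserves a second look before you fill it in.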