Return to Transcripts main page
Privacy and the Internet
Aired December 7, 2004 - 23:00:00 ET
THIS IS A RUSH TRANSCRIPT. THIS COPY MAY NOT BE IN ITS FINAL FORM AND MAY BE UPDATED.
MICHAEL HOLMES, CNN HOST: Celebrities are used to it, the flashing lights of the paparazzi, the splashy tabloid covers, photographs of the rich and famous all over cyberspace. But what about your privacy? The Internet is the window to the world and to your secrets.
Hello and welcome to INSIGHT.
Computers are undeniably convenient, they are quick, but they can be dangerous as well. Spyware can track your every move on the Web, your personal information just a click away.
On our program today, privacy and the Internet.
We begin with CNN's technology correspondent Daniel Sieberg.
DANIEL SIEBERG, CNN TECHNOLOGY CORRESPONDENT (voice-over): Ever wonder if your boss is spying on you? Well, Bill Bartlett had more than a sneaking suspicion when a camera was installed literally over his shoulder at a cell phone retail shop.
BILL BARTLETT, FORMER KIOSK EMPLOYEE: I felt it was intrusive in nature. I felt like I was being harassed, actually. I received a phone call from my son on Father's Day to wish me a happy Father's Day. And I saw the camera zooming on me to see what it is that I was doing.
SIEBERG (on camera): And did you have any sort of gut reaction at various times of the day?
BARTLETT: It was so close to me that I actually found myself kind of running around the kiosk hiding from it. And it was so close to me that I had to kind of restrain myself from actually knocking it off the attachment. When I approached the owners in management in regard, I was told to deal with it or to leave. So I left.
SIEBERG (voice-over): When contacted by CNN, the kiosk owner stated that the camera was installed to protect both the company and its employees from theft and liability.
BARTLETT: I'm a proud worker and I do my job to the best of my ability. But I think there should be some guidelines.
SIEBERG (on camera): What would you tell your son when he grows up about working in a situation like you were in?
BARTLETT: Well, do whatever you can to protect your civil liberties, you know. I felt it was intrusive.
SIEBERG: Bill's situation happened to take place here in this mall, but you could be watched while you're sitting at your cubicle, talking on the phone, surfing the Web. And while some employees aren't quitting their job, they are fighting back, using technology, even if it means they could get fired.
(voice-over): Computer programs like Anonymizer are now available. They claim to shield users from monitoring software. One called X Cleaner even claims to anti-spy your boss.
DOUG ISENBERG, FOUNDER, GIGILAW.COM: You install it at your own risk.
SIEBERG: Doug Isenberg is an Internet lawyer and founder of Gigilaw.com.
(on camera): Are you familiar with some employees who have decided to fight back or decided to quit or are just really fed up with this amount of monitoring, be it necessary or not?
ISENBERG: The very act of installing that software might violate a company's Internet or computer usage policy.
SIEBERG: Because a lot of employees maybe say, you know, I spend a lot of overtime working for the company, maybe they don't get paid for it, you know, I'm here early, I leave late, I've got kids to worry about, I've got bills to pay. I just don't have time to do all these things. I have to do them at work.
ISENBERG: And that's why a lot of employers will tolerate a reasonable amount of personal computer use. The employer may learn that its employees are using e-mail for personal reasons and choose to do nothing about it because it keeps the employees happy. And that should be tolerated.
SIEBERG (voice-over): Although most employers do have a written monitoring policy in place, experts say many companies still do not do a good enough job of informing employees about those guidelines.
NANCY FLYNN, THE EPOLICY INSTITUTE: Some employers will monitor telephone conversations. Some employers have installed cameras and other security devices. And other employers are monitoring computer activity. Let your employees know what you're doing when it comes to monitoring and let them know why you're doing it.
SIEBERG: According to a recent American Management Association survey, 90 percent of employees say they use company resources for some personal use. Over 60 percent of employers monitor their workers' computer usage and 25 percent of U.S. businesses have fired an employee for e-mail abuse alone.
FLYNN: Most employees tend to think my e-mail is my business. My employer has no right to read my e-mail messages, particularly if it's a message to a friend or a family member. But in reality, here in the United States the federal government gives employers the right to monitor all employee e-mail, instant messaging and Internet activity.
SIEBERG: Ultimately, experts say companies need to find a balance between clamping down too hard and lowering employee morale and mitigating any legal hot water.
Daniel Sieberg, CNN, Coral Springs, Florida.
HOLMES: Well, more to come when we come back after the break. Fighting fraud on the Internet.
HOLMES: There's a new kind of fishing and a new kind of bait and computer users are paying the price.
The scam is called phishing. That is phishing, with a "ph". The FBI says it is the fastest growing online fraud scheme.
Again, Daniel Sieberg explains how it works.
SIEBERG (voice-over): Susanna Trotter of Richmond, Virginia bought her first computer in 1999. Within three months, her credit card number was stolen.
SUSANNA TROTTER, VICTIM OF INTERNET FRAUD: I got an e-mail from AOL saying that they needed to check my billing.
SIEBERG: Though the message looked real, it was not from AOL -- a corporate sister of CNN, by the way. It was from an online con artist and when Susanna clicked on a link inside the e-mail, it directed her to what appeared to be a customer service page, complete with legitimate links, logos and all the right language. It even had dropdown menus to select her choice of credit card. She was being duped by a very clever identity thief.
TROTTER: Well, the first thing I noticed was on my credit card that there was a charge that I didn't recognize.
SIEBERG: The thief had used the stolen credit card number to purchase some rather lewd content online.
TROTTER: And I called and it was a company out in California. And after much cajoling, I got the girl to tell me that it was an adult entertainment site. And I knew I hadn't signed up for that.
SIEBERG (on camera): The company, of course, was tricked, too. It had nothing to do with Trotter's stolen credit card information. The scheme is called phishing, spelled with a "ph", not an "f". And scammers cast wide nets in the form of mass e-mails, hoping to reel in unsuspecting victims who think the messages are legitimate.
Sometimes, however, their tactics backfire and they hook the wrong guy.
(voice-over): An FBI agent in the Norfolk field office received the same phony AOL message as Susanna. His name is Joe Vuhasz, but we can't show you his face for investigative reasons.
JOE VUHASZ, FBI AGENT: I think there is some sort of irony in the fact that they were sending the e-mail messages out in such abundance that it just so happened that I happened to get one. And one of the things that I specialize in is cyber crime. So I think there is some sort of poetic justice.
SIEBERG: The phishers had hooked an FBI agent and he had the means to track them down. Helen Carr and George Patterson are now serving time in federal prison. Their lure of choice was AOL, but other common phishing e- mails purport to be from eBay, PayPal, Citibank and U.S. Bank, among others.
EILEEN HARRINGTON, FTC CONSUMER PROTECTION BUREAU: Phishers send out huge volume of e-mail to people who may or may not have accounts with the companies that they pretend to be on the theory that these companies do so much business that some of the people who receive these e-mails are bound to have accounts or have done business with them and will bite.
SIEBERG: According to one study, 57 million U.S. adults believe they've received a phishing attack e-mail. It's estimated that 11 million of those people actually clicked on the e-mail's links to the fake Web sites.
And the trend is on the rise, according to the Anti- Phishing Working Group, with a 52 percent average monthly growth rate through June 2004.
The Federal Trade Commission operates the largest consumer complaint databases in North America. Eileen Harrington says phishing is becoming a huge problem, but it's a crime that's completely preventable.
HARRINGTON: Do not ever provide account information, a PIN, a social security number, any kind of personally identifiable information like that in response to an e-mail, even if you think it's from a legitimate and reputable company, because that's not the way that these companies do business.
SIEBERG: Susanna was able to reverse the charges on her credit card, but was rattled by the whole experience.
TROTTER: I had felt like I was safe. I didn't know enough to realize I wasn't safe. And sure, ever since that happened, I'm very, very careful.
SIEBERG: On the Internet, seeing is not believing. The logos, language and look of anything online are very easy to copy. If you think your billing records need updating, don't take the e-mail's word for it. Contact the company independently and directly yourself.
Daniel Sieberg, CNN, Atlanta.
(END VIDEO TAPE)
HOLMES: This is a growing problem. What can computer users do to protect themselves from such Internet scams as phishing?
Well, joining us now to talk about this is Parry Aftab a lawyer who specializes in cyber crime and is the executive director of WiredSafety.org.
Thanks so much for your time.
One figure I read was that 5 percent of people fall for phishing expeditions, if we can call it that. That is a lot of money potentially.
PARRY AFTAB, WIREDSAFETY.ORG: It's a lot of money and it's a worldwide problem, not just one in the United States.
HOLMES: How much money are we talking about?
AFTAB: Billions and billions and billions, because we have no way of really knowing. And the interesting thing is that you talked about the FBI agent who was phished. I've been phished. And when people come to the person who runs a group with thousands of volunteers to protect others, you know that if I am almost caught, other people who don't know as much will be caught for sure.
HOLMES: Tell me this, what is the first indication that you've been had? Is it that suspicious purchase on your credit card? Is that normally the first anyone knows that they've been phished?
AFTAB: Well, if they're phishing your credit card, you'll found out on a statement. And in the United States we have different legal protections than you do outside of the United States on being able to challenge your credit card for fraud.
However, if they're phishing your identity, so they've sent you an application for a new credit card or something special that you need to put in that may have your tax identification number or some social identification numbers to allow them to go in and apply for new credit under your name, you may not know until you're denied credit or someone starts sending you bills for something you didn't buy.
HOLMES: While some people have probably not heard about phishing, many have. I'm curious whether many people get caught for doing this.
AFTAB: So many get caught doing it. The first time I received it, it was in the guise of PayPal, and someone asked me to sign in to our charitable account because there was a problem.
If I had had our code name, I would have done it. Instead, I sent it to the head of our security and our fundraising group, saying put it in, and luckily the head of security said Parry, you were caught.
They also masquerade as sites where you can buy software at much reduced prices or even download pirated motion pictures before they hit movie theatres, asking for your credit card. Then that site doesn't charge you, but they sell your credit card information to another that will.
HOLMES: How hard is it to catch these people?
AFTAB: Well, it's hard because most people don't know how to give up the evidence we need to be able to track where it's coming from, and the sites are quite good. They may counterfeit a seal for BBB online or trustee. They have all of the links in place that look right. And every once in awhile, unfortunately, a legitimate company sends out an e-mail that looks like a phish but isn't.
So you're never really sure. The answer is, if you get anything that comes to you from your bank, from a company you want to buy from, from anybody, and asks you to sign in to a link, get out of there and log into the site the old fashioned way, through your browser, and don't ever give any information to anyone you get on e-mail, even if it looks legitimate, even if you have an account with them, even if you're absolutely sure they're trustworthy, because in all likelihood they're not.
HOLMES: I was looking around your Web site today. You cover a lot of other issues as well. If we can touch on some broader issues of privacy on the Internet in a general way, there is so much information out there that pretty much there are people who say that they can find out anything about anybody. Are we safe to do anything on the Internet?
AFTAB: Well, you're safe doing things on the Internet if you're careful. So what you need to do is not give out personal information. Don't give out your name, address, telephone number. When you're applying to register at a Web site, use a special e-mail address that you've created with hotmail or Yahoo! or one of the other free Internet accounts just for signing into sites. That will get all of the spam and all of the junk mail and hopefully all of the phishing. You'll check it when you need to because you registered, but people won't be able to find you otherwise.
Google yourself. Check your name, address, telephone number, your mobile number, and see if anyone has it upline you can find. If they do, ask them to take it down. You can really protect yourself from most of this online.
HOLMES: You know, cyber commerce is so enormous now and I have this debate with my own mother, who will not buy anything on the Internet. I buy just about everything on the Internet. My argument to her is it's no different than giving your credit card up at a restaurant if you're on a reputable site. We don't want to frighten people, do we?
AFTAB: Absolutely we don't. And e-commerce is fabulous, and your mother, you should tell, that she can shop from midnight in her bunny slippers without having to go out in bad weather. So it's a wonderful place.
But we need to be as intelligent as we are when we're in a supermarket or we're in a restaurant, we hand off our credit card. But we don't, say, hand it to somebody at the next table or hand it to a stranger outside the restaurant. We have to use common sense and always don't believe everything we see. We just need to be a little skeptical, make sure that we're protecting ourselves and know where to go when things go wrong.
HOLMES: Two things I want to cover very quickly, if I can. One is adware and spyware. There are a couple of programs out there that will track down these things, just to let people know what that is, because a lot of people, it appears on their computers, they just don't even know it's there.
AFTAB: Well, you know, where they recognize it is when these things popup on the screen, even when they're not online. So you may be surfing something and find ourselves encountering pornography or something else you don't want, ads for Viagra. So that usually comes from adware, spyware, or what we call malware.
There are some good programs out there. Lavasoft makes one called Ad- Aware and it's free as long as you run it every time you need to. Spybot is very good as well. And we have a lot of that information at WiredSafety.org.
We're a charity and you can trust us when we review a product.
HOLMES: I use both of those, actually.
The final thing I want to ask you about is there are some of us out there who get mad when people try to do these things. Can we track them down? What do we do if we want to report this?
AFTAB: Well, you shouldn't track them down. You need to go to professionals.
What you can do is you can come to WiredSafety and our security team will tell you what we need to get from your e-mail communication. You need to save a header and you need to make sure not just forwarding the e-mail, but everything, including the electronic things that go before it, so we can track it.
You can go to the Anti-Phishing Working Group site, which is AntiPhishing.org, or you can come to us at WiredSafety.org, and we'll help you. We actually are going to be using Spider Man and all of his friends on Internet safety awareness on spyware and phishing around the world, including some special custom comics, and we hope to get a lot of those in Europe and in Asia involved as well.
HOLMES: They're both great Web sites. I was looking around them today.
I want to thank you, Parry Aftab, a lawyer specializing in cyber crime. WiredSafety.org is the Web site. Thanks so much.
AFTAB: Thank you very much. I appreciate it.
HOLMES: Good information there.
Well, just ahead, something very interesting. Biometrics. It could be coming to a store near you.
(BEGIN VIDEO CLIP)
UNIDENTIFIED FEMALE: They knew where I was from. They knew what cigarettes I used to smoke and everything they did. They must have watched on the Internet.
HOLMES (voice-over): In the 1995 movie "The Net," Sandra Bullock plays a computer engineer whose identity is wiped out in cyberspace.
UNIDENTIFIED MALE: I don't know how these things happen. You know, I just ordered that security program last week. What's it called? Gatekeeper?
HOLMES: What was fiction then has become fact for hundreds of thousands of people.
(END VIDEO CLIP)
Welcome back to INSIGHT.
Phishing, as we have seen, is one way your identity can be stolen online. It can also be done the low tech way: going through your garbage. Some experts say biometrics is the key to preventing identity theft. It is the way of the future.
It is when a computer recognizes your physical characteristics, like your fingerprints, your voice patterns perhaps.
Again, Daniel Sieberg to see how this technology may change our lives.
UNIDENTIFIED FEMALE: I might forget my credit card, but I'm not forgetting my finger.
SIEBERG (voice-over): When Michelle Debose (ph) shops for groceries at her Piggly Wiggly in South Carolina, a scan of her index finger takes the place of writing a check or swiping a credit card. Shoppers can enroll in the pay-by-touch biometrics system by providing a driver's license and their checking or credit card information.
UNIDENTIFIED FEMALE: It's easy. It's quick. And you're not fumbling for your debit card and your checkbook to write it down.
SIEBERG (on camera): The Pig, as it's known here in the South, is testing the technology in four different stores before it rolls it out nationwide. Like any new technology, there's always a learning curve. Think back to ATM machines or buying something online. And so they want to make sure that they can balance convenience with security and privacy. I've already registered, so I can just go ahead and use my finger.
(voice-over): And fingers aren't the only body parts with characteristics that can be used for security. There are at least half a dozen others that act as your personal password.
(on camera): I am Daniel Sieberg. I promise you I am who I say I am.
(voice-over): At the University of West Virginia's Center for Identification Technology Research, other studies include voice recognition.
MATTHEW MONACO, UNIVERSITY OF WEST VIRGINIA: This is actually the frequency or pitch of your voice. This is an iris scan. This is actually the most accuser biometric system in use today. This essentially is reading your palm.
SIEBERG (on camera): Not a fortune teller?
MONACO: No. It's actually --
MONACO: I'm trying to see if you are actually who you say you are.
What it's measuring here is actually 14 different measurements.
SIEBERG (voice-over): Some other measures include hand geometry and facial geometry. Researchers here say a biometric can be more secure than a password or an I.D. card.
PROF. ARUN ROSS, UNIVERSITY OF WEST VIRGINIA: If I give my I.D. card to someone or someone stole it, then they would probably be able to misuse it. However, in biometrics, the person has to be at the point of transaction and he has to offer his biometric trait at that point.
SIEBERG: Before September 11, the focus of biometrics was mainly on making life a little easier for consumers while still helping to prevent identity theft. That focus changed dramatically after the terrorist attacks and the priority shifted to national security.
Legal experts are working directly with scientists on new security measures based on these physical characteristics.
PROF. LISA NELSON, UNIVERSITY OF PITTSBURGH: People are very apprehensive about biometric technology and that fear means that they're going to be less willing to accept it as part of their daily routine. So the more that they -- the less they understand about it, the more fearful they are, which means, I think, that drive, the need for legislation, the need to build in privacy protections.
SIEBERG: Secure biometrics systems extract details from a fingerprint, iris scan or other body part, then get rid of that raw data so it can't be stolen.
PROF. LARRY HORNAK, UNIVERSITY OF WEST VIRGINIA: And one of the basic principles here is to make sure that you design the system and the algorithms such that you can't go backwards.
SIEBERG: Hollywood helps fuel one bizarre but common myth about biometrics. Might someone chop off my finger to get access to all my stuff? After all, it worked for Arnold Schwarzenegger in "The Sixth Day."
Well, scientists say a new sensor, developed in 2003, will give a dismembered digit a definite thumbs down. Older sensors could not.
HORNAK: We've looked at the perspiration pattern that comes from the pores that you can then pick out living individuals relative to spoof or cadavers.
SIEBERG: But fingerprints can be faked -- PlayDoh, melted Gummi Bears and a handful of other spoofing tools are used to create then fix vulnerabilities. A stolen fingerprint on Play Dough is a common fraud attempt.
HORNAK: With one of these, you really have only one try and then you've already deformed the spoof enough that it's not going to image very well.
SIEBERG: While biometric tools can work well for company security and retail sites, some privacy watchdogs warn that the technology is being peddled as a silver bullet for enormous tasks like securing airports and builders.
LEE TIEN, ELECTRONIC FRONTIER FOUNDATION: Our feeling is that it's just not ready for prime time right now. You can change a password. You can re-key locks. But, you know, your fingers, you know, your iris, your voice, they're you. So when someone compromises the security of that kind of biometric, you're stuck.
SIEBERG: So before getting stuck, biometric users must decide how high to set the bar to determine what's a match and what's not.
ROSS: The question is what is the cost of making an error? What is the cost of falsely accepting an imposter? If I'm falsely rejected, maybe I'm going to be upset for a couple of seconds, but I could place my finger again. But if it's a false accept, you just let the wrong person into the nuclear facility.
SIEBERG: Some systems combine two different traits, say, a fingerprint and an iris scan, that could dramatically improve security.
So as this technology grows, the next time you go to the grocery store, the cashier's question might not be paper or plastic, but rather finger or eye?
Daniel Sieberg, CNN.
HOLMES: Fascinating stuff.
That is this edition of INSIGHT. I'm Michael Holmes. Thanks for being with us. The news continues.
TO ORDER VIDEOTAPES AND TRANSCRIPTS OF CNN INTERNATIONAL PROGRAMMING, PLEASE CALL 800-CNN-NEWS OR USE THE SECURE ONLINE ORDER FROM LOCATED AT www.fdch.com