At 5PM yesterday, Reputation.com sent an email to its customers revealing that their names, addresses, dates of birth, contact information, and passwords had been stolen by hackers. When your entire business model is built on protecting your users’ extremely sensitive personal data, losing that customer information is nothing short of catastrophic.

Reputation.com insists that because these passwords are encrypted, users have nothing to fear. They fail to mention what sort of encryption they use, whether the hackers have access to the key, or the risks their members now face going forward. Changing your password on Reputation.com doesn’t do much good if you use the same password on every other ecommerce site and the hackers have your email address.

In the spirit of fair play, let’s look at the things Reputation.com did right. Most importantly, they notified their users quickly, recommitted to transparency and took some sort of remedial action in an effort to rebuild trust (a year of free credit monitoring that users may claim within thirty days). Here’s the email they sent to their members:

Presumably Reputation.com’s partners–Equifax, for instance–have notified their own users of the breach. Reporting any instance, or possibility, of data loss is an obligation that all partners share. Additionally, Reputation.com’s partners need to do a little soul searching on the subject of data privacy and its priority in their own organizations. It seems inconceivable that these sorts of security questions wouldn’t have been addressed at the outset.

While it’s commendable that Reputation.com alerted its users quickly, the more important question is how such a breach could happen in the first place, and why data security wasn’t a higher priority for a company whose entire purpose is to protect its users from just this sort of privacy violation.

Safe Shepherd prides itself on privacy and protects user information in a variety of ways.  Besides the standard SSL and “hashed” and “salted” password spiel, we go a step further and encrypt photo identification with individual AES-256 encryption.  That is, the data in the database is individually encrypted and even better: our web-servers do not have access to decrypt that information.  Our servers are accessible only from white-listed IP addresses (hint, there’s one, and it’s at our office).  In short, we spend a lot of our time making sure that our users’ information remains safe in our hands.

In a story covering the event, Reputation.com’s passwords were “encrypted… so there’s almost no chance the attackers will be able to use the few they took.”  As a developer, and one concerned about privacy, this simply isn’t true.  The story makes no reference of what algorithm was used to hash the passwords.  How strong or weak the algorithm is determines when your password will be exposed.  Let me restate that: no matter what encryption was used, hashed passwords have been exposed, and they will eventually be decrypted.  If you use the same Gmail password as your Reputation.com password, you should change it.  Go ahead, do it right now.

At the end of the day, the most important outcome will be how the industry responds. Reputation.com can no longer be trusted to provide the service they’ve built their business upon, and it will be a long road to rebuilding its users’ faith in their practices. Let this serve as a warning to any company that handles sensitive data–if you’re not spending a substantial piece of your time, your creativity, and your money on data privacy and security, you’re doing it wrong.

Working in the mental health care industry, I feel that it is important that I strike a balance between providing enough information to connect with friends, family and colleagues and still maintain a professional image on social media. I don’t consider myself a private person, but I do feel that it is important to maintain a low profile on the internet.

I work with a variety of clients in a variety of settings: individuals with severe mental illness, traumatic brain injury, PTSD, veterans who just returned from Iraq or Afghanistan, children, adults and elderly. Regardless of their age, gender or diagnosis, they all have one thing in common: each one can find out very personal information about me online.

I have no control over whether or not they look up my information online, what they do with that information or how they will view me as a professional after they find information. However, I can control what information they can access.

When I started my doctoral program, the first talk that my colleagues and I were given was to “clean up” our online presence. Our professors suggested we first check Google, whitepages.com, pipl.com, etc. to see what information is available about us online. Then, do our best to remove anything that isn’t professional.

I followed their advice and was surprised at the results. Not very far into my search, I found a website that posted all of my previous addresses, my current address, a speeding ticket I received when I was 19 years old and a not-so professional description of why I was chosen as my best friend’s bridesmaid. I immediately thought, “This isn’t good. How can I get these down?”

So, my quest to scrub my online presence clean began. I asked my best friend to password protect her wedding landing page, called the court that issued my speeding ticket and asked them to remove my information from their website (no success) and looked into how I could get my addresses off the internet. After a bit of an effort, I couldn’t come up with a way to get my address or my ticket down. The best I could do was hope that my clients wouldn’t dig that deep.

As a mental health professional, the image that I portray is crucial in order for my clients to make progress. It effects how I establish rapport, my credibility, the therapeutic alliance and my client’s treatment engagement. No matter how hard I work to perfect my professional appearance, all that work can be undone with a curious mind, a click of a mouse and a publicly posted speeding ticket.

I feel that it is therefore imperative that all mental health professionals use a service like Safe Shepherd to protect their online presence, remove any less than professional information and to provide peace of mind that your information won’t get into the hands of your clients. Not only do our careers depend on it, but our client’s progress in therapy does as well.

About the author:

Shauna Geraghty is a doctoral student in Clinical Psychology and a content writer for the Talkdesk call center blog. Talkdesk provides call center software for SMBs at an affordable price.

This bill is potentially a really big deal–right now, there’s absolutely nothing to stop these companies from keeping track of your every click as you browse the web. Sure, efforts like Mozilla’s, and Apple’s by way of Safari, are great first steps that add a layer of protection to your browsing, but what no one mentions is that the ad companies and data mining outfits are under no obligation to comply with the Do Not Track requests generated by these browsers. It has been, thus far, an entirely self-regulating paradigm, and these companies have very little to lose and everything to gain by invading our privacy.

How far do these companies go? Abine has a fascinating blog post about one of the industry’s most flagrant violators, Mixpanel. This company has the hutzpah to announce to its customers that not only can it provide data on millions of web users, it can identify those web users by name. By address. By phone number. By photo. Not to mention their entire browsing history. Most of the big data brokers try to ameliorate privacy concerns by claiming their data are anonymized and that individuals should not fear identification. Mixpanel’s marketing strategy proves this isn’t necessarily true, and that we have no reason to trust that other companies aren’t treating their data the same way.

But back to the bill and how it might provide a light at the end of this very dark privacy tunnel. The way it’s written DNT does two important things that will help users control their privacy while they browse. First, it makes provisions for a browser standard that would let users opt out of all tracking by third parties with the click of a button. Second, it creates an enforcement regime that empowers both the FTC at the federal level and state’s Attorneys General to prosecute the companies that continue to surreptitiously violate individuals’ privacy by ignoring the Do Not Track requests. The hope is that empowering users to take control of their privacy settings in a transparent and standardized manner coupled with imposing real consequences upon the companies that continue to treat privacy like something to be ignored will be a watershed moment for individual online privacy.

Enter the Third Party Cookie. Third Party Cookies are the little trackers that follow you around the web and report every click you make to any number of advertising data mining companies that want to craft ads just for you. You’ve never visited the companies that use them. You’ve never given these companies permission to follow you around the web, and you’ve never even been made aware that these companies are tracking you.

The good news is that your brewer can help protect you! Mozilla announced last week that the newest upgrade to its browser, Firefox, will be a default setting that allows users to block third party cookies. If you’re using Safari, most of these third party cookies are already blocked by default. If you use Chrome or Internet Explorer, you will have to go into your browser’s privacy settings in order to block third party cookies.

Think of opting out of third party cookies like you think of putting your phone number on the federal Do Not Call list–it’s a good and necessary step toward letting you control your privacy and exposure to advertising in the face of a huge and hugely powerful industry, but it’s really just a first step. Good on Mozilla and Apple for making user privacy a priority in their browsers, but the unfortunate fact is that advertisers have the option to ignore Do Not Track requests without facing any consequences.

We need a way to hold these companies accountable for their privacy violations, and self regulation does not appear to be working. Senators Rockefeller (D-W.Va.) and Blumenthal (D-Conn.) have reintroduced a bill that would do just that. Look for a post later this week detailing the contents of the bill, how it can help protect your privacy while you browse the internet, and what you can do to convince congress to make online privacy a priority.

Gmail, after all, is operated by Google, the search master.  After signing in to Gmail, you’ve signed in to Google itself.  This means that your search history is saved, personally, under your email address.  Currently, Google claims to not share this potentially embarrassing information with anyone.  But at this point, all your queries are their property, and they are welcome to do whatever they wish with them.

In case you still want to enjoy the many awesome features associated with a Gmail account, there are two incredibly quick and simple ways to ensure search results are not logged under your name!

Method 1 – Sign out!

The easiest thing to do is to simply sign out once you’re done checking your email.  Just click your email address at the top right of your inbox.  A ‘Sign out’ button will be in the bottom right of the little box that pops open.  It’s always a good idea to sign out once you’ve finished on any website.  You never know who’s going to be using the web browser after you [even on your own computer!].

Method 2 – Disable

If you just can’t bear to sign in every time you check your email, or if you know you’re going to forget, Gmail actually allows you to “pause” search history storage.  This pause is equivalent to a cancel button, as I clicked pause about 6 months ago and am still searching anonymously.  Seeing as it is phrased as “pause”, I recommend checking once a week or so, to make sure your searches still aren’t being logged.  If you’re searching for especially sensitive or embarrassing results [whatever happened to the Backstreet Boys, for example], it might still be a good idea to sign out and use one of those private browsing windows.

Method 3 – Private Browsing Windows

Most web browsers now have ways to mask at least some of your identity online.  Google’s Chrome dubs it “Incognito”, Firefox and Safari cleverly call it “private browsing”, and internet explorer labels it “InPrivate”.  This “Private” mode doesn’t guarantee anonymity however.  If you sign in to Gmail after entering private mode, your information might be tracked.  The private mode is mostly for keeping the sites you visit out of the history stored on your computer.

Chrome:

Firefox:

Safari:

As a parent (or privacy conscious student) most of these policies are great.  But any policy can be taken too far and school policies are no exception.  Here’s some information you’ll want to know as school starts again…

Privacy and School Laptops:

As technology is increasingly incorporated into classrooms, some schools are equipping their students with computers.  This is a great step forward for education, but it comes at a privacy price.  Several schools have been caught monitoring students while they’re at home; occasionally with dire consequences.  One student in Pennsylvania was filmed (unknowingly) eating Jelly Beans at home – which wouldn’t have been a problem – but the school thought that he was taking drugs and suspended him immediately.  It took some time before his parents were able to figure out where the accusation stemmed from and were able to get it over turned.

The Jelly Bean incident was taken care of before permanent damage was done to the student’s record.  But what about schools filming their students while getting undressed at night?  Or filming sensitive conversations between a parent and child.  Those are possible situations that couldn’t be fixed nearly as easily.  The best intentions of schools, which led to the spying in the first place are having a hard time avoiding privacy issues.

All of this is to say that both on school grounds and off schools have a lot of power over students and it no longer stops at the school house doors.  If you haven’t before, take a few minutes and read your school’s policies about what is and is not allowed on school grounds and pay extra attention to any policies about computer monitoring.

Cell Phones on School Property:

School policies about cell phones vary – a lot.  Some schools allow them to be used between classes, others ban them from campus entirely.  According the the ACLU, just in California school policies are different in almost every school.  Many policies respect students privacy and focus on keeping the phones from being a distraction in class, but not all of them.  Some schools are taking a more… proactive approach to cell phones and the issues that can arise with their use.  Those schools will confiscate and search phones in the name of protecting children from themselves.  For most students that won’t pose a problem.  But for any child who stores a psychologists phone number in their phone, or who has text message reminders of doctors appointments or who has sexts on their phone the story is very different.  The communication that was intended to be private has now been shared with school personnel who may, or may not keep it strictly to themselves.

Computers on School Property:

Computers on school property are great for research, for anything else the dangers probably far outweigh the benefits.  School computers are monitored and filtered for the safety of students but still public portals that can get all sorts of spyware on them.

So long as you’re familiar with school polices on cell phones and loaned computers you’ll have what you need to keep your principal out of your electronic communications and out off the web cam in your bedroom.

While you’re online, the same rules you learned in kindergarten still apply 

Don’t talk to strangers, don’t meet up with them and don’t give them your address.  Seriously.

Data Brokers Collect Data on All Adults, Even the New Ones

Once you’re 18 and out of your parent’s house you’re in a position to rent an apartment, get a credit card, have a phone in your own name and do all sorts of other adult things.  You should be aware that doing those things leaves an electronic crumb trail behind you that data brokers will collect.  Once your data is collected, data brokers package that information and sell it.  As a result, unlike most high schoolers, people can find you even if you haven’t given them your address or phone number.  You can cut down on some of the information that’s collected by getting a P.O. box or using a school mailbox address as often as possible.

Now is also a great time to set up a Google Alert on your name 

In addition to the vanity thrill of seeing where you show up online a Google alert will also help you stay on top of where your information is and how much of it is available.

Joining professional networks like LinkedIn

Before creating a profile anywhere, take a minute or two to look at what the site makes public.  LinkedIn makes almost everything public by default.  LinkedIn focuses on your professional past, which is information you’re usually pretty free with on your resume.  But it’s possible that the summer you spent working at Hooters isn’t what you want the recruiter at the investment bank finding at the top of your resume so give some thought to what you put up.  You also need to be aware of whether any of the information could answer security questions on important websites you use.  For example, your first job, your middle name or where you lived as a child.

Be careful what you put up on Facebook

Even if you think you’ve locked down your Facebook profile, there’s no guarantee that anything you put up will actually remain private. That supper funny picture of you pretending to pee on nachos at work could easily come back to haunt you.  Or at least get you fired from your after school job.  And that mean thing that sounded hysterical in your head, could land you in jail.  That’s not to say you shouldn’t enjoy your new found ability to participate online, it’s just that you should avoid putting anything up online that you couldn’t show to your Grandma.

Facebook is an amazing place to stay in touch with friends and share what’s going on in your life.  Posts can be funny, touching, sad or just weird.  But here’s the thing, once they’re up, they’re out of your control forever and what you think is hysterical might confuse or even worry your friends and family.  One of my teammates posted a funny paragraph complaining about his “co-workers”.  For anyone familiar with Scooby Doo it was a funny little paragraph spoofing the cartoon and had nothing to do with his actual job.  In fact, the whole team had a laugh when we read it a few minutes after he put it up.  But for the next three days he got concerned messages from friends and family warning him that his job might be in peril if his boss found out that we was complaining about a stoner co-worker with an over excitable dog.

The lesson is that the funny or edgy things we share with friends in context might not translate well in public (one of the many reasons most of us aren’t on SNL).  Out of context, edgy comments rapidly go over the cliff of insensitivity.  You don’t have to have a career planned in politics to worry about what innocent comment might turn out to be a problem.

So while you enjoy all the new opportunities that being a freshman brings, just remember, after English, lock down your social profiles.

First, the President has said we need this legislation to protect our economy, its industries, and all citizens that rely on them.  To support his argument he pointed to several hacks that happened recently, including one at a water sanitation plant. According to President Obama in an op-ed for the Wall Street Journal, a cyber threat to our nation is one of the most serious economic and national security issues the US faces. Why? The President explains that he conducted a simulation last month, in which hackers successfully inserted harmful software into the computer networks of our private industries, and as a result,  “across the country, trains had derailed, leaking toxic chemicals into the atmosphere, and water treatment plants in several states had shut down, contaminating the drinking water of our citizens.“

But as Techdirt pointed out, each of the attacks he mentioned are attacks that could have been prevented without any new legislation at all.  Why do we have computers controlling our water filtration on the Internet in the first place?  The most surefire way to prevent a cyber attack isn’t to increase the amount of information the government can access on individuals; it’s to get more systems offline.  I know, we live in an Internet age, and I’m not suggesting that every company or plant or organization should go offline, I’m just saying that unless there’s some really good reason why sensitive systems have to be online, they shouldn’t be.  Computers have gotten incredibly cheap in the last 20 years.  We now have more computing power on our phones than NASA had in 1969.  If a company needs to have an online system and an offline system it really shouldn’t be a problem anymore.

My second issue with the Cybersecurity Act of 2012 is that the government still hasn’t clarified WHY this legislation is needed. The new legislation would give private sector corporations (Microsoft, Google, etc.) the ability to share user information with the government, and would also make these corporations unaccountable for the type of information they pass along to the feds. The National Security Agency (NSA) already gathers an incredible amount of information on US citizens through methods such as wiretapping, but the government now wants the power to read our emails and chats, snoop through cloud storage, and view any personal information we have given to private companies in what we thought was confidence. Why does the government need this information, and how do officials plan on using it to protect our country?  Furthermore, what law currently exists that blocks that kind of info-sharing. Until the government clarifies this, the Cybersecurity Act just seems like another excuse to spy on American citizens.

These laws are arguably more important than SOPA and CISPA as they would have a broader impact on the privacy of Americans, but they have gained far less engagement from the public. There is still hope, however, because there is time left. The law is still being staunchly debated amongst government officials, so why not use this to our advantage and build a strong opposition to the bill. Do something before it is too late: write to your senator, start a petition, whatever it takes. Privacy valued in this country, defend it.

Image by TCC Press Images (https://secure.flickr.com/photos/ttc_press/5088484205/sizes/m/in/photostream/)

I doubt that privacy alone accounts for the success of Fifty Shades of Grey – after all, women have been reading steamy romance novels for decades without shame – but I love the idea that Americans have found a new space where they can retain their sense of privacy without having to give up technology.  The e-reader as private reading room can be a tremendous leap forward in the quest to provide people with the space necessary to explore new ideas (and blush-worthy novels).  Imagine the stereotypical cheerleader in high school being able to read Feynman without social fall out, or the college freshman being about to read about depression without having to meet the eyes of the library checkout clerk, or the stay at home parent who wants to know about divorce law, or the adult daughter sitting by her parent’s hospital bed learning about the legal requirements of wills and trusts.  All of these are things that we would like people to be able to explore but depending on where you live or where you’re traveling you may not be able to read what you need without condemnation or embarrassment.  True privacy in e-readers would provide another path to educating people living under oppressive political regimes.  A jail broken e-reader looks the same as any other but might let curious citizens in China or Iran read about topics like Tienanmen Square or voting rights for women.

Considering how many possibilities an e-reader comes with it’s too bad that the technology behind e-readers isn’t nearly as private as one would think.  E-books collect and report back on what you read, when and how.  Amazon (maker of the Kindle) and Barnes and Nobel (maker of the Nook) are well aware that you downloaded that Pulitzer prize winner and then stopped reading it after the fourth page.  Now that Microsoft owns a 17.6% stake in Nook, they may know that too.  Combine that information with a search for roma

ntic first dates and the most recent name you’ve searched and Microsoft could know that you downloaded that book before a first date with someone who regularly comments on Pulitzer prize message boards.  And that, since you stopped reading the book, Microsoft could know that the first date was also a last date.  That may be more funny than worrisome, but combine information about an e-book on divorce with Bing searches for domestic violence shelters and Microsoft may think that you’re trying to leave an abusive spouse.  If that information leaks or is turned into a District Attorney your loving spouse could be painted an abuser when the truth is that the information was for a friend or a paper.  Consider what our reading habits say about our interests and knowledge needs; suddenly reading an ebook becomes the furthest thing from private.

But the theory that people explore new things and read differently when they believe they are in a private environment remains and remains full of great potential.  So go on, Amazon, Barnes and Noble and Microsoft, make our wish a reality and give us the private experience we think we’re already getting.

Over the past few months, users have reached out to me asking to be removed from a site called Mugshots.com.  Mugshots (and similar sites) scrape police databases for mug shots and then display the pictures and other arrest information on their website.  Many police records are legally required to be made public (registered sex offenders), but having every arrest record published to the Internet becomes an invasion of privacy.  Due to regulations most Americans don’t have to worry about an arrest record tarnishing their reputation, but unfortunately for citizens of Florida, the state’s Sunshine Laws make all arrest records public, meaning that if you were ever arrested in Florida your mug shot will be on the Internet – forever.

Last month I was contacted by Linda and Robert about removing their son Ben’s arrest record from Mugshots.com.  Ben had been arrested for public intoxication in Miami, and now thanks to Mugshots, the arrest was prominently displayed on the first page of Google when anyone searched for his name.  Since other people search websites provide a free way to remove information from their database, I assumed it would be the same with Mugshots.com.  I couldn’t have been more wrong.

I quickly found out that in order to remove your mug shot from Mugshots.com you are required to pay a third party affiliate $399 to conduct the removal.  This surprised me because no other databroker website can charge to conduct opt-outs (except US Search with their Privacy Lock product, but this was quickly shut down by the FTC).  With no other options available to remove your picture from Mugshots.com, paying $399 to remove your record more than borders on extortion.

Perhaps the most concerning part of Mugshots.com is that your picture is posted immediately after the arrest, so even if you are never convicted of the crime, your mug shot will still be immortalized on the Internet…unless of course you pay the $399.  With no other options available to remove Ben’s arrest record, Linda and Robert decided to pay the third party affiliate unpublishmugshots.com to conduct the removal.  After their check cleared, Ben’s entry disappeared from Mugshots.com 24 hours later.

Laws around data aggregation are blurry and the expectation that sites like Mugshots will police themselves is naive and dangerous.  Amidst the current maelstrom of Internet legislation (SOPA, PIPA, and now the Intellectual Property Attache Act), an enormous challenge will be passing laws that incubate innovation while still protecting basic rights like privacy.

For us to solve the Mugshots problem, we need your help standing up for what is right.  Share this post and help stop the extortion of people who aren’t given a choice.

-Noah

@noahtorious

noah@safeshepherd.com