Friday, January 06, 2012
In Just One Hour Online...
It took just one hour for internet experts to find out almost every private detail of one woman's life
Steve Boggan challenged web experts to see how much they could discover about his partner. The results were chilling...
As I sit writing this, I am feeling vaguely grubby — guilty even — in the way a neurotic husband might after hiring a gumshoe to go trawling through his wife’s secrets.
There is a 15-page report in front of me chronicling virtually every aspect of my girlfriend’s life: past and present. That includes her friends, education, embarrassing pictures, former boyfriends and long-forgotten relatives.
Much of the information is new to me. And the uses to which it could be put — uses I hadn’t dreamt of until this week — are chilling.
Armed with this information, criminals could use her identity to commit fraud or resurrect minute details of her past, her movements and friendships to lure her into scams or even dangerous liaisons.
It could be used to con her into revealing her bank details and credit card numbers.
My internet snooping began because the CEO of Google, Eric Schmidt — a man not known for worrying about internet surfers’ privacy — suggested recently that young people might want to change their identities in the future in order to separate themselves from a past lived too openly on the internet.
We all know Facebook pictures of you dancing at a party with a traffic cone on your head might come back to haunt you. But change your identity completely?
Surely, I wondered, there isn’t enough out there to warrant that.
So I decided to find out how much I could discover about my partner of 12 years, Suzanne, just by using the internet.
Before you think I’m a rat, I should point out that Suzanne, a 39-year-old with a soft furnishings business, agreed to it.
I began in the way lots of identity thieves do: with her name and address. Of course, I knew these details, but identity thieves often discover them by ‘dumpster diving’: looking through dustbins for a discarded piece of mail.
I passed Suzanne’s name and address — but no other details — to Adam Laurie, a 48-year-old computer security and internet privacy advocate.
He shared the information with Chris Sumner, 39, another security expert, who works for a multi-national corporation.
Or at least, that is Sumner’s day job; by night, he analyses vast amounts of information publicly available on the internet to see what it can tell him about criminal activity — in this case, how fraudsters are using social networking sites to choose their victims.
Using sophisticated and completely legal computer techniques, he looks for patterns in the behaviour of internet users to uncover otherwise hidden links.
In the case of social networking sites, he can see just how close two people, or groups of people, really are to each other.
He had met neither me nor Suzanne and knew nothing of her existence until given her name and address.
A day later, his findings dropped into my email inbox.
Picking Suzanne’s life apart, he told me, had taken him just over an hour.
This is because, in common with millions of people in Britain, Suzanne uses the social networking sites Facebook and Friends Reunited, and has signed up to the business networking site LinkedIn and Flickr, the photo-sharing website.
By also using the genealogy website ancestry.co.uk, Sumner was able to piece together the names of all but one of Suzanne’s relatives, including cousins.
Using electoral rolls on 192.com and by searching on Google, he found the addresses of her parents and lots of her friends and colleagues.
From her LinkedIn and Facebook profiles, he found the names of Suzanne’s primary and secondary schools, and a college she had attended in Derby. He also discovered she had studied fine art at Central St Martin’s College of Art & Design in London.
He also had details of Suzanne’s qualifications and pictures of her from her days at school. The snaps weren’t hers — an old schoolfriend had put them on Facebook.
There were some naff hairstyles, but that was as deep as the embarrassment went. Only you know whether a trawl of pictures of you would be more damaging.
But Sumner didn’t stop there. He was able to tell me that Suzanne had travelled extensively in Europe, Asia, the Caribbean and the South Pacific.
This was because she had used an application on Facebook that linked to the travel website TripAdvisor. You fill in where in the world you have been to keep your relatives up to date. But anyone can see it.
He was not only able to list all 41 countries she had visited, but also the 162 towns and islands to which she had been.
Sumner was able to tell me Suzanne’s exact movements by cross-referencing her TripAdvisor entries with photographs she had posted on Flickr.
When you click on a picture on Flickr, a small box gives you access to detailed information that is entered not by you, but by your camera. So, the date and time of the shot are included.
Now that phones and cameras have GPS, there are even concerns that the location of where you uploaded the picture — normally where you live — might be visible.
From a mixture of all of these websites, Sumner listed Suzanne’s likes, dislikes, hobbies, the 34 towns and cities she had visited in Britain, the places where she used to socialise in her youth and details of her former jobs in the newspaper industry.
In fact, it’s fair to say that after just one hour’s trawling he knew more about many aspects of my girlfriend’s past than I did.
Shocking? Perhaps. Yet also astonishingly easy. Suzanne had voluntarily signed up to these websites and, bit by bit, put most of this information out there herself — and forgotten much of it.
However, what I found even more disturbing is that much of what Sumner found was supposed to have been visible only to people whom Suzanne had accepted into her inner circle of ‘friends’ on each networking website. This turned out to be dangerously naive.
Over the years, standard privacy settings— notably for Facebook — have changed, so what you once thought was private has become public.
You are notified about these changes, but if you forget to adjust your individual settings to return to the old level of privacy (which can be fiendishly complicated) then some of your private information becomes available for everyone to see.
‘There are some weird, strange quirks that let you into places you aren’t supposed
to go,’ says Sumner.
‘For example, on Facebook you may not be allowed to see someone’s photographs because they’re private. But if they post a message with one of their photos attached, you are given the option of seeing their whole album. And as you can imagine, that can be embarrassing.’
According to Sumner and Laurie, organised criminals are using this information
in increasingly sophisticated ways to target victims.
‘Criminal gangs are carefully fishing for victims,’ says Laurie. ‘In the past, they would have sent out thousands and thousands of spam emails in a scattergun fashion — and many still do.
‘These are called phishing scams and involve fake requests from banks asking
people to confirm their account details, passwords and so on. The hope is that, once in a while, someone would be silly enough to reply.
‘Today, they are much more targeted. For example, with the information we got about Suzanne from Flickr, you would be able to see where she visited, when, and, if there were captions on the pictures, with whom.
‘After that, the criminals (or romance scammers) would tailor a scam. If they noticed that, say, she was a regular visitor to Malawi, they would make an introduction online, claiming they were a friend — for example, called Dave — of someone she visited there with five years ago.
‘Surely she remembers them? From that beach — her friend was there, too ... yes?
‘Usually people are too embarrassed to say they don’t remember. Then ‘‘Dave’’ claims he is setting up an orphanage — would she like to make a contribution towards it?
‘Or they might simply say they’re a friend of a person you were with and say he’s gone back there, broken his leg and they’re having a fund-raising collection to airlift him home. It’s crude, but effective.’
Sumner says it can get even more complex, with software tools that can work out who is friends with whom among your online groups of contacts.
‘Once you have established a person’s inner network, you go back into their history to find someone they knew at school who isn’t in that network of close friends and who hasn’t signed up to networking sites,’ he says.
‘Then you join those sites in their name, establish yourself with their online identity and ask your original target to accept you as a friend on, say, Facebook.
‘Before you know it, you are inside their life as a trusted person they think they used to know.
‘Once you are in, you can read about what your target and their friends are up to, such as when they are going on holiday. With that information, you can burgle their homes.
‘You can even ask to be Facebook friends with their children. This is a particularly frightening way for someone to stalk you or your family. They can introduce themselves as a Facebook friend of Mum or Dad. And then it’s only a couple of steps away from something awful happening.
‘Teenagers, in particular, are very indiscreet and post hundreds of pictures of themselves, sometimes drunk with their friends in the living room in front of the plasma screen TV or home cinema.
‘Not only are these the sort of pictures that will come back to haunt them in the future — potential employers aren’t supposed to look at these, but they do — but it’s also a dumb way to show burglars what property you have and where it is.
‘Especially after your children have told all their “friends” when the house is going to be empty.’
Sumner described how some of the information he gained from Suzanne would have helped him to get hold of her bank and credit card details. I won’t reveal exactly how he did it, but it involved using some of her social networking information to gain her confidence, then posing as a friend and asking if her business would make some curtains for him with a sample of material he’d seen on another website.
The catch would be that he had set up that other website himself and when she visited it some rudimentary programming he had installed would help him acquire her credit card details.
I ask Suzanne if she would have fallen for the scam. ‘It’s hard to know, but based on what he said, why wouldn’t I have gone along with the requests of a potential customer?’ she says.
There are other ways, too, that criminals can use personal information harvested from the internet. For example, people often use the names of their children or
pets as passwords for online shopping sites.
If criminals can find these names, by gaining access to your social networking circle, they can try to hack into your accounts on popular shopping sites such as Amazon and view your shopping history, or even order expensive goods to be sent to a pick-up address. (I did not ask Laurie or Sumner to attempt this because it would be in breach of data protection law.)
What can we do about all this? Well, not a lot, other than to be aware your information can be used in more sinister ways than you can possibly imagine, and to be on your guard.
As for your children, they can be warned to modify their behaviour and to think twice about what they write and post online and whom they accept as ‘friends’.
According to Linda Weatherhead, principal policy advocate for the campaign group Consumer Focus, social networking sites bear much responsibility for this explosion of potentially useful information.
‘It is a complex problem, but one simple way of making things safer would be to have all our information kept private as the default setting,’ she says. ‘Then it would be up to you how much you want to relax them as you decide to share more of your private
‘Beyond that, we just have to be careful what we put out there — you can advise children about what they are doing, but you can’t wrap them in cotton wool. You can never make anything completely safe.’
But if Adam Laurie and Chris Sumner are right, then the risks of social networking extend far beyond a few embarrassing photos.
In particular, be careful who your ‘friends’ are; they could turn out to be your worst enemies.