Privacy and Security


8/16/2009: 10:17 am: Robert (Privacy and Security)

The EFF has posted a very interesting and sensible article on locational privacy. The solutions to the problems are not trivial, but they do exist, at some cost.

Locational privacy (also known as “location privacy”) is the ability of an individual to move in public space with the expectation that under normal circumstances their location will not be systematically and secretly recorded for later use.

The first example the article details is road tolls. Every system in use I know of uniquely identifies the car by a transponder, and thus tracks a location. If the car goes through multiple toll sites, the monitoring system can begin to put together a detailed history of your travels, as well as make inferences about where you might have or couldn’t have been. Or even issue you a ticket if you traveled between two sites faster than the speed limit would allow.

Of course, these systems are tracking the transponder and not you, but they also photograph the license plate(s) of the car. What if the camera up front just happens to be positioned so it also photographs the driver?

The article proposes an alternative that uses cryptography to anonymize the transponder. One catch is that the proposal requires you connect your transponder to your computer so it can communicate with the company’s systems to calculate what you owe. Obviously, it would be simpler if it could do this wirelessly, but that brings up other locational privacy issues.

The biggest problem I see goes back to the photographs. Some drivers will go through the toll site without a transponder, either because they never had one or because they thought they had it when they didn’t (perhaps they took it into their house to connect to the computer to anonymously pay their tolls and then forgot to put it back in the car). Also, in a case that has happened to me, the transponder was on the dashboard, but not detected. When that happens, the system falls back on photos of license plates and optical character recognition software.

I don’t think the toll taking companies are going to give up those images easily. Perhaps they could be convinced to delete them if a valid transponder was detected. However, I think they will still want them, even in that scenario, for non-repudiation. Until they get paid, they are likely to retain the images. As long as the images exist, they are subject to abuse. The EFF article acknowledges and explores this issue.

The EFF article brings up several other important areas where your location info can be pervasively tracked and easily abused. A big challenge is that the proposed anonymizing solutions involve additional effort and cost for the provider. In many cases, this is a double whammy, since the provider must shoulder more implementation and maintenance cost and no longer has as much marketing data to sell. This can be offset if the service is valuable enough to consumers to pay more for. Unfortunately, though, I’ve read about a couple of studies that have shown that most consumers don’t value privacy very highly when it comes to paying for it. I think that often this is due to a lack of awareness of how their data can and is being used. Hopefully, the EFF’s very important work will change this.

The only electronic cash system that seems to have had much success is Hong Kong’s Octopus Card system, which is run by a private company. However, according to the Wikipedia article it seems to have succeeded by forced migration (two transit systems gave users only 3 months to switch over from old cards), misconception (residents thought older coins were becoming more valuable than face value, so they stockpiled them) and forced inconvenience (buses began requiring exact change). The popular On-Loan cards are anonymous. A Personalized card has additional uses beyond electronic cash. Although some coercion was involved, the fact that convenient, anonymous solutions succeeded at a large scale is very promising.

9/23/2007: 11:20 pm: Robert (Privacy and Security)

If you’ve been subject to identity theft like me (twice so far), you should strongly consider having access to your credit report frozen. This will greatly decrease the chance of someone else establishing a new line of credit using your identity. Consumers Union has a great summary of the details for all the states that currently allow you to freeze access to your credit report. The credit industry doesn’t want you to do this, of course, so they have fought it for a long time and tried to make it hard to accomplish.

One downside is that it can make it hard for you to get quick access to credit. But, maybe not being able to walk into a Lamborghini dealership and walk out with $100,000 of debt isn’t such a bad thing. However, if you really are trying to line up new credit for a well thought out reason, such as when buying a house, you do have to remember to unfreeze access in advance. You definitely don’t want to lose a house because you couldn’t get the funding together quickly enough.

Thanks to Dan Wallach (Go Rice Owls!) for his informative post on Freedom to Tinker.

7/2/2007: 12:18 am: Robert (Privacy and Security, VoIP)

Since I’ve posted several times before about spoofing the caller ID for a phone call, you might think I would be interested in the Truth in Caller ID Act of 2007 that was recently introduced in the US Senate. And you would be correct.

Originally introduced in the House as H.R. Bill 251 and passed by voice vote, the bill has moved on to the Senate. A very similar bill, the Truth in Caller ID Act of 2006, was also introduced and passed in the House last year, but never made it out of the Senate. Both of these Acts were designed as amendments to Section 227 (RESTRICTIONS ON THE USE OF TELEPHONE EQUIPMENT) of the Communications Act of 1934.

Here are the major differences:

  • Changed “telecommunications service or VOIP service” to “telecommunications service or IP-enabled voice service”
  • Removed the qualification of “with the intent to defraud or cause harm”
  • Added exemptions for “any authorized activity of a law enforcement agency” or “a court order that specifically authorizes the use of caller identification manipulation”
  • Added a statement that implies (at least to me) that the FCC can include exemptions that the “Commission determines appropriate”
  • Added a statement that the FCC shall report back 6 months after enactment as to whether additional legislation is required to cover new technologies that have emerged
  • Added explicit civil forfeiture penalties and criminal fines for each violation (including up to $10,000 for each violation and treble damages per day for continuing violations)
  • Specified a 2-year statute of limitations on events occurring after a violation notice has been delivered (here’s an example of a real notice as defined by the Communications Act of 1934)
  • Added explicit statements regarding enforcement of the Act by States (though States must wait in line if the FCC is already taking action for an alleged violation). This section of the Act is intended to replace section 227, sub-section f, of the Communications Act of 1934, at least in regards to violations involving Caller ID spoofing.

One of the challenges faced by the authors of the Act is not to disallow legitimate uses of caller ID spoofing. When outbound calls are placed by an outbound calling service, the trunks that are used do not normally accept inbound calls. Although many outbound trunks may be used simultaneously, it typically makes sense that returned calls would go to a single recognizable number. Let’s say an emergency notification system were established to place outbound calls to a community in case of an accident at a nearby oil refinery or chemical plant. Obviously, many calls must be made very quickly, so lots of outbound lines would be used. In this scenario it makes sense to spoof the caller ID for each outbound line to a single inbound number that distributes the calls to people who are trained to answer questions about the notification.

The 2006 Act stated that it applied to cases where spoofing the caller ID was done “with the intent to defraud or cause harm”. While I can understand the desire to avoid having to prove the intent of an alleged violator, I’m worried that the new Act removes this statement and leaves it at – “transmit misleading or inaccurate caller identification information”. While my above example illustrates a case where the spoofed information is not misleading, one might technically argue that it is inaccurate. Maybe I’m splitting hairs, but I can think of several cases where “inaccurate” caller ID information is not necessarily harmful.

This Act covers more than just the calling party number (which is, strictly speaking, the caller ID). The Act also covers any other information that is also provided as part of a calling number identification service, such as a brief alphanumeric name that can optionally be requested along with the phone number, depending on the service provider.

Regardless of whether this Act passes, you should change your mobile phone voicemail account (if you haven’t done so already) so that it requires a password. The typical default setting is not to challenge you for a password if the caller ID for the call matches your mobile phone number. Convenient, but terribly insecure. You don’t want me listening to your voicemail, especially since I already read your email.

11/19/2006: 9:59 pm: Robert (Privacy and Security, Speech)

In response to the notification from Avaya that my personally identifiable information may have been compromised, I decided to try the automated phone systems used by Equifax, Experian and TransUnion for adding a fraud alert to my credit file. All three automated DTMF/voice applications were pretty bad.

Equifax

The app used two significantly different male voices. What was really bad, though, is that the app played essentially the same long-winded message in both voices informing me that Equifax would automatically request that Experian and TransUnion place a fraud alert on my credit file. You almost get the feeling they don’t want you to set up a fraud alert.

The Equifax app also had the absolutely useless intro message of “Please listen carefully, as our menu options have changed.” Who would ever call this app enough times to have memorized the options? Also, when did the options last change? Yesterday, two years ago? About the only reason an app should have this prompt is if it is frequently used by power users and the options really have changed very recently.

The app provided no confirmation of spoken digits, even when I intentionally spoke them quickly and slurred the numbers. When I slurred the digits so much that it didn’t hear all of them, I got a prompt indicating that the number needed to be ten digits.

The app failed to place a fraud alert on my credit file, very likely due to the fact that it probably collected incorrect numbers that it failed to confirm with me so I could correct them.

Experian

The app was DTMF only, so there was much punching of digits on the keypad. This made the data collection process slower and more painful than for Equifax and TransUnion.

The app started with a menu of options. Setting up a fraud alert wasn’t one of them. By stepping through several layers of menus, I finally got to the point where fraud alerts were mentioned.

Along the way, I was offered the option to hear an eight-minute recording of California rights, since I called from a California area code. Neither Equifax nor TransUnion offered this. I don’t know if they are supposed to, but I can pretty much guarantee no one will listen to it. Since Experian is paying the toll charges for the phone call, they don’t want you to listen to it, either.

The app was very repetitive. It presented the same info in several ways. Many of the prompts repeated themselves. It was repetitious.

One good thing about the app was that it used a single female voice for the prompts. The VUI design was not very good, though. The confirmation dialogs were particularly painful.

Several prompts in, I was informed that to place a fraud alert, I would need to be transferred to a separate secure system and that I would not be able to return to the main menu. Which made me wonder, why did I start out in the insecure system? What made the secure system secure? It’s not like our conversation was suddenly being encrypted.

The best thing about the Experian app is that I was able to use it to successfully add a fraud alert. It was a painfully slow, mind numbing experience, but it appears to have worked.

TransUnion

The TransUnion app started with a very specific fraud alert intro. It also used a single female voice throughout the app. Like the Equifax app it accepted spoken digits and yes/no, in addition to DTMF digits.

The confirmation dialogs for digits were clunky “We captured one two three four five”, but at least they were there. I’m still wondering who the “we” was. I only heard one voice. Maybe it was the royal “we”.

Summary

The VUI for each of the apps appears to have been designed by someone with little experience in IVR application design. As far as usability goes, I would rank them as follows:

  1. TransUnion
  2. Equifax
  3. Experian

However, I have to give Experian some extra points, because it was the only app that allowed me to successfully place a fraud alert on my credit file. Nonetheless, it’s hard to call any of them a winner.

While plodding through these automated systems, I took the opportunity to clean up dead links and out of date info on my privacy and security page.

11/19/2006: 5:58 pm: Robert (Privacy and Security)

I just received a letter from Avaya informing me of the theft of an employee’s laptop that may contain my personally identifiable information (PII). The letter suggests that I contact one of Equifax, Experian or TransUnion to have a fraud alert placed on my credit file. If you contact one, they will allegedly automatically contact the other two.

While I’m glad to have received the notification so I can take action before something bad happens, I wish Ross Senholzi, Director, Finance, (or more likely, one of the people in his group) had spent a few more minutes proofreading the letter. One glaring error in the letter is the URL for filing a complaint with the FTC. Somehow I don’t think that www.consumer.gov/idtehft (sic) is the correct URL. Unless, of course, the people managing the website at the FTC can’t spell “theft” either. At least this is an obvious mistake that virtually everyone will correct if they type it into a browser.

A far worse error is an incorrect number for Experian. The correct number is 888-397-3742, not 800-397-3742. In Avaya’s defense, lots of other people get this wrong, too. Search on “800-397-3742” and you will find a lot of sites listing this as the Experian fraud alert line. But they could have at least tried calling the number once.

If you call 800-397-3742, you get an amazingly bad DTMF app. After a welcome message “Hello and thank you for calling” that never mentions Experian, you are presented with a one choice menu, “To hear how we can easily help repair your credit by removing negative or erroneous items from your credit report, please press 1 now”. If you don’t do anything, the prompt repeats. A few seconds later, the app hangs up on you.

Here’s the rub, though. If you do press 1, you get a sales pitch from the “Consumer Information Bureau” for a paid service to repair your credit record. If you press 0 to try to reach an agent, the app hangs up on you. The owner of this number appears to be some other company that has latched on to the fact that many websites have the wrong phone number for Experian. A reverse lookup on 888-397-3742 returned Experian as the owner of the number. A reverse lookup on 800-397-3742 returned nothing.

This is very, very bad.

3/4/2006: 2:46 pm: Robert (Privacy and Security, VoIP)

This week an AP originated article appeared in the Oakland Tribune on caller ID spoofing. My previous post on caller ID spoofing generated quite a few comments, including a lot of email requests for the source code or for me to provide it as a paid service. Just to cut short further requests, I have no interest in doing that.

As I wrote long ago and the article also states, you shouldn’t absolutely trust the phone number that shows up on your Caller ID service as being the phone number of the person calling you. It’s quite easy to fake for someone with a reasonable level of technical savvy. I originally did it via a VoiceXML application on a hosted VoiceXML service, but you can also do it if you manage your own PBX, such as Asterisk. For the less technical, you can just pay a service to handle it for you.

Camophone is no longer taking new customers, but Spooftel, Telespoof, Spooftech, and Spoofcard are currently active. Interestingly enough, the star38.com domain for the earliest (at least, earliest known to me) Caller ID spoofing provider now redirects to cia.gov. Conspiracy theorists, start your engines.

One obvious concern is any service that authenticates the user based just on Caller ID. One example is credit card activation. Some companies will automatically activate credit cards if the Caller ID for the incoming call to the activation line is the same as the number used when applying for the credit card. That could allow someone to activate a large number of credit cards in a very short period of time by using fake phone numbers.

A dangerous privacy-related example for consumers is voice mail systems that don’t require a password if you call from the number associated with the voicemail box. Many mobile carriers use this as the default configuration. If someone knows your mobile number, they can call the main number for voicemail access and spoof your number. They can then listen to your stored messages.

5/25/2005: 11:49 pm: Robert (Privacy and Security)

Recently I posted about being one of the people whose personal information was potentially exposed due to allegedly lax security at Seisint (owned by LexisNexis (0wn3d by hackers)). Today a story appeared on Wired.com on the hackers who claim to have initiated the break-in. At first I was relieved to read that it was a “cyberjoyride that got out of hand”.

Further into the article, though, I learned that these teen hackers created lots of extra accounts and shared them with others. So, while they may have broken in for entertainment and ego gratification, they have no idea what anyone else may have done.

It’s got to be painful for the people at LexisNexis to read the following quote from the Santa Clara County Deputy DA:

I’m just saying it’s not one group that’s compromised LexisNexis. Their security is really bad. This isn’t a situation where you’re talking about needing an überhacker to compromise (the system). Their passwords weren’t as secure as your average porn site.

While I’m happy to get a year of free access to the Experian Credit Watch service out of the deal, I’m not sure it’s really that valuable. The first alert I received indicated that the balance amount changed on one of my credit card accounts. Great. I’m going to get an email every time a credit card company sends me a bill, even though I’ve paid off all my accounts in full every month since I graduated from college.

Worse, though, is that the link in the HTML email was bad. The actual link started with “https://https://”. I’m still not sure why, but the link actually sent me to PayPal. That seemed really suspicious, but I spent a bunch of time verifying that it was the real PayPal site. I sent email to the customer service account on the Experian website, but I received only a very generic form letter response that ignored my question and told me nothing useful. I persist in believing that companies will provide good quality support by email, since it is cheaper than providing support by phone. However, my experience has been that email support is generally far worse than phone support. Not just a little worse, but a lot worse. Fortunately, there are a few exceptions, such as the company that hosts my website. But I digress.
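A malformed link in a security alert is exactly the kind of thing a recipient (or a mail gateway) should flag before clicking. The following is an added example, not code from the post or from Experian: it pulls the hrefs out of an HTML message, detects a doubled scheme such as “https://https://”, and checks that each link’s host sits under the domain the message claims to come from. The domains `example-creditwatch.test` and `paypal.example` and the sample message are constructed values.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Matches a single leading "http://" or "https://" prefix (case-insensitive).
SCHEME_RE = re.compile(r"^(https?)://", re.IGNORECASE)

# Constructed sample message; the domains are placeholders, not real services.
SAMPLE_EMAIL = """<html><body>
<p>Your balance changed. <a href="https://https://www.example-creditwatch.test/alerts">View alert</a></p>
<p><a href="https://www.example-creditwatch.test/help">Help</a></p>
<p><a href="https://www.paypal.example/signin">Sign in</a></p>
</body></html>"""


class _HrefCollector(HTMLParser):
    """Collect every href on an <a> tag, in document order."""

    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            for name, value in attrs:
                if name == "href" and value:
                    self.hrefs.append(value)


def extract_hrefs(html):
    parser = _HrefCollector()
    parser.feed(html)
    return parser.hrefs


def strip_doubled_scheme(href):
    """Peel off repeated http(s):// prefixes.

    Returns (number_of_prefixes_found, href_with_a_single_scheme). A count
    above one means the template (or something in between) doubled the scheme,
    which is what urlparse would otherwise mis-read as a host named 'https:'.
    """
    count = 0
    rest = href
    while True:
        match = SCHEME_RE.match(rest)
        if not match:
            break
        count += 1
        rest = rest[match.end():]
    outer = SCHEME_RE.match(href)
    cleaned = outer.group(1).lower() + "://" + rest if outer else href
    return count, cleaned


def host_matches(host, expected_domain):
    """True if host equals expected_domain or is a subdomain of it."""
    host = host.lower().rstrip(".")
    expected_domain = expected_domain.lower().rstrip(".")
    return host == expected_domain or host.endswith("." + expected_domain)


def check_link(href, expected_domain):
    """Return a list of findings for one href; an empty list means it looks sane."""
    findings = []
    count, cleaned = strip_doubled_scheme(href)
    if count == 0:
        return ["no http(s) scheme"]
    if count > 1:
        findings.append(f"doubled scheme ({count} prefixes)")
    parsed = urlparse(cleaned)
    if parsed.scheme != "https":
        findings.append("not https")
    host = parsed.hostname or ""
    if not host:
        findings.append("no host")
    elif not host_matches(host, expected_domain):
        findings.append(f"host {host!r} is not under {expected_domain!r}")
    if parsed.username or parsed.password:
        findings.append("credentials embedded in URL")
    return findings


def audit_email(html, expected_domain):
    """Map each href in the message to its findings."""
    return {href: check_link(href, expected_domain) for href in extract_hrefs(html)}


if __name__ == "__main__":
    for link, findings in audit_email(SAMPLE_EMAIL, "example-creditwatch.test").items():
        print(link, "->", findings or "ok")
```

The host comparison is deliberately suffix-based on the registered domain rather than a substring match, so `www.example-creditwatch.test.attacker.example` would not pass; a doubled scheme is reported separately because, as in the post, it can redirect the reader somewhere unrelated to the sender.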

5/5/2005: 11:46 pm: Robert (Privacy and Security)

A few weeks ago, I learned that I was one of the few hundred thousand victims of Seisint’s carelessness in monitoring the users of their public and private data record aggregation service. Seisint is owned by LexisNexis, which is owned by Reed Elsevier. At first, LexisNexis thought 32,000 individuals were affected. Now the number is believed to be over 300,000.

In the ChoicePoint debacle, crooks fraudulently obtained accounts by posing as legitimate businessmen. In the Seisint case (actually, some of the intrusions were in unrelated parts of LexisNexis), crooks managed to get access to the usernames and passwords of legitimate users. Then again, LexisNexis hasn’t revealed whether the legitimate users might have been in collusion with the crooks, so maybe the scenarios are actually quite similar. I like that one of the services that Seisint allegedly offers to other businesses is “detecting fraud”.

To LexisNexis’s credit, they did more than just send me a letter saying something like, “We screwed up and let bad guys get access to your Social Security Number. Watch your back.” In addition to the letter, they arranged for me and the other 300,000+ unfortunate souls to get a free 12 month subscription to a service from Equifax that allows one to get a 3-in-1 (Equifax, TransUnion, and Experian) credit report online each month, and to have alerts sent whenever someone accesses your credit record or whenever there is a material change in your credit record.

I finally got around to signing up for it tonight. It was fairly straightforward to do, though I’m glad I didn’t have to pay the $130 annual cost for the program. After signing up, I quickly scanned through the three reports. The reports themselves were fairly well organized and easy to peruse.

As I feared, my address and former address were wrong with TransUnion and my former address was wrong with Equifax. This was a result of a thief fraudulently impersonating me in 2002 and setting up 9 credit accounts using my social security number. Even worse, an account the thief set up with Radio Shack was still on my record with Equifax. TransUnion and Experian had both already removed it.

Fortunately, there are online forms for initiating disputes. The Equifax dispute form was much less well designed than the credit report review pages. After battling with a text edit box that would let me enter only 250 characters, but then not let me delete characters after reaching 250 characters while mid-word, I managed to submit the dispute. The TransUnion form was nicer, but longer and less helpful. Anyways, hopefully I will finally get the mess from 2002 cleared up and not have a new mess initiated from the Seisint miscue.

12/2/2004: 12:46 am: Robert (Privacy and Security)

If you live in the Western United States, as of today you can get a free credit report from each of TransUnion, Experian, and Equifax. You can do this once per year. Check out AnnualCreditReport.com to see when you get your chance if you don’t live out west.

Update 12/9: I corrected the above URLs. Thanks for pointing out my mistake, Richard!

I was able to view my reports from TransUnion and Experian instantly online. Unfortunately, I will have to fill out a form and mail it in to Equifax to get my report from them.

You might be wondering, why are the credit bureaus doing this for free? I have no idea if the FTC forced them to make this offer, but they each take the opportunity to market a lot of their other services while you’re signing up for the free credit reports. I’m very pleased that the credit bureaus have made credit reports available for free annually, but they are definitely getting a lot of marketing value from the effort.

If you’re like me and have been a victim of identity theft, you’ll definitely want to take advantage of this offer as soon as possible. While you get a credit report for free if you have been a victim of fraud in the previous 12 months, it’s good to check up your credit report after that time period, especially if you don’t know if the thief was ever caught. The good news for me is that the bad credit card info has been removed from my TransUnion and Experian reports. The bad news is that those reports still contain bad phone numbers, addresses, and names. Some day I’ll get around to adding this info to my Privacy and Information Security page.

Update 12/2/2004 – It turns out this was required under the terms of the Fair and Accurate Credit Transactions (FACT) Act that was passed in 2003.

9/4/2004: 5:52 pm: Robert (Privacy and Security, Speech, VoiceXML)

Although the ability to spoof caller ID has been around for quite a while, I wasn’t aware of any public services that offered that capability. On August 31, a company called *38 launched a service for spoofing caller ID. With stories quickly appearing on SlashDot and the New York Times (registration required), *38 picked up a lot of publicity very quickly.

Perhaps too quickly for founder Jason Jepson, as an article in the Houston Chronicle revealed that he received “harassing e-mail and phone messages and even a death threat taped to his front door”. Since the *38 website suggests that the service would primarily be targeted at bill collection agencies, I presumed the threats would have been from people running from the repo man. But, he contends that they are coming from hackers who are upset that a tool available only in the underground was suddenly now available to anyone, somewhat like how magicians get mad when another magician reveals how a popular trick works.

I would have thought a more likely source of the threats would be the big phone companies, since caller ID is nearly pure profit for them. If people stop trusting caller ID, there goes a fantastic source of revenue for them.

As a sheer coincidence, early last week I built a caller ID spoofing application on our speech platform at work. It was a really simple app to write, and it works like a charm. The very next day I saw the article on *38 on Slashdot.

With their service, you first register your phone number with them and agree to pay $20/month plus 7-10 cents per minute, based on calling volume. Then, you go to their website and enter a number to call and the calling number you want to spoof. An automated service calls you back, dials the first number, while spoofing the caller ID with the second number.

I like my implementation better, since it doesn’t require Internet access. I call a toll free number that connects me to my application hosted by a VoiceXML service provider. My app then asks you to enter (speech or DTMF) the number to call. Then, it asks you for the number to spoof. Seconds later, the phone at the first number is ringing, but the calling number that that person sees (assuming they have caller ID support) is the second number.

From the NY Times article:

“The developers of Star38, who say they required only 65 lines of computer code and $3,000 to create their service …”

Heh, the original version of mine was 51 lines of commented code and took me only about four hours of coding and testing time to complete. Even if I was charging 1999 dotcom era consultant wages, that would come in well under $3,000. If I had written it in static VoiceXML, it would have been about twenty-five lines of code (and that’s human readable code with no wacky obfuscations to shorten the length). I could easily rewrite it in fewer than twenty lines of clean, albeit uncommented, code on our platform, which dynamically generates VoiceXML.
