What the Web knows about you

How much private information is available about you in cyberspace? Social Security numbers are just the beginning.

1 2 3 Page 2
Page 2 of 3

Source: Search engines

Information discovered: Age, phone numbers, Computerworld affiliation, Computerworld stories, blog posts, identifying photos, social network and nonprofit affiliations, editorial award

I continued my research with the commercial search engines, including Google, Yahoo Search, Microsoft's Live Search, Dogpile and Vivisimo's Clusty. I used combinations of my name, job title, business name and location, and I concerned myself with only the first few pages of results.

As I encountered new information, I added it to my search criteria and ran searches again and again. The search engines divulged my age, phone numbers, my identities on three social networking sites and dates when I had signed up, my positions with two nonprofit organizations, links to Computerworld stories, blog links, a few snarky remarks about my stories and an announcement that a Computerworld story I wrote won an ASBPE award in 2007.

For good measure, I also searched the Techmeme, Technorati and Computerworld sites directly, assembling a long list of stories I had authored, as well as comments about those stories and contact information.

Source: Image search

Information discovered: Computerworld publicity photos, Flickr photos

Here I stuck with Google Image Search and Flickr. The 429 Google image results included dozens of Robert L. Mitchell photos, but the correct one was buried five screens down in the results. Also, displayed were photos of people whom I have interviewed for Computerworld stories.

Google image search -- Robert L. Mitchell

A Google image search for Robert L. Mitchell. Where am I? Click to view larger image.

Flickr searches on variations of my name produced no photos of me, but I was able to find my account by searching members with the name "Robert Mitchell." On the third screen, my photo appeared next to an account name. By matching that photo with the Computerworld publicity photo, I was able to identify myself.

From there, I was able to view several hundred publicly shared photos associated with that account. But like much of the content on Flickr, those images are untagged. Finding photos of me in the long list was a painstaking process.

Source: Social network search engines

Information discovered: Computerworld stories, blog posts, social network friends and co-workers

Here I searched individual social networking sites, as well as two search tools that promise to provide information from social networking sites: Delver and iSearch.

iSearch people search -- Robert Mitchell

iSearch produced the same results I'd seen elsewhere. Click to view larger image.

With iSearch, users can search for social network content by name or by screen name. A name search on "Robert L. Mitchell" produced the same people search results I had seen before, and searches on all my screen names produced no results. A spokesperson stated that iSearch, a service launched by Intelius last September, was still building up the database for the service.

Delver, another social network search engine, indexes content and ranks its relevance based on what your social network of "friends" have to say about it. It indexes content from MySpace, Blogger, LinkedIn, YouTube, Hi5, FriendFeed, Digg and Delicious, as well as profile data from Facebook. A search on "Robert L. Mitchell" brought up 47,755 Web links. I found no personally identifying information but did find links to stories I have written.

I concluded by searching individual social networking sites. I didn't get much here, but private investigator Steve Rambam, who runs the Pallorium investigative agency in Brooklyn, N.Y., says the amount of self-contributed data available on many individuals is enormous.

"If you have a MySpace page, and Friendster, LinkedIn, Plaxo, Yahoo 360 and Monster.com, and you use Twitter and Flickr, in 90 seconds I'll have your photo, your likes and dislikes, where you live, what you do and so on -- all contributed by you," says Rambam. That search, he says, provides as much information as he used to gather during a 12-month investigation in pre-Web days.

If that sounds scary, the technology also has its limits. "You have the best defense against a casual investigation: a common name," says Rambam. To find people like me on social networking sites requires logging onto each one individually and using advanced search features to try to narrow down the field.

"Even then there are dozens of records that would have to be manually examined," Rambam says. But that just slows him down. "It would probably take a full day to compile a decent dossier on you," he says, while a unique name takes just a few minutes.

Source: Paid searches

Information discovered: Address history to 1985; real estate purchase dates, assessed values and mortgagors; 2004 property tax bill; nonprofit affiliations; Flickr account details; published stories; parents' names, address, phone number and first five digits of Social Security numbers; current and past neighbors' names, addresses, phone numbers, dates of birth and first six digits of Social Security numbers

At this point, I decided to invest a little money to see what premium searches would buy me.

Since no one had come up with my cell phone number, I decided to start small, with a US Search reverse phone lookup -- which means you provide the number and the company traces its owner. US Search indicated that the information was available on my number -- for a fee of $14.95.

I pulled out my credit card and purchased the report. US Search could not find any data initially. The next day it sent an e-mail that attributed the phone to "Josh (last name unavailable)." Address information was limited to a town name, which was incorrect. US Search refunded my money.

I tried other sites, also without success. One possible reason why: I never provide my cell phone number online or use it for business transactions.

Things did not go so well with USATrace.com, which claimed to offer an "SSN Search" background report on any Social Security number for $37.99. I had picked the company at random from a long list of businesses that came up after I ran a Google search on "Social Security number trace."

The company processed my transaction, but I received no report. Over the next few days, several phone calls and e-mails went unanswered. I ended up challenging the charge on my credit card bill -- a process that eventually resulted in a refund from American Express. Caveat emptor.

I then approached Intelius, a bigger name that also provides data to business partners such as ZabaSearch. Intelius waived its $49.95 background search charge for the purpose of this story. I requested a few extra bells and whistles, which would have brought the total cost to $77.

Among other things, the report included searches of criminal records, civil judgments, sex offender records, address history, real estate property records and death certificates. Intelius gets its information from public records, marketing databases and information that is scraped off the Web, says Ed Petersen, co-founder and executive vice president at Intelius. Much of the information is purchased from other data providers.

Intelius people search -- Robert L. Mitchell

The Intelius people search results.

Click to view larger image.

Inaccuracies in the data and the abundance of data on people who were not me made combing through the 67 pages of results a bit of a chore. After removing the irrelevant content, I was disappointed to find that the report contained just one piece of data that I had not found through my previous, free searches: a June 2004 property tax bill in the amount of $1,857.

Despite the fact that I'd entered my address and Social Security number, the bulk of the report consisted of state and federal criminal records of 156 Robert Mitchells from all over the country, none of which were me. It included incorrect names of "relatives" as well as records with my correct phone number attached to the wrong address and vice versa. It did not find my primary legal residence address or phone number at all. (We moved one year ago.) The business records section of the report did not turn up my position at Computerworld or my business phone number.

Intelius did aggregate a lot of data about me that I had already discovered, and might have saved some research time. However, I would still have had to do additional work to resolve the inconsistencies and other errors.

Next I tried a service called ReputationDefender, which tracks both what is being said about you (the MyReputation service; $9.95 per month) and personal information available about you on the Web (MyPrivacy; $4.95 per month). After a few days, the service uncovered my residential phone numbers, information about my work with a nonprofit organization, details of my Flickr account and a couple of Web sites I set up.

Finally, I tried searching public records through LexisNexis. Computerworld's subscription includes a search function that combines data from public records databases ranging from motor vehicle records to court documents to hunting and fishing licenses. While much of the information LexisNexis returned was the same as what I'd found previously, it produced more information overall, and data accuracy was somewhat better.

LexisNexis people search -- Robert L. Mitchell

LexisNexis returned the most accurate information. Click to view larger image.

I came away with a listing of past and present neighbors' addresses, phone numbers and partial Social Security numbers and a historical list of my real estate property transactions that included the amount paid, date of purchase and mortgage lender name. I found the assessed value for my residence for the year 1997. Also available: my mother's and father's names, ages, address, phone number and partial Social Security numbers.

While LexisNexis allows voter registration list searches, no information appeared for my name in New Hampshire. Voter registration lists have been consolidated into a central database to meet federal requirements. Currently, that database is exempted from New Hampshire's Right-to-Know Law, but legislators have given the Democratic and Republican parties exclusive access to it, says New Hampshire State Representative and privacy advocate Neal Kurk, a Republican.

"The parties take this information and sell it to candidates, and you can be sure that a disc containing all of this information goes to various marketers or charities or whoever," he says. So far, though, it wasn't accessible to me.

I also could have searched for other, more sensitive data, such as driver's license and motor vehicle registrations, on LexisNexis. Access to that data is controlled by government regulations, but to see it I simply had to pick a "permissible" use (litigation, debt recovery, insurer, etc.) from a drop-down list. While LexisNexis' terms and conditions do state that it keeps track of who has accessed regulated data, as far as I could tell, anyone can conduct a search without any verification of a permissible use claim.

At other sites, permissible use is simply a generic checkbox item under Terms and Conditions. At US Search, for example, the terms of use state that "By purchasing US Search services you agree that ... You will use the Service only for appropriate, legal purposes, and in compliance with all applicable federal, state and local laws and regulations." Not too reassuring.

What else is out there?

Did I find everything that was out there? Private investigator Rambam says the information I gathered in a few days of work was just the tip of the iceberg of what is available about individuals online. Rambam runs PallTech, an investigative database service for law enforcement and security professionals. Its 25 billion records on individuals and businesses include aggregated public records, telephone listings, marketing data, and more sensitive, regulated data such as vehicle registrations.

A single query performs 62 different searches and produces an average of 230 pages of results in 90 seconds, Rambam says. He quickly found my Social Security number, driver's license number, vehicle registrations, date of birth, e-mail address and other information.

PallTech's database isn't open to the public, but Rambam says much of the same information is out there for anyone who's determined to find it. For example, I didn't find my medical records or banking records online; both types of information are regulated. But, says Rambam, "Any competent social engineer can get that information. There's just too many places where it's available."

For instance, Rambam says he once tracked down a subject by calling pharmacies near the person's address, posing as the subject and asking if his prescription was ready. He quickly learned both the name of the prescription and the doctor who prescribed it. By calling the doctor's office, he was then able to get the time and date of the subject's next appointment. While all this is illegal (he did it with the subject's permission, as part of a friendly bet) and he says most professional investigators don't do that today, he's certain that scammers use the technique.

I also didn't find my state of birth or mother's maiden name online, but Rambam says that I could have found the information with a little more work. (For example, I didn't think to look on genealogy Web sites.) "The downside to all of this publicly available information is that it's now a lot easier to social engineer somebody," he says. If someone has access to a profile of personal information about you as well as your network of friends, that makes it easier for someone to pose as you to gain access to more sensitive data.

And much more personal information is tucked away in marketing databases, says Rambam. Data aggregators such as ChoicePoint and Acxiom, he says, maintain giant databases of information about individuals for risk management and marketing purposes.

1 2 3 Page 2
Page 2 of 3
  
Shop Tech Products at Amazon