ReputationDefender
Press Room

The coolest free stuff on the Internet actually comes at a notable price: your privacy.

For more than a decade, tracking systems have been taking note of where you go and what you search for on the Web — without your permission. And today many of the personal details you voluntarily divulge on popular websites and social networks are being similarly tracked and analyzed.

The purpose for all of this online snooping is singular: Google, Microsoft, Yahoo, Apple, Facebook and others are intent on delivering more relevant online ads to each and every one of us — and bagging that advertising money.

Trouble is, the tracking data culled from your Internet searches and surfing can get commingled with the information you disclose at websites for shopping, travel, health or jobs. And it’s now possible to toss into this mix many of the personal disclosures you make on popular social networks, along with the preferences you may express via all those nifty Web applications that trigger cool services on your mobile devices.

As digital shadowing escalates, so too have concerns about the erosion of traditional notions of privacy. Privacy advocates have long fretted that health companies, insurers, lenders, employers, lawyers, regulators and law enforcement could begin to acquire detailed profiles derived from tracking data to use unfairly against people. Indeed, new research shows that as tracking technologies advance, and as more participants join the burgeoning tracking industry, the opportunities for privacy invasion are rising.

“It is a mistake to consider (online) tracking benign,” cautions Sagi Leizerov, executive director of Ernst & Young’s privacy services. “It’s both an opportunity for amazing connections of data, as well as a time bomb of revealing personal information you assume will be kept private.”

How the dollars stack up

These developments are acting like kerosene on the already contentious national debates in Congress over how privacy ought to be recast to fit the Internet age. Much is at stake. The corporations involved are vying for the juiciest claims on a golden vein. Research firm eMarketer projects global spending for online ads to climb to $132 billion by 2015, up from $80.2 billion this year.

The technology, retail and media giants shaping this brave new world of online advertising insist that they respect — and can be trusted to preserve — individuals’ privacy, even as they compete to dissect each person’s likes and dislikes.

However, startling findings, to be released on Thursday here at the Black Hat security conference, indicate otherwise. Website security company Dasient recently found examples of PC-based tracking techniques getting extended in a troublesome way to Internet-connected mobile devices.

Dasient analyzed 10,000 free mobile apps that enable gaming, financial services, entertainment and other services on Google Android smartphones. Researchers found more than 8%, or 842, of the Android apps took the unusual step of asking users’ permission to access the handset’s International Mobile Equipment Identity number, the unique code assigned to each cellphone. The IMEI was then employed as the user ID for the given app. In a number of instances, the app subsequently forwarded the user’s IMEI on to an online advertising network, says Neil Daswani, Dasient’s chief technology officer.

“The fact that an ad network is getting your IMEI means they can know how long you’ve used your phone and which mobile apps you use most often,” Daswani says. “The full implications of this aren’t clear, but with privacy you’ve got to be careful.”

–

How to limit Web tracking

Delete cookies: SlimCleaner is a free tool that will automatically delete tracking cookies while preserving account logon cookies.

Erase histories: Easy Eraser is paid software that periodically cleans sensitive information from your computer.

Lock down Facebook: uProtect.it is a free tool that can help block your Facebook activities from being accessed by ad networks.

–

Should IMEIs emerge as the preferred way for mobile app companies to track consumers’ access to free services, the advertising industry would suddenly have a powerful new way to snoop on how you use your smartphone or tablet PC, Daswani says.

The pervasive embedding of cool location-tracking technology in mobile devices only heightens such concerns. Sen. Al Franken, D-Minn., earlier this summer introduced a bill that would restrict location tracking, partly to protect children.
Anup Ghosh, chief executive of Web browser security firm Invincea, says Dasient’s findings underscore how application developers tend to grab for as much tracking data as they can without thinking through the privacy consequences.
Invincea has begun working on technology that will enable consumers to automatically disable mobile apps that try to tap into IMEI or take other invasive actions. “The reality is, users can’t be bothered to tweak privacy settings,” Ghosh says.

Privacy leaks

Meanwhile, in other research, Balachander Krishnamurthy at AT&T Labs Research and Craig E. Wills of Worcester Polytechnic Institute recently discovered hard evidence of what many privacy advocates feared: Tracking data about what pages you click to are increasingly getting commingled with personal information you disclose on popular websites and on the premier social networks in alarming ways.

In one case, the researchers documented how the supplier of a Facebook music-sharing application automatically forwarded Facebook members’ profile information onto a tracking data aggregator.

Facebook spokesman Brandon McCormick says the company strives to prevent such privacy leakages. Facebook requires users to grant explicit permission for any Web app company to access any Facebook profiles. And he says the company strictly forbids app companies from dispersing any Facebook profile information.

“If we find app developers commingling that data or sharing it with other parties, we will kick them off of our platform,” McCormick says.

However, policing the teeming world of Web app development is a gargantuan task, says Michael Fertik, CEO of privacy services firm ReputationDefender.

Tens of thousands of new Web apps get integrated into the top social networks as well as the most visited media, entertainment and shopping websites every day.

Many of the new Web app features, such as ‘like’ buttons and instant polls, are designed expressly to extend tracking systems and feed ever more data about users’ online behaviors to the ad networks and tracking data aggregators. Data routinely get “daisy-chained” together to create individual behavioral profiles, Fertik says.

“These profiles are bought and sold to data brokers, marketers and others and are used to make decisions and judgments about you, without your knowledge, without your consent and without a way to fix inevitable errors.” Fertik says. “That’s what’s scary.”

Responding to such concerns, the Federal Trade Commission late last year called for a “Do Not Track” mechanism that would enable consumers to opt out of being tailed around the Web. The technology is simple and can be quickly added to any Web browser. Users would then be able to check a box configuring their browser to automatically notify every webpage they visit not to track them. The catch: The online advertising industry would have to universally honor Do Not Track requests.

In May, Sen. Jay Rockefeller, D-W.Va., introduced Do Not Track legislation that has gained the backing of privacy groups. Rockefeller’s proposal would help consumers “decide for themselves whether or not they want to share personal information, including their various Internet and mobile Web activities,” says Jeffrey Chester, executive director of the Center for Digital Democracy.

The online advertising industry prefers self-regulation. Attorney Christopher Wolf, a privacy expert at law firm Hogan Lovells, counters that a Do Not Track law “may lead to the Internet economy — one of the few economic bright spots — being shackled.”

‘Trust us’

As this debate intensifies, fresh findings of privacy leaks continue to turn up. Krishnamurthy and Wills recently discovered that when they used the search function on popular health websites to look up information on pancreatic cancer, nine of 10 health sites forwarded their query onto a data aggregator.

Similarly, when they filled out job applications on big-name employment sites, eight of 10 jobs sites zipped that information over to a data aggregator, including the user’s name and e-mail address. In some instances, sensitive health-related search queries and personal information gleaned from job applications were forwarded to the same aggregator.

Wills says it would have been trivial for the data aggregator to correlate the cancer query and the job application data as having certainly come from the same browser, very likely from the same person.

“It is undeniable that data aggregators are getting this sensitive personal information about me,” Wills says. “We have hard evidence in our research that shows they are receiving this information. What they are doing with it, that we don’t know.”

Google, Microsoft, Yahoo, Adobe, AOL, Coremetrics and Quantserve are among the largest data aggregators. They each operate sprawling networks of tracking systems that encompass dozens more smaller, independent ad networks, data analytics firms and tracking services.

Google, reportedly the largest data aggregator, has long taken the public position that its tracking systems use an alphanumeric code to identify and keep track of individual Web browsers, and that it simply does not correlate any personal information to these anonymous browser identifiers.

After reviewing copies of Krishnamurthy and Wills’ research, Google spokesman Rob Shilkin issued a statement: “We’ve never attempted or wanted to use any personal or sensitive information in any URLs provided by a third party, and in fact this very issue is addressed by the comprehensive self-regulatory schemes that we comply with.”

Google has been widely known to scan the contents of Gmail messages to deliver targeted text ads. While some don’t mind, others believe scanning e-mail to deliver more relevant ads is an invasion of privacy. John Simpson, spokesman for the non-profit advocacy group Consumer Watchdog, isn’t convinced the search giant will necessarily stop there.
“Part of the problem is that Google collects and stores tremendous amounts of data about its users,” Simpson says. “The only assurance we have about what Google’s intentions are boils down to ‘Trust us.'”

As college freshmen say goodbye to high school and living under their parents’ roof, they should also shed some of their social media habits.

After using social media for years already, sites like Facebook and Twitter tend to be old news to incoming freshmen who are used to the exposure, but campus newbies might not be aware of the online image they’re projecting when they become part of the college crowd.

“They tend to take it more for granted and are often not taking it as seriously as later generations who know what it’s like not to have a social network or digital identity,” says Gordon Curtis, author of Well Connected. “[Adults might say] ‘I’ve got to be careful of this, I’ve never had so much exposure in my life’, whereas students just entering college grew up with the ability to be so visible.”

The start of college is the perfect time for students to rethink their online profiles and clean up wall posts, comments and photos that are unflattering or don’t jive with the person they want to be.

As college seniors gear up for their last year of school and start their search for jobs, any social media missteps could have long-lasting consequences.

No matter if seniors are planning to enter the job market after graduation or pursue another degree, Lon Safko, author of The Social Media Bible, says it is crucial to preserve professionalism online.

“Those universities and hiring managers are going to be very critical because of the supply and demand and they’re going to be hitting social networks to screen those potential candidates,” says Safko.

According to a 2009 CareerBuilder.com survey, 45% of employers surveyed say they use social media sites to screen candidates, an increase from 22% the previous year.

If they aren’t already, experts say seniors need to join a professional networking site such as LinkedIn. Not only do these sites allow users to follow companies they are interested in working for, they can locate possible connections within a field or sector.

Michael Fertik, CEO of ReputationDefender advises seniors immediately connect with alumni groups and organizations from their college to cultivate relationships with people with common professional and social interests.

“That is part of the network that you’ve earned as a student at that school, so you immediately join and start to interact and find people who are interested in the field you’re interested in,” says Fertik.

Here are expert tips for every college student to follow and maintain a positive online image:

Stay On Top of Privacy Settings. Most social media sites allow users to set their privacy settings based on personal preferences, but according to Curtis, many users don’t realize that those settings can change from time to time, which can catch users off guard and publicize posts that were meant to be private.

“It only takes one bad post or response–anything that has profanity, alcohol, drugs or violence,” he says, to taint a student’s online reputation. “People get lazy and totally forget that their pictures are accessible to their network and anyone can access your network. Think of it in terms of there’s no such thing as a completely closed network and the content within it.”

Safko suggests that students make a personal and a professional page.

“Keep the privacy settings on the personal one really high; 82% of hiring managers use social networks to screen candidates and the other 18% [who say they don’t], lie,” says Safko.

Guilty by Association. Fertik warns students need to be aware of their friends’ behavior and online content just as much as their own, and that people are increasingly looking at students’ social interactions to learn more about them.

Curtis echoes this sentiment and explains that even a clean and professional profile, can be ruined with one bad apple.
“It’s important to set boundaries and to teach or instruct your network on how you prefer to receive information, such as ‘don’t send me anything like that again.”

Don’t Just Play Defense. Even as freshmen, it’s important for students to use social media and professional blog sites as a way to establish their reputation and experiences. Fertik explains that students’ online lives don’t have to revolve around avoiding errors; they can also play offense and create opportunities through what they build online.

“Especially as you advance in your years, you can build a track record that reflects that you care about the things that you care about,” says Fertik. “Create a digital trail that reflects who you are and what you want to be–the smart, future-oriented people are already curating their profiles on the web.”

Safko encourages students to use sites like Twitter and Facebook to express their interests and generate a buzz.

“I would take my Facebook page and talk about the industry that I want to work in,” he says. “I would encourage other people to come and post on my wall and have this interactive conversation so that any time someone looked at my Facebook page, they’d say ‘that’s someone who I’d like to have in our organization—they get it.’”

For students lacking real-world job experience, social media and professional blogging sites are a way to demonstrate their interest in a field.

“If you can blog your own thoughts and your insights, you create something called ‘Google juice’—more and more pages that link keywords in your industry to your name and to your blog’s site,” says Safko. “When a hiring manager looks at your thoughts and ideas, you’re probably going to be the only one out there that has set yourself up as an expert in the industry because the others haven’t quite figured it out.”

The experts also suggest moderating a discussion on LinkedIn and to get involved in groups related to specific industries to catch employers’ attention.

“Being the facilitator of a discussion, by association, you’re beginning to be viewed as a thought leader,” says Curtis. “You are creating a dialogue where the collective intelligence of the group is really valuable.”

Nurture and Manage Accounts. Students should monitor their account every few days to remove any questionable material, update their profile and see what others are saying.

“People do read a book by its cover, and the new cover is your digital cover,” says Curtis.

Hewlett-Packard Co. Vice President Scott McClellan gave away more than his job status when he mentioned the computer maker’s new Web-storage initiative in his profile on LinkedIn Corp., a professional-networking site.

McClellan inadvertently tipped off competitors earlier this year to previously undisclosed details of Hewlett-Packard’s cloud-computing services. The information was later removed, though not before rivals got a look at the plans.

As workers put more information about their lives online through status updates, location check-ins and resume changes, employers are more at risk of competitors watching their every move. Investigators at Kroll Inc., the 40-year-old corporate sleuthing pioneer, are known for scanning deleted computer files and monitoring surveillance cameras to help large companies uncover rivals’ secrets. Now they’re trawling the social Web.

“Social media has become a much more efficient way of getting information that could only be gotten in the past by things like surveillance,” said Kroll Senior Managing Director Rich Plansky.

In a Forrester Research survey last year of more than 150 companies that monitor social media, more than 82 percent said they use this data for competitive intelligence — the most cited reason for the monitoring. With good reason: A single insider’s Twitter Inc. post can be more valuable than a stack of analysts’ research.

“Competitors obviously watch each other in social media just as they have historically monitored each other in the media and in public presentations,” said Shel Israel, an author and consultant on online networks. “Social media is a new data-abundant source that is here to stay.”

PROWLING SOCIAL SITES

Corporate investigators including Kroll, Nardello & Co. and Risk Solutions & Investigations are prowling social sites for oversharing insiders like McClellan. Michael Thacker, a spokesman for Palo Alto, California-based Hewlett-Packard, declined to comment on the matter.

At Kroll, a division of Falls Church, Virginia-based Altegrity Inc., social sites such as LinkedIn, Twitter and Facebook Inc. aid in investigations of employee misconduct, background checks and suspected cases of data breach.

“Who a person’s friends are, what bars they go to, which groups they are interested in, what they look like,” Plansky said. “All of those information sources are a potential gold mine for us in developing intelligence for our clients.”

PLAY-BY-PLAY

When one client asked Kroll to find out how a potential acquisition target got leaked to a competitor, investigators found a series of social media posts in which a member of the client’s mergers-and-acquisitions team publicly discussed doing diligence on a company in a specific city.

“Twitter can give you a play-by-play about a person’s activities,” Plansky said. “‘A lot of these posts are time-and date-stamped.”

For another client, Kroll began building a case against a fired executive by seeing whom in his LinkedIn network he might be sharing trade secrets with, a violation of his termination contract. Plansky declined to name any of Kroll’s customers.

Sean Garrett, a spokesman for San Francisco-based Twitter, said in an e-mail that posts made on Twitter are publicly available. Erin O’Harra, a spokeswoman for Mountain View, California-based LinkedIn, declined to comment.

The amount of data on social networks relevant to corporate investigations may be declining as users get more sophisticated about protecting their online privacy, said Michael Walsh, managing director of London-based Nardello, which gathers intelligence for companies and governments.

‘GLASS HOUSE’

“We will check” social sites, he said, “but it is increasingly becoming less a real source of information because people are becoming all too aware that this is a vulnerable spot for them.”

The people closest to a company’s sensitive information may be the most likely to leak it online, said Abhilash Sonwane, senior vice president of product management at Indian cybersecurity firm Cyberoam. Beginning in June 2010, his firm selected 20 companies and set out to track them across social media sites for several months. For each company, Cyberoam identified all the employees with a profile on LinkedIn, then subscribed to their feeds on Twitter and other sites.

“You can actually feel yourself inside that company — what’s happening, what’s the morale of the employees, how the business is doing, where top management go on vacation, did the CEO have a fight with somebody,” Sonwane said. “It’s a glass house.”

‘EDGY’ BEFORE BANKRUPTCY

At one of the companies, workers began to indicate in their postings that business was slow around October 2010.

“We could sense that they were edgy about something,” Sonwane said. A few months later, a vice president wrote in a LinkedIn status update that he was looking for a new job. When his followers asked why, he responded that the company was about to file for bankruptcy — which it did less than six months later, Sonwane said. He declined to identify any of the companies in the study.

Preventing such leaks can be difficult, said Josh Bernoff, a social-media analyst at Forrester Research.

“Employees will post, regardless of whether the company endorses it or not,” he said. “It is far better to have a policy about what you can and can’t say than to try to stop it.”

ReputationDefender LLC, a Redwood City, California-based service for helping individuals and organizations monitor what’s being said about them online, has been enlisted by one client to track activity related to the company’s top 300 executives. Michael Fertik, Reputation’s chief executive officer, wouldn’t name the client.

MANAGING INTERNET ‘FOOTPRINT’

“Everybody who is in business with you, in a personal, professional, romantic, transactional relationship with you, is looking up information about you, is finding information about you, and then, most importantly, making decisions about what they find about you on the Internet,” Fertik said. “That’s why everybody has a need and obligation to themselves, to their family members, to their shareholders, to manage their footprint on the Internet.”

More and more businesses are going on the offensive, collecting information about their own rivals. That has led companies including Bellevue, Washington-based Visible Technologies LLC to develop tools that detect competitive intelligence on the Web. For about $4,500 a month, Visible’s customers get a dashboard that identifies conversations happening about their industry in blogs, message boards and social sites including Twitter and Facebook.

CORPORATE ALERTS

If there is a conversation with a negative sentiment, such as someone complaining about a rival company’s product, people monitoring the dashboard might intervene and offer a discount on switching to their own product or service.

LinkedIn has added tools to its networking site that send users alerts when competitors hire employees, or when its
executives change roles.

“On LinkedIn, above all other social networks, people are very connected with their employer,” said Edd Dumbill, program chair for Strata Conference, a technology event hosted by O’Reilly Media Inc. focused on the use of online data.

As the generation of workers in their 20s and 30s take more senior roles in organizations, their greater exposure on social sites can make them more prone to investigations, said Steve Vale, a former Kroll managing director who is now a principal at Los Angeles-based Risk Solutions & Investigations.

During a recent background check on someone whose company was being acquired by a private equity firm — a man in his mid-30s — Vale discovered numerous videos and online posts he created that raised additional questions and necessitated extra interviews with him.

“You just wouldn’t believe the amount of social networking this fellow did,” said Vale, who wouldn’t disclose the name of the client or the subject being investigated. “In the end, everybody was fine with it, but it begged a question you would never have posed just a short time ago.”

For better or worse, your digital reputation is your reputation. Every decision about you is going to be determined by a quick Google search, and you won’t have a chance to explain yourself if you don’t have a pristine one. Even if you don’t show up on Google, that just means you’re 10 times more vulnerable. It’s a totally virgin territory on which to get jacked.

Manage it before you have a problem. The mistake that most people make is to think that because you’re a good and decent person, the Internet will think so. The two are not correlated. The accidental architecture of the Web is such that one stray remark can radically change your digital profile. People come to me all the time and say, I never thought I’d have a problem until my kid mentioned my fight with my wife online or someone in my company started saying nasty things about management. So the first thing is to Google yourself. When people search for you, they should see all the terrific things that are true about you or your company. Own a Web page with your own name or your business name in the Web address. Have a tasteful LinkedIn or Twitter account with your name in the user profile. The aim is to occupy the real estate on your search results.

If someone attacks you online, it’s almost always best to ignore it. You only want to respond if the material is very visible and demonstrably false. Otherwise, you risk the Streisand Effect, named for Barbra. In 2003 her lawyer sent a letter to a paparazzo who had photographed her house. It only called attention to the photo. Just don’t respond.

The question comes up all the time among college and graduate school applicants: Are admissions officers looking at me online? Followed by: “Do I need to ‘clean up’ my Facebook profile and Twitter feeds before applying to college, and if so, how?

Might I be denied or accepted based on my online life?

The role of social media in admissions is a two-way street. Most colleges are honest about using Facebook to reach out to students for recruitment. A 2010 Kaplan survey showed 82 percent of undergraduate colleges use Facebook to recruit students, 56 percent use Twitter and 56 percent use YouTube.

For example, the Illinois Institute of Technology invites prospective students to follow the undergraduate admissions Facebook page where they can have questions answered, meet current students, etc. Loyola University says it connects with students through its Facebook pages early in their high school career.

But when it comes to checking out applicants online, the American Association of Collegiate Registrars and Admissions Officers strongly discourages it.

“They might find a perfectly good reason for denying somebody, but we can’t know what it was or how the decision was made,” says associate executive director Barmak Nassirian. “Also, who knows if what was online was true? Accidental facts can become the stuff of prejudicial decision making. Also, not everybody is found online.”

Like or unlike?

A 2011 survey of graduate schools by Kaplan Test Prep reveals not all schools follow this recommendation. According to the survey, 88 percent of the 123 graduate programs surveyed said their admissions officers were forbidden to use social media to make admissions decisions. But of the remaining 12 percent, 29 percent said they had rejected applicants based on something they saw about them online.

When it comes to an admissions officer researching a student online, many schools will not comment or stated it was not part of their admissions process—though not always expressly forbidden.

“There is an ongoing discussion in our profession about this,” says Glenn Hamilton, assistant vice president for undergraduate enrollment at Dominican University. “At Dominican, we are committed to social justice, and we uphold the value of individual privacy. We do not view applicants’ social media presence during the admission process. We feel it does not give an accurate representation of the person.”

North Park University says it generally does not review an applicant’s social media presence. “However, there have been rare instances when, in the judgment of an admissions officer, such a check might be necessary for a specific reason, but those instances are very rare,” says spokesperson John Brooks.

Michael Fertik, CEO of ReputationDefender, a leading online reputation management company, is convinced colleges have been peeking at students on Facebook since the days when it was only on .edu addresses. “The anecdotal information that we collected over time is massive,” he says.

If colleges use Facebook to recruit, why wouldn’t they look at who responds, Fertik asserts.

Granted, Fertik has built a 120-person company around selling services that clean up and protect one’s online reputation. But he notes that ReputationDefender offers some free services that can assist students with internet privacy.

For example, uProtect.it encrypts Facebook messages so that they’re only visible to the friends you choose to see them. You can time stamp messages and pictures so that they’re permanently destroyed at a certain date.

ReputationAlert is a free solution that informs individuals where they appear online. PrivacyDefender allows individuals to better understand and set secure Facebook privacy settings, Fertik says.

For those who want a clean-up service, it starts at $99 and usually takes a few days, depending on the scope of the problem.

“Up until two years ago I used to give tips to do it yourself,” Fertik says. “Now it’s too complex.”

Things typically deleted are postings, messages, photos and other items available to the public that contain references to alcohol, drugs, sexual or racial content, profanity, aggression, etc.

Hamilton says cleaning up one’s Internet profile gets addressed during college planning sessions at high schools.

“One example that I give is having an appropriate e-mail address,” he says. “Create a college admissions and financial aid e-mail account, so that the colleges can use it to communicate with you, then when you get in, close it out.”

Communicating appropriately matters, too. “Texting language is not appropriate in e-mail correspondence with admissions professionals or professors,” he says. “I tell them to be professional. Show us that you can write. Information can get lost in translation, or gives the impression that you are in a hurry and don’t really care about getting in to college. I tell them to use good judgment with pictures and their Facebook page.”

If you are unsure whether your Facebook page might be objectionable, your school counselor should be equipped to advise you on this.

Loyola’s Director of Undergraduate Admission, Lori Greene, says any information applicants share via university-sponsored sites is viewed by any number of different people within a campus community including faculty, staff, administrators, current students, alumni, etc. “Students need to think about who might have access to such sites and how it may be viewed,” she says.

The Kaplan survey also indicated 65 percent of admissions officers considered Facebook friend requests inappropriate coming from applicants, so it’s best not to cross that line, either. Hamilton says this is a big issue among admissions officers. Remember, if you friend someone, they have access to your profile, too. It’s a two way street.