Sarah D. Scalet
Senior Editor

Search Can Be Your Enemy

May 01, 2006 | 5 mins
Data and Information Security, Web Search

After six years of working for CIO and CSO magazines, I think I know something about your jobs, dear readers. This month, I’m going to share a story about mine.

I’ve been reporting a story on the security implications of Google, which will be published in the May issue of CSO. A month or so ago, I was on the phone with Leonard Fuld, who’s known for his work in competitive intelligence, about Google searches I could run to try to find juicy bits of information. Picking on a huge, U.S.-based firm that’s had some financial trouble of late, Fuld suggested searching the Web for Excel spreadsheets that contained this company’s name and something about “finances.”

Later that day, one of several that I spent doing some amateur Google hacking (and sincerely hoping that if my company were monitoring my Web access, my boss’s boss’s boss would understand that yes, sir, this is research), I found a file from a small job-networking group that just didn’t seem like it should be public. It had information on 300 or so executives, some of whom had worked for the company Fuld mentioned. The document didn’t include their names, but it had enough information about titles and past work history that someone could figure out their names. It also included the status of their job hunting—whether they were only networking or “actively searching” for new jobs. It wasn’t exactly the formula for Coke, but it didn’t seem like the kind of thing that people would want made public, either. The exact search and the information it turned up made it into the story, as an example of the interesting things that a targeted Google search can reveal.

Fast forward to last week. My editor was going over the page proofs, and he wanted to know, one, whether the file was still there, and two, whether we oughtn’t give the company hosting it a heads up that we were about to publish instructions on how to find it. We weren’t mentioning the organization by name, mind you. But it seemed like a way of being a good corporate citizen about at least one of the disturbing files I’d uncovered during my research.

I ran the search again, found the website, and shot off a letter to its administrator. An online courtesy call. I included my phone number. You never know.

A few hours later, the phone rang. It was a friendly gent who identified himself as the founder of the firm. He’d received my e-mail and had been puzzling over it. The file, for better or worse, had been put intentionally on the public site, but he thought he’d deleted it years ago. He didn’t understand how I could find it.

I walked him through the search I’d done and another one that revealed the same file. Something about his demeanor made me want to help him. He was sniffling a bit, and he apologized that allergy season was kicking in. He sounded like someone’s grandfather. I tried to explain that he had probably deleted the link to the file, but not the file itself. I told him he needed to look in the file directory instead of the software he was using. That was about where my tech-support abilities ended. It’s a big problem, I said—that’s why we’re running the story.

There was just something so personal about the call, something so real and raw in the way he said that he guessed he’d call his Web hosting company but acknowledged he was likely to be told it was a case of “user error.” He said he put up the site years ago, never thinking that anyone but its members would ever chance across it.

On the other end of the phone was someone who still had faith in security by obscurity. On the other end of the phone was someone who’s not so different from the vast bulk of the people who are turning from consumers of the Internet into participants in it, whether they’re recruiters publishing websites, executives writing reviews of golf courses or teenage girls sharing their cell phone numbers in MySpace.

The problem with the super-connected, Web-centered world we live in is that we have made it easier to share information than to share it right. We’ve made it easier to post information on websites than to take it down. We’ve made it easier to open online accounts than to close them. We’ve made it easier to reveal our mother’s maiden names, our elementary schools, our first pets, our favorite color or our childhood street than to keep track of who knows what information and how long it will stay on servers located who knows where. We’ve made it easier to be fast than good.

I wish my caller luck in figuring out how to remove the information from his website and keep it out of Google. For all of you in corporate America, my wish is that luck won’t be necessary.