Privacy alert: 10 biggest threats of 2010

2010 could go on record as the year the privacy mess hit the proverbial fan.

Companies such as Apple, AT&T, Facebook, and Google all got nailed for sharing users’ personal data in big ways, accidentally or otherwise. Police officers were caught tracking people’s movements via cell phones, while Web advertisers tracked surfers’ virtual movements via hard-to-kill cookies. Schools spied on their students, mobile apps spied on their owners, and the feds caught heat for getting a little too personal with their security searches.

But the biggest privacy headlines of 2010 weren’t necessarily the biggest threats, while some lesser-known incidents had far more serious implications. How dangerous are these privacy issues to you? In this rundown, we use the Department of Homeland Security’s threat level system to rate the threats, and we provide suggestions on how you can protect yourself.

Be careful out there.

1. Google’s Wi-Fi Spying

Threat Level: GREEN

Google’s Wi-Fi spying debacle didn’t start out evil. By using its Street View vans to map out open Wi-Fi networks, Google could provide better location data to mobile users. If you use Google Maps from your phone, it could employ nearby wireless networks to determine where you are, no GPS required.

The problem: Besides the Wi-Fi network’s name and location, Google’s Street View vans were accidentally slurping up unencrypted data–including user passwords and e-mail messages. Over three years, Google gathered 600GB of extra data in more than 30 countries, resulting in international sanctions, civil lawsuits, and an FCC probe.

Even so, the impact on average consumers is minimal, says Peter Eckersley, senior staff technologist for the Electronic Frontier Foundation. You’re in greater danger of being spied on by nosy neighbors or creeps parked outside your house.

The solution: Password-protect your wireless network (duh) and use encrypted HTTPS connections to browse the Web when possible (see item #3 below).

2. The iPad E-Mail Leak

Threat Level: GREEN

If you bought one of the first Apple 3G iPads, an obscure security group may have purloined your e-mail address.

Last June, Goatse Security exploited a hole in AT&T’s Website that displayed an iPad owner’s e-mail address when it encountered an HTTP request containing that user’s ID number. Goatse flooded AT&T.com with URLs containing random 20-digit numbers and collected 114,000 e-mail addresses of iPad owners. It then shared a few of them with Gawker.

The good news? The Goatse hack didn’t reveal passwords, so the group couldn’t access information beyond your name. And you’re in select company–ABC’s Diane Sawyer, New York Mayor Michael Bloomberg, and top government and military officials also had their addresses stolen.

The solution: None needed. AT&T quickly closed the hole–and if a spammer wants your e-mail address, there are easier ways to get it. So is the iPad magical and life-changing yet?

3. Facebook Wi-Fi-Jacking

Threat Level: YELLOW

Updating your Facebook status from a Wi-Fi café? A stranger can log in to your account and pretend to be you. Blame Firesheep, a free Firefox plug-in that captures login cookies as they fly by unencrypted. Programmer Eric Butler wrote the program to demonstrate how much data people send “in the clear” without realizing it. Using Firesheep, a hijacker can access your account on Facebook, Twitter, and two dozen other sites. Any information you thought was private now isn’t. Feeling naked yet?

The failure of sites such as Facebook and Twitter to require secure logins is “an enormous privacy problem,” says the EFF’s Eckersley. “Google demonstrated this could be done on a colossal scale at minimal cost with Gmail. Now we need to get the rest of them to do that.”

The solution: Use EFF and the Tor Project’s HTTPS Everywhere plug-in for Firefox to force sites to use SSL encryption if available. And don’t log in to sites containing sensitive info from a public network.

4. ‘Naked’ Security Scans

Threat Level: BLUE

If Firesheep doesn’t make you feel naked, passing through airport security might. Major U.S. airports and federal buildings are deploying body scanners that can peer through clothing, rendering you virtually nude to security guards viewing the scan.

It gets worse. Last August, the U.S. Marshals Service in Orlando, Florida, admitted to storing some 35,000 body scans it was supposed to have destroyed. Naturally, some of those found their way onto the Net.

The Electronic Privacy Information Center filed suit against the Department of Homeland Security, attempting to keep airports from deploying the machines. A wave of protest ensued, including everybody from ordinary people to members of the Allied Pilots and U.S. Travel Associations.

The solution: In lieu of a scan, you can opt for an “If you touch me there, you’d better buy me dinner and a movie first” full-body frisk. But we don’t think you’ll feel any less violated.

5. Mobile Malware

Threat Level: YELLOW

The smartphone in your pocket is catnip to malware authors, yet mobile security is barely on most people’s radar, says Winn Schwartau, chairman of security vendor Mobile Active Defense.

Kaspersky Lab identified the first malware known to target Android phones last August, and rogue code targeting jailbroken iPhones and iPads has been available for over a year. Schwartau agrees with estimates that 20 percent of all Android and iPhone apps may be infected.

“Mobile apps are the best hostile-code delivery system ever invented,” Schwartau says. “The entire mobile space is in chaos.”

The solution: Before you install a new app, do some sleuthing to suss out potential red flags; avoid apps from unfamiliar vendors or sites. “Install Gotcha 1.0 from Bob’s App Store?” says Schwartau. “I don’t think so.”

6. Facebook’s ID Giveaway

Threat Level: ORANGE

Facebook is often rightly accused of playing fast and loose with its 500 million members’ data. But perhaps the site’s worst privacy breach of 2010 was when Facebook and its biggest apps revealed user identities to advertisers and data brokers.

When users clicked ads on Facebook, Web links sent to advertisers contained unique IDs that could be traced back to the users’ public profiles–giving the advertisers access to detailed information about a user’s religion, politics, sexual preferences, and more. In other cases, app makers simply sold the user IDs to brokers.

EFF’s Peter Eckersley says using Facebook IDs to extract personally identifiable information is easy for data brokers. “Tracking people is what they do,” he says. “If they’re sitting on a gold mine of data, they’re going to dig for gold.”

The solution: Use Facebook’s privacy controls to keep your public profile sparse, and opt out of data-broker databases when possible.

7. Cell Phone Tracking

Threat Level: ORANGE

Geolocation services such as Facebook Places, Foursquare, and Gowalla let you tell the world what you’re doing and where you’re doing it, but they’re voluntary. Other people may be tracking you in secret, thanks to that homing beacon in your pocket.

In September, a federal appeals court in Philadelphia ruled that law enforcement officials do not have to obtain a search warrant before obtaining location data, though a judge may still request one. (Conversely, last August the U.S. Court of Appeals for the District of Columbia ruled that a warrant is required before the feds can put a GPS tracking device on your car.) Until the Supreme Court issues a ruling or Congress enacts laws making location privacy a priority, the rules will vary depending on your location (appropriately enough). Meanwhile, private businesses can use your location data as they wish.

The solution: Turn off all of your handset’s wireless antennas when you feel the urge to roam free.

8. Webcam Watchers

Threat Level: GREEN

A high school in southeastern Pennsylvania achieved international infamy after it used school-supplied laptops to secretly spy on students. Harriton High officials admitted that the school remotely operated Webcams on the district’s 2400 MacBooks as an antitheft feature, capturing more than 50,000 images of students over three years.

A major kerfuffle erupted. Families sued the school district, prosecutors investigated, and the U.S. Senate held hearings. Tales of remote Webcam spying in other schools came to light. But an investigation failed to find criminal wrongdoing; the district agreed to stop remotely spying and settled the suits for $610,000.

Could this happen to you? Possibly. Any malware that can take control of your system can be used to operate a Webcam remotely. But only a handful of Webcam spy cases have ever been prosecuted.

The solution: High schoolers foiled the cams by disabling them or putting tape over the lenses when they weren’t in use; you can too.

9. Zombie Cookies

Threat Level: ORANGE

Don’t want online ad companies shadowing you across the Web? Simply delete their browser tracking cookies, and you’re free to wander. Right? Wrong. Web advertisers have found a way to follow you anyway, using Adobe Flash cookies that automatically respawn after you delete them–hence their nickname, zombie cookies.

Last summer, privacy attorney Joseph Malley filed class-action suits against ABC, Disney, MTV, NBC, and their advertising partners, charging them with violating federal privacy and computer security laws via Flash cookies.

The solution: You can use Adobe’s occasionally flaky Settings Manager, the Firefox plug-in BetterPrivacy, or CCleaner to nuke those zombies. The problem? Sites such as Pandora Radio and YouTube rely on Flash cookies–which can store up to 100KB of data–to improve media playback, and they may not work without them. So choose your undead victims with care.

10. Criminal Stupidity

Threat Level: RED

For years we’ve been told that online-privacy policies will protect our rights. Now it seems that many of those policies are not worth the paper they’re not printed on.

Google flatly denied that it was slurping data off Wi-Fi networks–until the German government told it to check again. Facebook said it had no idea it was sharing user IDs with advertisers–until the Wall Street Journal pointed it out. Body scans weren’t supposed to be retained; Webcams weren’t supposed to capture teenagers in their bedrooms. Some of the biggest companies on the Web failed to play by their own rules, and didn’t even realize it.

But Mobile Active Defense’s Winn Schwartau says consumers are equally to blame–for clicking on spam and failing to protect their data, for sharing too much and caring too little.

“The biggest problem is criminal stupidity,” he says. “If people follow basic security practices–secure their connections, pick reasonable passwords–they’ll be in much better shape.”

The solution: You’re reading this article. That’s a start.

PCWorld Contributing Editor Dan Tynan’s personal threat level ranges from robin’s egg blue to burnt umber, depending on his mood. Catch his snarkier side at eSarcasm (Geek Humor Gone Wild) or follow him on Twitter: @Tynan_on_Tech.