I am always surprised at how trusting people are with confidential and “private” data. They send attachments by email, they chat and post updates/pictures through their facebook/blogs/twitter accounts. And yet people are shocked when they hear about identity theft. You are shocked when someone knows your name, birthday, what you look like, what your kids look like, and how much your last raise was at work along with the particulars of the big deal you just closed.
It is very simple actually. We are all leaving a “digital footprint” in everything we do online and on our computers. Just because you delete something doesn’t mean it is gone. I was on the news a few years ago doing an “experiment”. We took 4 computers from the eco depot and I was able to recover data from every one of them including a copy of someone’s will, list of their stocks/jewellery and combination to their safe. This computer had already been “recycled” twice since the original owner gave it away.
While discussing network security with a good colleague of mine, he pointed me to yet another interesting site, pipl.com – go ahead and search your name, you may be in for a surprise on what this digs up about you. Sure enough there are even some newsgroup postings I had made back in the 90s that are showing up along with different projects I have been involved with. Quite enlightening. And there is no way for me to “delete” them, they are out there, probably many copies of the information being archived on different servers.
But I digress…
The reason for this update was to remind and/or increase awareness of something called the US Patriot Act. Why should you care? This is a topic I think about often and bring up when conducting audits of individual and corporate networks. Any data that is routed through the US opens the possibility that it can be intercepted by US authorities. They no longer require a warrant; they can now do it quite simply with something similar to an administrative subpoena, called a national security letter. Along with this goes a gag order, such that the custodian of the information/data being examined/requested is not allowed to tell anyone that this demand has been made.
Many people use Facebook/Twitter, whose data resides on US-based servers. How about where your website is located? Does your website have a private database? Do you maintain information about your clients? How about something as simple as gmail/yahoo/hotmail/msn/googledocs/etc.? Did you know that everything could have already been examined without your knowledge?
Perhaps this is not a big deal for individuals but it is certainly very serious for organizations.
Many clients don’t even know where their data is being stored! We also find that many companies that provide website and email hosting, or even IT support services, resell services offered online by very large hosting providers (typically located in the US). Offsite backups, email accounts, databases, etc. could all be stored on a US-based server without your knowledge, even though you thought you were dealing with a local company.
The US Patriot Act was passed by US Congress following the 9/11 terrorist attacks. Canada also enacted a legislative response called the Anti-terrorism Act.
I would caution you to educate yourselves regarding where your data is stored and transmitted, whether there are privacy concerns that should be investigated and addressed, and to ensure you aren’t violating any laws (such as the privacy act).