Dot Compost and the Danger to Your Privacy

I've been prowling eBay lately. Lots of
good deals can be had these days, especially in used computer
equipment. As the dot coms die, their assets may be sold by their
secured creditors (banks, leasing companies and sometimes
investors). That means lots of slightly used computers end up on
their hands, but they are not in the hardware business. So they use
liquidators to sell the machines quickly to recoup some of their
investment dollars.These machines were used previously as everything from web
servers to mail servers, intranet servers to desktops. On any given
day, hundreds of computers and used hard disks are on sale on eBay
from these liquidation firms. I recently bought two computers this
way, and the savings was immense; I paid about 25% of the price I
would have paid if I bought them new.But this story isn't about the great deals to be had on eBay.
Instead, it's about the fact that inside each of these computers
were things both disturbing and frightening. What I found should
make consumers, policymakers, CEOs and banks sit up and take
notice: a serious threat to privacy and a serious legal liability
for companies, their management teams and their creditors.The first thing I did when I received the computers was turn
them on; this is the simplest way to make sure nothing was damaged
during shipment. What surprised me was that not only did the
machines power up, but each soon presented me with an interesting
sight: a Windows login prompt. This was surprising because I didn't
pay for the operating system that the computer came with, nor did I
receive a licensed copy of Windows with the computer. Obviously,
something was afoot, and I had a sneaking suspicion more was on my
new computers than just the operating system.I pulled out my Linuxcare Bootable Business Card, a disk I
helped develop that I often use when doing forensics of unknown
systems. It's a utility that allows me to quickly and easily bypass
the operating system and retrieve data, a task critical for
performing data recovery of corrupted systems or for performing
forensic analysis of systems that have been compromised by
intruders. Within 45 seconds I was looking at the data on the
computer's hard drive, and what I saw shocked me. It turns out that
the first computer I bought used to be the main e-mail server for a
highly visible startup. I won't mention the company's name because
it is irrelevant, and I see no need to subject their former
employees and customers to potential humiliation, liability, data
loss and privacy loss. This company was not a minor player,
however. Its investors included Intel, and one of the firm's
premier customers was, ironically, eBay.Because the computer was used as an e-mail server, it also
contained a company employee directory that included names, phone
numbers and, in some cases, home addresses. I only looked at six
e-mail messages on the server, but six were enough. One message was
addressed to a senior executive at the firm and sent from
(presumably) his new employer. It discussed business plans and his
requests for stock in the new firm. Another message sent shivers
down my spine; it was from Wells Fargo Bank to someone at the firm,
and it contained private banking information. In its e-mail, the
bank tried to provide a layer of privacy protection to its client,
but enough was revealed that I could theoretically impersonate that
person to the bank.At that point, I stopped looking around; I didn't want to see
anything else. I only hope that there wasn't any other personally
identifiable information on that server--like social security
numbers.I turned to the other computer. Using the same process, I
brought up its data. In one directory sat a report on a promotion
that this company had sponsored with eBay, their largest client. In
another directory I found a whole array of copies of software CDs,
ranging from web publishing software to databases to games for
Nintendo Gameboys. In a third directory was an assortment of
"warez", illegally cracked software spread through the computer
underground. All in all, there was at least $10,000 worth of
illicit software and license keys on the system. The liability
involved in having and using this software was pretty big--this was
a cracker's paradise.The worst was yet to come. On another directory was data for
nine illegally copied movies ranging from new releases, such as
Tomb Raider and Enemy At The
Gates, to pornography. I'm a pretty liberal guy and my
philosophy is "to each his own", but I draw the line when you bring
it into the workplace.First of all, it is troubling to see the extent of illegal
activities that were going on at this company. I sincerely hope
that the unprofessional conduct that resulted in the accumulation
of software and videos did not reflect itself in a hostile work
environment. The larger issues, though, are ones of privacy and
liability. The first and largest mistake the company, bank and
liquidator made was to treat the computer systems as physical
assets only; that is, they viewed them purely as pieces of
hardware. They forgot that significant assets and liabilities
existed in the computers and in the information on the hard disks.
This information included intellectual property such as the eBay
customer reports, which I'm sure the company (and eBay) wanted kept
confidential. It also came in the form of the employee directory
and all the associated personally identifiable information, which
could be used by recruiters or competitors to snare former
employees or by thieves to commit fraud or identity theft.On a larger scale, my experience raises the question, "How
much of your personal information has been sold as part of
liquidation sales?" This is not an issue limited to a single
company, but one that should concern all former employees of the
dot-com failures, as well as their investors, lenders, partners and
customers. A study released in July by the Denver, Colorado-based
Privacy Foundation found that over one-third of US employees doing
business on-line, some 14 million people, have their internet and
e-mail usage monitored on a continuous basis. In addition,
practically all of the web sites that require registration collect
personal information. All that information is stored on computers
like the ones I bought on eBay.Fortunately, there are some simple solutions for these
problems. First, all computers should be wiped clean before being
part of a liquidation sale. It is in everyone's best interest to
run a big magnet over the hard drives of computers before putting
them up for auction. In addition, there should be clear legal
consequences for organizations that do not follow these procedures
and end up breaching the privacy of innocent third parties.
Individual consumers have little protection here before-the-fact,
and because most companies who go out of business do not advertise
the fact, individuals also may have little protection after the
fact. In addition, everyone should take a few common-sense
precautions: never give out your social security number; limit the
sharing of private information on the web sites that you frequent;
and sign up for the privacy protection services offered by the
major credit card companies.In the meantime, privacy problems continue to surface. This
spring, student journalists at the Southern Polytechnic University
in Marietta found 3,187 pages of personal information covering
thousands of students attending Georgia schools. The information
was available on the search engine Google.com from April until
June. Even large internet companies suffer from these types of
problems. This April, ZDNet reported that the security of user IDs
and passwords isn't consistent for eBay and Yahoo users who access
those sites from shared networks--the kinds of networks most
commonly deployed in businesses--making it easy to steal auction
user IDs and passwords. I just hope that they stay in business; I'd
hate to see eBay's computers up on an auction site
somewhere.Dave Sifry cofounded
Linuxcare and currently is cofounder and CTO of
Sputnik.