Dot Compost and the Danger to Your Privacy

by Dave Sifry

I've been prowling eBay lately. Lots of good deals can be had these days, especially in used computer equipment. As the dot coms die, their assets may be sold by their secured creditors (banks, leasing companies and sometimes investors). That means lots of slightly used computers end up on their hands, but they are not in the hardware business. So they use liquidators to sell the machines quickly to recoup some of their investment dollars.

These machines were used previously as everything from web servers to mail servers, intranet servers to desktops. On any given day, hundreds of computers and used hard disks are on sale on eBay from these liquidation firms. I recently bought two computers this way, and the savings was immense; I paid about 25% of the price I would have paid if I bought them new.

But this story isn't about the great deals to be had on eBay. Instead, it's about the fact that inside each of these computers were things both disturbing and frightening. What I found should make consumers, policymakers, CEOs and banks sit up and take notice: a serious threat to privacy and a serious legal liability for companies, their management teams and their creditors.

The first thing I did when I received the computers was turn them on; this is the simplest way to make sure nothing was damaged during shipment. What surprised me was that not only did the machines power up, but each soon presented me with an interesting sight: a Windows login prompt. This was surprising because I didn't pay for the operating system that the computer came with, nor did I receive a licensed copy of Windows with the computer. Obviously, something was afoot, and I had a sneaking suspicion more was on my new computers than just the operating system.

I pulled out my Linuxcare Bootable Business Card, a disk I helped develop that I often use when doing forensics of unknown systems. It's a utility that allows me to quickly and easily bypass the operating system and retrieve data, a task critical for performing data recovery of corrupted systems or for performing forensic analysis of systems that have been compromised by intruders. Within 45 seconds I was looking at the data on the computer's hard drive, and what I saw shocked me. It turns out that the first computer I bought used to be the main e-mail server for a highly visible startup. I won't mention the company's name because it is irrelevant, and I see no need to subject their former employees and customers to potential humiliation, liability, data loss and privacy loss. This company was not a minor player, however. Its investors included Intel, and one of the firm's premier customers was, ironically, eBay.

Because the computer was used as an e-mail server, it also contained a company employee directory that included names, phone numbers and, in some cases, home addresses. I only looked at six e-mail messages on the server, but six were enough. One message was addressed to a senior executive at the firm and sent from (presumably) his new employer. It discussed business plans and his requests for stock in the new firm. Another message sent shivers down my spine; it was from Wells Fargo Bank to someone at the firm, and it contained private banking information. In its e-mail, the bank tried to provide a layer of privacy protection to its client, but enough was revealed that I could theoretically impersonate that person to the bank.

At that point, I stopped looking around; I didn't want to see anything else. I only hope that there wasn't any other personally identifiable information on that server--like social security numbers.

I turned to the other computer. Using the same process, I brought up its data. In one directory sat a report on a promotion that this company had sponsored with eBay, their largest client. In another directory I found a whole array of copies of software CDs, ranging from web publishing software to databases to games for Nintendo Gameboys. In a third directory was an assortment of "warez", illegally cracked software spread through the computer underground. All in all, there was at least $10,000 worth of illicit software and license keys on the system. The liability involved in having and using this software was pretty big--this was a cracker's paradise.

The worst was yet to come. On another directory was data for nine illegally copied movies ranging from new releases, such as Tomb Raider and Enemy At The Gates, to pornography. I'm a pretty liberal guy and my philosophy is "to each his own", but I draw the line when you bring it into the workplace.

First of all, it is troubling to see the extent of illegal activities that were going on at this company. I sincerely hope that the unprofessional conduct that resulted in the accumulation of software and videos did not reflect itself in a hostile work environment. The larger issues, though, are ones of privacy and liability. The first and largest mistake the company, bank and liquidator made was to treat the computer systems as physical assets only; that is, they viewed them purely as pieces of hardware. They forgot that significant assets and liabilities existed in the computers and in the information on the hard disks. This information included intellectual property such as the eBay customer reports, which I'm sure the company (and eBay) wanted kept confidential. It also came in the form of the employee directory and all the associated personally identifiable information, which could be used by recruiters or competitors to snare former employees or by thieves to commit fraud or identity theft.

On a larger scale, my experience raises the question, "How much of your personal information has been sold as part of liquidation sales?" This is not an issue limited to a single company, but one that should concern all former employees of the dot-com failures, as well as their investors, lenders, partners and customers. A study released in July by the Denver, Colorado-based Privacy Foundation found that over one-third of US employees doing business on-line, some 14 million people, have their internet and e-mail usage monitored on a continuous basis. In addition, practically all of the web sites that require registration collect personal information. All that information is stored on computers like the ones I bought on eBay.

Fortunately, there are some simple solutions for these problems. First, all computers should be wiped clean before being part of a liquidation sale. It is in everyone's best interest to run a big magnet over the hard drives of computers before putting them up for auction. In addition, there should be clear legal consequences for organizations that do not follow these procedures and end up breaching the privacy of innocent third parties. Individual consumers have little protection here before-the-fact, and because most companies who go out of business do not advertise the fact, individuals also may have little protection after the fact. In addition, everyone should take a few common-sense precautions: never give out your social security number; limit the sharing of private information on the web sites that you frequent; and sign up for the privacy protection services offered by the major credit card companies.

In the meantime, privacy problems continue to surface. This spring, student journalists at the Southern Polytechnic University in Marietta found 3,187 pages of personal information covering thousands of students attending Georgia schools. The information was available on the search engine Google.com from April until June. Even large internet companies suffer from these types of problems. This April, ZDNet reported that the security of user IDs and passwords isn't consistent for eBay and Yahoo users who access those sites from shared networks--the kinds of networks most commonly deployed in businesses--making it easy to steal auction user IDs and passwords. I just hope that they stay in business; I'd hate to see eBay's computers up on an auction site somewhere.

Dave Sifry cofounded Linuxcare and currently is cofounder and CTO of Sputnik.

Load Disqus comments