New digs

We’ve moved to new digs.  Basically, this is a consolidation of our operations that were previously in two buildings. 

Our new mailing address is:

33 N. Garden Avenue
Suite 1200
Clearwater, FL 33755

The view is beautiful (this image shows the view of the Gulf of Mexico) and the building is quite nice.


A side note:  I am so cheap that instead of buying nice new furniture, we simply bought furniture from the previous tenant and didn’t do any redecorating (I’d rather spend money on R&D than fancy furniture).  However, the previous tenant was some kind of financial services company, and all the furniture and decorations look like something out of a bank lobby.  It’s very high quality, beautiful stuff, but it’s a bit funny to have a high tech company in offices which look like they should be on Wall Street. 

Oh, and did I mention that we’re hiring? 😉

Alex Eckelberry

When third party ad networks place ads inappropriately

I’m sure you’ve seen this in the past — you’re looking at something online and right next to it is an inappropriate advertisement.

Such is what happened Monday in the New York Post.  The Post, which apparently contracts with aQuantive to sell its online advertising inventory, ran the story of the sexual assault and murder of college student Immette St. Guillen.  Unfortunately, in the story online was an advertisement for True.com, which according to Mediapost:

“…in an especially bizarre coincidence, the creative, which carried the tagline “Get Soaked By Love,” featured a young dark-haired woman who physically resembled St. Guillen, staring suggestively at the camera.

…Not all visitors to the site Tuesday were shown the ad. DrivePM used its cookie-based behavioral targeting technology to display the ads to users who met certain criteria. The ad also appeared to be frequency capped, so that the same visitor didn’t receive that ad every time the page loaded. By Tuesday evening, DrivePM had made arrangements to remove the ad from its rotation on the Post’s site.”

True.com was not happy about this:

True.com, which bills itself as an especially safe dating service because it screens all members for a criminal history, said it would not have approved of having an ad accompany this particular story.

“If you’re going to talk about online dating, you just wouldn’t want to associate with someone being raped and murdered,” said Cornell McGee, senior vice president, acquisition marketing at True.com. “You’d think that would be common sense.”

True.com had only been using aQuantive’s DrivePM to place ads for about three weeks, McGee said. He added that True.com would develop a policy to prevent ads from being displayed in stories it considers inappropriate.

MediaPost article link here.

It is a problem with third party ad networks — how do they screen sites and contents to match their advertising?  It’s easy in the print world, because when a newspaper or magazine goes for layout, the content can be made compatible with the advertising (and ad buyers can choose the actual vehicles to advertise in, so that they can match their audience to their product). 

Ben Edelman has written about this problem in the adware space, where children were being exposed to advertising for adware.    

This is a big reason why third party ad networks like tracking cookies — it gives them some way to infer demographics and tastes and hence, display advertising that attempts to match the behavioral characteristics of the viewer (for example, an advertiser can infer that someone who goes to a lot of NASCAR sites might be interested in Ford trucks or Budweiser beer).   However, it’s imperfect because a) many people hate cookies and b) there are privacy concerns and c) it is actually a fairly sloppy way to gauge demographics.

Enter companies like Claria, who promise much better behavioral based advertising with BehaviorLink, a third party ad network that apparently melds adware with advertising on site pages.  That doesn’t seem to make much sense either from a privacy standpoint.

In order to truly allay privacy concerns and ensure compatibility of the advertising message with content, it’s going to require a lot of manual labor.  In this era of automation, that’s going to be a challenging task for ad networks who want to make automation work for them.

Comments?

 

Alex Eckelberry

 

Getting the Jump on TRUSTe

Back in November, we expressed concern over TRUSTe’s plans for its “Trusted Download Program,” which should be going into beta very soon.

At the heart of the “Trusted Download Program” will be a whitelist of adware vendors whose practices satisfy TRUSTe’s requirements for notice, consent, distribution, and uninstallation. According to TRUSTe, this whitelist allows “market incentives” to “promote ethical behavior” among adware vendors seeking certification because the white list “will be used by companies beginning with program sponsors such as Yahoo!, AOL, Computer Associates, CNET Networks and Verizon as a tool to make business decisions about advertising, partnering or distributing software products.” In short, the idea is to dangle economic carrots in front of misbehaving adware companies in order to coax them into improving their naughty practices.

We certainly don’t doubt the attractiveness of this white list to adware vendors, many of whom have been scrambling for any scrap of legitimacy they can lay their hands on — loading up their web sites with empty “privacy pledges” and “certified spyware free” logos while issuing endless self-congratulatory press releases in which they celebrate their own “consumer friendly” self-reforms. Not surprisingly, there are signs that adware vendors are already lining up at the door in order to get white-listed.

Some, it would seem, can’t even wait for the door to open. Last week, UTcontextual, a British company that handles ad campaigns in Britain for a number of adware vendors, jumped the gun and issued a press release in which it announced to the world that…

“the company confirms that all six contracted networks managed by UTcontextual, will strictly adhere to the TRUSTe download program.”

The press release even includes a laudatory quote from a certain “Tony Sullivan of Media Services” who remarked that

“UTcontextual has always delivered ethical advertising opportunities, and it is no surprise that they are first in the UK to publicly back the TRUSTe initiative.”

So just who are these upstanding partners of UTcontextual — partners whose practices have been so sterling that UTcontextual itself has “always delivered ethical advertising opportunities”? They are…

  • Best Offers (aka DirectRevenue)
  • eXact Advertising
  • Hotbar
  • Claria
  • WhenU
  • MetricsDirect (aka 180solutions)

Hardly what one might consider a list of angels, in other words.

DirectRevenue: Although DR has taken substantial steps in the past few months to improve its distribution practices, the company had to be dragged kicking-and-screaming to the point it would even consider serious changes. The subject of a class action lawsuit and well known (in the past) for threatening critics with legal action, DR gained notoriety last year for carpet bombing the internet with its much-hated “Aurora” program (remember nail.exe?).

Exact Advertising: Another well known adware vendor (Bargain Buddy, CashBack Buddy, Navisearch, BullsEye Network), eXact is also the target of a civil lawsuit over its installation and distribution practices.

Hotbar: This company’s poor practices were exposed last year by both Sunbelt and Ben Edelman.

Claria: Although improving its behavior over the past year or so, Claria’s practices still leave much to be desired (link here and here).

WhenU: The same holds true for WhenU, which has implemented significant reforms over the past year and a half, but which still has nagging problems, including several recent documented force-installs (link here and here).

180solutions: 180 has had no end of problems with unethical and illegal installations over the last few years. 2005’s list of bad installs and bad practices is staggering enough. But 180 has already seen several outbreaks of bad installs in 2006, the latest being through a security exploit. Ever optimistic, 180solutions has elsewhere expressed confidence that it will meet the Trusted Download Program’s requirements.

Given the history of this collection of adware vendors, how is it that anyone can claim that UTcontextual has “always delivered ethical advertising opportunities” — the kind of absolute statement which makes it sound like TRUSTe certification is an afterthought at best? And how can the company “confirm” with such certainty that all of its adware partners “will strictly adhere to the TRUSTe download program”? Not only is it TRUSTe’s job to “confirm” that adware vendors adhere to its standards, but to our knowledge TRUSTe hasn’t even initiated the application and certification process.

It’s just this kind of effort to exploit the TRUSTe program for publicity that gives us pause. Certainly TRUSTe cannot itself completely control the PR departments of adware vendors, and we don’t doubt that TRUSTe has anything but the most serious commitment to ensuring that vendors white-listed through the Trusted Download Program actually meet the program’s requirements. (The practical matter of whether TRUSTe can conduct the kind of thorough investigations required to issue and stand behind white-list certifications for adware vendors is another problem that troubles us.)

This press release is evidence, though, that the program is already attracting adware vendors with a long history of poor practices, a legacy installed base in part derived from these poor practices, and a penchant for exploiting any perceived mark of legitimacy. No one should be surprised that the companies most desirous of certification and white listing are those who in many respects least deserve it. A similar phenomenon has plagued TRUSTe’s privacy seal program — sites with TRUSTe privacy seals are more likely to be privacy invasive than those without, as it is the privacy invasive sites that most value the air of legitimacy and consumer friendliness that such a seal confers.

Although TRUSTe has insisted that the Trusted Download Program is not to be a “consumer facing” seal program, we fully expect that any adware vendor white-listed by TRUSTe will wield that certification as a stick against anti-spyware companies such as Sunbelt — an alleged “industry standard” certification with which Sunbelt is out of step should Sunbelt continue targeting that vendor’s adware programs. Thus, it’s worth reminding users, administrators, and adware vendors that even TRUSTe itself recognizes that anti-malware providers are not bound to respect TRUSTe’s own whitelist. TRUSTe’s “Program Requirements” document states:

“For example, TRUSTe understands that some potentially unwanted software applications may reach users’ computers, and that antispyware software will continue to provide a means of detecting and removing software that fails to meet the standards of the anti-spyware industry or the interests of anti-spyware consumers. TRUSTe hopes that antispyware companies will consider the whitelisting of a company as a useful input into their research efforts, but recognizes that antispyware companies may have different valid methods of evaluating programs and may consider additional relevant factors important to their users.” (“Program Requirements,” p. 2)

Moreover, the independence of Sunbelt’s spyware review process is explicitly established within Sunbelt’s Listing Criteria, which state:

“Although Sunbelt Software does consult and review the opinions and judgments of respected industry experts and leaders regarding the software it considers for detection by CounterSpy, Sunbelt is not obligated to agree with those other viewpoints, nor is Sunbelt obligated to recognize and respect third-party seals, logos, certifications, or classifications of any kind. As Sunbelt’s primary obligation is to its own customers, Sunbelt is bound to make its own independent decisions about software detected by CounterSpy.” (Link)

Put another way, despite what we anticipate adware vendors will be saying about the TRUSTe whitelist, Sunbelt will not be basing its targeting decisions on that white list but rather on its own Listing Criteria. We would hope that adware vendors would recognize and respect the independence of Sunbelt’s review process, but we aren’t counting on it.

Eric Howes
Director of Malware Research

Note: this blog entry was updated on March 18 to include 180solutions (MetricsDirect) in the list of adware vendors mentioned in the UTcontextual press release.

Vista: Easier to Upgrade?

It looks as if upgrading from one edition of Windows Vista to another is going to be much easier than ever before, with Microsoft’s Windows Anytime Upgrade feature. This appeared in the latest beta of Vista, and allows you to upgrade from Vista Home Basic to Vista Home Premium or Ultimate editions, to get more features and functionality. Read more about it here.

Is Your Wireless Web Surfing Breaking the Law?

You open up your laptop computer and see three wireless networks displayed as available. You pick one, click Connect, and a few minutes later you’re surfing the Web – on somebody else’s Internet connection. You might be sitting on your front porch, picking up a neighbor’s wi-fi signal, or in a hotel room, connecting to the hotel’s own wireless network or that of a law firm across the street. It’s a common scenario that’s happening all over the country every day.

Most new portable computers, PDAs and even Windows Mobile cell phones come with built in 802.11 wireless network adapters. They’re handy for connecting to the many wireless hotspots that are springing up all over, in airports, restaurants and coffee shops, parks, etc., as well as for connecting to your own home wireless access point. Some of these hotspots are commercial and require you to pay a daily or hourly fee to connect. Some are free, operated by municipal governments and funded by taxpayers or established by businesses to draw in customers. And some aren’t really hotspots at all – at least, not intentionally. They’re private networks set up by companies and individuals who aren’t well versed on computer security and don’t realize they’re leaving themselves open to connections from anyone within a several-hundred-foot range with a wireless-enabled computer.

“War drivers” make a pastime of hunting down unsecured wireless networks and hopping on, wherever they may be. They argue that they aren’t doing anything wrong and aren’t hurting anyone if they just use the bandwidth to Web surf or get their email, and don’t try to access files on the other computers that may be connected to the network. Others disagree, pointing out that the owner of the network is paying for that Internet access and the “free rider” is in effect stealing bandwidth. Who’s right?

We’ve had a lot of questions wanting to know whether connecting to a wireless network that you just “stumble across” is illegal. That’s not an easy question to answer. Some point to federal law, specifically Title 18 of the U.S. Code (Chapter 47, Section 1030). At first glance, it would seem to address the situation by prohibiting unauthorized access to computers, but as you read further, you see that it really only pertains to certain types of networks – those that belong to federal government agencies and departments, financial institutions, or those involved in interstate commerce. While that last one might be interpreted broadly enough to cover connecting to that law firm if it has out-of-state clients, you may be hard pressed to find anything that applies to your next door neighbor’s home network. You can read the federal law yourself here.

State laws vary all across the board, and their language is often even more vague. How do you define “unauthorized access,” anyway? One could reasonably argue that by leaving a wireless network unsecured, you are in effect setting up a public hotspot and issuing an implied invitation to use it. Perhaps this analogy will help: in most jurisdictions you can’t prosecute someone for trespassing if he simply walks across your yard, but if you put up a fence and “no trespassing” sign, then you can because you’ve taken steps to make people aware that you don’t want them there.

Likewise, if you use encryption and require users to authenticate to connect to your network, you’re giving notice that you don’t want any and everyone to connect. But if you leave it open so that all anyone has to do is click the Connect button, you may seem to be saying “come on in.”

Last summer, a man in Florida was arrested on felony charges of unauthorized use of a wireless network when he sat in a parked car and connected to a WAP in another man’s house. The story made big news when it happened but we’ve been trying to find out, with little luck, what the disposition was.

Of course, stealing bandwidth isn’t the only (or biggest) concern. If someone uses your network to commit illegal acts, such as downloading child porn or sending threatening emails or conspiring to commit terrorist acts, you could find yourself the object of police investigations or worse.

What if, despite that risk, you want to share all you have with the world, and choose to deliberately leave your wireless network open so others can share your DSL or cable connection to the Internet? No problem, right? Well, actually, your ISP may not appreciate your generous spirit. While it’s not a criminal offense for you to share, it may very well be a breach of your contract with your ISP for which you could have your service terminated or even be sued. Check the Terms of Service (TOS) before you share. Some providers are okay with sharing.

For example, see Speakeasy’s Wireless Sharing Policy here.

What do you think? Should connecting to a wireless network without permission be a crime, even if it’s left unsecured? After all, you wouldn’t just walk into a stranger’s house just because it was left unlocked.

Or should the responsibility be on network owners to put up a virtual “fence” if they want to keep others out? Do you ever connect to available but “unknown” wireless networks just for fun, or when you can’t get a connection any other way? What about voluntarily sharing your bandwidth? Should that be your right since you pay for the service, or should your ISP have the right to tell you “no?”

Deb Shinder

I wonder if it makes people look better after a few drinks?


There’s this new thing called “BioBouncer”, a facial recognition system for bars.  The whole idea behind it is bars can start to maintain a database of troublemakers, which can be shared with other bars.

Well, this is all rather interesting, isn’t it?  It’s one thing to have a CCTV inside of a bar.  It’s another to start maintaining digital data that is shared with other businesses on their own customers.

In a Wired article, EFF’s Lee Tien makes one point:

Lee Tien, a staff attorney with the Electronic Frontier Foundation, said people may find BioBouncer insulting or invasive. Facial recognition software is notoriously inaccurate, he said, and he is concerned that data-sharing could be used to blackball innocent partiers.

“Think about it: Someone doesn’t like you, your photo gets in there, you walk in someplace and they’re telling you, ‘You’re a troublemaker, you got bounced from that other bar.'”

Bruce Schneier blogs about the subject and has this to say, more related to the creeping aspect of these types of applications:

Anyone want to guess how long that “automatically flushed at the end of each night” will last? This data has enormous value. Insurance companies will want to know if someone was in a bar before a car accident. Employers will want to know if their employees were drinking before work — think airplane pilots. Private investigators will want to know who walked into a bar with whom. The police will want to know all sorts of things. Lots of people will want this data — and they’ll all be willing to pay for it.

And the data will be owned by the bars that collect it. They can choose to erase it, or they can choose to sell it to data aggregators like Acxiom.

It’s rarely the initial application that’s the problem. It’s the follow-on applications. It’s the function creep. Before you know it, everyone will know that they are identified the moment they walk into a commercial building. We will all lose privacy, and liberty, and freedom as a result.

The company is requiring bars that use the service to have a conspicuous sign which includes the following:

  • Presence of BioBouncer
  • Purpose of BioBouncer
  • Patron Consent Agreement
  • Image Collection & Storage Procedures
  • Instructions for Protest
  • Location of Further Information: http://www.biobouncer.com/

Wired article here via Bruce Schneier.

Needless to say, I’m sure you can imagine my feelings about this thing.  I don’t like it one bit.  The signs may go up, people will notice for a while and then forget it’s there.  And you’ve just lost one more part of your freedom.

Alex Eckelberry

(Image from BioBouncer’s website)

Whitepaper on the security considerations of Google Desktop

The IT Security Services crew at the University of Michigan have written a fairly extensive whitepaper on security considerations for Google Desktop.

Unfortunately, it only covers version 2.0, not the new 3.0 — the one which has a number of people quite concerned. (It is important to remember that the feature that’s most disconcerting to folks is Search Across Computers, which is not enabled by default.)

Nevertheless, it’s still a good read and I look forward to an updated version with their comments on 3.0.    

From the whitepaper: 

1. Google Desktop should not be deployed
   a. As part of a “standard build” that is available to all users
   b. On workstations that process sensitive (per SPG 601.12) data
   c. In Terminal Server environments
   d. On workstations that do not follow common security best-practices such as automatic OS updates and automatic AV updates
   e. On workstations that leverage external (non-UM) email or IM services

2. Instead, Google Desktop should only be deployed to individual users on an “as-needed” basis in accordance with the following deployment guidelines:
   a. Disable Google Integration
   b. Disable Network Drive Indexing
   c. Disable Indexing of secure web pages
   d. Disable Indexing of Instant Messages

3. In managed Windows environments
   a. Use the Enterprise version of Google Desktop so that the recommended configuration settings (above) can be enforced via Group Policy.
   b. Be prepared for “zero-days” in the indexer by ensuring that you can centrally disable it.

4. Finally, make users aware of
   a. Google Desktop’s privacy policies and, in particular,
   b. Privacy concerns with Google Desktop Advanced Features

 

Link here (via Martin McKeay).

As always, your comments are welcome.

Alex Eckelberry

 

Using Process Explorer to run as a Limited User

Process Explorer is one of several extremely cool tools made by Windows uber-guru Mark Russinovich. 

In a recent blog posting, he explains how you can use Process Explorer to run specific applications as a Limited User, without the attendant hassles of actually running the entire user session in Limited User mode.

An alternative to running as limited user is to instead run only specific Internet-facing applications as a limited user that are at greater risk of compromise, such as IE and Outlook. Microsoft promises this capability in Windows Vista with Protected-Mode IE and User Account Control (UAC), but you can achieve a form of this today on Windows 2000 and higher with the new limited user execution features of Process Explorer and PsExec.

Process Explorer’s Run as Limited User menu item in the File menu opens a dialog that looks like and acts like the standard Windows Run dialog, but that runs the target process without administrative privileges:

Link here.

Alex Eckelberry

 

Paint that blocks cell phones: Is this a good idea?


There’s this new paint that’s been developed that can dynamically shut off cell phone reception:

“You could use this in a concert hall, allowing cell phones to work before the concert and during breaks, but shutting them down during the performance,” said Michael Riedlinger, president of NaturalNano.

The cell phone guys hate it.  But they have a point:

“We oppose any kind of blocking technology,” said Joe Farren, spokesman for The Wireless Association, the leading cell phone trade group. “What about the young parents whose baby-sitter is trying to call them, or the brain surgeon who needs notification of emergency surgery? These calls need to get through.”

Link here (via Catherine).

Blocking RF as a general practice may have practical uses.  But in the way this is marketed, do you agree with the cell companies or the paint maker?

Alex Eckelberry

Move it offshore — good

Google is moving Google.cn offshore. 

The Mountain View, Calif., company has decided to store search records from the site outside of China in order to prevent that government from being able to access the data without Google’s consent, said Peter Norvig, Google’s director of research, speaking Monday at a panel discussion at Santa Clara University.

All similar types of Internet companies doing business in China should follow the same move. 

Link here via /.

 

Alex Eckelberry

NOTICE:  This Blog contains information that may be indirectly or directly critical to the Chinese Government and hence may be in violation of Chinese Government Law.  If you reside in mainland China, do not read or even allow this blog to enter your thoughts.    

Famous psychiatrist bilked by Nigerian scammers

His son is suing to have his Dad removed from managing the family’s trust.

“A renowned psychiatrist from UC Irvine was duped into squandering at least $1.3 million of his family’s fortune on a Nigeria Internet scam, according to a lawsuit recently filed by his son.

The son, also an Orange County doctor, said his father — Dr. Louis A. Gottschalk — gave as much as $3 million over a 10-year period in response to an Internet plea that promised the doctor a generous cut of a huge sum of cash trapped in African bank accounts in exchange for money advances.”

Link here.

Alex Eckelberry

Italy to censor gambling sites

Only regulated gaming houses will be allowed online. The state is losing too much money in tax revenue.

A few hours ago the recently approved measure forcing Italian internet service providers to block unlicensed online gaming websites entered into force. The censoring method recommended by the [Italian] Amministrazione Autonoma Monopoli di Stato – the State Monopoly Agency – is based upon the redirection of queries to unauthorized websites to a dedicated website by using the ISP DNS systems.

So a country is censoring all traffic to a particular segment of the Internet.  Nuts.

Link here, with a hat tip to Ferg.

Alex Eckelberry

Hotbar ain’t happy

Hotbar founder Oren Dovronsky apparently doesn’t like the company’s settlement with Symantec:

“We don’t understand why they’re vilifying us; it’s just not fair,” said Hotbar founder Oren Dovronsky via the Hebrew news Web site Ynet. “There is no adware company in the market so upstanding as Hotbar.

“Indeed, there is a great confusion of concepts. It’s not at all clear what adware is. If it’s a program that presents advertisements, then there are a lot of programs that need to be included in that category, including MSN Messenger,” Dovronsky said.

Link here.

Alex Eckelberry
(Hat tip to Richard)

 

When it all falls apart, they’ll know who their friends were

Interesting article in The Nation about censorship and technology in China.

This opening paragraph says it all:

Back in the late 1990s, when I was working as a journalist in China, I happened to read Timothy Garton Ash’s The File. It’s a personal account about what happened in East Germany soon after the Berlin Wall fell, when East Germans were suddenly able to access their Stasi police files. As it turned out, secret police informants included neighbors, lovers, spouses and in some cases even people’s own children. One evening over dinner with some Chinese friends, I described the book and asked how they thought things might play out in a post-Communist China. One friend replied: “That day will come in China too. Then I’ll know who my real friends are.” The table fell silent.

Link here via beSpacific.

Alex Eckelberry

NOTICE:  This Blog contains information that may be indirectly or directly critical to the Chinese Government and hence may be in violation of Chinese Government Law.  If you reside in mainland China, do not read or even allow this blog to enter your thoughts!

Two services to deliver RSS feeds to your inbox

In my mind, there’s no better way to read RSS feeds than through your email program.  That’s why I’m a big fan of RSS Popper.  However, it only supports Outlook and Outlook Express.

Steve Bass over at PC World wrote recently about Squeet  — a service which delivers RSS feeds to any email.  If you want to sign up for this blog through Squeet, just click here and enter your email address.

He also mentions another service, Blogarithm, which one of his readers likes because “they will e-mail you daily with a list of what has changed on your favorite blogs, if anything. They give you the top couple of lines, so you can determine if you want to click through and read the rest.”

Sounds like a matter of personal preference. 

A side note:  On this blog are two RSS feeds: FeedBurner and Atom.  You can use either one. 

Alex Eckelberry 

How to Remove Hidden Data from Office Documents

If you use change tracking, how can you be sure that only the final version of the document makes it to the recipient, and that first draft text isn’t still hiding in there somewhere, waiting to embarrass you? All changes should be removed if you click Accept All Changes in the Reviewing toolbar. See more detailed instructions here.

You can also use the Remove Hidden Data utility to get rid of tracked changes and comments in Word XP/2003 documents. Download it here.  

If you don’t quite trust these methods, one sure-fire way to ensure that your document doesn’t include your tracked changes is to convert the Word document to a PDF. You don’t have to buy Acrobat — you can simply use a free PDF tool like CutePDF.

You can also remove metadata from Office documents. This is the information stored with the document that includes such data as the author’s name, organization name, name of the computer on which it was composed or server on which it was stored, template information, hidden text or cells, comments, and other file properties or summary information. For instructions on removing metadata, click here.

Deb Shinder
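One way to verify a file before it goes out, as an added example that is not part of the original post: it audits the later .docx (Office Open XML) format rather than the Word XP/2003 binary format the tools above handle, listing tracked insertions, deletions, comments and identifying metadata. The sample package, author names and function names are constructed for the demonstration.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

# OOXML namespaces (WordprocessingML, package core and extended properties).
W = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
CP = "http://schemas.openxmlformats.org/package/2006/metadata/core-properties"
DC = "http://purl.org/dc/elements/1.1/"
EP = "http://schemas.openxmlformats.org/officeDocument/2006/extended-properties"


def q(ns, tag):
    """Build the '{namespace}tag' form ElementTree uses for qualified names."""
    return "{%s}%s" % (ns, tag)


def parse_part(zf, name):
    """Parse one package part. Cheap guard: refuse parts that declare a DTD,
    which OOXML does not need and which enables entity-expansion tricks."""
    raw = zf.read(name)
    if b"<!DOCTYPE" in raw:
        raise ValueError("unexpected DTD in " + name)
    return ET.fromstring(raw)


def run_text(node, tag):
    """Concatenate the text of every <w:tag> descendant of node."""
    return "".join(t.text or "" for t in node.iter(q(W, tag)))


def audit_docx(data):
    """Return what a recipient could still recover from the .docx bytes."""
    report = {"insertions": [], "deletions": [], "comments": [], "metadata": {}}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = set(zf.namelist())
        body = parse_part(zf, "word/document.xml")
        # Tracked insertions keep their text in <w:t>, deletions in <w:delText>.
        for ins in body.iter(q(W, "ins")):
            report["insertions"].append((ins.get(q(W, "author")), run_text(ins, "t")))
        for dele in body.iter(q(W, "del")):
            report["deletions"].append((dele.get(q(W, "author")), run_text(dele, "delText")))
        if "word/comments.xml" in names:
            for c in parse_part(zf, "word/comments.xml").iter(q(W, "comment")):
                report["comments"].append((c.get(q(W, "author")), run_text(c, "t")))
        fields = (("docProps/core.xml", DC, "creator"),
                  ("docProps/core.xml", CP, "lastModifiedBy"),
                  ("docProps/app.xml", EP, "Company"))
        for part, ns, tag in fields:
            if part in names:
                el = parse_part(zf, part).find(q(ns, tag))
                if el is not None and el.text:
                    report["metadata"][tag] = el.text
    return report


def leaks(report):
    """Names of the report categories that are not empty."""
    return [k for k, v in report.items() if v]


def build_sample_docx(revised=True):
    """Constructed minimal package for the demo (not a file Word would open)."""
    rev = ('<w:del w:id="1" w:author="J. Draft"><w:r><w:delText> (we can go to $120k)'
           '</w:delText></w:r></w:del><w:ins w:id="2" w:author="J. Draft"><w:r>'
           '<w:t>.</w:t></w:r></w:ins>') if revised else ""
    doc = ('<w:document xmlns:w="%s"><w:body><w:p><w:r><w:t>Final offer: $90k</w:t>'
           '</w:r>%s</w:p></w:body></w:document>') % (W, rev)
    parts = {"word/document.xml": doc}
    if revised:
        parts["word/comments.xml"] = (
            '<w:comments xmlns:w="%s"><w:comment w:id="0" w:author="Boss"><w:p><w:r>'
            '<w:t>Do not let the client see this</w:t></w:r></w:p></w:comment>'
            '</w:comments>') % W
        parts["docProps/core.xml"] = (
            '<cp:coreProperties xmlns:cp="%s" xmlns:dc="%s"><dc:creator>jdraft'
            '</dc:creator><cp:lastModifiedBy>Boss</cp:lastModifiedBy>'
            '</cp:coreProperties>') % (CP, DC)
        parts["docProps/app.xml"] = (
            '<Properties xmlns="%s"><Company>Example Corp</Company></Properties>') % EP
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, xml in parts.items():
            zf.writestr(name, xml)
    return buf.getvalue()


if __name__ == "__main__":
    found = audit_docx(build_sample_docx())
    for category in leaks(found):
        print(category, "->", found[category])
```

An empty result from `leaks()` covers only the categories checked here; hidden text, embedded objects and custom properties would need their own checks.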

A False Sense of Security?

As privacy becomes more and more of an issue for computer users, many turn to encryption software to protect confidential documents and email messages. There are advantages and disadvantages to encrypting your data, including how just the fact that a file is encrypted may be a red flag that attracts hackers, who have reason to believe the data must be valuable (or at least titillating) since you went to the trouble to try to keep its contents secret.

But the bigger question may be whether encryption really protects your information at all, or just provides a false sense of security. That may depend on who it is that you’re trying to keep out. Certainly a good encryption program will help prevent snooping by co-workers, family members or casual hackers. But if you’re worried about keeping the government from knowing your secrets, will encryption do the job?

Earlier this month, Vnunet.com’s News section ran a story suggesting that Microsoft “may” begin training police agencies to crack the encryption technology in Vista, the desktop operating system slated to replace Windows XP when it’s released later this year. This speculation was based on talk in a U.K. parliamentary committee meeting. 

A lot of folks are up in arms over this possibility, perhaps not realizing that computer forensics is already a big and growing subspecialty for officers of both local and national law enforcement agencies all over the world. Training has existed for years, designed to teach government agents how to decrypt encrypted data regardless of the operating system, and how to discover incriminating data that’s been deliberately hidden on computers or left there inadvertently, even when users think they’ve erased it by deleting files or formatting disks.

Many believe that the National Security Agency (NSA) has the ability to decrypt any existing encryption. Of course, the federal government doesn’t publicly confirm or deny this, but reports surface regularly of deals made by those who make encryption software and devices to provide a “back door” to which the NSA has the keys. For instance, in 1999 a story came out that Swiss company Crypto AG had built a back door for the NSA into their encryption devices and it was being used to decrypt messages of foreign governments containing military secrets and other sensitive information.

Many experts agree that the next stage in computer technology will be quantum computing, machines based on quantum physics that will allow for computers that are orders of magnitude faster and more powerful than today’s supercomputers. Such technology would render all of today’s encryption methods easily breakable (and would also result in new, far stronger encryption solutions). Some believe the NSA or some other secret government organization has already built such machines. Whether they already exist or not, it’s a good bet that governments with vast financial resources will have access to them first (and maybe exclusively).

Some folks don’t see anything wrong with any of this. They believe that the military and law enforcement need to have every tool possible to fight crime and terrorism, and that those who have nothing to hide won’t mind that their secrets can be probed whenever the government wants. Others are appalled at the idea that “Big Brother” can read their encrypted email, even if there’s nothing incriminating in it.

But you don’t have to be encrypting your data to have a false sense of security. Many computer users still think that when they delete a file, it’s gone from their hard disk. That’s not true, and that’s why File Recovery programs work. These programs have been lifesavers for many who have accidentally deleted their homework or the Great American Novel they’re writing, but have also proven to be a source of chagrin for people from pedophiles to cheating spouses who’ve thought they disposed of the evidence only to have it come back and haunt them. Even reformatting your disk doesn’t get rid of the data. To do that, you can use an overwrite program that will write random characters to your disk over the “deleted” data, use a strong magnet to wipe all the data off the disk, or physically destroy the disk. Even if you do one of these, remember that copies of your document or email message may still be residing on one or more servers somewhere.

Features in some applications have also resulted in embarrassment to those who don’t understand how they work. For example, many companies use the Track Changes feature in Microsoft Word when collaborating on or editing documents. Depending on Word’s settings, those changes may or may not be displayed. More than once, edited documents have been sent with the edits still available to be viewed by the recipient when this was not what was desired. For an example of this, see another Vnunet.com article here.

Have you been operating with a false sense of security? Or do you even bother to try to protect the privacy of your data? Should the government and law enforcement officers have access to “back doors” in software to allow them to decrypt information if they need to in investigating criminal activity? Should they be required to get a warrant first, or would that prevent them from being able to effectively protect the public? Is encryption that can be cracked worthless, or should we look at it as analogous to locks on our doors – a deterrent, but not something that’s expected to keep a really determined intruder out? Let us know what you think.

Deb Shinder