Frequently Asked Questions about Online Privacy

This FAQ is an addendum to our Fact Sheet 18 on Internet privacy.
www.privacyrights.org/fs/fs18-cyb.htm  It provides answers to questions that we are often asked by individuals who contact us concerning online privacy and safety.

Contents:

1. I have found my name and personal information on the Internet at sites like ZabaSearch and Intelius. I am worried about identity theft. How can I get my information removed from all of these sites?
2. My boss said he would begin monitoring my e-mail and Internet use. Is this legal?
3. Can my boss monitor my computer at work?
4. I get a lot of e-mails from banks and credit card companies asking me to verify my information. I do not even have accounts with some of these companies. What is going on?
5. Someone is pretending to be me on MySpace, or on Match.com or another social networking Internet site and is saying hurtful things. What can I do?  How can I make this stop?
6. What can I do to protect my computer from spyware, viruses and hackers?
7. Are wireless networks safe?
8. I have heard about programs that allow you to anonymously surf the Internet. How do they work?
9. How can I be sure that my e-mail has been deleted from my computer?
10. Someone is saying offensive things about me on the Internet. When I type my name into an Internet search engine, my name comes up connected to porn sites. How can I get this information removed?
11. I am interested in a job that I saw posted on the Internet. They gave me the job requirements and duties that I would be doing if hired, but one of the requirements said that I had to open a bank account to receive my salaries and to issue out payroll to clients or to transfer funds. I want to work at home for this company but need to make sure they are legitimate.
12. I keep getting e-mail messages from foreign countries telling me about the death of a person and asking me to pretend that I am next of kin so that I would receive a large sum of money. Where should I report these e-mails?
13. Is there a law prohibiting the posting of vital statistics (such as date of birth, place of birth, place of death) of living or deceased people on genealogy Web sites?
14. What is “behavioral targeting” and what can I do about it?
15. What is “Google Hacking” and what can be done about it?

There is no one simple way to have your information entirely removed from all of the information broker sites.  Most of the personal information found on these sites is compiled from publicly available sources, such as the White Pages and from the public records of government agencies.

Once your personal information has been recorded in public records, there is no effective way to permanently or completely remove it (for example, birth certificate, marriage license, home ownership documents, court records, and in some states voter registration, etc.).

Our Fact Sheet about public records explains how and why all these companies can (and do) access your information: www.privacyrights.org/fs/fs11-pub.htm

You might want to review our entire listing of some of the larger online information resellers and contact each one individually to attempt to opt-out of those that permit it.  Here is a direct link to this information on our Web site: www.privacyrights.org/ar/infobrokers.htm

Even if you request removal from the information resellers' sites, they regularly refresh their data and it will reappear when they purchase the next batch of public records. It is a problem that we have been receiving complaints about for quite some time.

We encourage you to contact your elected officials and also the Federal Trade Commission (FTC) to complain about these practices of having your personal information available online, and the fact that you have little or no control. You can go to the FTC Web site at www.ftc.gov, and click on the "complaint" box at the top of the page.

Caution: As part of the request for removal, the information broker Web site may ask you for personal information to “verify” your identity. Do not give them information that they do not already have, especially your Social Security number. There is some speculation that these companies are compiling this information in a separate database. We have not been able to confirm this.

Some sites do acknowledge that they will retain the information in a separate database and that their privacy policy is subject to change (meaning that it could later be re-entered or used in ways you might not agree to).  But, if an online information broker has a written policy allowing you to opt out and it does not comply with its own policy, be sure to complain to the FTC.  This can be considered a “deceptive business practice.”

It's always a good idea to include an actual printout of the entries you are asking to be deleted from.  Be sure to follow-up by checking the site after a few weeks to be sure the information has been removed. 

Probably. We are not lawyers. In short, you do not generally have an expectation of privacy in the workplace. The National Workrights Institute provides a more detailed legal analysis, available at www.workrights.org/issue_electronic/em_common_law.html#question

Please also review our Fact Sheet 7 that covers workplace privacy: www.privacyrights.org/fs/fs7-work.htm

3. Can my boss monitor my computer at work?

Probably. We are not lawyers. In short, you do not generally have an expectation of privacy in the workplace. The National Workrights Institute provides a more detailed legal analysis, available at www.workrights.org/issue_electronic/em_common_law.html#question

Please also review our Fact Sheet 7 that covers Workplace Privacy: www.privacyrights.org/fs/fs7-work.htm

E-mail messages that pose as legitimate companies and request personal information are known as “phishing” e-mails.  Often, these e-mails ask recipients to update their credit card information or their account will be promptly terminated. Or the message offers a service to protect their credit cards from possible fraud.  The fraudsters are hoping to get your Social Security number or bank account number.  With either of these numbers the thief may be able to steal money from your existing accounts or open new accounts in your name.
 
You need to be very cautious when dealing with these messages. Here are some tips to protect your sensitive personal information and prevent identity theft.

• Legitimate companies will not send you unsolicited e-mails asking for passwords, PINs, account numbers, or Social Security numbers.
• Don't trust e-mail headers, which can be forged easily.  It may say “Citibank” and it may look like Citibank’s logo, for example, but it is not Citibank.
• Don’t fill out forms in such e-mail messages. You can't be sure where the data will be sent, and the information can make several stops along the way to the recipient.
• If you click on a Web site link in an e-mail message from a company, be aware that scam artists are making forgeries of company sites that look like the real thing.  Do not disclose your personal information at these fake Web sites.

Mail Frontier has developed a Phishing IQ Test to see how good you are at recognizing phishing e-mails from legitimate e-mail requests for personal information at www.sonicwall.com/phishing/

The Anti-Phishing Working Group also has a lot of good information at:
www.antiphishing.org/consumer_recs.html

The answer will likely depend on the specific Web site. Most Web sites remove inappropriate material, but often the harasser will re-post the information.  Look for the section on the Web site that explains what you can do about harassment.  Such sites usually have an “abuse” department that you can e-mail.  For example, MySpace has information on cyberbullying under the “Contact MySpace” link at the bottom of their page.  Information about abuse can commonly be found in Frequently Asked Question sections of social networking Web sites.

Wiredsafety.org has more information on My Space available at www.wiredsafety.org/internet101/myspaceguide.html

If a harasser is threatening or sexually explicit you should report the activity to the police.

There are many tips and suggestions. Unfortunately there is no easy solution. We have tried to cover most of the major areas of concern in our Fact Sheet 18 which is available at www.privacyrights.org/fs/fs18-cyb.htm#PART%20TWO

If you do not want to read the entire sheet scroll down until you see a heading that interests you.

Getnetwise.org has a list of tips for securing your computer, available at: http://security.getnetwise.org/tips/

Wireless networks are significantly safer if they are secured. There are many guides available that explain securing your network.  GetNetWise offers a guide on wireless networks, available at http://spotlight.getnetwise.org/wireless/wifitips/

There are several services that mask your identity by acting as an agent to transfer data between your computer and Internet Web sites. The Electronic Privacy Information Center (EPIC) offers a guide to companies that offer these services, available at www.epic.org/privacy/tools.html 

The following services are among those included in EPIC’s guide.

Free services:

• Tor -  http://tor.eff.org/.
• Anonymouse - wwww.anonymouse.org. 

Commercial service

• Anonymizer - http://www.anonymizer.com/.

This is not as easy as pressing the delete button. According to the Electronic Frontier Foundation, simply deleting data from a hard drive, or even writing over it, doesn't remove all its traces from the media. Undelete utilities and forensic analysis can often recover data that has been only weakly deleted. Strong deletion utilities (also known as secure deletion utilities) write over the old data enough times to clear those remnants.  TechSoup offers a list of disk-cleaning software. www.techsoup.org/learningcenter/hardware/page5496.cfm

First, do a "WhoIs" search on the domain names containing the objectionable material. You can do a search at: www.whois.com. The search should give you the contact information for the domain's Internet Service Provider (ISP) (unless there is fraudulent contact information, for which you will need to contact "WhoIs" directly). 

For example, to find out how to contact the PRC (if we did not provide the information on our Web site) you would:

• Go to www.whois.com .
• Type in the PRC’s domain name “privacyrights.org” into the search box.
• Click on the WhoIs Lookup button at the bottom of the Web page.

The resulting information shows our address and phone number.

Many ISPs have standardized guidelines in place to deal with fraudulently registered or maintained sites, and all it takes is telling them the domain name.  At any rate, you will have to work with the people providing the bandwidth and space for the site, rather than the creators of the site.  Unfortunately, unless you are able to get law enforcement involved, the likelihood of you identifying the creators of the objectionable sites is slim.

Unfortunately, if something seems too good to be true, it probably is. In this case, we would discourage you from pursuing this job since it could very well involve money laundering, which is illegal and could get you into serious trouble with various government authorities. There are a number of "red flags" in this advertisement.

Here are links to some of our Fact Sheets and other resources to learn more about these types of scams that try to lure honest people:

• Fact Sheet 25(a) - avoiding online job scams: www.privacyrights.org/fs/fs25a-JobSeekerPriv2.htm

• Fact Sheet 25 - online job seekers guide: www.privacyrights.org/fs/fs25-JobSeekerPriv.htm

Unfortunately, these messages have become extremely common. Sometimes consumers who fall for them do end up losing their entire life savings.

If you receive an offer via e-mail from someone claiming to need your help getting money out of Nigeria — or any other country, for that matter — forward it to the Federal Trade Commission at spam@uce.gov   Also report it to the Internet Fraud Complaint Center of the FBI through their Web site:  www.ic3.gov/ .

If you have lost money to one of these schemes, call your local Secret Service field office. Local field offices are listed in your telephone directory in the blue pages.

For a useful guide on this fraud scheme and many more, visit www.lookstoogoodtobetrue.com/fraudtypes/419.aspx .

No. Most of this information comes from birth and death certificates, which are public documents. We have more information about public records in our Fact Sheet 11:
www.privacyrights.org/fs/fs11-pub.htm .

Unless the record is sealed or made confidential when it is created (not always an option), it will be useable in its entirety for genealogy research and for sale on the Internet.

The availability of this information is another example of why it is never a good idea to use your mother’s maiden name for a password.

"Behavioral targeting" refers to the practice at most search engines and some commercial Web sites of collecting information about users in order to serve them more relevant advertisements. As Internet companies increase their product lines to include e-mail, chat, maps, and other tools, they gain access to ever growing amounts of potentially sensitive personal data. This data can be used to develop highly detailed profiles of users, which in turn can be used to serve them focused advertising. Some consumers find this targeted advertising discomforting, while others see it as useful. But in any case  Internet users would benefit from clear notice and choice concerning the collection, storage and use of their personal data.

Here are a few suggestions to reduce your exposure to behavioral targeting:

• Use a different company for your search engine than you use for your e-mail, chat, maps, and other Web tools.  That will limit the amount of information that any one company will have about you.
• Clear your “cookies” regularly. You can set most Internet browsers to automatically clear your cookies when you exit the browser.  If you delete cookies, you will not be recognized as a repeat visitor when returning to a site. You can even set most browsers to not accept cookies, but that may limit your ability to visit certain Web sites. You will need to consult your browser’s help tool to determine how to do this. 
• Consider using the search engine www.ixquick.com/.  Ixquick promises not to use cookies that uniquely identify its users.  They also promise to delete the IP address that is associated with your search within 48 hours.

Nine consumer and privacy advocacy organizations jointly submitted comments to the Federal Trade Commission in November 2007 urging the creation of a national “Do Not Track” registry, similar to the Do Not Call Registry. www.worldprivacyforum.org/pdf/ConsumerProtections_FTC_ConsensusDoc_Final_s.pdf

15. What is “Google hacking,” and what can be done about it?

“Google hacking” is the term used when a hacker tries to find exploitable targets and sensitive data in Web sites by using search engines.  The practice relies on employing a carefully crafted combination of search terms to unveil potentially confidential files in a Web site.  In other words, a hacker can create a search in Google that will identify Web sites with vulnerable servers.  There are commercial Web site vulnerability scanners that can be utilized to find such weaknesses in your Web site.

Copyright © 1994-2007. Privacy Rights Clearinghouse/UCAN. This copyrighted document may be copied and distributed for nonprofit, educational purposes only. For distribution of this fact sheet, see our copyright and reprint guidelines. The text of this document may not be altered without express authorization of the Privacy Rights Clearinghouse. This fact sheet should be used as an information source and not as legal advice. PRC fact sheets contain information about federal laws as well as some California-specific information. Laws in other states may vary. Overall, our fact sheets are applicable to consumers nationwide. This publication was originally developed under the auspices of the University of San Diego.

Privacy Rights Clearinghouse, 3100 - 5th Ave., Suite B, San Diego, CA 92103. Web: www.privacyrights.org