Starting a Path to Modern Database Privacy

by Barrett Brown

Privacy has always been of interest to hackers.

Firstly because back in the day all the coolest/funniest/most-interesting information was kept private and getting a hold of it was often an "Elite Hack."  It didn't matter whether one social engineered the information or rooted a server from halfway around the world to get it: Excitement came from the fact that one had access to something that very few others did, something special, as well as the fact that "something" often directed the hacker to even more secret information that they could play with and which could potentially lead them to even more.

The second reason privacy was so important was due to the fact that the "first" so-labeled computer/phone/network hackers (I still consider Alan Turing a computer/network hacker for example, but in this article I'm referring mainly to the period from 1970 to the present) were engaging in activities that existed in a gray area of law.  No precedents had yet been made by the Supreme Court about information theft by way of computer.  So it was vital to many of those engaged in such activities to keep their "true identity" as secret as possible, the better to fight off any court cases should they one day occur, and thus came the origin of using a hacker "nick" or "handle."

Besides such logical purposes, privacy was (and is) a fundamental part of hacker culture specifically and Internet culture in general.

Some sociologists think that this "privacy" is one of the biggest attractions to using the Internet for personal use.  Instead of showing your face at the liquor store and blushing to the clerk because of the porn you just bought - well, presto, go to a web page!  No one will ever know!

Simply the act of logging onto a chat site is a small example of this.  You can choose to say whatever you like about yourself online.  Change your race, age, whatever.  As long as you have the acting ability to back it up, as far as anyone online knows, you are who you say you are.  If you don't know someone in RL (Real Life), you either have to trust what they say online, on social networking sites, etc., or spend years and years chatting with them online, getting to know them, paying attention to everything they say, and eventually you may very well get a good idea of who they are.

How can an unknown (in RL) hacker with a nick trust another one whom they only know online?  How do they know this new hacker they have been chatting up on IRC for months is not a federal agent trying to get the hacker thrown in jail?  These are important questions because many a hacker has been caught in just this way: online communication only.

Well, in the old days (I'm an old-ish person), hackers would get on a BBS and trade information with each other.  If the teleconference number, credit card numbers, or whatever "private" information was being traded was good, the hacker's reliability rating went up, kinda like eBay ratings.

Because almost everything was private back in the day, hackers relied on war dialing, reading old manuals found in CO (Central Office) dumpsters, social engineering telephone linemen and operators, and any other tactic a brilliant and motivated individual could come up with.  But most important of all?  Mutual collaboration.

Without multiple people/groups working on similar puzzles independently and from different perspectives, then sharing the information found with each other through BBSes, text files, Phrack, 2600, other small groups working together, etc... well, we simply never would have had all the hacking successes that came throughout that time period.  Why did total strangers who had often never met, talked on the phone, or knew anything about their partners in what would one day be deemed a "crime," decide to work with each other?  Why did they often trade information that could get them put in prison for theft, treason, industrial espionage, or worse, get them a job at the CIA?

Privacy and Curiosity

Without the unwritten promise that those early hackers were "safe," that they were "private," hiding behind their computer screens, sometimes thousands of miles away from the computer(s) they were accessing (the extra-competent even routing their activities through tens of computers and different networks to add security), that even if their accomplices were caught, those accomplices had nothing but a nick.

These were some of the elements that made old-school hacking so exciting and gave people the freedom to explore the digital world to their heart's content.  We "white hats" were freeing and sharing information, liberating it from those who wanted to control it and keep it from the public.  Information was meant to be free and being a hacker meant that you were one of the freedom fighters in the battle.

Despite such democratic beginnings, the Secret Service's Operation Sundevil soon came along and, by getting hackers who actually did know each other to turn on their friends and associates, the Secret Service began the ruination of "hacker groups" and mutual collaboration.  So began the cyber-age of hacker lone-wolves, larger international criminal cyber-theft rings, and the obvious need for even more privacy than before.

It's 2011 now and things have changed quite a bit.  "Private Information," once the main purview solely of governments, private detectives, journalists, spies, and hackers is now big business.  Where LexisNexis was once "The Database" used by all these people to find out anything about anyone, now there are countless data brokers out there, each one with their own specialty areas, each one trying everything in their power to find out everything they can about everyone and cross reference it.  This means you.  One hundred years ago, if you wanted to disappear, you just moved across the country, gave everyone in your new town a fake name and past, and you were pretty good to go.  No national fingerprint databases, no genetic vaults cataloging DNA, no satellites, no credit cards, no cell phone towers to silently inform people where/when you are, etc.

To summarize my introduction and get to the meat of my article: Maintaining one's privacy (particularly in America) these days is a daunting task.  But for any good hacker, the harder the climb, the greater the reward.  I am no criminal, I owe no large debts, I'm not skipping out on alimony, and there is nothing I am running from.  I am simply a very serious believer in the intentions behind the writers of the U.S. Constitution, when they deliberated and thought very hard about the "God given right" that everyone has for reasonable privacy.  Watching that privacy being eroded (maybe avalanching at this point?) year after year has inspired me to make a hobby of seeing just how invisible I can be.

So I bring to you, 2600 readers, straight from my own "privacy journal," some first steps in clearing up your digital footprint, along with notes I took along the way.  Everything in this article I have performed and can personally vouch for.  It is far from complete.  Many books have been written on the subject and society at large is far from achieving any reasonable kind of privacy (as the U.S. government and international data brokers continue to actively work toward breaking existing privacy laws) and I didn't get into changing Social Security numbers/names, filing off fingerprints, making an identity from scratch, flooding the databases with too much information to obscure what is real, or any other uber-advanced techniques.

Here I simply have a record of addresses, dates, phone numbers, and procedures for the largest data brokers and government privacy agencies I could find, which anyone may use to increase their privacy.  Enjoy!

LexisNexis

www.lexisnexis.com/opt-out-public-facing-products/

a.)  July 17, 2010: Filled out LexisNexis online opt-out form.  Saved reference number.

b.)  Printed out corresponding paperwork to be mailed or faxed.

c.)  LexisNexis has a very strict policy about removal of information.  You must be a target of stalking or fit some other qualification listed on their site.  You must prove it by supplying a police report, letter from a Social Services agency, or other proof.  You must also send them a copy of two valid forms of ID, a list of all the places you've lived in the past ten years, a utility bill, and more.

d.)  I went to my local police station and retrieved a copy of an arrest that led to nothing from many years ago.  In my letter to LexisNexis, I told them I was worried that the police in my case were "dirty cops" and that they would seek revenge on me because they lost their case (hey, it's possible...).  I think I also used the word "attorney" a few times for good measure.

e.)  Mailed paperwork "certified mail," so I could prove they got it.

f.)  Emailed: privacy@lexisnexis.com requesting confirmation.

g.)  Received verbal confirmation of opt-out, waiting for paper receipt (two to four weeks, they said).

h.)  August 21, 2010: Received mail from LexisNexis dated 7.17.10 denying my opt-out request, with no specific reason given.  Saved paper in file.  To succeed, I must: "Prove that [I am] an individual at risk of physical harm, or call LexisNexis privacy hotline at 800-831-2578 or LexisNexis privacy coordinator at 800-227-9597, extension 55568."

i.)  August 22, 2010: Left a message for privacy coordinator.

j.)  8.23.10: Received voice message from the privacy coordinator informing me that my opt-out order was actually approved, it's just that my mail got "crossed."  Yeah, right.

k.)  Called privacy coordinator back and requested paper or email confirmation of opt-out.

l.)  August 24, 2010: Privacy coordinator left voice message saying documentation is in the mail, ETA one week.

m.)  October 1, 2010: Paperwork received and framed on my wall.

ChoicePoint

www.privacyatchoicepoint.com/optout_ext.html#optout

a.)  Filled out ChoicePoint opt-out form.

b.)  Received email confirmation.

c.)  Emailed copy of confirmation to my "records" email account.

Do Not Call List

www.donotcall.gov/register/reg.aspx

a.)  This is the U.S. government's "Do Not Call List" created a few years ago through an act of Congress.  Although it feels good to have all my numbers on the list so I can threaten telemarketers (it works!), don't get too excited or put too much faith in it as any corporation can buy this list to use - and they do.

b.)  Registered all of my numbers.

c.)  Emailed copy of confirmation to my "records" email account.

The DMA (Direct Marketing Association)

www.ims-dm.com

a.)  Many pages direct you here to get off of mailing/email lists.

b.)  Emailed privacy@the-dma.org asking about removal.

c.)  Directed to www.ims-dm.com for privacy.

d.)  Filled out forms in upper right-hand corner of page.

Intelius

www.intelius.com/privacy.php

a.)  Oddly, when I searched switchboard.intelius.com/optout.php for my info, I couldn't find anything, so I thought I was not in the Intelius database.  It was only after more research that I discovered I was.

b.)  July 19, 2010: Faxed Intelius data brokers at 425-974-6194 my California ID with picture and number crossed out as directed, got fax confirmation, and filed it in paper records.

c.)  Emailed them requesting fax confirmation.  Still waiting....

Acxiom

www.acxiom.com

a.)  Filled out remove request form (then waited for mail confirmation): www.acxiom.com/about_us/privacy/consumer_information/opt_out_request_form/Pages/Opt-OutRequestForm.aspx

b.)  Requested "opt-out cookie" for targeted marketing: www.acxiom.com/products_and_services/TargetedEngagement/DisplayAds/Pages/Relevance-XOpt-Out.aspx

c.)  August 20, 2010: Received mail packet from Acxiom which included a mostly useless "Privacy Guide" with reference number which contained the "final opt-out form" which I mailed back promptly.  Still waiting on final reply...

Google Phone Directory

www.google.com/help/pbremoval.html

a.)  Removed all numbers found.

WhitePages.com

www.whitepages.com/myinfo/removal_form

a.)  Found my listing and removed it online.

PeopleFinder/Enformation

support@enformation.com

a.)  July 19, 2010: Received PeopleFinder email back asking for a post letter, saying it will take five to six weeks...

b.)  Printed PeopleFinder/Enformation letter and mailed it: Opt-Out/PeopleFinders.com, 1821 Q Street, Sacramento, CA 95811.  (Oddly, this address is used for more than two data broker businesses.)

c.)  Emailed them asking for confirmation when letter arrives.  Still waiting...

Abacus

optout@abacus-us.com

a.)  July 19, 2010: Emailed opt-out request.

b.)  July 25, 2010: Received email from abacusoptout@epsilon.com saying: "Per your request, we have suppressed your name and current address from Epsilon's Abacus Cooperative database.  In addition, your name and current address will be blocked from entering our system in the future.  Should you change your name or address, you may need to opt-out from Epsilon's Abacus Cooperative database again using your updated information."

c.)  Easiest to remove and most impressive response on record.

Random Magazines?

Everything was going so well until I got some magazines in the mail.  WTF?  After all my privacy work, I get catalogs?

a.)  Received a REI camping catalog in the mail with a code number on the label.  I have never ordered from the company, do not camp, thought my mailing address was super-secret, and did not know how I got on their mailing list.  I called their "mailing list removal number" (800-426-4840) and requested removal.  They asked for my code number, then said they had removed me.  Before hanging up, I asked them where they got my name and address.  They had to check, but they found that they got my info from Title Nine, a clothing company I ordered two small items from several years ago who must have been actively stalking my change of address requests or getting my information from somewhere else.

b.)  Called Title Nine customer service (800-342-4448), gave them my customer number (on the catalog), and asked to be removed from their and all other databases.  They said that it may take some time for the removal to be processed, but they will.  Also I emailed remove@titlenine.com to be removed from their database completely, for good measure.

c.) I should have known better, but this was the first I'd heard of magazines I order from passing around my address (even though I'd had about six changes of address since ordering from them) and it bugged me.

Email Opt-Outs and Other

From "Privacy-Alerts"

support@ameridex.com

remove@aristotle.com

customerservice@peopledata.com

webmaster@switchboard.com

www.infousa.com

www.zoominfo.com

Conclusion

In the end, this is just the tip of the iceberg.

It's a full time job just trying to keep oneself out of today's information databases.  Even after being cleaned from all the systems listed here, there are still credit reporting agencies, governments, Facebook, Gmail, hardware MAC addresses, and entities that will not erase your data no matter how nicely you ask.

In today's world, the only real privacy is not existing at all (or acting like you don't) and that's the best advice I can give to anyone who wants "real" privacy.  Use Tor, OTR, encryption, and the countless decent plug-ins for Firefox to help make your identity less obvious.  When filling out forms, if convenient, make a habit of transposing numbers/letters, so that in every database you are in your date of birth or name is just a little bit different.

If you are doing something private, use one-way blind email, or even better no email.  Boot your computer with a live CD operating system.  Change your MAC address before logging onto any networks.

Do anything and everything to stay private, not because it's cool or because of paranoia, but because it's our right as human beings.  A right that we are losing minute by minute, a right that we will lose, if we don't stand up for it.

No matter how invasive the world becomes, there is always a way to fight fire with water.

Links

barrett.chaosnet.org/foxext - Some good Firefox privacy extensions.

www.haltabuse.org - Site about fighting online stalkers.

www.privacyalerts.org - Many links from here.

www.fas.org/blog/secrecy - Government secrecy project.

store.2600.com/privisdeadge1.html - This article was inspired by Steve Rambam.
