The Privacy Lawyer: 12/01/2004 - 01/01/2005

Tuesday, December 21, 2004

Saving P2P by stopping the fraud and deceptive practices

I have been receiving many e-mails from parents, and many challenges from kids recently about P2P.

Most P2P companies are fighting for survival right now, with the U.S. Supreme Court agreeing to hear the appeal of the Grokster decision, which found that the P2P companies couldn't be held liable for their users' misuse of the technology to download copyrighted media and content.

But consumers may be fighting for themselves now as well. The less reliable P2P companies are misrepresenting (perhaps intentionally) what people are buying when they purchase premium ad-free services. Parents, hoping to help keep their kids' downloading habits on the right side of the law, are paying for the ad-free product thinking it provides a license to download music. They (and many lawyers) are confused by claims that the site, service, product or technology is 100% legal (in some cases citing the 9th Circuit decision now up on appeal as proof, and in at least one case claiming to be the only P2P product that has been ruled legal by a court).

And every time I stand before groups of kids and teens I am challenged with questions about these claims, and face the burden of having to explain to them that although the technology is legal, misuse of it is not.

I am shouting in the wind.

Last Wednesday in Washington, thanks to the forward thinking of Commissioner Pam Harbour (FTC Commissioner and mom), a workshop was held inviting the various stakeholders to the table. While the FTC's jurisdiction doesn't extend to piracy, there have been claims on both sides of deceptive and unfair practices that do fall within its jurisdiction.

There was a lot of finger-pointing and launching of accusations. And, I think, some progress. I had a great meeting with P2P United and especially eDonkey. They understood the issues. eDonkey agreed immediately to change its disclosures to make it clear that buying their premium product wasn't buying a license to download or upload copyrighted content. They also agreed to make this disclosure at least as prominent as the sale message.

Morpheus and others agreed to work with me to come up with disclosures at least as prominent, on their front page, clarifying the issues and making sure that consumers aren't confused.

It's an important first step, and one I am thrilled is being taken voluntarily by at least some of the P2P companies.


Monday, December 20, 2004

Google Yourself!

InformationWeek > Parry Aftab > The Privacy Lawyer: Here's To Happy, Safe Holidays > December 22, 2003

InformationWeek > Security > The Privacy Lawyer: Don't Wait Until An Employee Is Cyberstalked Before You Act > August 23, 2004

InformationWeek > Cyberstalking > Tips To Avoid Cyberstalking > August 23, 2004

InformationWeek > Cyberstalking > Understanding The Cyberharassment Problem > August 23, 2004

InformationWeek > Cyberattacks > The Privacy Lawyer: Combat Cyberwarfare > December 20, 2004

Saturday, December 11, 2004

Slash asked me a question I couldn't really answer at a training session: why is P2P legal?

Slash is the nickname I have given to one of our new teenangels. He is 13 years old and in 7th grade in New Jersey. I call him "Slash" because he described himself as a history buff/technology buff/gamer and researcher. Any kid with that many "slashes" in his description of himself deserves a nickname, and "Slash" just seemed to fit.

We had about twenty preteens and young teens sitting in a classroom for a two-hour training session on cybercrime, responsible use and online safety. It was being conducted with some of my existing teenangels, and a camera crew from the Life and Styles TV show was there to learn about cyberbullying issues and teenangels.

Our teenangels sessions are pretty free-wheeling when I conduct them. There are few questions I can't answer about kids online, cyberlaws and responsible and safe use. I've been doing this longer than most and talk with about 1000 kids a month, so I keep up to date on what they are doing and what they have questions about.

One of the kids asked me about music piracy online. I tried to steer the conversation to motion picture piracy, since I think music piracy is a lost cause. (While some kids have slowed their downloading, it still remains the default method of acquiring music they want.) But they weren't having it. They knew all about music downloading. Only one had downloaded a motion picture (Sponge Bob and The Incredibles).

If it's illegal to download music, she asked, why is the P2P network still up? How is that different from Napster? (They asked it differently, but that was the essential question.) I think I went into my "Napster is different" explanation, about central servers hosting the music itself versus large software applications that allow you to search and connect to the drives of millions of other computers. One kid compared P2P to Google, and I knew they got it. It's the search and location service of P2P that makes it different, and as Google doesn't host the content, neither does P2P. (These kids are amazing.) Someone asked another question and we moved on.

An hour later the session was over, and the kids were freed to go home and get something to drink and eat. They had sat patiently from 3pm to 5:30pm, and the promised pizza and drinks had never arrived. Most kids thanked me while bolting for the door, home and refreshments. :-)

But Slash stayed behind. He waited patiently for me to deal with the cameras, the parents and all the other kids. He waited because he had a question I hadn't answered.

"I don't get it," he said. "You explained that Kazaa and the others are just like a VCR." I told him that was correct. "And the recording and motion picture industries fought the VCR when it first came out because it could be used to steal TV and movie content, right?" he pressed on. "And you said that since there were lots of good uses for VCRs, like taping something when you're not home and family videos, they couldn't blame the VCR for those people who used it improperly, right?" I nodded, very impressed that he had understood the underlying argument behind the Betamax case, which the 9th Circuit used to protect the P2P industry from copyright infringement claims.

"I understand all of that. But what legitimate uses are there for P2P?" His mother stepped up to listen at this point. I explained that we hoped to share our online safety videos using P2P, that Microsoft used it for sharing their ads, and that many people use it to share music they have written and performed themselves, to help spread the word.

He listened and never let his eyes leave mine. He waited until I was done, and then punctured my argument. "The only thing people really do on P2P is download music, software and movies illegally. You know that. Why are people pretending that only some people misuse the technology? The P2P guys need us to misuse the technology. And if that's what they really want us to do, isn't it the real reason for the network, and not misuse at all?" I was stunned.

For all my arguments, I knew that the legitimate use of P2P was a very, very small percentage. I wonder if anyone has that number? When does misuse become mainstream use? And when does mainstream use that isn't discouraged by the technology providers become sanctioned use? When does it become intended use?

I am deeply troubled by this. I couldn't answer his question. I promised him that I would bring him and a few others to DC to interview the RIAA, MPAA and P2P industry groups.

I have adamantly supported the technology and the not-throwing-the-baby-out-with-the-bathwater approach to P2P. I have written about it, argued it in legal documents and done media on it. I have lectured on it and done public speaking and panels on it.

And now Slash has me confused. That confusion wouldn't have been a problem, because when I was at the session yesterday, the law said that P2P was a Betamax case and had legitimate purposes. While I don't often agree with the 9th Circuit on Internet law matters, I agreed with their decision. And I could rely on it. It was easier than working through Slash's question. I could say "It's the law" and be done with it. But I don't train the teenangels that way. And the Supreme Court, in accepting cert, has now taken the certainty out of the existing law.

I let Teenangels ask questions and if I can't answer them, put them in touch with those who can.

Why don't the P2P networks make it much clearer what is and what isn't legal about downloading music? Why do they allow people to think that when they say the technology is legal, they also mean that downloading protected music is legal? Why do they allow confusion over the paid premium versions of their software, when parents and kids think they are paying for the right to download music, not just for ad-free versions of the software?

If they were much clearer about this, I would believe more in the abuse/misuse ruling of Betamax being applicable to P2P. I doubt it would put much of a dent in their traffic. But the kids and parents who want to obey the law wouldn't be confused anymore. I'll ask the FTC about this while speaking on the panel. I'll also see if we can get the P2P industry group to agree to fix this problem. I would have much more faith in their good faith if they did it, not in the small print, but clearly. We'll have to see if that happens.

Now I can leave this before the able-minded justices of the US Supreme Court, because I can't answer Slash. Can you?

P.S. While I can't answer him, I can help make sure that the disclosures and statements on the P2P networks are not confusing, not deceptive and not consumer fraud. Watch this space.

Wow! I was taken by surprise when I heard about the U.S. Supreme Court agreeing to hear the entertainment industry's appeal of the P2P decisions

I am quickly blogging this, as I am getting ready for a flight to DC this afternoon. I am going down to (among other things) speak on an FTC panel on P2P risks. Our panel is not designed to deal with the piracy issues, but with other risks, government action and inaction, and non-profit and advocacy programs: what is being done and what needs to be done to help consumers and businesses use P2P technology safely and privately.

It's a softball panel, compared to the ones being held the next day on piracy issues. But one that made me think harder than most.

It's easy to talk broadly about the viral risks, security risks and privacy risks. So, when I decided to write a column for InformationWeek on P2P risks other than piracy, I expected to have many others to draw on. Instead, I discovered that few articles had even raised the other risks. So I wrote it. Later I found some wonderful resources already written by the FTC on these kinds of risks. But theirs and mine pretty much stand alone. All the focus has been on copyright infringement and piracy issues.

The more I reviewed the situation, the more I saw potential problems in consumer misconceptions and confusion. And when consumers are confused, there is almost always something for the consumer protection agencies and groups to do.

As I reviewed the cert applications and supporting documents, I realized that some of the issues I have discovered, and some of the fixes for consumer misconceptions and confusion, may help save P2P technology from wholesale closures. And they involve not blocking or filtering technologies, but education, disclosures and clarifications. The kind of things that the FTC does every day, better than any single agency in the world.

I'll share some of my concerns and how, after shooting a video last night with some of my teenangels, I decided to take more action in this area and to devote serious time of the non-profit I run to developing educational programs and suggestions, and to helping stop consumer confusion and misconceptions.

Read further at this blog.

FREE Grokster for p2p or person to person file sharing - not yet updated with the Supreme Court granting cert to either overturn or uphold the case

EFF: MGM v. Grokster page.

EFF's brief in opposition to the Supreme Court hearing the case

I would also like to thank the EFF for having so much valuable information and documentation on their website. No matter how you stand on any issue covered by the EFF, they have one of the best websites online for information and documentation.

Brief opposing the hearing of the case by the US Supreme Court

Brief of the American Intellectual Property Law Association on the issues, not in support of either litigant/appellant

There are few people I respect as much as I do Mel Garner, a partner at Darby & Darby and president elect of the AIPLA. I will read this brief with care.

Brief in support of appeal filed by some paid online music download groups

Brief of Progress and Freedom Foundation supporting the application for the Supreme Court hearing the appeal

brief of a Washington law group supporting the Supreme Court hearing the case

the brief filed on behalf of some law professors supporting the Supreme Court hearing the appeal

Brief supporting the Supreme Court hearing the case, filed on behalf of state attorneys general

the general brief on behalf of the appellant and supporting groups for the Supreme Court hearing the appeal

Brief of recording artist and foundation groups in support of the US Supreme Court hearing the case

brief filed on behalf of rights holders in the application for Supreme Court Cert to hear the appeal on P2P

brief filed on behalf of recording artists for the Supreme Court to hear the appeal

another brief in support of application for the Supreme Court to hear the appeal

Brief (legal and factual argument document) filed in support of the application for the Supreme Court to hear the appeal

Application for cert (permission to have the case heard) to US Supreme Court by entertainment industry to set aside the decision upholding P2P

In order for the US Supreme Court to hear an appeal, the party needs to petition for cert (certiorari). This is permission to appeal and for the US Supreme Court to agree to hear the appeal. Typically there has to be a conflict among the lower courts that the US Supreme Court needs to resolve, or a very important issue it needs to settle. The petition for cert was granted on Friday, December 10, 2004. Many were surprised that the case was accepted for review.

Friday, December 10, 2004

US Supreme Court to hear the P2P copyright infringement claims, reviewing the decision of the 9th Circuit

The legality of P2P networks is being reviewed by the U.S. Supreme Court, which accepted cert today. This was a surprising move to many. I personally thought that the 9th Circuit decision was not going to be reviewed.

Thursday, December 09, 2004

Privacy lost with the touch of a keystroke? | csmonitor.com

We should be paying more attention to what's already out there about us and how easy it is to find.


Wednesday, December 08, 2004

InformationWeek > Parry Aftab > Tips On Spotting A Spoofed Link > January 26, 2004

Here are some tips from an Internet service provider, eBay, and Citibank on ways to avoid being phished.

Citibank Tips
Citibank warns its customers to check the security certificate for any site to which they're linked.

If the name doesn't match the company owning the site, you shouldn't trust the link. Citibank also recognizes that not all certificates are held in a name recognized by consumers accessing the site, but the bank informs its customers that all security certificates for Citibank's sites are held in its "Citibank" name.

Since not all security certificate issuers police similar-sounding "brand-related" names when issuing their certificates, knowing the exact name of the security-certificate holder is key to authenticating the page. All sites should disclose the correct security-certificate holder name at their sites.

EBay Tips
EBay teaches its members how to spot a fake eBay URL by checking the browser Web-address window. (Although, given the Microsoft Internet Explorer vulnerability that permits the URL appearance in the browser window to be spoofed, this tip may be ineffective for IE users.)

Here's how to be sure you're on an eBay page: Before signing in, check the Web address in your browser. If you click on a link in an E-mail, verify that the Web address in your browser is the same as the address shown in the E-mail.

The Web address of most eBay sign-in pages begins with Never type your eBay user ID and password into a Web page that doesn't have "" immediately before the first forward slash (/)."

Examples of real eBay addresses:

Examples of fake eBay addresses:

Advice From Those In The Field
I sought the assistance of members of the Internet Society's IETF list in trying to come up with better tips on avoiding phishing and spoofing schemes.

Dean Anderson, who owns and runs an ISP in Boston, explained the basics best, so I want to share his tips with you.

EBay, the FTC, Citibank, and consumer-advocacy groups advise to make sure you're using a secure server connection. Dean comments on the wisdom of that tip and holes that can be exploited by the con artists. "When you connect to a secure Web site, you can examine the SSL Certificate for the site, usually by clicking on the 'lock' symbol on many browsers," he says. "People should learn how to do this and make it a habit of doing so when they connect to secure sites, so they recognize when something changes.

"Unfortunately, like other components of scams, the certificate might have a similar-sounding name. You think you've got (e.g.,, but you got The certificate (we assume for argument) really does belong to an entity called, but is the same as PayPal? You don't know.

"The best thing to do is start from (e.g.) from your account statement, etc., and examine the site certificate. Then you have a good chance that it's not spoofed. But it is only a chance, as it could still be spoofed in various ways. There are lots of scenarios for this, but here's one: Your computer could be infected with a virus which installed a Web proxy, then the attacker sends you a message to go update your stuff. You type in, but your infected browser goes to the fake site instead. When you try to view the certificate, your infected browser shows you the real certificate information. You can't easily know this didn't happen. But examining the certificate is a good practice.

"So there are things to do that will make the con artist's job harder, but you can't make it impossible to be conned. Hopefully, the police will be able to track down the con artists, and by doing so, will deter others.

"There's no perfect system, so we can't give any assurances that there is a perfect system. Nor is it the case that if you do or don't do certain things, you can't be victimized. The best we can do is tell people to use their common sense, so they aren't victimized by the lowest grade of con artists."
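Two of the tips above reduce to checks a program can make: eBay's rule that only what sits immediately before the first forward slash identifies the site, and Dean's point that a certificate in a similar-sounding name is a perfectly valid certificate for the wrong site. The following is an added, constructed Python example written for this page; it is not code from the column, from eBay, Citibank or PayPal, or from Dean Anderson. The `.example` host names, the expected domain passed in, and the two certificate dictionaries (laid out the way Python's `ssl.SSLSocket.getpeercert()` returns them) are all made up for the illustration.

```python
# Added example: the eBay rule ("what comes immediately before the first /")
# and the point that a valid certificate for a look-alike name is still the
# wrong certificate. Hosts under .example and the certificate dicts are
# constructed for this example; none of this is eBay, Citibank or PayPal code.
import ipaddress
from urllib.parse import urlsplit


def host_under_domain(host, domain):
    """True if host is domain itself or any subdomain of it (case-insensitive)."""
    host = host.lower().rstrip(".")
    domain = domain.lower().rstrip(".")
    return host == domain or host.endswith("." + domain)


def check_login_url(url, expected_domain):
    """Decide whether a sign-in URL really lands under expected_domain.

    Returns (ok, reason). Only the host part, i.e. what sits between the
    scheme and the first "/", is trusted; path, query and anchor text are not.
    """
    try:
        parts = urlsplit(url)
    except ValueError as exc:
        return False, f"unparseable URL: {exc}"
    if parts.scheme != "https":
        return False, "not https"
    # "https://www.brand.example@evil.example/" is a login to evil.example:
    # everything before "@" is user information, not the host.
    if parts.username is not None or parts.password is not None:
        return False, "userinfo before @ hides the real host"
    host = parts.hostname or ""
    if not host:
        return False, "no host"
    try:
        ipaddress.ip_address(host)
        return False, "bare IP address instead of the brand's domain"
    except ValueError:
        pass
    # Punycode labels can render as look-alike Unicode names in the address bar.
    if host.startswith("xn--") or ".xn--" in host:
        return False, "internationalized (xn--) host; check it by hand"
    if not host_under_domain(host, expected_domain):
        return False, f"host {host!r} is not under {expected_domain!r}"
    return True, "ok"


def _dns_name_matches(pattern, host):
    """Certificate name matching: exact, or one leftmost '*' label (RFC 6125 style)."""
    pattern = pattern.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == host
    p_labels, h_labels = pattern.split("."), host.split(".")
    # The wildcard must be the whole leftmost label and must not cover a TLD.
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def cert_names(cert):
    """DNS names a certificate asserts, in the layout ssl.SSLSocket.getpeercert() uses."""
    names = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not names:  # no SAN at all: fall back to the subject commonName
        for rdn in cert.get("subject", ()):
            for key, value in rdn:
                if key == "commonName":
                    names.append(value)
    return names


def cert_covers_host(cert, host):
    """True only if the certificate names the host you MEANT to reach."""
    return any(_dns_name_matches(name, host) for name in cert_names(cert))


# Constructed certificates: one for the real site, one validly issued to a
# similar-looking name (an "l" replaced by a "1").
REAL_CERT = {
    "subject": ((("commonName", "www.paypal.example"),),),
    "subjectAltName": (("DNS", "www.paypal.example"), ("DNS", "paypal.example")),
}
LOOKALIKE_CERT = {
    "subject": ((("commonName", "www.paypa1.example"),),),
    "subjectAltName": (("DNS", "www.paypa1.example"),),
}

if __name__ == "__main__":
    for url in ("https://signin.ebay.example/ws/eBayISAPI.dll",
                "https://www.ebay.example.evil.example/",
                "https://www.ebay.example@evil.example/",
                "https://evil.example/signin.ebay.example/",
                "http://signin.ebay.example/"):
        print(url, "->", check_login_url(url, "ebay.example"))
    # The look-alike certificate is genuine for its own name and useless for ours.
    print(cert_covers_host(LOOKALIKE_CERT, "www.paypa1.example"))  # True
    print(cert_covers_host(LOOKALIKE_CERT, "www.paypal.example"))  # False
```

The design choice that matters is in `cert_covers_host`: the host it is given must be the one you intended to reach (typed from your statement, as Dean suggests), never the one the browser happens to be showing, because a certificate for `www.paypa1.example` passes every check when compared against `www.paypa1.example`. The proxy-in-the-browser scenario he describes defeats both checks from inside, which is why the code can only make the con artist's job harder, not impossible.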


InformationWeek > Parry Aftab > Phishing By Brand Name: Tips On How To Check For Fraud > January 26, 2004

InformationWeek > Parry Aftab > Phishing By Brand Name: Tips On How To Check For Fraud > January 26, 2004
The first reports of spoofed E-mail links and phishing using the eBay and PayPal brands arrived in the first quarter of 2003. Some of these reports were referred by the online safety and help group I run,, and its law-enforcement division, EBay quickly responded to this threat by providing consumer alerts to the members of its community of 86 million registered users. The alerts were distributed via administrative E-mails and top-level postings on the community boards.

By mid-2003 eBay's Dave Steer (formerly from Trust-e, a nonprofit global privacy certification and seal program) had constructed an extensive tutorial for eBay users. The tutorial advised its members to check the headers on E-mails, the browser window displaying the URL of the site, and the URL itself. (It also explained that all can be spoofed.)

Using the consumer-responsibility model, eBay warns that all spoofing fraud is avoidable by being careful. It advises that the member should access the eBay site directly by typing it into their browser, or using the "my eBay" browser bar if they have any doubts about an E-mail's authenticity.

The tutorial can be found at:

InformationWeek > Parry Aftab > Phishing Vulnerabilities In Microsoft's Internet Explorer, Plus A New Server-Access Ploy > January 26, 2004

Until recently, consumer advocates recommended that you check the browser's URL window and make sure it confirms that you've linked to the site you expected. If the two didn't match, you knew you were being spoofed from a phished link.

However, Internet Explorer allows the spoofed site to appear to be the one you trusted. People relying on consumer-safety tips to avoid becoming victims of spoofed and phished links would find themselves tricked into compliance.

When the vulnerability was discovered in mid-2003, Microsoft responded by saying it was looking into the problem. When I consulted one of their spokesmen in December 2003, the company still hadn't taken any action or made any firm decision about what, if anything, it will do to close the vulnerability. The spokesman indicated that perhaps Microsoft would include a patch in its monthly patch updates, but wasn't certain. But since the real answer here isn't turning our customers into cybersleuths to spot the latest fraud, it really doesn't make much of a difference if or when it patches the vulnerability.

Roundabout Server Access
Although phishing incidents involving third-party E-mails are the most common, a new scheme has arisen involving cybercriminals seeking access to your company's servers.

An E-mail is sent to those within the corporation, appearing to be from internal legal, IT, or security administrators. The E-mail announces a security breach, or a problem within the network. It advises the employee to log into the company's network, using the link provided in the E-mail. Once the employee types in their login and password, the phishing expedition has succeeded. The attackers now have access to the company's communications and password-protected network. By targeting employees with all levels of access, to all segments of the server, they are able to gain access to most, if not all, of the server data and infrastructure.

So, look within, as well as to outside communications when warning your employees about intrusions and fraud. It's well known that the fastest way to break security on a secure network is to fool someone with access into letting you in. Don't let your employees provide the key to the burglars. Set up a confirmation process and make sure your employees know how you will communicate any security breach. Make sure they have a contact E-mail or telephone number where they can confirm the validity of any communication, and a network posting of any emergency announcements. Forewarned is forearmed.

InformationWeek > Parry Aftab > The Privacy Lawyer: Which Kills E-Commerce Faster, The Cure Or The Disease? > January 26, 2004

Identity theft is a big issue these days. According to a recent Federal Trade Commission survey, 10 million people in the United States were victims of some type of identity theft last year alone. But identity theft, when reported, is largely an offline issue. Family members, people within your workplace or household, credit-card thieves, and those who rifle through your garbage are the typical bad guys. According to the same survey, only about 3% of the identity fraud they identified occurred in connection with the Internet. Expect that to change, and quickly!

Phishing, the latest in the long line of Internet fraud schemes, tricks E-mail recipients into providing their private financial and password information to a site posing as a trusted site. And it's growing by the virtual second. Phishing has snared savvy techies and newbies alike. In fact, in my experience, experienced tech users are more likely to be ensnared than others, since we tend to be more comfortable sharing personal sensitive information online with a site we trust.

A phishing incident typically starts with an E-mail purportedly delivered from a site you trust with your financial information--your online bank, credit-card companies, mortgage companies, ISPs, and large E-commerce sites. (BestBuy, Citibank, EarthLink, PayPal, American Express, and eBay are the more popular spoofed companies, but any popular E-commerce business will do.)

The latest form of phishing starts with a crisis of some type to get your attention. The E-mail announces a security breach, or a problem with your account. The senders also give you a short deadline and try to frighten you enough to respond without thinking too carefully. Perhaps your account will be terminated if you don't respond quickly, or they threaten financial losses or a security breach, or that you won't be able to buy through that account anymore.

The phishing E-mail typically contains the logos of the site being spoofed, and often contains legitimate links to that site, with one or two exceptions. Those exceptions link you to a rogue site (or even a hacked section of the legitimate site) where you are asked to sign in (login and password) and in many cases to provide updated account information, Social Security numbers, names, addresses, and even mother's maiden name. Once that information is collected, the phishers sell it or use it themselves to empty your bank account, charge items to your existing credit cards or new credit cards applied for in your name, and even blackmail you. Thereafter, it becomes a typical identity-theft scheme and travels the normal distribution channels to criminals on and offline.
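The "legitimate links with one or two exceptions" pattern is exactly what makes these mails convincing, and it is also what gives them away: the rogue link is the one whose visible text or target does not belong to the brand. The following is an added, constructed Python example written for this page, not code from the column or from any of the companies it names. The HTML mail body, the `.example` hosts and the brand domain are made up for the illustration; the scanner only parses anchors, it does not fetch anything.

```python
# Added example: find the one or two rogue links hidden among legitimate ones
# in a phishing mail. The HTML body and the .example hosts are constructed for
# this example; this is not code from the column or from any brand named in it.
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element in an HTML mail body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


# Visible link text that looks like a URL or a bare host name, e.g.
# "https://signin.ebay.example/" or "www.ebay.example".
_HOSTLIKE = re.compile(r"^(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})(?:/\S*)?$", re.I)


def _target_host(href):
    """Host the link really goes to; '' for mailto:, bare paths or unparseable hrefs."""
    try:
        return (urlsplit(href).hostname or "").lower()
    except ValueError:
        return ""


def _shown_host(text):
    """Host the link text claims to go to, or '' if the text is not URL-like."""
    m = _HOSTLIKE.match(text.strip())
    return m.group(1).lower() if m else ""


def _under(host, domain):
    return host == domain or host.endswith("." + domain)


def rogue_links(html_body, brand_domain):
    """Return [(href, text, reason)] for links a mail from brand_domain should not carry.

    Two signals, in order of strength: the text shows one host but the link goes
    to another; or the link simply does not point under the brand's domain
    (mailto:, anchors without href and third-party hosts all land here, so treat
    the second signal as a prompt to look, not as proof).
    """
    collector = _LinkCollector()
    collector.feed(html_body)
    brand_domain = brand_domain.lower()
    findings = []
    for href, text in collector.links:
        target = _target_host(href)
        shown = _shown_host(text)
        if shown and shown != target:
            findings.append((href, text, f"text shows {shown} but link goes to {target or '(none)'}"))
        elif not _under(target, brand_domain):
            findings.append((href, text, f"target {target!r} is not under {brand_domain!r}"))
    return findings


# Constructed phishing mail: the urgency hook, two genuine-looking links, and
# one that displays the brand's sign-in address while pointing elsewhere.
SAMPLE_MAIL = """
<p>Dear eBay member, we have detected a problem with your account.
Please verify your details within 24 hours or the account will be suspended.</p>
<a href="https://pages.ebay.example/help/">Help</a> |
<a href="https://pages.ebay.example/community/">Community</a> |
<a href="https://www.ebay.example.account-verify.example/signin">https://signin.ebay.example/</a>
"""

if __name__ == "__main__":
    for href, text, reason in rogue_links(SAMPLE_MAIL, "ebay.example"):
        print(f"{reason}\n  text: {text}\n  href: {href}")
```

Run against the sample, only the third link is reported, because its text displays `signin.ebay.example` while the href goes to a host that merely begins with the brand's name. A mail gateway that applied the first rule alone would already catch the display-text trick the column describes; the second rule is noisier and is best used to route the message for a human look rather than to block it outright.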

Old Ruse, New Name
While the current permutations of phishing are more sophisticated, I first encountered it in 1995 as an AOL subscriber. A tiny screen popped up "from AOL" telling me that my credit-card information had been lost and they needed it again, and giving me a link to provide it. Luckily, I didn't, and soon the AOL message that they will never ask you for password or credit-card information via E-mail was promulgated and continues to this day. Some people, though, are still caught in this password-spoof's net.

But much has changed since 1995. We're now far more accustomed to providing sensitive information online and to receiving E-mails from our banking institutions and E-commerce sites with embedded links. And the growth and adoption of E-commerce, especially for financial institutions, depends on our being able to trust those communications and the links that they provide.

Therein lies the rub. The financial institutions and E-commerce sites need us to become more comfortable with communicating sensitive information online. Yet, the more comfortable we become, the more likely we are to be caught by a phishing expedition. By creating consumer-friendly methods for their E-commerce customers, those same companies provide fertile grounds for the phishers who will abuse those same methods. And the phishers aren't just watching the E-commerce companies. They're also tracking the security tips provided by the FTC and consumer-safety groups. Within days of a new consumer safety tip being released, the phishers find a way to foil it.

So, what can we do to stem the tide of cybercrime and phishing fraud? Alarming customers may backfire with a consumer base that's already distrustful of using the Internet for highly sensitive information. Yet, failing to inform customers means they're facing serious consequences, unarmed and unprepared.

Avoiding Fraud
The large financial institutions have all been facing this issue. Luckily for its customers and other consumers online, Citibank has done more than face it. They've put the issue front and center on their Web page (with prominent placement of a link "about E-mail fraud" on their most valuable front-page real estate on They also have tips for Citibank customers and online banking and financial-services users (see sidebars) on how to avoid becoming a victim of phishing fraud.

A spokesman for Citibank told me that when they first learned of the phishing incident misusing their brand, they reached out to their customers to warn them. When they discovered that some of their customers had been tricked into providing their financial information, they counseled them, one-on-one, and helped them close accounts and notify the credit-reporting agencies. Luckily, the first reported cases of phishing involving the Citibank brand came in October 2003, on the tail of the beginning of its identity-theft campaign. The marketing and public-policy gurus were already conversant with the issues in connection with that campaign, so adding a special layer to their consumer-awareness message was easy.

We all recognize that phishing and the next schemes Internet con artists and cybercriminals cook up can't be fully avoided if we're looking to make the Internet easy for everyone to use. But having a financial institution that is willing to step up and help its customers avoid becoming victims of identity theft online and offline is the next-best answer to locking up all online access. I am and will make sure I continue to remain a Citibank customer. In the cybertrenches, we need all the help we can get. And those E-commerce financial institutions that are the biggest help will earn and keep our trust and loyalty, online and off.

InformationWeek > Parry Aftab > From Nigeria With Love... > January 5, 2004

InformationWeek > Parry Aftab > Criminals Are Made, Not Born > January 5, 2004

Many people, in trying to cash in on the millions of dollars promised in the Nigerian schemes, find themselves stealing to fund their investments. Unfortunately, more people are prosecuted for stealing from others to participate in the scheme than for perpetrating the scheme itself. In New Hampshire, Charles Brewster, 51, pleaded guilty to embezzling $73,000 from companies with which he was associated. The money, plus the funds obtained by forging a $120,000 check, was to be invested in a Nigerian oil con. Brewster was convinced the scheme was legitimate. Early in 2002, Shirley Elaine Hangings responded to the 419 schemes by spending her life savings of $30,000 to $70,000 and then passed a bogus check for $228,260 to fund any deficiency. She was sentenced to 16 months in a California state prison. And a law-firm bookkeeper, Anne Marie Post, 57, was charged with embezzling $2.1 million from her Detroit-area employer. She believed that she would receive millions from an official with the Ministry of Mining in South Africa.

According to Wired, statistics presented at the International Conference on Advance Fee (419) Frauds in New York on Sept. 17, 2002, show that approximately 1% of those who receive 419 E-mails (and faxes) are fooled and eventually scammed.

Anti-Phishing Working Group - the best place for security experts and members of the Internet and financial industries to learn about phishing

Transcript of Parry's appearance on CNN Insight (International), Dec. 7, 2004 (EST), on phishing


HOLMES: There's a new kind of fishing and a new kind of bait and computer users are paying the price.

Welcome back.

The scam is called phishing. That is phishing, with a "ph". The FBI says it is the fastest growing online fraud scheme.

Again, Daniel Sieberg explains how it works.


SIEBERG (voice-over): Susanna Trotter of Richmond, Virginia bought her first computer in 1999. Within three months, her credit card number was stolen.

SUSANNA TROTTER, VICTIM OF INTERNET FRAUD: I got an e-mail from AOL saying that they needed to check my billing.

SIEBERG: Though the message looked real, it was not from AOL -- a corporate sister of CNN, by the way. It was from an online con artist and when Susanna clicked on a link inside the e-mail, it directed her to what appeared to be a customer service page, complete with legitimate links, logos and all the right language. It even had dropdown menus to select her choice of credit card. She was being duped by a very clever identity thief.

TROTTER: Well, the first thing I noticed was on my credit card that there was a charge that I didn't recognize.

SIEBERG: The thief had used the stolen credit card number to purchase some rather lewd content online.

TROTTER: And I called and it was a company out in California. And after much cajoling, I got the girl to tell me that it was an adult entertainment site. And I knew I hadn't signed up for that.

SIEBERG (on camera): The company, of course, was tricked, too. It had nothing to do with Trotter's stolen credit card information. The scheme is called phishing, spelled with a "ph", not an "f". And scammers cast wide nets in the form of mass e-mails, hoping to reel in unsuspecting victims who think the messages are legitimate.

Sometimes, however, their tactics backfire and they hook the wrong guy.

(voice-over): An FBI agent in the Norfolk field office received the same phony AOL message as Susanna. His name is Joe Vuhasz, but we can't show you his face for investigative reasons.

JOE VUHASZ, FBI AGENT: I think there is some sort of irony in the fact that they were sending the e-mail messages out in such abundance that it just so happened that I happened to get one. And one of the things that I specialize in is cyber crime. So I think there is some sort of poetic justice.

SIEBERG: The phishers had hooked an FBI agent and he had the means to track them down. Helen Carr and George Patterson are now serving time in federal prison. Their lure of choice was AOL, but other common phishing e-mails purport to be from eBay, PayPal, Citibank and U.S. Bank, among others.

EILEEN HARRINGTON, FTC CONSUMER PROTECTION BUREAU: Phishers send out huge volume of e-mail to people who may or may not have accounts with the companies that they pretend to be on the theory that these companies do so much business that some of the people who receive these e-mails are bound to have accounts or have done business with them and will bite.

SIEBERG: According to one study, 57 million U.S. adults believe they've received a phishing attack e-mail. It's estimated that 11 million of those people actually clicked on the e-mail's links to the fake Web sites.

And the trend is on the rise, according to the Anti-Phishing Working Group, with a 52 percent average monthly growth rate through June 2004.

The Federal Trade Commission operates the largest consumer complaint databases in North America. Eileen Harrington says phishing is becoming a huge problem, but it's a crime that's completely preventable.

HARRINGTON: Do not ever provide account information, a PIN, a social security number, any kind of personally identifiable information like that in response to an e-mail, even if you think it's from a legitimate and reputable company, because that's not the way that these companies do business.

SIEBERG: Susanna was able to reverse the charges on her credit card, but was rattled by the whole experience.

TROTTER: I had felt like I was safe. I didn't know enough to realize I wasn't safe. And sure, ever since that happened, I'm very, very careful.

SIEBERG: On the Internet, seeing is not believing. The logos, language and look of anything online are very easy to copy. If you think your billing records need updating, don't take the e-mail's word for it. Contact the company independently and directly yourself.

Daniel Sieberg, CNN, Atlanta.


HOLMES: This is a growing problem. What can computer users do to protect themselves from such Internet scams as phishing?

Well, joining us now to talk about this is Parry Aftab a lawyer who specializes in cyber crime and is the executive director of

Thanks so much for your time.

One figure I read was that 5 percent of people fall for phishing expeditions, if we can call it that. That is a lot of money potentially.

PARRY AFTAB, WIREDSAFETY.ORG: It's a lot of money and it's a worldwide problem, not just one in the United States.

HOLMES: How much money are we talking about?

AFTAB: Billions and billions and billions, because we have no way of really knowing. And the interesting thing is that you talked about the FBI agent who was phished. I've been phished. And when people come to the person who runs a group with thousands of volunteers to protect others, you know that if I am almost caught, other people who don't know as much will be caught for sure.

HOLMES: Tell me this, what is the first indication that you've been had? Is it that suspicious purchase on your credit card? Is that normally the first anyone knows that they've been phished?

AFTAB: Well, if they're phishing your credit card, you'll find out on a statement. And in the United States we have different legal protections than you do outside of the United States on being able to challenge your credit card for fraud.

However, if they're phishing your identity, so they've sent you an application for a new credit card or something special that you need to put in that may have your tax identification number or some social identification numbers to allow them to go in and apply for new credit under your name, you may not know until you're denied credit or someone starts sending you bills for something you didn't buy.

HOLMES: While some people have probably not heard about phishing, many have. I'm curious whether many people get caught for doing this.

AFTAB: So many get caught doing it. The first time I received it, it was in the guise of PayPal, and someone asked me to sign in to our charitable account because there was a problem.

If I had had our code name, I would have done it. Instead, I sent it to the head of our security and our fundraising group, saying put it in, and luckily the head of security said Parry, you were caught.

They also masquerade as sites where you can buy software at much reduced prices or even download pirated motion pictures before they hit movie theatres, asking for your credit card. Then that site doesn't charge you, but they sell your credit card information to another that will.

HOLMES: How hard is it to catch these people?

AFTAB: Well, it's hard because most people don't know how to give up the evidence we need to be able to track where it's coming from, and the sites are quite good. They may counterfeit a seal for BBB online or trustee. They have all of the links in place that look right. And every once in awhile, unfortunately, a legitimate company sends out an e-mail that looks like a phish but isn't.

So you're never really sure. The answer is, if you get anything that comes to you from your bank, from a company you want to buy from, from anybody, and asks you to sign in to a link, get out of there and log into the site the old fashioned way, through your browser, and don't ever give any information to anyone you get on e-mail, even if it looks legitimate, even if you have an account with them, even if you're absolutely sure they're trustworthy, because in all likelihood they're not.

HOLMES: I was looking around your Web site today. You cover a lot of other issues as well. If we can touch on some broader issues of privacy on the Internet in a general way, there is so much information out there that pretty much there are people who say that they can find out anything about anybody. Are we safe to do anything on the Internet?

AFTAB: Well, you're safe doing things on the Internet if you're careful. So what you need to do is not give out personal information. Don't give out your name, address, telephone number. When you're applying to register at a Web site, use a special e-mail address that you've created with hotmail or Yahoo! or one of the other free Internet accounts just for signing into sites. That will get all of the spam and all of the junk mail and hopefully all of the phishing. You'll check it when you need to because you registered, but people won't be able to find you otherwise.

Google yourself. Check your name, address, telephone number, your mobile number, and see if anyone has it online that you can find. If they do, ask them to take it down. You can really protect yourself from most of this online.

HOLMES: You know, cyber commerce is so enormous now and I have this debate with my own mother, who will not buy anything on the Internet. I buy just about everything on the Internet. My argument to her is it's no different than giving your credit card up at a restaurant if you're on a reputable site. We don't want to frighten people, do we?

AFTAB: Absolutely we don't. And e-commerce is fabulous, and your mother, you should tell, that she can shop from midnight in her bunny slippers without having to go out in bad weather. So it's a wonderful place.

But we need to be as intelligent as we are when we're in a supermarket or we're in a restaurant, where we hand off our credit card. But we don't, say, hand it to somebody at the next table or hand it to a stranger outside the restaurant. We have to use common sense and not always believe everything we see. We just need to be a little skeptical, make sure that we're protecting ourselves and know where to go when things go wrong.

HOLMES: Two things I want to cover very quickly, if I can. One is adware and spyware. There are a couple of programs out there that will track down these things, just to let people know what that is, because a lot of people, it appears on their computers, they just don't even know it's there.

AFTAB: Well, you know, where they recognize it is when these things pop up on the screen, even when they're not online. So you may be surfing something and find yourself encountering pornography or something else you don't want, ads for Viagra. So that usually comes from adware, spyware, or what we call malware.

There are some good programs out there. Lavasoft makes one called Ad-Aware and it's free as long as you run it every time you need to. Spybot is very good as well. And we have a lot of that information at

We're a charity and you can trust us when we review a product.

HOLMES: I use both of those, actually.

The final thing I want to ask you about is there are some of us out there who get mad when people try to do these things. Can we track them down? What do we do if we want to report this?

AFTAB: Well, you shouldn't track them down. You need to go to professionals.

What you can do is you can come to WiredSafety and our security team will tell you what we need to get from your e-mail communication. You need to save a header and you need to make sure not just forwarding the e-mail, but everything, including the electronic things that go before it, so we can track it.

You can go to the Anti-Phishing Working Group site, which is, or you can come to us at, and we'll help you. We actually are going to be using Spider Man and all of his friends on Internet safety awareness on spyware and phishing around the world, including some special custom comics, and we hope to get a lot of those in Europe and in Asia involved as well.

HOLMES: They're both great Web sites. I was looking around them today.

I want to thank you, Parry Aftab, a lawyer specializing in cyber crime. is the Web site. Thanks so much.

AFTAB: Thank you very much. I appreciate it.

HOLMES: Good information there.

Monday, December 06, 2004

Finding the person behind a cyberbashing or cyberattack...cyberbreadcrumbs and discovery online

Peek-a-Boo…I can find you!

People often mistakenly believe they can surf and communicate online anonymously. The reality is that no one is truly anonymous online. We leave a trail of cyber-breadcrumbs behind us wherever we go, whatever we do online. But most of the time no one cares about piercing the veil of anonymity, unless they are the recording industry, an irate spouse, or someone being bashed unfairly online.

Luckily, these cyber-breadcrumbs almost always lead you to the basher. Each e-mail (and even IM) and every cyber-communication carries an IP address. The IP (Internet Protocol) address tracks back to the IP address owner, and sometimes to the Ethernet card in a particular computer in an office or home network.

When you have your own server, or use certain ISPs, you have a static IP address. That means it’s always your IP as long as you use the same computer and the same ISP access. Tracking you is then as simple as tracking your IP address. Most larger companies, especially the technology-based companies, educational institutions and governmental agencies have their own static IP addresses.

When you use AOL and other Internet service providers to access the Internet, you typically have a dynamic IP address, which means it’s yours for the period you are logged on, like subletting from the server’s IP address pool. But the only way it can be tied to you is by knowing when the IP address was recorded and tracking which subscriber was using it at that time. For that they need the cooperation of the ISP or online service, which has to check their records to tie the IP address to you, as their customer.

Given how many subscribers they have and the high turnover of IP address assignments, many ISPs only retain the subscriber/IP address records for a short period of time, usually ranging from three weeks to three months. Problems arise when someone needs those IP records and they are no longer being stored by the ISP. Unless the situation and IP address is discovered quickly, important evidence linking the suspect to the cyberabuse and possible cybercrime may be lost.

Most leading ISPs will retain these records for longer periods of time, if requested to do so by a litigant or law enforcement official. Some statutes permit law enforcement and lawyers to send a letter to the ISPs requesting that they maintain their records on a particular user for ninety days, and that request can be extended for an additional ninety days, if necessary.
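As an added example that is not part of the original post, here is how the trail described above is read in practice: it walks the Received: lines of a constructed e-mail header to recover the originating IP address and the time it was logged (the two facts an ISP needs to tie a dynamic address to a subscriber), flags a chain whose timestamps run backwards, and applies the retention and preservation periods quoted above to show how soon the ISP's records must be requested. The message, host names and addresses are all constructed.

```python
"""
Added example, not from the original post: walk the Received: chain of an
e-mail header to recover the originating IP address and the time it was
logged, then work out how quickly the ISP's subscriber/IP records need to be
requested. The sample message is constructed; its addresses come from the
RFC 5737 documentation ranges and belong to no real sender.
"""
import email
import re
from datetime import datetime, timedelta
from email.utils import parsedate_to_datetime

# Constructed sample header. Each server prepends its own Received: line, so
# the top line is the final hop and the bottom line is the sender's own
# connection to the first relay.
SAMPLE_RAW_MESSAGE = """\
Received: from mx2.example.net (mx2.example.net [198.51.100.7])
\tby mail.example.org with ESMTP id abc123;
\tTue, 7 Dec 2004 09:15:02 -0500
Received: from relay.isp.example (relay.isp.example [203.0.113.20])
\tby mx2.example.net with ESMTP id def456;
\tTue, 7 Dec 2004 09:14:41 -0500
Received: from dialup-pool-19.isp.example (unknown [192.0.2.19])
\tby relay.isp.example with SMTP id ghi789;
\tTue, 7 Dec 2004 09:14:20 -0500
From: someone@isp.example
To: victim@example.org
Subject: constructed sample
Date: Tue, 7 Dec 2004 09:14:00 -0500

Body text plays no part in the trace.
"""

# Retention figures as stated in the post: ISPs commonly keep subscriber/IP
# logs for three weeks to three months; a preservation request holds them
# for ninety days and can be extended once.
SHORTEST_RETENTION = timedelta(weeks=3)
PRESERVATION_PERIOD = timedelta(days=90)

# Bracketed dotted-quad that receiving servers record for the peer.
IPV4_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def parse_received_chain(raw_message: str) -> list:
    """One record per Received: header, final hop first.

    Each record holds the bracketed IP the receiving server logged and the
    timestamp that follows the last ';'. Folded header lines are unfolded.
    """
    msg = email.message_from_string(raw_message)
    hops = []
    for value in msg.get_all("Received", []):
        flat = " ".join(value.split())
        ip_match = IPV4_RE.search(flat)
        stamp = flat.rsplit(";", 1)[-1].strip()
        hops.append({
            "ip": ip_match.group(1) if ip_match else None,
            "time": parsedate_to_datetime(stamp),
            "raw": flat,
        })
    return hops


def originating_hop(hops: list) -> dict:
    """The bottom Received: line is the earliest hop: the address the
    sender's connection presented to the first relay."""
    return hops[-1]


def chain_is_consistent(hops: list) -> bool:
    """Timestamps should not run backwards from origin to final hop. A hop
    that is out of order suggests a Received: line the sender inserted
    rather than one a relay wrote, so rely only on lines written by servers
    you trust."""
    times = [h["time"] for h in reversed(hops)]
    return all(a <= b for a, b in zip(times, times[1:]))


def trace_report(raw_message: str, now_iso: str) -> dict:
    """Summarise the trace and the records deadline as of `now_iso`
    (ISO 8601 with UTC offset), assuming the shortest common retention."""
    now = datetime.fromisoformat(now_iso)
    hops = parse_received_chain(raw_message)
    origin = originating_hop(hops)
    request_by = origin["time"] + SHORTEST_RETENTION
    return {
        "origin_ip": origin["ip"],
        "origin_time": origin["time"].isoformat(),
        "hop_count": len(hops),
        "chain_consistent": chain_is_consistent(hops),
        "request_by": request_by.isoformat(),
        "records_likely_purged": now > request_by,
        "preserve_until": (now + PRESERVATION_PERIOD).isoformat(),
    }


if __name__ == "__main__":
    report = trace_report(SAMPLE_RAW_MESSAGE, "2004-12-10T00:00:00+00:00")
    for key, val in report.items():
        print(f"{key}: {val}")
```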

But even with extended retention periods, this requires that the victim of a cyber-bashing moves quickly. Counsel is usually retained to bring a lawsuit and moves for expedited discovery. That means the lawyer asks the judge to permit her to subpoena the IP records from the ISP before the complaint is even served in many cases. The lawsuit typically alleges defamation and is brought against John or Jane Does. The ISP may or may not notify the subscriber of the subpoena. (Recently, in response to lawsuits brought by the Recording Industry Association of America, some courts have demanded that the subscriber be notified and have an opportunity to contest the disclosure of their identity before the ISP is permitted to turn over that information. AOL and MSN both promise their subscribers that, in a civil case, they will receive notice before their information is turned over.) Once the defendant is identified in the discovery process, the complaint is amended to include the real defendant.

That may be enough. If the cyberbasher is using only one computer, or the IP address traces back to one particular computer in a network, especially if the user needs to sign in and sign off, you may not have to prove much else. But in some cases, tracing the message to a computer isn’t enough. Sometimes you need to trace it to a person and a file.

Lawyers love conducting computer hard-drive discovery. They can usually find far more than in conventional discovery methods. And defendants often think that getting rid of evidence on your computer is as simple as clicking on the delete button. But all that does is take it off your desktop so you can’t see it. But your computer knows it’s there and can retrieve it with the right programs. The only way to know it’s really gone is by reformatting your hard drive. That means you write over the old information, like recording over an old audio- or videotape. (Law enforcement and good cyberforensic experts can often still retrieve it after reformatting.) And back-up drives, programs and tapes often keep copies even if you are able to truly delete the file from one computer.

It is very difficult to ever be sure that something is deleted entirely. If someone wants it badly enough, like the RIAA, an irate spouse or someone you’ve attacked online, they will almost always find it. If you’re the lawyer and on the side seeking the information, always ask for a mirror-image of the drive and a copy of whatever software is needed to read it. If you’re on the other side, offer to print out whatever they need. If they are naïve enough to accept that offer, they deserve what they get.

P2P file sharing risks...Parry is joining a panel at the FTC workshops in her role as Executive Director,

Federal Trade Commission - Your National Resource for ID Theft

While I was at the website on the Internet porn case, I thought I'd take the chance to highlight their awareness resources. This one, on identity theft, is a great checklist that will walk you through the steps you need to restore your identity.

Alyon Technologies Settles FTC Charges against Internet porn operator for unauthorized billing and deceptive practices.

In a settlement that could cost Alyon Technologies more than $17 million, Stephane Touboul, the principal of Alyon, and Alyon itself have finalized a settlement with the FTC.

Once again, the FTC steps in as the primary US regulatory agency protecting consumers online.

Great work!!

Friday, December 03, 2004

When an online hotel discount site promises what it doesn't

A Four Star is a Three Star is a Make-it-Up-As-You-Go-Along Star Hotel

I have been booking hotels online since I first began using the Internet. When you run an Internet safety group, you try to find ways to get quality travel packages and hotels and still save money. I have my favorite sites and some I use only in a crunch.

I've been meaning to write about the problems associated with online auction and discount hotel websites, especially when they advertise the star-ratings of hotels. You can, on certain websites, select a hotel based upon their star-ratings and, in the case of HotWire, are only given the name of the hotel after it is booked and paid for.

I am going to be in DC for an FTC workshop, interestingly enough. I spend my entire life protecting consumers from Internet fraud, deceptive practices, abuse and misrepresentations. I feel cheated. I didn't save any money over what I would have paid for that same hotel from the hotel chain website itself, once the hotwire service fees are factored in.

I am now both frustrated and angry and will both write about this and see what charges, if any, should be brought by complaint to the FTC and other consumer protection agencies. I apologize in advance to the hotel itself. It is a nice little hotel, a nice place to stay, a good location. It's just not a four star hotel. I paid for a 4 star hotel and expected to get one.

Hotwire disclosed on their website that they had a 4-star hotel available in DC for $100 per night. When you click on their ratings guide, you discover that they include examples of certain hotel chains in each category. The Crowne Plaza Hotel chain was included on their chart as a 3-1/2 star rating example. The 4-star rating example included Wyndam, Hilton and Westin chain hotels. This is all in red bold type.

An asterisk follows the column header "examples" (all of which were in bold red type) and refers to very light grey print below the chart (on a white background), much smaller than the red bold type, and not bolded. It says:

"*Examples only. Hotwire does not guarantee you will stay in one of the hotels listed here. Property classes can vary within the same chain. Some hotel partners have properties in more than one star-rating category."

You can drill down one more level, in much darker and slightly larger type "Learn more about Hotwire hotel star rating." That sends you to a pop-up page that says:

"How We Rate Hotels
To help you book the right hotel, we constantly work to ensure that our hotel ratings and ratings guide are accurate and up-to-date. Our star ratings reflect the level of overall service, amenities and facilities that you can expect. When evaluating hotels, we consider:
• Recognized industry sources and ratings systems - including Mobil, AAA, Fodors and Zagat.
• Visits by Hotwire Hotel Team representatives.
• Customer feedback. We ask customers to tell us about their stay at a Hotwire hotel."

When I checked both Orbitz and Expedia, the Hamilton Crowne Plaza Hotel in DC was rated a 3-star hotel. (Not the four star rating given at Hotwire, and not the 3-1/2 star reference in their rating guide for the Crowne Plaza chain.)

I will be checking the other ratings agencies when they open on Monday morning. The hotel itself told me it is a 3 star hotel (although Intercontinental hotels don't normally rate themselves using stars).

Is the light grey disclaimer enough to warn people? If it were more prominent, would it be enough, or is it deficient legally? Shouldn't consumers be able to rely on a star rating and representations made by travel sites?

I think it's time we do something about discount sites being able to create ratings that suit them, rather than accurately reflect an apples-to-apples comparison.

Is there anything reliable behind the ratings? Is the fact that consumers enjoyed their stay at the hotel enough to ratchet it up a few stars?

If not, there should be. Watch this space...I'll let you know what happens.

BTW, the people at the Hamilton Crowne Plaza Hotel were incredibly nice to deal with, caring and concerned about what occurred at Hotwire. If I could make this case without naming them, I would have.

my 2 cents.


Net Bullies...preventing and handling cyberbullying and harassment

I am spending so much time these days handling cyberbullying issues and advising schools and parents on what they can do to prevent it and handle it when it occurs, I thought it was time to develop a special site devoted to bullying online. I'll be building it out over the next month.
If you have a question in the meantime, e-mail me, or visit or


Child pornography and network servers at work...what to do when the unthinkable happens

Child pornography images are showing up in the most unlikely places – such as on the desktops of professors and senior executives, lawyers, teachers, and others you would never have suspected – like your trusted employees. What would you do if the police heard about this before you did – directly from another one of your employees?

Suddenly your carefully crafted Internet use policy doesn’t give you the coverage you expected. How should you deal with criminal activities that implicate your company and the contraband you discover on your company’s computers? How should you handle the police, the employee who is implicated and the employee who called the police?

The time to think about these questions is BEFORE they happen. Being prepared, and preparing your employees can make the difference between a difficult situation and a public relations and legal disaster. To do that, you need to have a policy in place and procedures that implement that policy. Then you need to make sure that those policies and procedures are communicated to your employees so they too are prepared. The last thing you want is an employee taking the matter into their own hands.

Start off by reviewing your existing Internet use policy. (If you don’t have an Internet use policy in place, this is the time to get one.) Does it already contain a provision dealing with criminal activities, or does it just deal with inappropriate workplace activities? What about pirated software, music and intellectual property? Have you created a procedure where people can report abuses of the policy?

Next comes the hard part. You have to make some important policy decisions. Should you report criminal activity you discover, or handle it as an internal matter?

Many companies elect not to report employees’ criminal activities to law enforcement. They handle these activities as a violation of company policy. Often, fearing adverse publicity, companies merely terminate the suspected employee without pressing charges. Unfortunately this means that the criminals just change jobs, not their conduct.

Should your decision for handling discovered criminal activity depend on the type of criminal activity involved? Are you more likely to forgive music pirating or unlicensed software than child pornography or attempts to lure a child into an offline sexual encounter? These difficult issues need to be worked out in advance, not in the heat of the moment. And consult with your legal advisors. Failure to take action when you discover criminal activity may result in the company itself facing liability and even criminal charges.

Once the parameters are decided, you can create written policy and procedures that deal with criminal activities that are discovered on your computer system. (You may want to broaden this to deal with all types of criminal activity, not just those connected with technology.)

Your policy on illegal behavior can be added to your existing Internet use policy, or produced as a standalone policy. Make sure that it is signed and acknowledged by everyone. It should include a description of the kinds of actions that are illegal, as well as a statement that the list is not exclusive. It should also include to whom and how violations should be reported. Make sure they know that ignoring procedures and calling the police directly is a violation of company policy and can be disciplined as such.

Then establish methods of investigation. These methods will differ depending on the type of suspected criminal activity.

Investigating child pornography is especially tricky. It doesn’t take much for the investigator to violate the law during the course of an investigation. Possessing, downloading, printing or saving child pornography images, in any format, or delivering them to anyone else is illegal, even when you are investigating a potential crime and intend to report it to legal authorities. When child pornography is suspected, law enforcement or private consultants trained in this area should be called, and the computer isolated immediately. Note that if law enforcement is involved, the equipment will be seized and may be held for more than a year.

There are no easy answers here. Balancing your desire to see justice done, your need to protect the company and the shock of having a trusted employee violate your trust is a difficult task. That’s why advanced planning and communication of your policies can make all the difference in the world. When the unthinkable happens, the best reaction is one you have already thought about.