How far can someone follow cyber footprints? Ken Picard finds himself online
Once upon a time, “Go Google yourself!” were fightin’ words akin to what Dick Cheney said to Pat Leahy on the floor of the U.S. Senate last year. Recently, however, one local computer expert suggested that Googling yourself is a useful exercise. By 2010, the amount of information swirling around in cyberspace is expected to double every 11 hours, according to an estimate by IBM’s Global Technical Services. No one knows for sure what all that “data” will be worth, or to whom. So, I decided to see where my name was popping up online, and why.
I’m not paranoid, just realistic. A vapor trail of digital information follows each of us wherever we go, both online and off. Our laptops, cellphones and PDAs are like mini-stenographers, recording our every keystroke — even those we mistakenly assume have vanished into oblivion. Computer databases track and profile our credit-card purchases, medical records, ATM transactions, emails, instant messages and Web traffic. Even our driving habits are logged if we use onboard navigation devices or automated toll-collection systems such as EZ Pass. And until Americans elect leaders who are truly committed to open government, we’re left to speculate about the level of official data mining and state-sanctioned voyeurism we’re being subjected to without our consent.
Last year, a Brooklyn, New York-based performance troupe parodied this phenomenon in a multimedia piece called Super Vision. In one vignette, an international business traveler endures an endless barrage of interrogations by immigration officials as he moves from one airport to the next. At each terminus, the probes become increasingly invasive and absurd, until his interrogators know more about the traveler’s health than he does. A great irony of the so-called Information Age is how little of our own personal information is freely accessible to us.
I Googled myself not to stroke my ego but to see how far I — or someone else — could follow my digital footprints and reconstruct my identity. To keep it realistic, I only used information that the average Seven Days reader could figure out with a few keystrokes and mouse clicks — that is, my approximate age and place of residence. Initially, I stuck to free searches and didn’t use my date of birth or Social Security number unless I found them online.
I quickly discovered my tracks scattered willy-nilly all over cyberspace, like paw prints in a muddy dog park. Unlike the dog park, however, cyberspace has no discernible boundaries. I’ve been a journalist for nearly 10 years, so my online presence is probably more conspicuous and widespread than that of many Web users. As a result, someone rummaging through my archived past could assemble a useful dossier on me — current and past employers, recreational interests, pets’ names, my old summer camp, places I’ve been on vacation. However, my first concern isn’t whether a gang of cyber-snoops will figure out if I’ve ever donated sperm or jumped out of an airplane. It’s whether they can nail down my Social Security number. As I soon discovered, that information is not so hard to locate.
I’m no expert at online man-hunting, so I began my e-sleuthing the way most people would — using free databases and common search engines. Google turned up 526 hits for “Ken Picard,” although searches for my full legal name led nowhere. Most of the first 30 hits actually were me — invariably, articles I’ve written for Seven Days or other publications, or sites that have re-posted those stories.
In the process, I discovered dozens of Ken Picards who aren’t me — though none in Vermont. On a database called Zabasearch.com, I tracked down 75 Kenneth Picards ranging in age from 20 to 74. They include a justice of the peace in Vermilion Parish, Louisiana; the director of a community-living center in Thunder Bay, Ontario; a recently elected selectman in Upton, Massachusetts; an amateur wrestler in Maine; and the CEO of an oil drilling and exploration firm in Australia. I found a Ken Picard who plays the bass in a blues band called Mr. BlueSteel. Another is a massage therapist and avid ice climber in Calgary. Like me, he’s no fan of George W. Bush; unlike me, he hates the Grateful Dead.
But aside from a general fondness for outdoor activities and an eerie predilection for goatees, the individuals I stumbled on had little in common with me except their names. In short, if someone wanted to target me, they’d have no trouble picking me out of the Ken Picard crowd.
They’d also discover where I’ve been. Within five minutes of free searching, I found 12 previous addresses in six of the eight states where I’ve lived, including an apartment I rented for just three months in Boise, Idaho, during a college internship in 1985. Within 10 minutes, I found the correct month and year of my birth, the names of all my immediate family members and one grandparent, their ages and the places they’ve lived.
As I’m over 40, I’ve never posted a profile on a social networking site such as MySpace, Facebook or Friendster — treasure troves of personal data for online mischief-makers. But I searched a few of those sites just for the hell of it. Mostly, what turned up was a nauseating assortment of Star Trek references, including a creepy animated video of Captain Jean-Luc Picard dancing in the buff to electronica music.
I had better luck with reunion websites, where it didn’t take long to figure out where I’d gone to high school and college. A mere half-hour of Web prowling turned up a recent photo of me, a list of previous employers and a profile I posted years ago. For some obsessive reason, I felt compelled to update it.
Soon, however, the trail grew cold as I repeatedly slammed headfirst into fee walls. There are dozens, if not hundreds, of background check or “skip trace” websites promising reams of personal info on Ken Picard — unlisted phone numbers, email addresses, property liens, criminal convictions, marriage and divorce records, sex-offender registries, even psychological profiles. But invariably, a window popped up asking for a credit-card number.
Unsure which of these sites would work best, I did what most people would do — I picked one at random that appeared legit and affordable. Net Detective claims to search 211 million public records on more than 90 percent of all U.S. residents. It offers birth and death records, adoption information, Department of Motor Vehicles data — even Social Security numbers. The home page has a seal of approval that proclaims it a “Consumers Guide Top Pick for 2006.” I took the bait.
Eager to see what skeletons were lurking in my digital closets, I ponied up the requisite $29, typed in my full legal name and address, and hit enter. Within seconds, the words “No results found” appeared in big red letters.
Disappointed and confused, I widened my search and got a single hit, for a “Ken O. Picard” in Vermont — with the wrong age, middle initial and date of birth. A reverse search of my home telephone number, which is listed in the phone book, came back under someone else’s name and address. Frustrated, I searched four other states where I knew this Ken Picard had lived. But except for one old phone number in Clinton, Montana, the trail was a dead end.
Curious, I tried out Net Detective’s Social Security number verification. This function told me that my SSN was indeed valid and had been issued in New York, but offered no other clues. Another link, which claimed to access my FBI file, turned out to be a standard PDF of a “certification of identity” form that must be mailed to the U.S. Department of Justice. I could have obtained this blank document free of charge from the government.
Disgusted, I requested an immediate refund. Net Detective emailed me a form that, oddly, I had to fax or snail mail back to the company. In the meantime, the fraud-prevention unit at my credit-card company called me to verify that I’d made that online purchase. In the days that followed, I began receiving loads of new junk email under my legal name, something that had never happened before. There’s a bitter irony in knowing that my efforts at online self-discovery only created more digital footprints that are visible to others but not to me.
Another reasonably priced skip trace site, peoplelookup.com, provided more detailed info, including my full legal name, date of birth and 11 previous addresses, only one of which was incorrect. It also listed the assessed property value of my mother’s house on Long Island and the taxes she pays on it annually, the names of my current neighbors, and their addresses and phone numbers. This site ran a criminal background check and found no convictions or judgments against me, in Vermont or nationwide. About the only glaring errors I spotted were the listing of my father’s middle name as “Nassau” — that’s the county he lived in — and a “listed alias” for me as “Jennifer M. Blommel.” Sorry to disappoint, but that’s not my drag-show stage name.
Still hoping to probe deeper, I turned to the professionals for help. Ben Knieff is an identity theft prevention expert at Outside Look Research and Consulting in Minneapolis, Minnesota. Knieff, with whom I communicated via email, pointed me to Vermont’s one-stop link for searching the secretary of state’s website for such information as professional licenses, commercial debtors and registered business names. Since I’m neither a licensed professional nor a business owner, my name didn’t show up in the database. That said, I did come across other people’s property documents, including their Social Security numbers, despite a Vermont law requiring that such data be redacted.
Knieff suggested that if I owned property in Burlington, my name would appear in the city’s online grand list. Also, for a fee of $12.50, I could search a Vermont-run website that lists case summaries and real-time docket chronologies of legal proceedings, though full details of district court and family court proceedings aren’t available.
Then there’s always Vermont’s online sex-offender registry — where, thankfully, none of the lewd and lascivious have a name matching my own.
Since I don’t know Knieff personally and didn’t verify his identity, I decided to approach an old out-of-state acquaintance who has more cyber experience (and fewer scruples) than I do, to see if he could dig up my Social Security number where I could not. He’s a former insurance industry employee who got into some hot water for using a company computer to track down attractive women he’d spotted on the road. It took him several days to get back to me, but eventually he found my Social Security number. I was shaken but hardly surprised. While the easily accessible free and paid services hadn’t delivered the goods, a bit of extra Internet know-how did. With my birth date and federal digits in hand, someone pretending to be me could have a world of information at their disposal.
But even without a hacker’s help, there’s plenty of useful data out there for “social engineering” — that is, talking people into doing things that usually aren’t in their best interest. Hackers have traditionally used such old-fashioned grifting skills to supplement their technological savvy.
Dr. Gary Kessler is an associate professor of computer and digital forensics and director of Champlain College’s Center for Digital Information in Burlington. He believes we’ve all become so conditioned to give out personal data when asked for it that we often fail to recognize social engineering.
For instance, say someone calls you at home claiming to work at your bank; he tells you the bank is updating its computer systems and has the first three or four digits of your Social Security number, but the rest are smudged. Since almost everyone born in Vermont has a Social Security number beginning with 008 or 009, the caller could be an identity thief who simply found an ATM receipt with your name on it. Many people will automatically divulge the rest of their numbers without verifying the person’s identity.
“If someone stopped you in the middle of the street and said, ‘Give me your credit-card number,’ you probably wouldn’t,” Kessler says. “So why do it on the Internet, and why do it over the phone?”
Kessler isn’t surprised that someone could find my SSN online in relatively short order. But he emphasizes that it takes a fair amount of time and work to steal identities one person at a time.
“The truth is, while I take all this stuff seriously, most of us as individuals are not targets that people are attacking,” he says. “Even a bad phishing site will gather hundreds, if not thousands, of people’s information.” Phishing is a form of social engineering in which an email or instant message imitates a legitimate business or institution and asks for sensitive information such as computer passwords or credit-card numbers. While plenty of people fall victim to these schemes, there’s a certain comfort in knowing one isn’t being singled out.
When I began my exercise in cyber self-discovery, I had a mental image of an enormous HAL-9000 computer somewhere vacuuming up reams of personal data about my online book purchases, recent medical procedures and Internet search habits. But, as Kessler explains, much of the data that leaves us vulnerable is stored right on our own laptops, cellphones and PDAs. If we write checks online or use software such as Quicken or Microsoft Money, a lot of sensitive data can be accessed from our hard drives, especially if they’re lost or stolen.
Equally troubling, Kessler adds, are the social networks such as MySpace and Facebook, which he calls “an entirely new rat’s nest, particularly when it comes to social engineering.” Many people, especially children and teens, post sensitive, detailed and highly personal information about themselves that can be exploited by identity thieves and other predators. A survey earlier this year by the Girl Scout Council of Vermont and the Vermont Commission on Women found that 44 percent of all female 12th-graders in Vermont had been approached by an online stranger.
“If a cop had nothing else to do one day and decided to go after a child sexual exploiter, within 15 minutes he or she could have a target,” Kessler says. “Sadly, it’s like shooting fish in a barrel.”
According to the Federal Trade Commission, identity thieves hit about 10 million of us in any given year, with losses to businesses totaling about $50 billion. Victims of identity theft have spent about $5 billion trying to undo that harm.
While I had hoped to learn more about myself online, I came away from this little exercise uncertain which is worse — being able to follow my every digital footstep, or being unable to get a big-picture view of the landscape I’ve traveled.
In the meantime, I’m left wondering if my search did more harm than good. Sure, I pulled up my free credit report, which looks squeaky-clean. But what new lists did I get myself on? What sensitive info is now permanently etched in my hard drive?
I’m going to take the advice of experts like Kessler and shred my credit-card receipts and financial documents before I toss them — maybe even join the tiny percentage of Web users who run anti-spyware and anti-virus programs on a regular basis.
Or perhaps I’ll just run my laptop through the dishwasher.