Nearly one in six convicted sex offenders is using sophisticated techniques invented by identity thieves to avoid their legally mandated registration requirements, a new study has found. These digital absconders might be able to avoid post-incarceration restrictions by living near schools and playgrounds, and could possibly gain employment working with children.

The study, conducted by Utica College and funded by the U.S. Justice Department, estimates that roughly 92,000 of the 570,000 registered sex offenders across the country are systematically manipulating their names, birthdays, Social Security numbers and other personal identifiers so they can live as they want while appearing to satisfy court-imposed or statutory restrictions.

"These are offenders who are flying under the radar and authorities don't know it," said Don Rebovich, the Utica professor who directed the study. "The authorities really don’t have the resources to keep on checking on these people. Offenders find where the vulnerabilities are in the system and exploit them."

---

These digital absconders create two obvious problems. Communities expend energy and resources dealing with offenders who aren't really there -- local police knock on doors and send notices to warn neighbors; public listings are published on the Internet. And sex offenders live where they please as normal adults, without any protective measures kicking in.

"In the worst-case scenario, by thwarting registration requirements, they could potentially have easier access to children," said Staca Shehan, director of case analysis at the Center for Missing and Exploited Children, who is familiar with the study. "(In) those jurisdictions that have residency restrictions that would not allow (offenders) to live within distance of a school, daycare or park, (they) could avoid that type of requirement."

While the study found that an average of 16.2 percent of sex offenders manipulate their identities nationally, some states fared worse: Louisiana, Washington, D.C., Nevada, Tennessee and Delaware all had digital absconder rates of higher than 25 percent.

Officials in Tennessee, Nevada and Delaware challenged the study's conclusions and complained that they had not been contacted by the researchers for additional information that might have clarified the results; officials in the other states did not immediately respond to requests for comment.

'Strategic' manipulation
Shehan said there are generally two kinds of sex offender absconders: those who simply fail to keep their records current, and hope they fall through the cracks; and those who are more systematic in their evasion, intentionally altering their identities so they can circumvent the restrictions. 

"That takes a lot more thought," she said. "They are much more strategic about what they are doing ... and so that's much more concerning."

In one celebrated case of sex offender identity manipulation, a convict named Frank Kuni changed his name to Jamie Shepard and was able to get a job as a U.S. Census worker in New Jersey. Kuni was recognized by a mom after he knocked on the door of her Pennsauken home, and he was later sentenced to three years in prison. Kuni’s case attracted national headlines because of the fear it created surrounding temporary Census workers.

The Utica study, believed to be the first attempt to quantify these more strategic absconders, was conducted by Utica College's Center for Identity Management, set up to examine a variety of identity issues in the digital age. Rebovich is director of the center.

It's well known that some sex offenders neglect their registration requirements, dropping off the grid and accepting only cash-paying jobs to remain hidden. But the Utica study found something more subtle, and perhaps more disturbing -- sex offenders who appear to be satisfying their registration requirements while living a digital double life.

In a parallel survey of 223 law enforcement agencies from 46 states, Utica found that awareness of ID-theft style registry evasion was low -- only 5 percent of respondents said they knew of an identity manipulation case within their jurisdiction. 

And nearly 40 percent of the agencies responded that they had zero absconders, suggesting some law enforcement agencies are unaware of the problem.

The power of the Utica study lies in the use of sophisticated algorithms developed by private firm ID Analytics, a fraud-fighting company used by many large banks and other financial institutions. ID Analytics receives more than 1 billion credit applications and other credit-related events from clients every year. It uses sophisticated software to track the behavior of identity thieves across the credit system, and can find fraud that individual firms miss. It knows, for example, if a criminal uses a systematic series of birthdays or addresses on a set of credit card applications at various banks in an attempt to evade fraud detection. The ID Analytics tool has enough data that it can generally tell the difference between honest typographical errors and systematic fraud attempts. 

ID Analytics ran sex offender data through its massive database of credit-related events, and found evidence of rampant identity manipulation among the offenders.

Kristin Helm, a spokeswoman for Tennessee's sex registry, challenged the study's findings, saying that fewer than 1 percent of that state's sex offenders are absconders. Criminals have always used false identities to try to evade police, but law enforcement systems are geared to handle that issue, she said. "Fingerprints obtained by law enforcement identify individuals regardless of a name or Social Security number," she said, adding that names sometimes change for legitimate reasons, too, such as marriage. 

But Stephen Coggeshall, chief technology officer for ID Analytics, said his technology is well-versed in screening out mundane reasons for identity changes and finding patterns that specifically indicate active evasion is taking place.

"This goes way beyond typos," he said. "These are people who have slightly adjusted or substantially adjusted their personally identifiable information for a reason. They are actively doing so, and we are observing them use these aliases relatively recently."

Nevada spokeswoman Julie Butler also questioned the validity of the study, which she had not seen. She said that Nevada uses fingerprints to track sex offenders, so identity manipulation techniques would be ineffective.

"Our registry is fingerprint-based. We don't base it on date of birth, or Social Security number, or name," Butler said. "They can put down their name as whatever and we still have them in the database."

But Coggeshall responded that even in states which use fingerprint identification, an identity manipulator would only be discovered when trying to engage in an activity – such as becoming an elementary school teacher – which triggers a fingerprint evaluation. 

"In general it doesn't help you track where they are or if they're living under an alias at an unregistered location," he said. "It can help to find sex offenders as they enroll in certain groups, but many … groups don't routinely fingerprint new enrollees."

SSNs connected to multiple people
Two years ago, using this tool on a database of Social Security numbers, ID Analytics found that rampant evidence of identity theft: 5 million SSNs were connected to three or more U.S. adults in credit applications, and 140,000 were associated with five or more people, indicating almost certain fraud. The tool can also track individual identity manipulators, as ID Analytics calls them, as they attempt various frauds across an array of credit issuers.

This tool was turned on the sex offender registry problem at the invitation of Utica College in Utica, N.Y., beginning last year. ID Analytics took a large sample -- nearly 100,000 -- of the 570,000 active registered sex offender records and ran them through its credit application database, looking for signs of manipulation.

The findings were disturbing. In Louisiana, the study found, nearly two-thirds of offenders' records showed signs of manipulation. Rebovich theorized that Louisiana's problem might stem from the aftermath of Hurricane Katrina, which gave some people a golden opportunity to drop off the grid.

Officials in Louisiana did not immediately respond to requests for comment.

In many cases, the study found, the steps criminals take are subtle -- changing an address from "440 Monroeville Road" to "434 Monroeville Road," for example. In fact, in the majority of cases, digital absconders were much more likely to move across town than across the country. Absconders who fake their address are six times more likely to remain in the same state than to cross state lines, the study found, and 90 percent of those who remain in state stay within 40 miles of their original registered address. In many cases, the data shows, those addresses belong to a family member. That might allow absconders to show up on a moment's notice at their registered address in case local police do a random check, Rebovich said.

But the address change could also allow them to apply for jobs and housing they would otherwise be unable to qualify for, he said.

While half of the manipulations involve bad addresses, plenty of other types of evasion are going on, the study found. One subject studied had five names, three Social Security numbers and four dates of birth, for example.

About 10,000 offenders had used at least four different Social Security numbers, Rebovich said. The evidence indicates this was usually done to evade the court registration requirements rather than commit financial identity theft, the study found.

One reason sex offenders seem to get away with evasion is that registration requirements are set by states and vary widely. In some states, convicts merely send updates through the U.S. mail to state officials, and are subjected to little, if any, verification. In others, officers try to check on sex offenders, but ofter are assigned hundreds, or even thousands of offenders, to track.

In other states, such as Florida, there are strict requirements and frequent random inspections, Rebovich said. That shows up in the data -- Florida's digital absconder rate is about half the national average, at 9.4 percent.

The study was funded by the Justice Department's Bureau of Justice Assistance, which plans on issuing a comprehensive report later this fall. Requests for comment from the Department of Justice went unanswered.

'System is never going to be perfect'
Shehan, of the Center for Missing and Exploited Children, said she didn't believe that the potentially high rate of digital absconders means the entire sex offender registry program is broken. In fact, she said the situation has improved since passage of the Child Safety and Protection Act of 2006, which instituted some national standards on offender registries.

Still, she said it's important that states move to biometric identifiers, such as fingerprints, to maintain more accurate records of offenders and their whereabouts.

"Criminals are constantly thinking of ways to beat the system," she said. "The system is never going to be perfect."

Rebovich is hoping the study will spur new methods for checking up on sex offenders, including techniques that would seem familiar to those who work in financial fraud. In a model developed by Utica and ID Analytics, offenders could be given a score, similar to a credit score, which would rate the likelihood that identity manipulation was occurring. 

"We are trying to develop a predictive model," he said. "So we can turn it into an alert system, so states can do this in real time, if they want to."  

Coggeshall said such an alert system would have helped police track down Frank Kuni before he was able to get a job with the Census Bureau.

"In retrospect, we know there are things we would have been able to observe" he said.

http://on.msnbc.com/topnewsemailsignup">Click here to sign up to receive our Top News email each day.

 *Follow Bob Sullivan on Facebook.

*Follow Bob Sullivan on Twitter.  

Does the U.S. government read your email? It's a simple question, but apparently there's no simple answer. And the Justice Department and the Internal Revenue Service are reluctant to say anything on the topic.

In March, the American Civil Liberties Union caused a nationwide stir when the advocacy group released the results of its year-long investigation into law enforcement use of cellphone tracking data. After issuing hundreds of Freedom of Information Act requests, the ACLU learned that many local police departments around the country routinely pay mobile phone network operators a small fee to get detailed records of historic cell phone location information. The data tell cops not just where a suspect might have been at a given moment, but also create the possibility of retracing someone's whereabouts for months. In most cases, law enforcement obtains the data without applying for a search warrant; generally, subpoenas are issued instead, which require law enforcement to meet a lower legal standard.

ACLU lawyer Catherine Crump, who ran the cellphone location data investigation, is at it again. This time, she has filed similar Freedom of Information Act requests with several federal agencies, asking about their policies and legal processes for reading Internet users' emails.

"It's high time we know what's going on," Crump told msnbc.com. "It's been clear since the 1870s that the government needs a warrant to read postal mail. There's no good reason email should be treated differently."

---

There are hints that it is being treated differently, however. In a landmark 2010 case, United States v. Warshak, government investigators acknowledged that they read 27,000 emails without obtaining a search warrant, violating both the suspect's privacy and the privacy of everyone who communicated with the suspect, according to Crump.

Evidence obtained during that email search was thrown out on appeal by the 6^th U.S. Circuit Court of Appeals, but that ruling applies only to four U.S. states.

The case opened a window into what Crump fears is a widespread practice.

In the aftermath of the Warshak case, the Internal Revenue Service told its investigators that they should not try to obtain emails without a court order, but in doing so it hinted that other warrantless email searches had been conducted in the past.

For now, hints are all we have. Crump's Freedom of Information Act requests -- filed in February with the FBI, the IRS, the Justice Department's Office of Legal Counsel and other agencies -- were largely ignored, she says. So on June 14, she filed a lawsuit in the Southern District of New York in an attempt to force the agencies to comply.

"Four months have passed and I haven't gotten a single document," she said. "The American people have a right to know."

The federal agencies have until July 19 to reply to the lawsuit. The FBI is not included in the lawsuit because it replied recently denying Crump's request, saying it was too broad. The ACLU is appealing that determination through a different legal procedure.

Justice Department spokesman Charles Miller directed all questions about the matter to the agency's New York office. A spokeswoman for that office, Ellen Davis, said she couldn't discuss it. 

"We do not comment on ongoing litigation," Davis said in an email.

Julianne Breitbeil, a spokeswoman for the IRS, said federal privacy laws prevent the agency from discussing the lawsuit.

The Justice Department and the Obama administration had a chance to settle the issue in April 2011, during a Senate hearing on the Electronic Communications Privacy Act. Instead, officials with both the Commerce and Justice departments failed to provide any clarity. Instead, a Justice Department official argued against extending Fourth Amendment protections -- specifically strict warrant requirements -- to email, saying that doing so would hinder investigations.

"Congress should consider carefully the adverse impact on criminal as well as national security investigations if a probable-cause warrant were the only means to obtain such stored communications," James Baker, associate deputy attorney general, testified at the hearing.

Crump interpreted the testimony as indicating that warrantless email searches by federal agents are routine.

"It was disappointing when the Obama administration refused to commit one way or the other to obtaining a warrant," she said. "It leads me to suspect the federal government isn't getting warrants."

The 1986 Electronic Communications Privacy Act and its subsection, the Stored Communications Act, provides some guidelines for law enforcement review of email, but those are badly out of date now. They declare that federal authorities don't need a warrant for data that's stored externally (as opposed to locally, on a person's hard drive) if it's more than 6 months old. Given the ubiquity of services like Web-based Gmail, the 180-day distinction and the local vs. network storage issues are both now largely meaningless, and that's essentially what the 6^th Circuit Court found.

The discussion of requirements for email searches is more relevant than ever, given the explosion of social networks and their semi-private conversation tools and the coming of age of cloud services, where corporations are encouraged to keep all data in shared spaces that would fall under the Stored Communications Act. Concerned that such privacy issues would slow adoption of cloud services, a coalition of cloud-friendly companies calling itself "Digital Due Process," has argued for updates to the Electronic Communication Act that would require higher legal standards for digital evidence gathering.

A critical element of the email issue is a debate about whether the Fourth Amendment requires the government to get warrant based on probable cause in order to read a suspect’s email. To get a warrant, the government must appear before a judge, and convincingly argue that inspection a suspect’s email will probably turn up evidence of a crime.

"The warrant and probable cause requirement safeguard Americans' privacy in two important ways. Having to go to a judge means there is someone involved whose job it is to look out for the target's rights. And having to demonstrate probable cause will reduce the chances that innocent people have their communications read," Crump said.

The distinction is also important as the U.S. government plunges headlong into new high-tech surveillance technologies, such as its massive new million-square-foot "Utah Data Center," under construction in rural Utah for the National Security Agency. The facility is designed to help protect cyberspace, NSA official have said. But Wired Magazine published a cover story earlier this year arguing that the facility will be capable of monitoring every email and text message sent around the world -- including messages to and from U.S. citizens. It is scheduled to come online in 2013.

The NSA denies that the facility will be used to spy on Americans, but it's hardly far-fetched to surmise it will have such capabilities. 

Explosion of such technological capabilities is why clarifying digital Fourth Amendment rights is so critical, Crump said.

"No data is more personal than email correspondence," she said. "Email is deeply personal and private. It is an unfiltered view of our thoughts and a catalog of our relationships stretching back for years. Government agents should not be allowed to troll through all of our most private correspondence without proving to a judge that they have probable cause to believe that a search will turn up evidence of a crime."

 *Follow Bob Sullivan on Facebook.
*Follow Bob Sullivan on Twitter. 

The letter warned the recipient that she still hadn't responded to that great offer from "US Airlines" of two free airline tickets, and time was running out. Call the toll-free number now! it urged.

Fortunately, Red Tape reader Mary McNamara ignored it and passed it on to me. But somebody must be calling the enclosed toll free number, because the "great airline ticket giveaway" just won't go away. Complaints about it can be found across the web from a couple of days ago, and from at least two years ago.

---

Let's take care of the basics first. There is no airline called "US Airlines" -- you're thinking of U.S. Airways. That’s no accident; that’s a technique. A variation of the letter is from "American Airways," a bastardized version of American Airlines. Call the number, and you don't get two free airline tickets; you get invited to a 90-minute presentation where you will be encouraged to join a travel club.

 

In the words of travel expert and consumer advocate Chris Elliot: "I have yet to find a travel club that is legitimate."

I called the toll free number and was told I had to travel from Seattle to Portland to attend a meeting before I could receive my free tickets. But the operator, who identified himself as Josh, gave me the option of calling a friend or relative in the Chicago area and sending that person on my behalf to a meeting there. Thanks to their generous referral program, he said, I'd get free tickets just for talking a (soon to be former) friend into attending.

To save yourself the trouble of calling and listening to the pitch, someone recorded their call and posted it on YouTube.

Elliot, by the way, also received one of these free airline ticket letters recently, and wrote about it on his blog.

The free ticket letter offering has been around for at least two years, and inspired a lot of complaints in April 2011. It is such a nuisance that U.S. Airways had to post a "scam alert" on its website.

A representative to the airline told me that she's worked in the company's public relations department for seven years, and the free ticket letter "just kind of resurfaces from time to time." She reiterated, with a heavy sigh, that the airline was in no way affiliated with the offer.

Why would such an offer persist for years, despite all the warnings about it?

"People don't pay attention to details," said Elliot, also the author of the book, “Scammed.”  "US Airlines could exist, and the victims are quickly seduced by the offer. In other words, this thing is still around because it works."

When I asked "Josh" for more details, he said he was working for a company named Universal Travel Deals. The point of the 90-minute meeting -- he called it a "meet and greet" -- was to drum up business for local travel agencies, he said.

"Hopefully, to get people to book travel through them, rather than through those websites, like Travelocity or Expedia," Josh said. 

There are also complaints about Universal Travel Deals in various consumer sites online. When I called the number for a firm named Universal Travel Deals in a Chicago suburb called Tinley Park, a woman who answered confirmed her company was managing free airline ticket offers. When I said I was a reporter, she took my name and number and said she'd have someone return my call. I’m still waiting.

Elliot said he's seen various telephone numbers come and go for the offer, which is a sign that something is wrong.

"The numbers have changed, which suggests to me that they may be moving from state to state," he said. "That's a common tactic to stay a step ahead of state regulators. My guess is this isn't a big enough fish for the Feds to get involved. Either that, or the FTC hasn't received enough complaints about it."

Do letter recipients ever end up with free airline ticket vouchers? That’s unclear, but this much is certain: nothing is really free in this world, and certainly not airline tickets. Letter recipients never get anything just by calling. They have to attend sales meetings, which, according to the few stories posted online by people who claim they’ve attended, exact their own costs.

If you receive an offer like this, please do three things.

1) Read it carefully. It's good practice to find the misleading elements, such as names like "US Airlines."

2) Throw it out and ignore it

3) Complain to your state attorney general and the Federal Trade Commission so someone actually takes a close look what's going on. (Here's a handy contact list for state attorneys general).

*Follow Bob Sullivan on Facebook.
*Follow Bob Sullivan on Twitter. 

 

Daryl Henry's reward for 20 years of service in the Navy was a $1,083 monthly pension. But more than half of it went to a private California company -- Retired Military Financial Services -- after Henry was duped into a complex financial agreement, the Maryland resident alleged in a class-action lawsuit.

Struggling with bills, Henry says he answered an ad in the Navy Times and traded 96 months of future pension checks -- totaling $103,000 -- for a lump sum payment of $42,131. He then spent years depositing his government pension checks into a special account so Retired Military Financial Services could take its share of the taxpayer-funded payments and pay private investors with it.

Lump sum pension payments for vets are big business, targeting 1.5 million former service members who receive $40 billion annually. Companies that provide them have attracted negative attention from military advocates for years. Tales of retired or injured vets getting 30 to 40 cents on the dollar are easy to find. In 2004, Congress threatened legislation designed to banish the industry, and several courts have ruled the arrangements run afoul of existing federal laws.

---

Still, companies offering so-called "annuity utilization contracts" crowd out Google searches around military pensions and loans. The websites that rank highest are often decorated with red, white and blue banners, and they have government-sounding dot-com names. While the lump payouts may sound attractive to retired vets in a financial bind, the terms are oppressive: Participants find themselves with what is essentially a loan at 30 percent interest.

 

But on Monday, Consumer Financial Protection Bureau Director Richard Cordray said his agency will begin focusing on pension lump sum payments.

"We are ... concerned about military pension buyout schemes," Cordray said in a speech on Elder Abuse Awareness Day. "Military retirees are offered lump-sum cash payments in return for surrendering their rights to their pension payouts. These schemes are usually very bad deals for the retirees. We want to collect information on all of these kinds of financial practices."

Several agencies and investigators have been collecting information on the industry for years. John Wasik, an author of 13 books on personal finance, recently investigated the industry for investment-related fraud in a column on Forbes.com.

"Basically, you sign up they lock you in, and if you want out, you don't have recourse," Wasik said. "There is very clear language saying, ‘This is not a loan,’ but it resembles a loan in all characteristics."

Where do these pension payout companies get their capital from? Investors looking for steady returns. Wasik found that Retired Military Financial Service’s partner, California-based Structured Investments Co., was ordered by an arbitrator in November to repay $5 million to investors who alleged they were defrauded. In December, the firm agreed to stop selling the investments in California.

In August, a California court ruled in favor of Henry and the class of veterans who joined his lawsuit, ordering Retired Military Financial Service to return $2.9 million.

"There is an awful lot of litigation out there," Wasik said. "My biggest concern is the proliferation of these things without regulation. Somebody should be looking at what they are doing."

Attempts to reach Retired Military Financial Services by deadline were unsuccessful. Founder Steven P. Covey defended his company last year in a story published by the Center for Public Integrity’s iWatchNews.org.

"The position is: We’re purchasing at a discounted lump-sum, future cash flow,” he said. “We’re not lenders. When you’re not lenders, you’re not dealing in potential usury areas.”

Covey's attorney, Robert Clarkson, told Wasik that his client had "done nothing wrong,” but said he wouldn't answer questions because of pending litigation.

'It's likely every single one is violating a law'
Plenty of websites offer cash for pension and disability payments, which add to an already crowded field of firms offering lump payments for structured settlement recipients. There’s good money in granting lump payments to down-on-their-luck consumers who have a guaranteed stream of income. Military pensions fall into a protected category, however, says Stuart Rossman of the National Consumer Law Center, who helped argue Henry's case.

"If these sites are dealing with the issue of military pensions, it's likely every single one is violating a law," he said.

All firms that offer such lump payments are between a legal rock and a hard place, he said. Assigning military pensions to a third party isn’t legal; offering loans without abiding by Truth and Lending Requirements is also illegal.

"And they are either one of the other," he said. 

One site, MilitaryPensionLoan.org, offers a typical example: "This program is NOT A LOAN," it says on its home page, despite its Web address. "We will buy the next eight years of your pension for a lump sum of cash."

MilitaryPensionLoan.org didn’t immediately respond to requests for comment.

Despite the legal troubles, and occasional bad publicity, the military loan/pension products have survived for more than a decade. Rossman said he filed his first case against such a firm nine years ago. But why?

He thinks many of these companies use veterans' sense of honor against them.

"They believe in doing their duty. They don't want to come forward. They believe 'It's my mistake and I have to own up to it,'" Rossman said. "And a lot of them don't even realize they are paying 30 percent interest."

Rossman hopes military pension payout companies are on the ropes now that investors might be scared away by the California litigation. No investors would mean no money for lump payments. 

Henry’s legal triumph was a bit of a hollow victory, however -- he'd already made all 96 payments by the time the judge ruled in his favor. While he is entitled to a portion of the $2.9 million judgment, Rossman said the owners of Retired Military Financial Payments had declared bankruptcy, so there are no assets to pay the judgement.  

Still, it was a worthy fight, Rossman said. 

"He's proud he's put a stop to this, and once we had the judge's ruling, we were able to tell other members of the class they could stop making payments. We saved them a lot of money, and he's proud of that," Rossman said.

*Follow Bob Sullivan on Facebook.
*Follow Bob Sullivan on Twitter.  

Has the U.S. government been caught with its virtual hands in the world's cookie jar? And might it lose control of the Internet as a consequence?

If you were among the forces on the planet wanting to wrest control of the Internet from the U.S.-friendly agencies that manage it, that's the story you'd surely want to tell. 

But things are rarely what they seem.  The barrage of Flame news – including word that Flame and Stuxnet appear to have common authorship -- should not be viewed in a vacuum.

---

A group of nations led by China, Russia and several Middle Eastern countries would love to see the end of U.S. dominance over the operational control of the Internet, and these nations think they have found their vehicle for accomplishing that: A U.N. body called the International Telecommunications Union.

 

The organization, which manages international telephony agreements, will meet in Dubai in December and attempt to extend its charter to take operational control of the Internet away from the U.S.-dominated nonprofit International Corporation for Assigned Names and Numbers, or ICANN. 

Even as news of Flame first hit, an ITU working group was meeting in Geneva to finalize the agenda for the Dubai meeting. At almost the same time, there was a hearing in an obscure congressional subcommittee where experts rang alarm bells about an ITU coup.

The argument that the U.S. should not be in a position of power as far as overseeing the Internet will be bolstered by a world set aflame by news that the U.S. may have exploited its technological advantage to attack sovereign nations with Flame and Stuxnet.

Some technology experts say the Dubai meeting could very well decide the direction of the world's most valuable resource - information - for the rest of the 21st century:   The future of Internet anonymity, free speech and perhaps freedom itself could be at stake.

"I think there is a political story that is being missed here," said Chris Bronk, a former State Department official who worked in that agency’s Office of eDiplomacy and is now a professor at Rice University. "There's much more to this. … Stuxnet was better than bombs in the short run, but this could hurt the U.S. down the road.”

Conspiracy theorists -- including several interviewed for this story who requested that their comments remain off the record -- point out that the world learned about Flame from a Moscow-based antivirus company (Kaspersky Labs), and the ITU chose Flame as the subject of its first-ever international cyber-warning, claiming for the first time an important role in cybersecurity affairs.  They see the grand publicity surrounding Flame as little more than a power grab by the ITU in advance of the Dubai meeting, dubbed the World Conference on International Telecommunications (WCIT).

“If you want to be cynical, this is definitely a play by an international group to try to gain control over arguably the world’s most valuable resource,” said Paul Rohmeyer, a Stevens Institute of Technology professor who specializes in cybersecurity and international issues, and one of the few members of the conspiracy camp willing to connect the dots publicly.

But you don't have to draw such a direct connection to see the relationship between Flame and ITU's desire to find and flex new power. Kaspersky Labs, the Russian firm that continues to publish the most informative details about Flame, has a solid reputation in the security research world, and there’s no reason to believe it is acting on behalf of Russian national interests. Still, it's impossible not to view Flame -- and recent revelations about Stuxnet -- without understanding the diplomatic backdrop.

“If I were advising Russia, I would be all over the place waving these stories around,” said Eneken Tikk, formerly the legal and policy advisor for NATOs Cooperative Cyber Defense Centre in Estonia.  “It seems like a great opportunity to increase pressure on talks around cyber threats to international peace and security and gather a coalition of potential victims to say, ‘We see the U.S. establishing itself on the Net in offensive way, we need an international umbrella to do something.’”

If the U.S. is guilty of escalating cyberwar by writing computer code that disabled critical Iranian computers, there is no question that forces around the globe will try to exploit the news to their own ends. While most analysts have focused on the potential that Flame invites other countries to counterattack the U.S. with similar cyber-bombs, the real threat might be the rationale it could provide for ending the free-flow of information around the Web.

“It's very concerning from a purely political standpoint. You can see why a group like ITU would be incentivized to release this news,” Rohmeyer said. “I’m guessing that's what they are trying to set up. They are building their case for internationalization. They have everything to gain and the established order, which is U.S.-based, has everything to lose.”

U.S. officials aren't blind to the threat; they've made very public warnings about it. In February, Federal Communications Commission member Robert McDowell wrote an op-ed piece in the Wall Street Journal where he criticized the ITU:

"The most lethal threat to Internet freedom may not come from a full frontal assault, but through insidious and seemingly innocuous expansions of intergovernmental powers," he wrote. "Scores of countries led by China, Russia, Iran, Saudi Arabia, and many others, have pushed for, as then-Russian Prime Minister Vladimir Putin said almost a year ago, 'international control of the Internet' through the ITU."

McDowell also testified before that congressional subcommittee on May 31, and warned that "pro-regulation" forces led by China and Russia are far more organized than U.S. allies.

"While precious time ticks away, the U.S. has not named a leader for the treaty negotiation," he said.

Some in Congress were even more blunt:

“If we're not vigilant, just might break the Internet," said Rep. Greg Walden, R-Ore.

The dire-sounding warnings aren't coming solely from U.S. government officials, either.  Even the so-called “father of the Internet,” Vint Cerf, expressed grave concern that day in Congress.

“(The Dubai meeting) holds profound—and I believe potentially hazardous— implications  for the future of the Internet and all of its users," he testified. "If all of us do not pay attention to what is going on, users worldwide will be at risk of losing the open and free Internet that has brought so much to so many.”

Nor is the alarm coming just from the U.S. Toomas Hendrik Ilves, president of Estonia, rang alarm bells on Friday during the International Conference on Cyber Conflict in Tallinn.

“The outcome of (the Dubai meeting), and related processes, will help determine the topography of the Web for the next two decades,” he said. “While this conference may fall into the domain of ministries of commerce and communications, make no mistake, there will be major cybersecurity ramifications. More ominously, we will face calls to limit free expression as we know it on the Web today.”

But as Western nations try to draw battle lines, the reality of Flame and Stuxnet muddies the argument considerably.  The U.S. risks losing moral high ground through stories about such cyberattacks.

"When we had plausible deniability for Stuxnet, we could make the argument more easily,” Bronk said. “This completely cuts at the knees the Internet freedom agenda.  How can the U.S. use clandestine cyberattack to go after a threatening regime, and then push the free agenda? "

As Rohmeyer sees it, the combination of U.S. cyberattacks and the Dubai meeting puts the Internet at “an age-old crossroads.”

What might change mean?
The ITU has its roots in an organization created during the 1860s to standardize cross-border telegraph traffic in Europe. It became a U.N. body after World War II, focused almost entirely on simplifying international telephony. Only recently has it tried to extend its charter to Internet traffic, most notably with the creation of an agency called The International Multilateral Partnership Against Cyber Threats, or IMPACT, based in Kuala Lumpur. Modeled after national computer emergency response teams, IMPACT’s stated mission is to share time-critical computer vulnerability and virus information around the globe. The U.S. has so far refused to join ITU’s IMPACT. Russia, China, Iran and about 140 other nations are members.  

IMPACT tried to take the lead in international dissemination of information about Flame, using the virus as cause for its first-ever warning.

How might ITU change the way the Internet works? No one knows, of course, but there are obvious reasons for concern.  Chinese officials have repeated stated they want an Internet where users must register by IP address, effectively ending anonymity and, perhaps, Internet-based uprisings. 

McDowell warns that Russia, Tajikistan and Uzbekistan asked the U.N. General Assembly to create an “International Code of Conduct for Information Security” to mandate “international norms and rules standardizing the behavior of countries concerning information and cyberspace.”  Even  ITU’s head of corporate strategy, Alexander Ntoko, raised eyebrows  earlier this year in Cancun when he predicted that anonymity online would end.

“Why countries are interested in the ITU varies. … China and Russia, their motivations are not very friendly to human rights or openness,” said Cynthia Wong, a lawyer for Center for Technology and Democracy. “Other places feel like they don't have a voice in the current process. “

One of the main criticisms of the process is a lack of transparency and the limitations on participation of non-governmental groups, according to complaints publicized but the Center for Technology and Democracy and human rights groups.  But it’s clear the ITU plans new ways to raise revenue, which might lead to some form of a per-click tax, according to witnesses who testified before Congress at that May 31 hearing.  wong also expects the ITU to push for mandatory standards for packet delivery – Net standards have been voluntary so far -- which could be a precursor for giving nations more control over incoming and outgoing Internet traffic at their borders.

One state, one vote
“Part of the problem with ITU process is that it's so opaque, so it is really hard to understand what might be at stake,” Wong said.  “But what we do know is Russia and some of the Arab states have put cybersecurity on the table.  There are proposals for greater regulation of traffic routing for security purposes.  Depending on how such regulations are implemented, it could be used to justify greater intrusions on privacy and fundamentally change how the Internet currently works technically.”

In other words, such proposals would make it easier for nations to control Internet traffic.

Practically speaking, it will be difficult for ITU to grab control over the central tool governing the Web – the domain name system – in Dubai. That system is currently operated by ICANN. But a sizable block of non-U.S. countries agreeing to mandatory routing standards could still wield considerable power. Treaty negotiations are one state, one vote. The U.S. government could make a reservation with something in the treaty, but if ITU standards become mandatory, all Internet users could be impacted. One potential outcome would see a “splitting” of the Internet, where traffic from nations following one standard is denied by a bloc of nations following another.

But Wong’s chief concern currently is that groups like hers aren’t welcome in the proceedings. On May 17, the Center for Democracy and Technology and 20 other non-governmental agencies from around the world sent a letter of protest to Secretary-General Dr. Hamadoun Touré, who is running the meeting, saying “there has been scant participation by civil society” in the run-up to Dubai.  But Wong thinks the influential Internet protests around SOPA demonstrate that no government agency will be able to pull a fast one on a recently empowered digital constituency.

“One of the lessons you can pull from SOPA is this: The time when governments can go behind closed doors and make important decisions about how we use the Internet is gone. That’s not acceptable anymore,” she said. “There is a community of users who are paying attention, and are really concerned about the future of the Internet. They are not going to find it acceptable anymore to use these old ways of creating laws. And it behooves governments involved in this to pay attention to that.” To that end, several groups have collaborated to create WCITLeaks.org, to encourage anonymous uploading of conference-related documents.

The experience of SOPA might make the Flame and Stuxnet sagas even more important. Could the potential for Internet users to rise up against U.N. control of the Net be blunted if the alternative seems to be continued control by the U.S., its image damaged by Flame and Stuxnet?  Rohmeyer thinks so: Like many technology experts, he’s skeptical of claims that Flame is the most powerful virus ever created. As others have pointed out, Flame is so large that it’s clearly not designed for stealth operation – whoever created it almost begged for it to be found. He thinks a big part of the publicity around Flame is a function of this battle for control of the Net.

“Is the U.S. releasing viruses so powerful that it needs to lose its control of the Internet?” he said. “I don't think by itself the release of Flame rises to threshold. I’m dubious of is effectiveness, and suspicious of those claims.” 

There are also open questions about ITU’s ability to take operational control over the Internet and cybersecurity.

'No country is an island on the Internet'
“The ITU has been kind of like one big group hug,” said Rohmeyer.  “Do U.N. groups have a track record of success with this kind of operation? The ITU was a standard-setting body for telephony. Once you move out of the connectivity realm into operational controls – wow! That gives them an enormous amount of power. ICANN seems to be functioning. When I woke up this morning, the Internet seemed to be working. I don’t think (ITU) has been in this business before.”

Not everyone in the U.S. is against giving ITU more control over cyberspace.  Jody Westby, who launched the Central Intelligence Agency’s famed In-Q-Tel technology investment arm and is now a highly sought-after U.S. cyberexpert, penned a column for Forbes last week strongly endorsing U.S. participation in IMPACT.

“No country is an island on the Internet, and the U.S. cannot expect to be able to adequately respond to cyberattacks or malware infiltrations without the input and involvement of others around the globe,” said Westby, who disclosed that IMPACT was previously a client of her consultancy firm. “The U.S.’s ‘our way or the highway’ attitude in the important area of cybersecurity appears petulant.”

She also said that, absent U.S. participation, other nations will look to Russia and China for leadership.

“The U.S. appears as the shirking nation state quietly standing on the sidelines while being accused of engaging in cyberwarfare tactics,” she said.

But Rohmeyer was was among those who wondered aloud what was in it for the U.S.

“There is no upside for the U.S. (in participation),” he said. “Is the Internet going to be managed better? Will it be more open?”

Many experts think the end result of Dubai will mean the already tense balance between bottom-up governance, where private firms dictate policy through collaboration, and top-down governance, where governments mandate Internet policies, will grow even more stressed. So will the tension between anonymity, free speech and U.S.-friendly control on one side, they say, vs. accountability, control, and Chinese/Russian/Arab interests on the other. McDowell, from the FCC, has repeatedly warned that even a positive outcome for the U.S. in Dubai offers little reason to celebrate. 

“Given the high profile, not to mention the dedicated efforts by some countries, I cannot imagine that this matter will disappear,” he testified before Congress. “Similarly, I urge skepticism for the ‘minor tweak’ or ‘light touch.’ As we all know, every regulatory action has consequences.”

Phillip Hallam-Baker, writing in the online magazine CircleID, compared the balancing act to the uneasy management of the Church of the Holy Sepulchre in Jerusalem, where power is shared awkwardly among various Christian groups and squabbles are common.

“Backing ICANN appears to be the only sensible course for the U.S. But the problem with this approach is that the U.S. cannot risk ICANN itself being captured by hostile powers, and that in turn means that the U.S. cannot ever release its de facto control of ICANN,” he wrote. “It is an inherently unstable situation that is only maintained through constant vigilance on all sides. “

*Follow Bob Sullivan on Facebook.
*Follow Bob Sullivan on Twitter. 

 

Could you be blamed for a car crash because you sent a text message? 

A New Jersey judge will decide later this week if the sender of a text message might be partially liable for a horrific auto accident that occurred because the driver was reading that message on his cell phone and drifted into oncoming traffic.

With nearly half a million U.S. drivers injured in distracted driving-related accidents every year, according to the National Highway Traffic Safety Administration, the judge’s decision could have wide-ranging impact in both the legal and digital realms.

While it might seem absurd to blame someone who isn't even in the car -- or anywhere near it -- for causing an accident, some legal experts say the plaintiff is on firmer ground than you might think.

---

Skippy Weinstein, a Morristown-based lawyer, is using similar logic to press the case he filed on behalf of David and Linda Kuber. Both Kubers lost their legs during a 2009 crash in Mine Hill, N.J., after 19-year-old Kyle Best sideswiped their car when driving while texting. Weinstein said Shannon Colonna, who was texting with Best, should also be held responsible for the Kubers’ injuries.

"She was not physically in the vehicle but she was electronically present," Weinstein told msnbc.com. "She and he were assisting each other in a violation of the law."

That word "assisting" is at the crux of Weinstein's novel legal argument. 

Most readers will be familiar with the notion of "aiding and abetting" a criminal act and the guilt it brings: the man who knowingly holds the door for the gang is just likely to be convicted of bank robbery as the safe cracker.

More recently, this notion of aiding and abetting has been extended to civil liability cases, too, creating a basis for what's sometimes called "secondary" or "vicarious" liability. For the past two decades, most civil aiding and abetting cases have been limited to investment and securities fraud: An aggrieved investor might not only sue Bernie Madoff for stealing his money, for example, but also go after a third-party broker who repeatedly executed trades for Madoff. Even if the trader wasn't profiting from the scheme or part of a "joint enterprise,“ a court might find the trader provided assistance to Madoff, and should have known that someone was likely be injured by his actions.

The aiding and abetting argument in injuries that give rise to lawsuits, known as "torts," is only beginning to find its way into other kinds of civil cases.

There's a simple three-pronged test to prove someone is partly to blame for causing an injury by aiding and abetting someone else. It is set out in the Restatement of Torts published by the American Law Institute, which guides most civil courtrooms:

1) The party the defendant assists must do a wrongful act;

2) The party must be generally aware of his or her role in the illegal or "tortuous" act;

3) The party must "substantially assist" in the principal violation.

Weinstein think his argument is easy to make. The driver violated the law by texting while driving. Colonna, the text sender, should have known that Best was driving home from work and had to know texting while driving was a violation, he said. Therefore, it's hard to argue that a text sender isn't substantially assisting in the creation of a text message conversation that violates New Jersey's driving laws.

"That very comfortably satisfies the third prong of the legal test," he said.

Colonna’s lawyer, Joseph McGlone, doesn't think the argument has any merit, and has asked Morris County Superior Court Judge David Rand to dismiss the case. Rand is scheduled to rule this week on McGlone’s motion to dismiss the case.

The sender of a text message has no way to control or predict when the recipient will read it, McGlone argues.

"The sender of the text has the right to assume the recipient will read it at a safe time,” McGlone told the local Daily Record  newspaper. “It’s not fair. It’s not reasonable. Shannon Colonna has no way to control when Kyle Best is going to read that message."

He added that there is no precedent for heaping liability on a person on the other side of a text message conversation that causes injury.

Of course, there's no precedent for a lot of legal areas in the Digital Age. In situations like this, judges usually turn to analogies. In driving injury cases, the judge has a bushel full to choose from.

For starters, it's hard to tag liability on anyone who isn't holding the steering wheel of the car while an accident occurs. Lawyers around the nation have repeatedly tried and failed to make passengers partly responsible for accidents caused by drunken drivers when passengers knowingly get into a car with an intoxicated driver.

There are exceptions, however. A South Carolina court has said a passenger could be judged a "proximate cause" of an injury if the driver and passenger were in some kind of "joint enterprise," such as the passenger steering the car while the driver presses the gas pedal.

Passengers who have directly encouraged drivers to break the law -- by urging them to speed excessively or to drive in the oncoming lane as part of a game, for example -- have also been found liable, Weinstein says.

But to find a passenger liable, the South Carolina court said, "The passenger must have an equal right to control the direction and management of the vehicle." It seems hard to argue that a text message sender has equal ability to control the vehicle as the driver does.

But there are plenty of other situations where someone other than the driver has to pay after an injury accident, an extension of liability called “imputed negligence.” The most common is when the driver is "an agent" of someone else -- when a pizza delivery man driving for work causes an accident, his employer is liable.  Parents are often liable for accidents their children cause if they kids are directly under their care. 

There's also concept called "negligent entrustment": if you knowingly let an unlicensed driver take your auto out for a spin, you will probably be liable for an accident he or she causes. 

Neither of those cases fit this situation well, however. So Weinstein has settled on a simpler analogy.

"If she was in the vehicle and put her hands over his eyes so he couldn't see, she would be liable," he said. "(Texting with him) is as if she put her hands over his eyes."

Is texting the digital equivalent of willfully rendering someone blind? To even make that argument, and to press on with the aiding and abetting claim, Weinstein has to persuade the judge that Colonna knew that Best was texting while driving. Colonna's lawyers are contesting that point, but Weinstein says the pattern of texts between boyfriend and girlfriend make clear that she must have known he was on his way home from work.

But even if he fails on that argument, it's easy to imagine other lawsuits where evidence of knowledge by the sender could be hard to deny. A driver might directly text, "Hey, I'm driving home," for example.

That would make a big difference in a case like this, said Robert Mitchell, a Utah-based lawyer and author of a recent article on aiding and abetting claims.

"If there is conclusive evidence that the person sending the text messages to the driver knew the driver was texting while driving, we see no reason why a claim for aiding and abetting the driver’s negligent or reckless conduct could not be made. The case is probably weaker if there is no evidence of actual knowledge, but only evidence of ‘constructive knowledge,’" said Mitchell, referring to a concept that the sender "should have known" the recipient was driving. "Courts disagree over whether constructive knowledge is sufficient to give rise to aiding and abetting liability."

Courts have found that the contribution by this third party in aiding and abetting cases can't be slight – it must be “significant.” For example, giving directions to the bank robber probably wouldn’t be substantial enough to get you prosecuted, but telling him what time security guard shifts change could be. And, as with most civil liability cases, the harm caused by the action doesn't have to be intentional.

Mitchell said this is the critical phrase in the American Law Institute's guidelines.

"If the encouragement or assistance is a substantial factor in causing the resulting tort, the one giving it is himself a tortfeasor and is responsible for the consequences of the other’s act. This is true both when the act done is (intentional) and when it is merely (negligent)," Mitchell wrote in his review, quoting the guidelines with added parenthesis. In fact, liability exists even if the third-party has no idea he or she is doing something illegal or negligent.

So in Mitchell’s view, it's a relatively easy to argue that the texter "substantially assisted" the driver in causing the accident. 

"The third prong, substantial assistance, would be an easier hurdle to clear (than knowledge) since sending somebody a text message while driving distracts the driver and that distraction may ultimately cause the accident," he said.  "Of course defenses may include superseding or intervening causes to the underlying tort (the first prong), like bad weather, poor road conditions or visibility, avoiding someone or something on the road."

Not all experts agree, however. Maryland-based lawyer Bradley Shear, an expert in digital law, openly fretted about how far liability might extend if Weinstein is successful in his novel legal argument.

"What if someone is hopping on a boat, and they look down at a text, slip and drown? What if a doctor gets a text before a surgery that upsets him and he makes a mistake? Is the sender responsible?" he said. "If you start going down that route where are you going to draw the line?"

Mark Rasch, for head of the Justice Department’s Computer Crimes Unit, said he thinks the case will boil down simply into this question: Can anyone really prove that the sender of the text, Colonna, knew that Best would read it while driving? Absent such proof, there is no case, he says.

But he was concerned with the larger issue of extending liability through digital means.

“The real question here is, do we as a society want to impose a duty on the non-driving texter for accidents that happen when a recipient is driving?” he said. “For now, it seems a reasonable place to draw the line at this: The person driving has a duty not to text. And the person on other end of line has no duty unless there are special circumstances.”

One special circumstance he envisioned: A boss or other person in a position of power who received a message from an employee saying, “I can’t text, I’m driving,” but continued to send demanding texts with an implied threat if they weren’t answered quickly.

“The person in the position of authority might have liability then,” said Rasch, now a cybersecurity consultant with Virginia-based CSC Inc.

Complicating matters, juries can apportion liability, and theoretically could find a driver 90 percent responsible and the sender of a text 10 percent responsible. Damages can be similarly apportioned, although the realities of collections means the party with the deepest pockets usually pays the most in damages.

It’s also possible that Congress or state legislatures might create a chain of liability, as states have done with dram shop laws, which make bars liable for injuries and damages caused by patron who are served after they’re drunk.

For his part, Weinstein demurs when asked if he's trying to set an important legal precedent or make law. He's just trying to win a case for his client, he said.

"The defense ... wants to make this into a cause celebre, but this is not complicated," he said. "A jury may find I'm wrong and thrown me out on my duff. ... All I'm saying is don't (text) while driving, and don't assist someone else in texting while driving."

*Follow Bob Sullivan on Facebook.
*Follow Bob Sullivan on Twitter. 

 

A mother who says her middle-school daughter was forced to let school officials browse the 13-year-old girl’s private Facebook page is speaking out against the practice because, she says, "other parents are scared to talk about it."

Pam Broviak, who lives in the Chicago suburb of Geneva, Ill., says her daughter was traumatized when the principal of Geneva Middle School South forced the child to log in to her Facebook account, then rummaged through the girl's private information.

"What a violation of my daughter's privacy this whole episode was," Broviak said. The incident took "a huge toll on my daughter, who ended up crying through most of the rest of the day and therefore missed most of her classes. She was embarrassed and very upset."

There have been several descriptions lately of Facebook prying by schools – and one lawsuit was filed recently by the American Civil Liberties Union on behalf of an anonymous plaintiff against a school district that allegedly demanded a student’s social media passwords. But Broviak may be the first parent to go public with concerns about what she sees as serious violations of student privacy.

---

In a conversation with msnbc.com, Broviak said she confronted school officials about the incident involving her daughter soon after it occurred last fall and was told that they routinely investigate student issues by asking kids to log into their social networking pages -- or cellphones -- in the presence of administrators. And she said her daughter and other students told her they are frequently called into the principal’s office and told that they can’t leave until they surrender their passwords or unlock their phones and allow school officials to browse their personal information.

"(Students) let them see the accounts because otherwise, they are not allowed to leave the room. And that is just wrong," she said.

Kent Mutchler, superintendent of Geneva schools, said in an interview with msnbc.com that he couldn't comment on Broviak’s daughter because privacy rules prevent him from publicly discussing an individual student’s situation. But he said Broviak's description of district policy is inaccurate.

"We would never demand someone's password. When you have someone's password, you open yourself up to other issues," Mutchler said. "But if we have a disruptive situation, a school (official) will ask to see the page, and if the student refuses, we call the parents."

But principals only request access to students' social media pages under extreme circumstances, Mutchler said.

"There are different levels of concern. If there is a drug trafficking suspicion, we'll get the police involved. If it's something like cyberbullying, we'll say, 'This has been reported to us,' and ask to see the page," he said.

Often, students volunteer before they are even asked, he said.

"We ask, 'Is there something you want to show us?' that sort of thing. And they volunteer," he said. 

Such incidents are very rare among district middle schools, he said, contradicting Broviak's assertion that the inspections are commonplace. 

"It happens a half-dozen to a dozen times per year," he said.

Broviak's public complaint comes at a time when schools, employers and lawmakers around the country are wrestling with sticky privacy issues surrounding social networks. The state Legislature in Illinois is considering legislation that would make it illegal for employers to demand access to workers’ or applicants’ private social media information. That law is silent on the issue of schools and social media snooping, but federal legislation introduced last month by Rep. Eliot Engel, D-N.Y., would extend the protections to students, too.

Submit your questions about social media and privacy, then join our Google+ Hangout Friday at 4 p.m. ET.

Broviak said she didn't think school officials should ever look at a child's personal social media page or cellphone without first contacting parents.

"It's just wrong for them to do this, but parents are afraid to talk about it, because they are worried, 'Are they going to target my kid?'" she said.

Additionally, she said, looking at a kids' social media page violates an entire family's privacy, even if school officials don’t intend to look at posts involving other family members.

"The whole family is exposed in this," she said. "Some families communicate through Facebook. What if her aunt was going through a divorce or had an illness? And now there's these anonymous people reading through this information."

When the first incident occurred in the fall, Broviak said she didn't know what to do -- and initially chose to let it drop for fear that complaining might make things worse for her daughter. But she said reports from her daughter that other kids have been treated the same way and a recent spate of news stories surrounding the issue pushed her to speak up. Three weeks ago she published a detailed accounting of events on her personal blog, and this week agreed to be interviewed by msnbc.com.

"It's really important for people to talk about this and know what's going on," she said. "And I'm really glad that the state Legislature and Congress are considering laws to deal with this."

Her daughter, meanwhile, has learned an important but sad lesson through this experience, Broviak said.

"It's taught her to use better judgment with adults," she said. "Basically, what (they) showed her was you can’t trust anyone. Her trust in and the respect of the adults at her school has been shattered to the point that she is struggling to look beyond this abuse and allow for the education process to occur."

*Follow Bob Sullivan on Facebook.
*Follow Bob Sullivan on Twitter. 

 

The most important tool consumers have to fight against ID theft has been turned against them by hackers, msnbc.com has learned. Websites that offer consumers a chance to see their credit reports are being brazenly used by hackers to steal victims' information.

The prices of the reports rise and fall depending on the credit score of the victim. For consumers with credit scores in the 750s, report data might fetch $80; reports from victims with scores in the low 600s sell for about half that, according to "for sale" pages viewed by msnbc.com.

"It shows how people with good credit and a net worth now have a bull’s-eye on their backs," said Dan Clements, who operates the Internet security firm CloudEyez.com. Clements gave msnbc.com a virtual tour of the marketplaces, which he has been observing for months.

The most troubling part of these markets however – many hosted in the .su domain, which stands for the now-defunct Soviet Union – is the ready availability of credit reports and the hackers' bragging about how easy it is to infiltrate websites like AnnualCreditReport.com or CreditReport.com.

---

"I'm selling super prime credit reports and scores which include all 3 bureaus and other information," brags one advertisement on one site. 

Clements helped msnbc.com view dozens of credit reports on the forum, many of which had CreditReport.com stamped across the first page. But others viewed by msnbc.com indicated they were stolen from AnnualCreditReport.com and Equifax.com. Clements said most other online credit report and some credit score suppliers were hit, too --  he shared a page showing a victim's score produced at CreditKarma.com.

"We really have no idea how many reports have been used or put up for sale in the 'libraries,'" said Clements, who also operates a consulting firm. 

The credit report trade shows why even simple credit card fraud – long considered a relatively benign form of ID theft – can escalate quickly into a full-blown identity nightmare. Criminals with stolen cards can obtain background reports, credit reports and ultimately open new accounts using the information gleaned about the victim, Clements said.

In one how-to posted on a bulletin board, a hacker describes one brute-force attack used to gain access to credit report websites. Most sites are protected by "challenge" questions such as, "Which bank holds the mortgage on your home?"  But there's a critical flaw, the hacker said:

"Normally all ... of them will ask you the same question," the hacker wrote.

Because the sites use the multiple choice format, it's easy to use the process of elimination and determine the correct answers, he claims.

The hacker explained that the trick is to open several credit report sites and keep trying random answers until one set works.

The recipe is highly detailed, including helpful tips such as, "Take a shot of screen to remember what answers you gave. After that click the submit button and see what it says."

A would-be credit report thief needs additional information to get credit report access, but that can often be gleaned by ordering background checks using the victim's stolen credit card. Reports stolen from Intellius.com and BeenVerified.com, which provide previous addresses and a host of other valuable information, also were found on the site.

One victim whose credit report was spotted on the site told msnbc.com that she found one instance of credit card fraud on her accounts around the time the data theft was first discovered by Clements. She now pays to maintain a credit freeze on her credit reports.

"You hear about this kind of thing all the time but you never think it will happen to you," said the victim, who requested that her name be withheld. "And when it happens, you think, 'Great. Now what do I do?'”

For years, consumers have been advised to visit AnnualCreditReport.com once each year to see their reports. Federal law requires the nation's three largest credit bureaus – Experian, Equifax, and Trans Union – to maintain the site, under the direction of the Federal Trade Commission.

That's still good advice – looking at your credit report is the best way to detect identity theft. But the site is apparently both an ally and a foe now.

The FTC would not comment on hackers' use of AnnualCreditReport.com.

In the past, the FTC has sued companies for inadvertently selling credit report data to hackers, however. In 2011, the agency settled with Settlementone Credit Corp., ACRAnet Inc. and Fajilan Associates after those firms unknowingly sold reports to criminals. The three firms were ordered to submit to 20 years' worth of security audits.

Those firms prepare reports for car dealerships and other credit granters. Raiding consumer-facing sites like AnnualCreditReport.com is even more brazen, however.

CreditReport.com is operated by credit bureau Experian; that firm also provides credit reports to consumers as part of AnnualCreditReport.com.

"Experian is aware of schemes such as this to access reports illegally, and we have taken measures within our systems to mitigate the issue," said Experian in an e-mail to msnbc.com. "We are constantly evolving our systems to prevent fraud and criminal activity, but do not comment publicly on the specifics of our fraud prevention methods." 

Trans Union and Equifax, which also provide reports through AnnualCreditReport.com, did not immediately respond to requests for comment.

Kenneth Lin, CEO of CreditKarma.com, said the firm had received "a handful" of complaints about compromised accounts and worked quickly to shut down access. CreditKarma credit score reports show no account information or other personal data, so the security risk posed by an imposter getting a victim's score is minimal, he said.

"That's intentional. That's a security feature," he said. The site also uses more difficult challenge questions than AnnualCreditReport.com, Lin added.

Solving the problem of credit reports stolen through consumer websites is no small task. One irony of the hackers' ability to easily raid such sites is that many consumers report great frustration getting their own credit reports through AnnualCreditReport.com.  The challenge questions are sometimes so arcane – such as, "Which bank held your previous auto loan?" -- that legitimate consumers can't answer them easily.  

"But anyone who does any research can probably figure out what the answers are before you can," said Jay Foley, who runs IDTheftInfoSource.com. In other words, it's too easy for criminals to get credit reports, but it's too hard for consumers.

One of the websites where Clements observed the stolen card activity – kurupt.su – dropped mysteriously off the Web late last week. The site was well-known as a haunt for criminals and scam artists in the computer underground. But Clements says that will hardly put a dent in the stolen data trade.

"You currently can't stop this scam because the 'soft inquiry' of a consumer pulling their own report doesn't record in the majority of credit files," he said, explaining that a consumer would never know if a criminal pulled a copy of their report. "Unfortunately, it allows the bad guys, by impersonating you, to download your credit file and leave no tracks."

*Follow Bob Sullivan on Facebook     
*Follow Bob Sullivan on Twitter.

Facebook is apparently getting a lot more unfriendly.

Users are getting a lot more selective, deleting comments, photo tags and even friends at a record rate, according to a new study released Friday by the Pew Internet and American Life Project.

Pew is calling this phenomenon "the pruning" of social networks, and the study includes findings like this: 63 percent of users have unfriended people from their friends users. Another 44 percent have deleted comments made by others from their profile page, and 37 percent have removed tags from photos.

"Social network users are becoming more active in pruning and managing their accounts," says the report, written by Mary Madden, senior research specialist at Pew.

---

Users are also taking an active role in keeping their private information private, with 58 percent of users saying they use high-level privacy settings so only friends can view their pages. Women are far more restrictive, with 67 percent using the tightest privacy settings, compared to 48 percent of men. They lock down their accounts despite the fact that half of all users say they have "some difficulty" using the privacy controls.

The research seems to suggest that U.S. adults, who have so far shown little appetite for actively managing their personal privacy, are starting to get the hang of it.

"Social science researchers have long noted a major disconnect in attitudes and practices around information privacy online. When asked, people say that privacy is important to them; when observed, people’s actions seem to suggest otherwise," the report noted. The shift to more privacy on Facebook seems to belie this long-standing trend.

Perhaps regret has something to do with that.  The report found that 11 percent of Facebook users say they've posted something that they regret on a social network. Men are twice as likely to say so (15 percent to 8 percent). Users 50 and older, at 5 percent, are much less likely than young adults under 29 (15 percent), to express such regret. 

One area where there was a surprising lack of age gap: Overall privacy settings. While 23 percent of users 65 and over choose fully public settings, 22 percent of users 18-29make the same choice.

"The choices that adults make regarding their privacy settings are also virtually identical to those of teenage social media users," the report said.  "Private settings are the norm, regardless of age."

Young adults are more likely to "unfriend," however at 71 percent, compared to just 41 percent for the oldest users.

The Pew report is based on a survey of 2,277 U.S. adults conducted in May, and has a margin of error of +/- 3 percent.  In nearly all "pruning" related categories, and within nearly all age groups, use of privacy-related tools gained ground since the last time Pew conducted the study in 2009. Back then, only 30 percent of all users had untagged a photo, compared to 37 percent in 2011; and 56 percent had unfriended someone, compared to 63 percent in 2011. 

*Follow Bob Sullivan on Facebook     
*Follow Bob Sullivan on Twitter.