
Saturday, September 29, 2018

What Information Can Be Pulled Off A Mobile Device SIM Card?

I recently taught a mobile forensics course and asked my students to identify what kind of information can be retrieved from a mobile device SIM card. Here’s a list of some of the retrievable information students listed:

Integrated Circuit Card Identifier (ICCID) – this is the number that is printed on the SIM card itself. It is nineteen or twenty digits long.

International Mobile Subscriber Identity (IMSI) – this is the number that identifies a SIM card user on a GSM network.  It is stored in the EF(IMSI).  It is a fifteen-digit number.  Three components that make up the IMSI are:
  • Mobile Country Code (MCC) – the first three digits identify the country.
  • Mobile Network Code (MNC) – the next two digits identify the cell provider in a GSM network.
  • Mobile Subscriber Identity Number (MSIN) – the next nine digits identify the mobile unit in a GSM network.

Service Provider Name (SPN) – the mobile provider’s name.  This can be found from the ICCID.

Mobile Station International Subscriber Directory Number (MSISDN) – basically, the SIM card’s telephone number.  This number can vary from fifteen to sixteen digits long.  The MSISDN is stored in EF(MSISDN).  It is made up of three components:
  • Country Code (CC) – up to three digits
  • National Destination Code (NDC) – two or three digits
  • Subscriber Number (SN) – up to a max. of ten digits

Abbreviated Dialing Numbers (ADN) – These numbers are shortcuts on the phone of the most frequently dialed phone numbers.  These are generated by the subscriber.  They are stored in the EF(ADN) file.

Last Number Dialed (LND) – This is a listing of the most recent calls and can be found in the EF(LND).

Short Message Service (SMS) – Short messages sent to other phones with a maximum length of either 160 or 70 characters.  These messages can be found in the EF(SMS) file.  These messages show not only the message but also the time the message was sent, the sender and receiver’s phone number, etc.

Language Preference (LP) – the preferred language of the subscriber.

Card Holder Verification (CHV1 and CHV2) – allows access to files after the user’s verification of PIN 1(CHV1) or PIN 2(CHV2).

Ciphering Key (Kc) – a 64-bit ciphering key used for encryption and decryption of data on an over-the-air channel.  It is generated by the Mobile Station from a random challenge by the GSM network.

Fixed Dialing Numbers (FDN) – phone numbers added to a list and the SIM restricts outgoing calls only to those numbers listed.

Location Area Identity (LAI) – The LAI is stored on the SIM card so that a phone knows what location it is in and is able to receive service.  If a phone changes areas, then the new LAI is stored in the SIM.  This is great for investigators, who can read a list of where the SIM card has been geographically.

Temporary Mobile Subscriber Identity (TMSI) – the SIM is assigned a TMSI by the Mobile Switching Center (MSC) whenever a phone is in the vicinity of a new MSC.  Information about the phone is stored in the Visitor Location Register (VLR) and the phone is given a TMSI which allows the subscriber to be uniquely identified.

Service Dialing Numbers (SDN) – Numbers that are installed by the service provider which cannot be changed or deleted by the user.  The SDNs are usually hidden.
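
As an added example (not part of the original post or the class material), here is how an examiner could decode the raw bytes of EF(ICCID) and EF(IMSI) once they have been read off a card. The function names and the sample byte strings are constructed for illustration; the code assumes the standard nibble-swapped BCD layout of these files, that the last ICCID digit is a Luhn check digit, and the two-digit MNC described above (passed as a parameter, since some networks use three).

```python
"""Decode raw EF(ICCID) and EF(IMSI) contents read from a SIM card."""


def swapped_bcd(data: bytes) -> str:
    """Decode nibble-swapped BCD: in each byte the LOW nibble is the earlier
    digit. A nibble of 0xF is filler that pads an odd number of digits."""
    out = []
    for byte in data:
        for nibble in (byte & 0x0F, byte >> 4):
            if nibble == 0xF:
                continue
            if nibble > 9:
                raise ValueError(f"non-decimal nibble 0x{nibble:X}")
            out.append(str(nibble))
    return "".join(out)


def luhn_ok(number: str) -> bool:
    """Luhn check over the whole digit string (check digit is the last one)."""
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def decode_iccid(ef: bytes) -> dict:
    """EF(ICCID) is a 10-byte file holding 19 or 20 swapped-BCD digits."""
    if len(ef) != 10:
        raise ValueError("EF(ICCID) must be 10 bytes")
    iccid = swapped_bcd(ef)
    if len(iccid) not in (19, 20):
        raise ValueError("ICCID is not 19 or 20 digits (blank or damaged file?)")
    # A failed Luhn check is a reason to re-read the card, not proof of tampering.
    return {"iccid": iccid, "luhn_ok": luhn_ok(iccid)}


def decode_imsi(ef: bytes, mnc_len: int = 2) -> dict:
    """EF(IMSI) is 9 bytes: a length byte, then swapped BCD whose first nibble
    carries the identity type (bits 001) and an odd/even digit-count flag."""
    if len(ef) != 9:
        raise ValueError("EF(IMSI) must be 9 bytes")
    length = ef[0]
    if not 1 <= length <= 8:
        raise ValueError("bad length byte (an unprovisioned file reads 0xFF)")
    first = ef[1] & 0x0F
    if first & 0x07 != 0x01:
        raise ValueError("identity-type bits are not 001")
    digits = swapped_bcd(ef[1:1 + length])[1:]   # drop the type/parity nibble
    if (len(digits) % 2 == 1) != bool(first & 0x08):
        raise ValueError("parity flag disagrees with digit count")
    if not 3 + mnc_len < len(digits) <= 15:
        raise ValueError("IMSI length out of range")
    return {
        "imsi": digits,
        "mcc": digits[:3],                   # Mobile Country Code
        "mnc": digits[3:3 + mnc_len],        # Mobile Network Code
        "msin": digits[3 + mnc_len:],        # remainder identifies the subscriber
    }


# Constructed sample file contents (test-network values, not from a real card).
SAMPLE_EF_ICCID = bytes.fromhex("98 10 00 00 00 00 00 00 00 F1")
SAMPLE_EF_IMSI = bytes.fromhex("08 09 10 10 10 32 54 76 98")

if __name__ == "__main__":
    print(decode_iccid(SAMPLE_EF_ICCID))
    print(decode_imsi(SAMPLE_EF_IMSI))
```
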

Thanks to my Mobile Forensics class students!



Tuesday, December 3, 2013

Online Tracking, Consumer Profiling, Data Collection and You

Well - it's the holidays when we're using the web along with those credit cards a lot more frequently. Ever wondered who's watching you online?  And who the heck you are giving your personal card info to when making online purchases? Ever also wondered if there was anything you could do to protect yourself a little more? Well, others have too.

Abine, a Massachusetts company spun out of MIT in 2008, has developed some pretty nice tools that allow web users more control over their personal data. These accessible tools allow you to choose when you want to share your information, control your personal data, and provide the ability to protect your online privacy. Before we get to the products - here's some interesting tidbits from an Abine fact sheet:

Online tracking, consumer profiling, and data collection are happening wherever consumers go on the web, usually without their knowledge or approval. Consumers are the product being sold. Social networks, ad networks, and e-commerce sites collect every last byte of personal information they can, combining consumers’ online activity with their offline lives. The consequences of all this data collection are growing and real: lost job opportunities, higher prices, more spam, lower credit scores, identity theft, and more. Let's look at some tracking info and stats:
A tracker is a connection that your browser makes when it loads a webpage that’s intended to record, profile, or share your online activity. Usually these connections are made to entirely different companies than the website you’re actually visiting. The most common types of trackers are:
  • Javascript: 43% 
  • Images, such as 1-pixels: 14% 
  • iFrames: 14% 
  • Flash cookies: 5% 
Abine collaborates with the UC Berkeley Center for Law and Technology on a recurring Web Privacy Census. The most recent Census found:
  • The use of third-party tracking cookies on the 100 most popular websites increased by 11% from May to October 2012. 
  • If present trends continue, the amount of online tracking will double in about 2.5 years. 
  • Google has a presence on 712 of the top 1,000 websites 
  • 26.3% of what your browser does when you load a website is respond to requests for your personal information, leaving the remaining 73.7% for things you actually want your browser doing, like loading videos, articles, and photos.
  • Google makes 20.28% of all tracking requests on the web 
  • Facebook makes 18.84% of all tracking requests on the web 
5% of the top 1,000 websites use social networking code that can match users’ online identities with their web browsing activities, and nearly 25% of the web’s 70 most popular sites shared personal data, like name and email address, with third-party companies (Wall Street Journal, 12/2012).
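
To see the tracker types named in the fact sheet on a page of your own, the added example below (not from Abine or the original post) parses a page's HTML and lists the scripts, images and iframes that load from a different site than the one being visited. The page URL, host names and HTML are constructed, and comparing the last two labels of each host name is a simplification standing in for a proper public-suffix lookup.

```python
"""List third-party scripts, images and iframes referenced by a page."""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


def site_of(host: str) -> str:
    # Simplification (assumption): treat the last two labels as "the site".
    # A real audit would consult the Public Suffix List instead.
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


class ThirdPartyFinder(HTMLParser):
    def __init__(self, page_url: str):
        super().__init__()
        self.page_url = page_url
        self.page_site = site_of(urlsplit(page_url).hostname or "")
        self.findings = []          # list of (kind, host) in document order

    def handle_starttag(self, tag, attrs):
        attr = dict(attrs)
        src = attr.get("src")
        if tag not in ("script", "img", "iframe") or not src:
            return
        # Resolve relative and protocol-relative URLs against the page URL.
        host = urlsplit(urljoin(self.page_url, src)).hostname
        if not host or site_of(host) == self.page_site:
            return                  # inline data or first-party resource
        if tag == "script":
            kind = "javascript"
        elif tag == "iframe":
            kind = "iframe"
        elif attr.get("width") == "1" and attr.get("height") == "1":
            kind = "1-pixel image"
        else:
            kind = "image"
        self.findings.append((kind, host))


def find_third_party(page_url: str, html: str) -> list:
    finder = ThirdPartyFinder(page_url)
    finder.feed(html)
    finder.close()
    return finder.findings


# Constructed sample page; every host name here is made up.
SAMPLE_URL = "https://www.shop.example/checkout"
SAMPLE_HTML = """
<html><body>
<script src="/js/app.js"></script>
<script src="https://static.shop.example/cart.js"></script>
<script src="//cdn.adnet.example/tag.js"></script>
<img src="https://pixel.metrics.example/p.gif?u=123" width="1" height="1">
<img src="https://images.partner.example/banner.png" width="300" height="250">
<iframe src="https://social.example/like?href=shop"></iframe>
</body></html>
"""

if __name__ == "__main__":
    for kind, host in find_third_party(SAMPLE_URL, SAMPLE_HTML):
        print(f"{kind:14} {host}")
```

Flash cookies do not show up in this kind of static scan, and scripts can add further requests at run time, so the browser's network log remains the fuller record.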
So... how do you protect yourself?
Abine has just rolled out DoNotTrackMe 3.0, a browser extension that stops online trackers from finding your contact and credit card info.  Here's a DoNotTrackMe sample screen shot.


In addition, the company is giving out unlimited Masked Cards through December 26. The Masked Cards work with any credit or debit cards you have, allowing you to create disposable credit card numbers for each online purchase you make, preventing having to give out your real card info. 

The company also makes a product called MaskMe which keeps you private as you browse and shop the web, and creates and manages secure passwords and DeleteMe which removes your public profile, contact and personal info, and photos of you from leading data sites. 

Cool stuff. Check them all out.

Monday, December 2, 2013

What is Bitcoin and how does it work?

You may have heard last week that a single Bitcoin unit reached a value of $1000. Lots of people have been asking lately about them. So.... what are they and how do they work? Here's some details snagged from www.bitcoins.com, a site that was put together and went up last week from Mt. Gox.
What is Bitcoin? Bitcoin is a digital currency you can use for personal transactions or business at high speed and low cost. 
How are Bitcoins created?
Instead of being made on a printing press or by a central authority, Bitcoins are created through software available to anyone. Individuals and groups willing to dedicate computer processing power to support the Bitcoin network are rewarded with Bitcoins for their work. This process is known as mining. Most Bitcoin users do not mine, but purchase or trade for their Bitcoins. Mining doesn't affect the average Bitcoin user much, but is still a very important part of the Bitcoin ecosystem.

How are Bitcoins secured?
All newly mined Bitcoins, along with every transaction, are publicly recorded. This record is known as the blockchain. While the blockchain records transaction details, it does not record any personal identifying information about the senders or recipients. The blockchain is a critical feature to maintain the transparency of the Bitcoin system, and make counterfeiting or double spending impossible.

How do you use Bitcoins?
Let's look at a step-by-step example. Say you want to give some Bitcoins to a friend to pay for gas on a roadtrip. You’ve both got the bitcoin app on your mobile devices and have internet connectivity.
  1. Find out your friend's wallet address by typing, pasting, or scanning it. You can then save the address to use later if you want.
  2. Convert your desired currency amount into Bitcoin. Verify the desired payment amount and send.
  3. The amount in Bitcoin is now deducted from your balance, and entered into the blockchain as a transaction so they cannot be spent twice.
  4. Your friend immediately sees the unverified transaction.
  5. The transaction is verified on the network, and then deposited into your friend's wallet.
Be sure to check out www.bitcoins.com along with the Mt. Gox site for more details.

Sunday, December 1, 2013

Google "Glass Explorer"

"Humanity pending confirmation; to date, no real persons have ever been known to wear and/or enjoy Google Glass." 

- from a post at Seattlish.

Well..... sort of...... key phrase here is to date. If you follow tech at all you've heard about the self-proclaimed "Glass Explorer" who got kicked out of the Seattle Lost Lake Cafe for refusing to either remove or turn off his Google Glass headset or leave the restaurant. Well, the "Explorer" ended up leaving and then posting a Facebook note complaint requesting 
“an explanation, apology, clarification, and if the staff member was in the wrong and lost the owner money last night and also future income as well, that this income be deducted from her pay or her termination.”
As much as I enjoy new technology - I really don't see the need in a public restaurant to keep your Glass going. Can I see a use for a Glass type product - of course - lots. Would love to have a pair on while fishing for example. But sitting in a restaurant wearing one..... nah. Don't even want to think about someone walking into a public restroom with one on. 

We all carry phones with cameras now. If you want to take a picture or video of your food in a restaurant use your phone.

Looking forward to my next Seattle visit and dining at the Glass free Lost Lake.

Tuesday, October 8, 2013

DOJ Rejects Transparency Request by Microsoft, Google, Facebook, LinkedIn

Last week the U.S. Department of Justice (DOJ), the primary federal criminal investigation and enforcement agency in the U.S., rejected a request made by Microsoft, Google, Facebook and LinkedIn to be allowed to share more details on what data the companies are providing to the U.S. government. The rejection was made in the name of national security and filed with the Foreign Intelligence Surveillance Act Court (FISCA).

The DOJ's petition to FISCA claims:

The companies’ contemplated disclosures risk significant harm to national security by revealing the nature and scope of the government’s intelligence collection on a company-by-company basis throughout the country. 
Such information would be invaluable to our adversaries, who could thereby derive a clear picture of where the government’s surveillance efforts are directed and how its surveillance activities change over time. If our adversaries know which platforms the government does not surveil, they can communicate over those platforms when, for example, planning a terrorist attack or the theft of state secrets.
FISCA now needs to rule on this.

There is more - other tech people (Twitter, Apple, Tumblr, Yahoo, etc) are getting involved with 72 companies and non-profit organizations signing a letter on September 20, 2013 to the U.S. Senate and House Judiciary Committee chairs supporting two surveillance bills (S. 1452 and H.R. 3035) currently moving through the Senate and the House of Representatives. Here's the full titles of those bills:
S. 1452 - To permit periodic public reporting by electronic communications providers and remote computer service providers of certain estimates pertaining to requests or demands by Federal agencies under the provisions of certain surveillance laws where disclosure of such estimates is, or may be, otherwise prohibited by law. 
H.R. 3035 - To permit periodic public reporting by electronic communications providers and remote computer service providers of certain estimates pertaining to requests or demands by Federal agencies under the provisions of certain surveillance laws where disclosure of such estimates is, or may be, otherwise prohibited by law.

Wednesday, April 27, 2011

Sony Playstation Network Breach

In an environment where it's difficult to turn a profit on hardware, Sony has pushed for the integration of hardware, software and the network to make money. To have this happen now is really unfavorable.

That's a quote that appears in today's Wall Street Journal from Nobuo Kurahashi, corporate research analyst at Mizuho Investors Securities in Tokyo. It's with reference to the recent hacker penetration of Sony Corp.'s online PlayStation videogame service. The PlayStation Network has an estimated 77 million accounts and allows users to connect online, play games against each other, chat and download television shows and movies. As I write this, it is not known whether hackers got users' credit card information.

Sony, like most hardware companies has been following the Apple online store model and it appears to be working. According to the Wall Street Journal piece, under a mid-term business plan announced in late 2009, Sony said it aims to have a user base of 350 million network-connected devices while generating revenue of 300 billion yen ($3.65 billion) from the services business.

Yesterday, Sony said the company will stay on track with current strategy. "This incident doesn't change Sony's fundamental strategy of networking products and providing services to our customers," said spokesman Shiro Kambe to the Wall Street Journal.

As more and more services and content go up into the cloud, mobile and connected devices are developed, and broadband bandwidths continue to rise, we're going to see more of these kinds of attacks. You could easily substitute a number of other companies in place of Sony in the quote - just pick one with an online store.

Monday, January 17, 2011

Students Hacking Campus Networks

I teach a telecommunications course to Verizon technicians one morning a semester. On the last day of class in December we were finishing up the final exam and some group presentations. During a break one of the Verizon students went out in the hall to make a phone call and noticed what looked like a guy sitting outside the door trying to hack into the classroom wireless network. He came in and told me so I went out (with a couple of Verizon guys following me) and took a look - sure enough - the guy was sitting outside the door running BackTrack, trying to hack the Verizon classroom wireless access point password.

I asked him what he was doing and he was honest, telling me what he was up to. The odd thing was his attitude - I think he thought I would be impressed. I told him it was against campus policy and could get him kicked out of the college. I also said if he did not stop I would call campus police. And, I told him he was hacking into an access point that was part of a corporate (Verizon) sponsored program and may be breaking the law. He packed up and left quickly.

So - what could happen to students that do this kind of stuff? This is from the Information Technology Resources Unacceptable Uses section of our College Student Handbook:

The following uses of STCC’s Information Technology Resources are unacceptable uses. This list of unacceptable uses is not exhaustive. It is unacceptable to use STCC Information Technology Resources (I’ve only selected a couple that apply in this case):

  • to gain, or attempt to gain, unauthorized access to any computer or network;
  • to intercept communications intended for other persons;
Here’s a piece from the User Responsibilities section of the handbook:

Users must comply with all applicable College policies and procedures and state and federal law. The use of STCC Information Technology Resources is a privilege, not a right, and failure to observe this policy may subject individuals to disciplinary action, including, but not limited to, loss of access rights, expulsion from the College and/or termination of employment. Further, failure to observe this policy may result in violation of civil and/or criminal laws.


Technically, if he was a student, it looks like he could have been kicked out of the college. Was he also breaking any laws? The National Conference of State Legislatures has a section of their website with Computer Hacking and Unauthorized Access Laws listed. Here’s a piece from their site:

"Unauthorized access" entails approaching, trespassing within, communicating with, storing data in, retrieving data from, or otherwise intercepting and changing computer resources without consent. These laws relate to either or both, or any other actions that interfere with computers, systems, programs or networks.


In Massachusetts, Gen. Laws Ann. ch. 266, § 33A states:

Whoever, with intent to defraud, obtains, or attempts to obtain, or aids or abets another in obtaining, any commercial computer service by false representation, false statement, unauthorized charging to the account of another, by installing or tampering with any facilities or equipment or by any other means, shall be punished by imprisonment in the house of correction for not more than two and one-half years or by a fine of not more than three thousand dollars, or both. As used in this section, the words “commercial computer service” shall mean the use of computers, computer systems, computer programs or computer networks, or the access to or copying of the data, where such use, access or copying is offered by the proprietor or operator of the computer, system, program, network or data to others on a subscription or other basis for monetary consideration.


So many of us are using tools like BackTrack in our classes. It is critical we let our students know this stuff, if used the wrong way, can get them in a lot of trouble.

I think the guy trying to hack the Verizon classroom network learned a lesson. Three Verizon students ended up following him out of the building (without me knowing), not saying a word. They said when he got out the door he was sprinting across the campus.

Friday, December 3, 2010

WikiLeaks and DNS

[Note: This post was originally published on 12/3/10, then edited and reposted on 12/7/10.]

We all probably have some idea and opinion (depending on particular sources) about what is going on with WikiLeaks and the exposing of hundreds of thousands of classified US state documents. I'll keep my personal opinions private here. Technically it has been interesting to watch the cat and mouse game and I thought it would be good to diagram how DNS works.

EveryDNS.net, a U.S. DNS provider, pulled WikiLeaks from its database and took the controversial site offline earlier today, claiming that the constant denial-of-service attacks were so powerful that they were damaging its other customers.

What's DNS and why is it so important? I always describe DNS as basically an internet telephone book - it keeps track of site names (URLs) and the IP addresses of the servers hosting those sites. It is something that is not required to access websites but makes it a lot easier because users only have to remember site names and don't have to remember long IP addresses. You get access to DNS with a web connection from your provider. There are also some good alternative DNS providers you can access as long as you have an internet connection. Here's a diagram I made up showing how it works.
Is DNS required to access websites? No. You can still get to a site by typing in the IP address of the site.

I've got an earlier post on DNS linked here that you may also find interesting.

Monday, September 27, 2010

Better Internet Wiretapping?

The New York Times today posted an interesting article titled U.S. Wants to Make It Easier to Wiretap the Internet. The article discusses a bill the Obama administration plans to submit to Congress next year. Here’s a quote from that NY Times piece about the bill.

Essentially, officials want Congress to require all services that enable communications — including encrypted e-mail transmitters like BlackBerry, social networking Web sites like Facebook and software that allows direct “peer to peer” messaging like Skype — to be technically capable of complying if served with a wiretap order. The mandate would include being able to intercept and unscramble encrypted messages.


We’ve actually got a rather dated law like this in place right now. Back in 1994 the federal government passed the Communications Assistance to Law Enforcement Act (CALEA). Under the law, telecommunications providers must have hardware and/or software installed that will allow law enforcement agencies real-time surveillance of any telephone or Internet traffic.

Originally, CALEA only applied to telephone networks, but in 2004 several federal organizations filed a joint petition with the FCC to expand the ability to monitor voice over IP and broadband Internet connections. Lawsuits challenging that the ruling was unconstitutional under the Fourth Amendment were filed by organizations like the Electronic Frontier Foundation and the American Council on Education.

There are several gaps in CALEA that the Times piece discusses including the use of offshore services and “freeware” applications created and maintained by volunteers. These are some of the holes the new law will try and address. The Times piece claims officials are coalescing around several of the new proposal’s likely requirements:
  • Communications services that encrypt messages must have a way to unscramble them.
  • Foreign-based providers that do business inside the United States must install a domestic office capable of performing intercepts.
  • Developers of software that enables peer-to-peer communication must redesign their service to allow interception.

My biggest concern is technology backfire - hackers taking advantage of wiretapping holes. I understand the need to monitor traffic in some cases but based on the way the Internet has been put together and works I don’t see how real-time surveillance can technically be accomplished without eventually exposing holes that could (and would) be exploited by hackers. Be sure to read the entire New York Times piece linked here.


*******

Update 9/27/10 - I received the following message from Kyle at newsy.com


Hello Gordon,

I just finished reading your take on how federal officials want to improve internet wiretapping in the very near future. I really enjoyed how you cited the New York Times as well as offered your own opinion on how this opens the door for a different kind of security risk: hacking. It's kind of interesting that by increasing monitoring of the internet, the government could also open doors as you say for hackers to exploit. In terms of security, that's a pretty big issue to deal with right there.

I think you would enjoy this video from newsy.com, it analyzes what the national media is saying about this possibility in a 2:30 video. The video actually references the same Times article that you talk about with mention to the three major requirements the bill will request.


Here's the newsy.com video:




Thanks for passing this along Kyle.

Wednesday, September 15, 2010

When Blocked Caller ID Calls Are Not Really Blocked

You may think turning off, or blocking, your caller ID can make you anonymous to the person you are calling. Well...... it can but..... not really. Linda Scott out at the Education Development Center in Newton, MA passed along a link to a service called Trapcall. This service can be used to unmask blocked and restricted calls, allow users to blacklist harassing callers, and can also record incoming calls. There is no software to install and the service will work on mobile phones from AT&T, Verizon, T-Mobile and Sprint.

Here’s a piece on how TrapCall works from a 2009 Wired article:

TrapCall takes advantage of a loophole in Caller ID blocking that’s long benefited corporate phone customers: Namely, calls to toll-free numbers are not blocked, because those calls are paid for by the recipient.


TrapCall instructs new customers to reprogram their cellphones to send all rejected, missed and unanswered calls to TrapCall’s own toll-free number. If the user sees an incoming call with Caller ID blocked, he just presses the button on the phone that would normally send it to voicemail. The call invisibly loops through TelTech’s system, then back to the user’s phone, this time with the caller’s number displayed as the Caller ID.


The caller hears only ringing during this rerouting, which took about six seconds in Wired.com’s test with an iPhone on AT&T. Rejecting the call a second time, or failing to answer it, sends it to the user’s standard voicemail.


And, here’s a short video from HouseholdHacker demonstrating the service:



If you think this stuff is not very popular take a look at the YouTube view counter for the video - almost 2.4 million views as of today.


In my 2003 book Introduction to Telecommunications Networks I wrote that the constitutionality of caller ID has been repeatedly challenged in court with people having three major concerns:
  • The right to be left alone
  • The right to be free from unreasonable searches or seizures
  • And, the right to not be subjected to unreasonable government intrusions
Privacy works both ways for me. I don’t think I’ve got much to hide so don’t worry too much about having to block my caller ID. If I do have concerns about my number getting out I’ll just use another phone with a public number. If someone does call me from a blocked number, I typically just let it go to voicemail.

Monday, December 15, 2008

Your Web Privacy At Risk? Will You Be Phormed?

British Telecom has been testing an interesting product from a company called Phorm. Phorm is not a household name yet but it could rapidly become one. Here's a piece from Phorm's Wikipedia entry:

Phorm, formerly known as 121Media, is a digital technology company based in London, New York, and Moscow. The company drew attention when it announced it was in talks with several United Kingdom ISPs to deliver targeted advertising based on user browsing habits by using deep packet inspection. It is one of several companies developing behavioral targeting advertising systems, seeking deals with ISPs to enable them to analyse customers' websurfing habits in order to deliver targeted advertising to them.

Phorm claims the product in trial, called Webwise, is designed to make the internet safer and more relevant to internet users. Webwise is offered free of charge to participating ISP partner customers and includes relevant advertising features and enhanced protection against online fraud. Webwise works by giving users a unique identification. User browsing habits are observed and then ads are targeted based on those habits. The company says that all collected information is completely anonymous and Phorm (along with anyone else) will never be aware of any user's identity or what that individual user has browsed.

Will British Telecom move forward now that the trial is complete? Here's a quote from a ZDNet piece:

"The trial has now concluded and achieved its primary objective of testing all the elements necessary for a larger deployment, including the serving of small volumes of targeting advertising," said the company in a statement on Monday. "There will now be a period of joint analysis of the results. Following successful completion of analysis of both the trial results and of any changes required for expansion, BT's expectation is to move towards deployment."

Some in Europe are fighting - anti-Phorm campaigner Alexander Hanff is quoted in the ZDNet piece:

"There's still pressure from the [European Commission] and the public that may mean BT doesn't deploy the system," said Hanff, who added that the Crown Prosecution Service is still considering whether to launch a prosecution against BT over two previous trials.

I pay for Internet access in my home and do not believe anyone should have access to my surfing habits except those I give it to. This stuff scares me.

For updates watch Hanff's blog linked here.

Thursday, November 8, 2007

Global Positioning System (GPS) Jammers

I recently bought a Bluetooth GPS receiver and software for my PDA and it has changed the way I drive. I find myself traveling to a lot of new places and I often end up renting a car when I get there. With my GPS system I can pre-load maps and location destinations (like hotels and meeting addresses) before I arrive. When I get to the rental car I turn the receiver on, put it on the dashboard and turn the PDA on. In a couple of clicks my PDA is talking to me, guiding me turn by turn to where I'm supposed to be going. The device has saved me a lot of time, stress and confusion when I'm trying to get to someplace I'm not familiar with.

GPS locations are based on positioning relative to 24 satellites orbiting 12,000 miles above the earth and generating (by the time they get to earth) relatively weak wireless signals. As a result, it does not take much signal power to jam them. GPS works on two different frequencies: 1575.42 MHz for non-military public use and 1227.6 MHz used for the United States military. The military has used GPS jammers for a long time to confuse the enemy. Consider a GPS guided missile directed at a specific location - if a target location is jammed missiles will likely not be able to hit that location.

GPS jamming went mainstream with an article published in Phrack Magazine in January 2003 titled Low Cost and Portable GPS Jammer. Here's a quote from the article: "the onslaught of cheap GPS-based navigation (or hidden tracking devices) has made it necessary for the average citizen to take up the fine art of electronic warfare."

Here's a few more quotes from the Phrack article:

Several companies now sell "hidden" GPS based tracking devices which mount inside
or underneath your vehicle. Some transmit the coordinates, via cellular phone, of
your vehicle's present and/or past locations for weeks at a time without battery
changes or court orders!

Vehicle rental companies have been known to use GPS tracking devices to verify you
don't speed or abuse their rental vehicles. The unsuspecting renter is often faced
with these hidden abuse "fees" after returning the rental vehicle.

Law enforcement agencies...... keep track of house arrest prisoners with simple GPS
based tracking bracelets. Some even use GPS for automatic vehicle location

Cellular phone companies, trucking companies, private investigators, toll-roads,
aircraft, those "protect your child" systems and many more services are all fully
involved with the use of GPS based tracking. The problem is, do you really want
everyone to know where you are?

I was watching local news the other evening....... a small town near where I live has installed GPS units on all of the town highway department trucks. The location of all vehicles is monitored and administrators know where their vehicles are, where workers have been and where they are going. The town justified the purchase based on the price of gas and wear and tear on the vehicles and expected a full return on the technology investment within 3 years.

Some who work for these kinds of companies and organizations don't like the idea of someone knowing exactly where they are all the time and have obtained, or are considering obtaining, GPS signal jammers. A quick search on eBay for "gps jammer" yields several battery and cigarette lighter devices starting at $76.

MicroVideoX.com has a video posted on YouTube demonstrating their GPS Counter Track device:



Interesting technology and the devices look like they are fun to play with. However, I don't believe I would risk my job.

Thursday, August 9, 2007

Search Engine Privacy

As Mike Q and I travel around presenting on Web 2.0 technologies, some of the most common questions we get concern privacy. The questions are along the lines of:

- How private are my communications (text messaging, email, etc.) on the web?
- How private are documents stored in places like Google Docs and Spreadsheets?
- Can I securely delete things like search records from places like Google and Yahoo?
- Can anybody else access my stuff?


Yesterday the Center for Democracy and Technology (CDT) released a report that starts to give some answers and, more importantly, will continue to put pressure on Internet search companies and lawmakers to further strengthen privacy protections. In a report titled Search Privacy Practices: A Work In Progress (linked here as PDF) the CDT takes a look at how these companies delete old user data, strip personally identifiable information and give users the ability to delete old search records. There's been a lot of activity by companies recently so this report is very timely.

Specifically - the report takes a good look at Google, Yahoo, Microsoft, Ask.com and AOL and makes the following recommendations:
  1. Search companies should continue to work towards providing controls that allow users to not only extend but also limit the information stored about them. As it becomes possible to tie more and more information back to an individual user account, users should control the correlation of their account information with records of their online activities.
  2. Researchers, academics, and Internet companies should continue to pursue new and innovative methods for (a) improving the quality of search results, preventing fraud and otherwise meeting business needs without tying searches to particular users, and (b) safeguarding data that is stored for long periods.
  3. Search companies should expand efforts to balance the demands of the advertising marketplace with their users’ privacy needs. This should include the development of new standards and policies that take privacy into account from the beginning.
  4. Internet companies should leverage their contracts with partners to promote privacy protections across the board. Consumers can also exert pressure to improve privacy practices by staying informed and making use of available privacy tools.
  5. No amount of self-regulation in the search privacy space can replace the need for a comprehensive federal privacy law to protect consumers from bad actors. With consumers sharing more data than ever before online, the time has come to harmonize our nation’s privacy laws into a simple, flexible framework.
The report is short (6 pages including a Glossary) and easy to read with an excellent table on the second page that answers the following questions for the 5 companies studied:
  1. How long after search data has been collected will it be removed?
  2. How will search data be removed?
  3. Is most or all search data shared with a third party on an ongoing basis?
This is an excellent look at current web search privacy - you will likely be surprised at some of the things you see. I look forward to more "persuasion" in the web privacy areas from the CDT and other similar organizations.