Raj’s “Is your company Googling it’s Privacy and Security Away” article appeared in INFOSECURITY Magazine June 2009 Issue.
A well-known author, speaker and Information Security expert, Raj has presented at several national and international information security conferences, built an Information Security Compliance Office at a multi-billion dollar retailer, and assisted clients in achieving the PCI-DSS Report On Compliance (ROC). Various hospitals and medical chains in the Northeast retain Mr. Goel to conduct HIPAA/PCI/State-privacy-breach compliance assessments and implement remediation strategies.
Raj has appeared on PBS, CNNfn, Geraldo and in hundreds of magazines and newspaper articles worldwide.
He is open to more speaking engagements, magazine and book publishing inquiries and information security engagements across North America.
DAVID: Well, good morning everyone and welcome to the CyberHood Watch live internet radio show. Obviously it’s live and we just had a little bit of a technical difficulty. So I’d like to welcome everyone and this is going to be a great show. We’re going to be having Raj Goel online. Prior to when we started the show I had a brief conversation with Raj, and I’m telling you, it’s going to be exciting and very interesting to hear what Raj has to say. I hope everyone really pays close attention because this concerns all of us. There’s a lot that happens out on the internet. Many times we wonder where all this data is, where all this data is going and how it’s being used. What’s being done when we’re not aware, when we’re maybe on social media and we’re entering information on Facebook, Twitter, LinkedIn, and everything else. With that, I’d really like to welcome Raj.
Why don’t you just begin Raj with giving us a little bit of how you got to where you are today and maybe a little bit of you. Again, we’re talking about personal information so that’s up to you how much you want to share with us. Give us a little bit of your background and how you got to where you are today.
RAJ: Sure. Thanks David, glad to be here. So I’ve been in IT since I was 12 in ’82. Most of you can do the math to figure out how old I am today. So I did a lot of work with hospitals and doctors, a lot of professionals in the 80’s and the 90’s. And in ’97 one of my clients, an insurance company, wanted to build a web portal for their medical patients; it’s a health insurance company. And they sort of talked to me about, “Hey, what do you know about this HIPAA thing?” I swear to you, I thought HIPAA was an animal you saw at the zoo, the hippo.
Based on what the client needed I started researching and looking at this new thing called HIPAA. It was not a law then, it was just being talked about. And they were sort of following what it is I need to know so I can help my client be compliant with this new law that will get passed any day now. So since 1997 I’ve been focusing on, researching, and advising clients, usually health care institutions, retailers, and companies across the US and Canada, on how to meet changing privacy and security requirements at the federal, state, and private sector levels. So the question I always get asked by my clients or prospective clients is what makes you better, why should we hire you? And secondly, why does this matter to me? For me, privacy and security matter for several reasons. One, no matter what business you and I are in, ultimately we’re all consumers. We all have doctors, we all buy cars, we all have cell phones, we all use social media, we all pay good money that we earned to corporations. From the professional side it’s in my interest to help my clients protect their clients’ privacy better. And from the consumer side, it pays for me to protect my privacy, your privacy, and my family’s privacy better because ultimately our social identity is the new currency. In the old days how much money you had determined how much power you had. That’s still true, and today companies and governments have gotten so much better at data mining and data analysis.
Google’s self-proclaimed, self-professed goal, and Eric Schmidt, their CEO, said this a couple of years ago in a live interview, is that he wants to know you better than your mother and spouse combined, better than you and your psychologist know. They want to be able to predict what you’re thinking, what you’re going to buy, what you’re interested in before you even know about it. And they’re not the only company with that goal. Every marketing company wants to know what you’re going to buy, wants to predict what you’re going to buy, and influence your decision towards their products and their services, whether it’s GM, Ford, Colgate, Pepsi, Google, Facebook, Twitter, you name it. So over the last 15 years we’ve seen a lot of regulations coming down from the US and other governments that take more and more industries and hold them to privacy and security standards. HIPAA for health care, [Unintelligible 00:06:21] and Red Flag for companies that lend you money, the banks, the insurance companies, the financial planners, real estate agents and so on. PCI for every company in the world that accepts credit cards, and all the state privacy breach laws. Because ultimately what governments have realized is if companies are playing [Unintelligible 00:06:39] with your data, we all pay the cost of ID theft.
According to the FBI, as of 2009, ID theft from financial fraud was a $55 billion a year business. That’s $50 billion or more being stolen every year, primarily from Americans, by criminal organizations around the world. Why do we have spam, why do we have viruses, Trojans? When I was growing up kids wrote viruses and worms for the fun of it, for the ego points. Today, there are companies, I’ll just call them what they are, in Russia, Belarus, Eastern Europe, China, whose entire business model is to create new viruses, new infections that take over computers, primarily those of American citizens, so that they can acquire bank records, steal funds, and so on. You can call them criminal organizations, or you can call them private corporations, it’s one and the same.
DAVID: You touched on HIPAA and Canada earlier. Prior to the show we briefly talked about that. Why don’t you share what’s happening there and how it differs between the US and Canada, and how they have consolidated, as you said. You’ve got one person to call rather than many here in the US.
RAJ: Sure. First, let me explain to the audience what HIPAA really is and what it means to them. So HIPAA was created in the 1990’s as a way to lower the cost of health care in the US, because right now, in our $14 trillion economy, the cost of health care is roughly $2.7 to $3 trillion a year. And the US government is the world’s largest provider of health care. We pay the most money of anyone in the world. And HIPAA is designed to lower the cost of health care by standardizing what your medical records look like so that Dr. A, Dr. B, Company A, Company B all speak the same language when talking about health care.
When you go to your bank, whether it’s Chase Bank, or Citibank, or the First Bank of Peoria, ultimately when you go to your ATM and you pull money out, you can pull the money out in seconds because all the banks agreed to use a common ATM standard for discussing your financial information. Be it money in your account, are you going to be able to withdraw it, what’s your balance. Similarly, the whole point of HIPAA was to standardize health care records and make moving your health insurance from company A to company B when you switch jobs, when you get laid off, when you get hired easier and cheaper.
The other thing HIPAA did is [Unintelligible 00:09:28] for the first time ever, allowed you as a patient, as a consumer, as a [Unintelligible 00:09:34] to demand from your doctors, your hospitals, your insurance companies a copy of your medical records. That’s the first time in human history patients were told your health information belongs to you and not to the company creating it. So that’s the second thing HIPAA did. And because they’re putting everything electronically, a lot of the privacy and security advocates got involved and said, “If we’re going to digitize this information and put this in databases, we’ve got to have stronger security and privacy controls around it. Because otherwise 10 seconds after this data is in the database Madison Avenue, the pharmaceuticals, the consumer agencies are going to whip through this data to market to you deeper, better, faster.” That’s what HIPAA does in theory.
DAVID: Is it working? Have we been successful with it or is it just a way to collect more information, like you said? Everything is now going into data files and being brought in electronically rather than the handwritten files. So are we opening ourselves to more problems by those databases being infiltrated?
RAJ: Those are two separate questions. First, is it improving the quality of health care, is it making our lives easier and better? I would say yes it is. It’s a slow process, and HIPAA was never meant to be a one-year home run, it was really designed to be a marathon. So you’ll notice HIPAA was discussed in ’97, passed in 2001. The first year it started really sanctioning hospitals and health care organizations is this year. It’s almost 15 years after the law was discussed and 11 years after it was passed that they started applying penalties to hospitals, doctors, medical practices, so it is working. It’s slow moving and it’ll probably take another 15-20 years before HIPAA becomes so ingrained it becomes like Medicare. [Unintelligible 00:1?:37] In the 50’s every hospital and doctor said we’re not going to take it. It’s a new government mandate, government regulation, we’re not going to take it. But when the first generation of doctors from the 50’s and 60’s retired, and the second generation of doctors came on board, 20 years later kids going into medical school knew what Medicaid was and Medicare was, and today, you cannot be in the health care business and run a hospital without taking Medicare dollars. So HIPAA is going to go through the same process, where you just had the first generation of kids become doctors in the HIPAA era. So as they go into private practice they are going to give us better health care with better data. So on that end it is working. Where it’s not working as well is there’s a small or large loophole in the law which basically says, “If I’m your doctor, I’m your hospital, I’m your pharmacy, I have all the legal obligations to protect this data.” You the consumer on the other hand can do anything you want with this information, so a lot of companies, WebMD, Google Health, and [Unintelligible 00:1?:45], and there are hundreds of others, sprung up.
They promised you that if you put all your health care data here, or you authorize them to get this data on your behalf, then they will help you better manage your family’s health care. But what they’re really doing is going in and around HIPAA to get your health care data to be able to sell it at some level to the pharmaceuticals, consumer products agencies and so on.
And the difference between the US and Canada is we currently have 60-something laws that I know about on information security, HIPAA, GLBA, Red Flag, [Unintelligible 00:13:24] and all the state privacy breach laws. Canada has just one, [Unintelligible 00:13:28]. There’s one privacy commissioner for all of Canada. And if you are a consumer and your privacy is being violated, you go call her office; currently it’s a lady. And they proactively also go and defend the privacy of their citizens. So about 4 years ago, when Google launched Google Health and Microsoft launched HealthVault, both designed so you authorize them to get your health care data from your doctor, your pharmacy, your health plan and put it into online databases, the privacy czar in Canada told all these guys, “Uh uh, what you’re doing here violates PIPEDA, fix it or get the hell out of my country.” And within a matter of weeks Google and Microsoft both changed their practices and privacy policies for Canadian citizens only. So Canadian citizens have stronger rights and stronger privacy controls than we as Americans do, even though Microsoft and Google both benefited greatly from our tax dollars and our research.
DAVID: That’s amazing to hear. And you were even talking earlier about Google and Microsoft, and some of the early investors in Facebook. So let me bring you over to Facebook and talk a little about what you shared with me earlier on Google and Microsoft, and how another end run is being done.
RAJ: Sure. In the US the primary model as citizens is any information the company creates around us is owned by the company. Whereas in New York they have a different culture of privacy, and in Europe by social convention and by law, any information the company collects on you belongs to you the citizen, not the company. So right now there’s about 40-50,000 Europeans, and it’s growing every day, who are taking advantage of the new EU security laws. They all went to Facebook and said, “Give us our data. Tell us what you’re collecting on us.” Whereas in the US, if you’re a US citizen and you ask Facebook for this data, Facebook will literally laugh in your face. They’ll tell you, “Go away, we don’t have to listen to you.” In Europe, if you’re an EU citizen, they’re required by law to give you your data. And as a result what other people have discovered is Facebook collects anywhere from 192 to 800 pages of data per person. Your name, date of birth, gender, when you first signed on, everybody who’s given you a friend request, everybody you friended, everybody you unfriended, any instant message you’ve sent, any Wall message you’ve sent, things you’ve clicked on, applications you’ve touched. One of the things that we discovered, we expected. When I say we I mean security researchers. But we’ve been able to now look at the data and be able to see with the very highest degree of certainty, we can practically prove, that if your friends have certain applications, and lots of the applications have the same controls, if your friend has an application and you don’t, that application has the right to access your data because you’re friends with somebody whose idea of privacy and security may not be the same as yours. So the big things in social media, LinkedIn, Facebook, Twitter, but mostly Facebook. It’s not just bad enough that you have to worry about how secure and private you are. You may be very good, you may only be using it for innocuous stuff.
But if your friends or people in your friends list play Wild and [Unintelligible 00:17:10], they click on every little Facebook ad, they install every application, take every survey, take every quiz and they don’t care about their privacy and security, they will compromise yours because Facebook lets them do that.
One of my favorite stories around this is about 3 years ago, a parolee in Arizona or Texas went camping with his buddy. And his buddy took a picture of him holding a shotgun. It was a really good looking photo, artistically a really nice photo. But you know and I know that parolees can’t handle firearms. His buddy put up the photo on Facebook, and the parolee is now back in jail. On one hand, he’s sent back to jail for violating his parole; on the other hand he had no idea his friend was going to put his picture up on Facebook. And this is where your friends and your family, whether meaning to or otherwise, can turn around and destroy your life. There’s a case out of New Zealand where the bank made a mistake, the couple got $20 million, New Zealand bucks, in their account. It wasn’t theirs, they took the money and they ran. New Zealand police could not find them. And they went all over the world, they couldn’t find them. The New Zealand police noticed on the husband’s sister’s Facebook profile that she says she’s going to Hong Kong for a family reunion. With the FBI and with the Hong Kong police, when she landed in Hong Kong, the Hong Kong police were there to greet her and in doing so they apprehended the couple, who are now in jail. So the couple did nothing online but his sister got him landed in jail.
DAVID: And that’s interesting because I’m seeing more and more of that on the news. You see news events, or you see maybe some rioting, or whatever happening in the streets and the picture is taken. Now they’re posting those pictures and police are asking for people to identify those individuals in those pictures because they’re either wanted for questioning, or they’ve actually been seen in the act of a criminal activity.
DAVID: And I get to thinking, “Wow, that really is kind of…” I don’t know, it’s wrong to do what some people have done but then how do you… Where’s that line drawn where you now are pulling just everybody else in to kind of capture somebody else?
RAJ: You hit the nail on the head. When it’s criminals and people do something wrong, I’m the first champion to go throw them in jail, prosecute them. You and I as human beings, we have conscience, we have the ability to discern what’s innocuous versus what’s not innocuous. Blood is black and white, machines are black and white, people are gray. The machines don’t have that ability. Data is data. Whether you’re jaywalking, driving too fast, or committing murder, it’s all the same to the machines. So the real danger with all of this data being collected online and being sold and [Unintelligible 00:20:21] companies back and forth with each other and with governments is you can be implicated by activities that you are not guilty of, that you never did, or because of your association with certain people. In the 50’s when the red scare came on it was bad enough if you were a [Unintelligible 00:20:41] Communist. But it was even worse if you weren’t a Communist and your friends were.
RAJ: Lots of actors and professionals didn’t get work. Today, in the real world here’s what happens. If you’re a young kid looking for your first job in college or after college, or you’re a seasoned professional like me and you and we’re looking for our third, fourth, or fifth jobs in our careers, the first thing any good recruiter does is pull up your Facebook profile, your LinkedIn profile, your social media. They look at your resumes, they look at your online profiles if they don’t know you or they’ve never met you. If they’re looking through some candidates, and the resumes are exactly the same, skill set level is exactly the same, execution is exactly the same, they’re all looking at your social media profiles and going gee, your friend seems to be into drugs, your friend’s been arrested. Why would I take a risk in my job by putting your resume in front of my employer or my client? So if your friends or family have really bad social profiles it shows up and it taints you with a bad brush.
DAVID: I want to go back here a little bit because there was something that I wanted you to talk about and bring out. And it’s going back to where Google or Facebook is collecting this information on you, and how the investment by Google and Microsoft… I’m sorry. You tell me how that went down. But my point is I want to kind of show, or have you describe, what really is taking place there in the back door, because you and I both know, we talked a little bit about this before, that information that’s not allowed to be collected about us individually. But because of the way things are being set up and just manipulation of the system, how that is backdoored and the government gets that information.
RAJ: Sure. So under the US constitution and the US federal laws, there’s lots of information the government cannot legally ask. They can ask you your name, gender, date of birth, social security number. They can ask if you’re married or not, that’s your census form. But they can’t ask you what kind of beer you drink, who you sleep with, what drugs you take, do you drive too fast, do you drive without your seat belt on. They can’t ask all this information, they can’t ask you which political candidate you favor. They can’t ask you who you voted for or where you keep your bank accounts. They can’t ask you lots and lots of things. However, under US federal law if this information is available in a commercially available database, they can buy it. And as a result, whether it’s Google, Facebook, TransUnion, Equifax, ChoicePoint, any of these data brokers, one of their primary business models is to sell your data to governments around the world. And what you and I talked briefly about early on is governments have always invested in corporations and investments, but in the mid-90’s the CIA created their own venture capital arm called In-Q-Tel. And one of the earliest investors in Google and Facebook is In-Q-Tel, that’s publicly known. In fact, Oracle Corporation, currently one of the largest software companies in the world, their first client was the NSA back in the 70’s, and the Oracle database technology exists because the NSA had a need to combine and analyze terabytes of ideas back in the 70’s, or terabytes of data. Today the same thing applies: the information the government’s collecting on us is growing by leaps and bounds, and so is the information that private corporations are collecting on us. If you own an iPhone for example, every month the iPhone automatically collects 30,000 points of data on you, just your iPhone. You bought a Kindle, congratulations, I’m glad you’re a reader.
What Amazon never told you is if you bought the first or second generation of Kindles they’re tracking every purchase you’ve made. They can also revoke the purchases you’ve bought. When they first came out, for whatever reason, Amazon decided that 1984 by George Orwell, an American classic, was forbidden. And people who paid money to buy 1984 had it automatically deleted from their Kindle.
RAJ: And then they realized their mistake and they corrected it, but that’s the power you’ve given to corporations. You have a smartphone, a Droid from Verizon, Sprint, AT&T, an iPhone from Apple, one of the things you’re paying money for and you agree to in your terms of service is you allow these corporations and others to install applications without notifying you, and to uninstall applications without notifying you.
You buy an iPhone from any carrier, you’ve given Apple the authority and the ability to delete an application that you’ve installed on it. And that’s only when corporations are meaning to do well. Like everybody else they make mistakes, and a lot of technology today has built-in security holes which don’t get found until long after the horses have left the barn. Case in point HTC, they are one of the largest manufacturers of smartphones in the world, one of the top 3 corporations for smartphones. And researchers have discovered in the last 2 weeks alone there’s a small flaw in the HTC Droid phones. Any application on the phone can have access to all of your data, your contacts, attached emails, buddy lists, you name it. It’s an error on HTC’s part, but it now exposes all your data to anybody, and any application installed on your phone. And in the old days, 5 years ago, the criminals and the virus writers went after your PC. Now they’re going after your smartphones because from the PC you can walk away. For most Americans and most people the smartphone is never more than 6 inches away from their body. So if I can take over your smartphone I know where you are; between the GPS and the Wi-Fi antenna, I can pinpoint your location within 50 feet or less. Not only can I do it, every corporation in the world can do it. And by extension, every government in the world already has back doors into your smartphone providers and your social media providers.
In the US, arguably the biggest country in the world, the Patriot Act requires that any corporation can be served with a national security letter, which authorizes the government to get data without a subpoena and without you being notified. In other countries which are “less open”, the government demands the information and companies hand it over. Google hands over information to India, Brazil, and China all the time, so does Facebook. There was a great quote from the director of, I believe, Facebook or Google 2 weeks ago. He said, here in Russia, when the Russian government wants information, what are you going to say, no? You can’t say no to the Russian government in Russia. And as a result, anything you put online or anything your vendors collect on you is not only being sold to other corporations but it’s being given away to governments hand over fist.
If you bought a GM vehicle in the last 15 years it came with OnStar enabled. And on one hand OnStar’s a great thing, if you forget your keys, if you need help in the middle of nowhere. Just 2 weeks ago OnStar decided unilaterally that they were going to now sell your OnStar data, which is the GPS location of your vehicle at any given time, how fast you drive, whether you drive with a seat belt on or not, whether the airbag was deployed or not, whether the headlights were on, tire pressure, all this data they collect on your car, they’re going to sell it to anybody and everybody who could afford to buy it. And if you are a paying customer they’re automatically given the right to do this. If you are a lapsed customer, if you were an ex-customer of OnStar, [Unintelligible 00:29:03] to collect and sell this data on you. Thankfully, Chuck Schumer and a couple of senators got involved, and publicly OnStar has gone back to their old privacy policy, but I really don’t know how long that’s going to be true. They’ll identify some backdoor or some loophole in the law, and turn around and sell this data. Why? Because your car insurance company wants this information so that they can turn around and charge you higher rates if you drive with your seatbelt off, or you drive too fast, or you’ve been in too many accidents. Your health insurance company wants this information because when it comes to renewal time they want to be able to use this information and charge you a different rate because you’re a fast driver, or you’re an aggressive driver, or you hit the brakes too often, or you drive through “dangerous areas”.
DAVID: This is just amazing stuff. You’re somewhat aware of it but I guess one thing that I wasn’t aware of is once you are not a customer of OnStar any longer, the system is still on and still tracking. I don’t think a lot of people are aware of that. But what I want to do now is maybe take this all and throw it up into the Cloud.
RAJ: Go for it.
DAVID: But before we go into the Cloud there’s something else. Because a lot of our listeners are small business owners and you touched on this earlier, why HIPAA and GLBA, and Sarbanes-Oxley were put together. A lot of this had to do with identity theft. And from what I understand now a lot of what’s taking place is not just identity theft but small business identity theft.
DAVID: Talk about how the red flags and how small businesses really… And not just the small business but anybody who’s maybe an internet marketer online or doing business online that has personally identifiable information on their computer or their database. How these red flags might apply to them and how important the red flags rules are for small business if they do not comply.
RAJ: All right, so two different things there. One is you talked about small business identity theft and the second is red flag, so let’s take them in reverse order. Red flag, it’s a great idea, it’s a law. Right now it’s still in an embryonic stage. The American Bar Association for lawyers, the American Medical Association for doctors and the accountancy associations are all suing the federal government to try to exempt their professions from red flag. So until some of those cases are settled it’s a piece of paper. Right now in theory it’s a good idea and small business really should understand what privacy and security mean, and try to protect the privacy and security of their consumers. It’s in your best interest as a business owner to protect your customers’ privacy because we’ve seen from research in the last 5 years from the Ponemon Institute that when a company loses information on its clients and it becomes public knowledge, between 3% and 7% of your customers never come back. And that’s a huge cost of business.
You lose records on your patients and it becomes public knowledge, you can spend thousands to millions of dollars cleaning up the mess depending on how big you are. Now, I get the [Unintelligible 00:3?:48] state regulators and your customers, they have to set up a privacy office, somebody to deal with their ID theft monitoring; again, this all depends on how big a business you are. If you’re a 5-person floral shop or a two-person law firm your risks and your costs are [Unintelligible 00:33:06] different than if you’re a hundred-person accounting firm or Wal-Mart. So the red flag rules do have scaling built into them, and when it comes to regulators they always look at the size of the company, the nature of the mess, and the culture of the company before they apply penalties. So I would start looking at them, I would certainly talk to your attorney about drafting privacy policies and red flag compliant policies, talk to a good security consultant. You can ask me questions directly or if you’re in areas that we serve you can certainly hire us to help you build your compliance program. But first educate yourself, read the law, talk to other business owners and advisers about it, see what they’re doing. Red flag is going to go the same way HIPAA did. HIPAA was talked about for 4 years, passed in 3 steps, in ’01 and ’05. And the large hospitals started getting compliant, or trying to be HIPAA compliant, starting in 2001-2002. A lot of the medical practices today in 2011 are still not compliant. And if they’re five doctors or larger, they’re getting compliant now. The small practitioners, most of them barely deal with service.
I don’t expect red flag to overnight come in with Draconian penalties. I expect it’ll take the next 3-5 years for red flag to become part of our culture just like income taxes. At some point it’s going to go from a [Unintelligible 00:34:37] law to actual law, and you’ll start getting forms and practices. Say you’re 10 years down the road, you’ll go through red flag compliance [Unintelligible 00:34:46] like your taxes every year; once a quarter, or once a year you have your adviser come in and do an assessment or work with you and file the paperwork. In theory it’s a good idea; in practice, before you worry about red flag look at the other laws that are actually on the books that may apply to you. If you’re in health care, whether you’re a doctor or a pharmacist, or you work in the health care industry, you need to be HIPAA compliant now. In most states, 47 states have distinct privacy breach laws that already apply to your business. If you extend credit for a living, whether it’s payday lenders, or you give clients generous lease or loan terms, [Unintelligible 00:35:28] already applies to you. But first, work with your attorney and work with a good security professional like myself, or others, and really determine which laws apply to you that are already on the books and are being enforced. And then build a comprehensive compliance program, which actually is pretty easy to do.
This sounds complicated; for most small businesses it’s not that complicated. [Unintelligible 00:35:54] small businesses really for the most part aren’t that complicated. The pure, simple fact is you might think you’re unique but you’re no different than the other 50,000 doctors who stay in private offices. As your business grows, and if you’re making less than a million a year in revenue, most of compliance really doesn’t apply to you. [Unintelligible 00:36:17] something really stupid or [Unintelligible 00:36:19] dumb, we tell those clients and prospects if you’re doing less than a million a year in revenue your first priority is payroll. Work on increasing your business and being profitable. If you’re under 5 million [Unintelligible 00:36:32] in health care, compliance is something you want to talk about [Unintelligible 00:36:38] but not your first priority. Your priority is payroll, rent, and your new Jaguar. Companies with 5 to 20 million start looking at compliance; 20 million and up you better be compliant. Because quite frankly if you’re doing 20 million or more in revenue then you’re also impacting a lot more consumers than you are as a million dollar company. If you’ve got one office and you’ve got 50 clients that’s different from 2 offices and 20,000 clients. Because all the compliance laws really deal with the number of customers you have and the type of data you collect on them and keep on them. [Unintelligible 00:37:18] one law is already on the books and then start working towards compliance with them.
DAVID: Okay, now let’s…
RAJ: No one’s going to try you.
DAVID: Let’s jump into the cloud now and actually talk about how maybe the cloud is hacking us. And how it’s maybe affecting our civil liberties, something that we…
RAJ: Sure, but before we go there, there’s the other part about small business ID theft, which is a real problem for small businesses, county governments, not-for-profits, church groups, and so on. Now, a lot of consumers have gotten pretty smart about their own credit cards, and the banks have become [Unintelligible 00:38:03] end-user credit fraud. There’s a small loophole in our laws, which is if you go to your local bank as a private citizen, as a consumer, and you get a personal checking account, your liability for credit fraud and ID theft is limited by law. If you get a credit card, your max liability is $50. If you get a debit card, your liability starts at $50 and goes up to $5,000 depending on the state. But it really doesn’t go much beyond that. But if you go in there and open up a business account, or a not-for-profit account for your church group, your synagogue, your Boy Scouts club or whatever else, the same liability protections do not apply to you. So if you’re going into this as a consumer, you’ve got liability limits. If you go in as a business owner, or a not-for-profit, or a county government, or a school board, you have zero protection under the law. So what’s been going on for the last 5 years is a lot of criminal organizations are now focusing on the small businesses and the county governments. And they’re hacking companies over months, and they’ll generally do an attack over a long weekend, because they know it’s Friday evening, people are going home, no one’s going to come in until Tuesday, and they have stolen hundreds of thousands of dollars, or millions of dollars, and it’s almost impossible to get the money back.
RAJ: So if you are a business owner, or you work with a not-for-profit or sit on the board, or you have something with your local organizations, talk to your banks now and start asking them to not authorize any large dollar [Unintelligible 00:39:48] without approval. [Unintelligible 00:39:54] different than most of you, we have an agreement with our bank: any purchase over $100 needs an approval. On my credit and debit cards we get notified over email automatically of every transaction over $250. That way I’m not getting hit every time I go fill up my car or go get dinner. But anything larger than that, we get notified immediately. So that we can proactively call the bank and say, “We didn’t authorize this stuff, shut it down.” Talk to your banks about not allowing any wire transfers, any large money transfers, without verbal and written approval from the approved people. If you don’t do that, and you’ve got money in your account, or if somebody opens accounts and gets credit in your name, they will steal thousands to hundreds of thousands of dollars in an instant.
DAVID: I’m glad you made people more aware of that and I’m glad you offered that piece of advice, really, go talk to your financial institution and let them know that you want to set limits. It’s very simple and it works.
RAJ: Yeah. You go to a business center and you give your employees credit cards or debit cards on the corporate account; you can set not only what their buying limit is but also what their per transaction limit is. In my company I’m one of the owners, but I’m also the guy who travels a lot. So my limit and my per transaction limit are actually a lot lower than my CFO’s, because, you know what, the chances of me losing my credit card are much higher than hers. Therefore, for each employee, based on what they do, what their job role is, and the risk of loss, you may want to address on a per employee basis how much they can do without getting approval. Sometimes I get annoyed when I want to buy something and I have to call my CFO and my bank and say, “Yeah, please increase my credit temporarily.” On the other hand, maybe once or twice a year I get annoyed because I’ve hit my limit without getting approval, but it protects me day in and day out automatically. So I strongly recommend you do that. Also, at least once a year, go to each of the credit agencies and request a credit profile, and keep a good eye on them.
DAVID: That’s really…
RAJ: [Unintelligible 00:41:14] monitoring, review your credit reports; if you’re cheap, get them for free once a year under the law, review them, but do it for yourself and do it for your children and your grandchildren. [Unintelligible 00:41:26] what’s going on is most adults in America can be [Unintelligible 00:41:31] doing credit profiles when they were kids. And there are lots of kids this year applying for college who’ve been denied any and all financial aid. When they go to fill out their financial paperwork, they find out that last year, or a couple of years ago, somebody bought a house, or a car, or opened up a credit card in their names, because the banks have gotten greedy. They got really greedy in the mid 90’s and early 2000’s. If you had a pulse or a bit of paperwork, they’d give you credit accounts. So there’s a whole generation of kids whose credit score is already negative or in the low 100’s, because criminals have already stolen their identity for life.
DAVID: That is amazing, and a lot of parents aren’t aware of that. You touched upon a couple of things that Bill and I have talked about all the time, and that’s security versus convenience. You touched on that just with the fact that putting a limit on may be a little inconvenient at times. But we really do need to start being more conscious of what it takes to be secure. I don’t think we’ve talked that through enough. And we have to sometimes give up a little convenience for that extra protection. When you really look at it, a lot of the problems that we have today are because we didn’t account for that in the beginning.
RAJ: We agree, and not only that, we’ve gotten so used to the convenience culture. “I want it now, I don’t want to wait even 10 seconds.” And companies have built entire business models around catering to our convenience and, through the back door, selling us out while taking our money. I’m not saying be [Unintelligible 00:44:22]. I have an iPad, I love reading eBooks, I’ve got my iPod, I’ve got my smartphone, I’ve got the same tools you do; the difference is in how I use them. I have my iPad, I love reading eBooks on it, but I don’t buy books from Kindle or the Apple iTunes store. There are lots of great publishers who’ll sell you the books directly in your favorite eBook format. I love eBooks. Download them directly off the publisher’s website. Don’t go through an intermediary like Amazon or iTunes. I love my iPod, I love music, but I’ve never bought a track from the Apple store or the Amazon store. I buy the CD’s and rip them, because every software package lets you do that. And the big advantage there is if you rip your own music legally, or if you own the eBooks legally on your own, the vendors and the device licensors can’t take them back from you. Apple doesn’t know what music I have on my iPod; they can’t take it away. They don’t know what eBooks I have on my iPad either; they can’t revoke them, and neither can Amazon. I’m a big fan of convenience, I love convenience. But…
DAVID: Say it one more time: you’ll actually buy the CD and then rip it to your mobile device, and you’ll go directly to the website of the author and download it from there?
RAJ: Author or publisher. And if you like reading science fiction, which is one of my favorites, all of it is online. The [Unintelligible 00:46:01] library gives you hundreds of books for free, for which you don’t have to give them anything, not even your name. Lots of good publishing houses and lots of independent publishers, even the big ones, you can buy from directly. [Unintelligible 00:46:15] Books has a great new web store. Eric Flint, an author and a mini mogul, has a great online library system where you can pay a subscription and get all the books he writes every year. For most of them, for a flat fee, he gives them to you without DRM, without any protections on it, so you can put them on your device. You can give them to your friends if you like. He has no problem with you sharing the books. Tony [Unknown name 00:46:40], one of the most celebrated and successful authors in the world, this guy in his contract from day 1 says, “Any time I write a book, [Unintelligible 00:46:49] free online to anybody who wants it.” You don’t have to give him a dime for his work. Of course, you turn around, and if you’re like me, you go buy his books because you love his work. But he says, “You want to read my work? Go ahead and read it for free. You don’t have to give me anything.” Lots of authors are doing that. A lot of musicians are doing that. Even if you’re paying for the music, go buy the CD, rip the CD. Do not use an intermediary to save a couple of seconds ripping your CD. Because the moment somebody like iTunes, or the Amazon store, especially iTunes, they revoke music. Amazon has a history of revoking purchases on the Kindle reader. If you’ve gotten the Kindle Fire, which launched with a built-in web browser, Amazon runs interference between you… To optimize your web experience and make it faster…
DAVID: You cut out there Raj.
DAVID: It runs interference between us and who?
RAJ: The new Kindle Fire, their new eBook reader, the new tablet.
RAJ: One of the things Amazon touts is how surfing the web on this new tablet is faster than on any other tablet. The web browser is faster than the iPad, faster than your Droid phone, faster than anything else. Yes, it is faster, but the way they made it faster is that every time you click in the web browser on the Fire, everything is being pre-processed for you in the Amazon cloud, which means Amazon knows automatically what you clicked on, what you’re reading, what your interests are. They are literally building a jail guard around your Kindle Fire. They know what you’re clicking on and what ads you’re seeing before you even register it.
RAJ: The model has changed from you paying the money and owning the product, like your car or your book, to you paying money to be a licensee of a product that somebody else owns. You don’t own your smartphone, you don’t own your iPad, you don’t own your Kindle. You are a licensee of the product, and the manufacturers technically own the product; you just have license rights.
DAVID: That’s a really interesting point of view.
RAJ: That’s also the law, and that’s reality.
DAVID: Yeah, and I don’t think of it that way. So then let’s go to the cloud then and talk about how the cloud may be hacking us, or how our civil liberties might be challenged.
RAJ: Sure. As we’ve talked about several times already, anything you put online can be held against you; the cloud never forgets. Secondly, anything your friends, neighbors, or contacts say or do shows up in your public and private profile searches. Because the cloud is such a wonderful force for processing information, companies have turned around and are now using us and the cloud against us. For example, you go to Facebook, lots of people do, and I’ve seen adults whose day job is doing whatever, but they’ll come to the office and spend 2, 3, 4, 6 hours a day [Unintelligible 00:50:04] on Facebook. On the one hand, you tag pictures so you can find all the photos of [Unintelligible 00:50:12]. On the other hand, what you’ve just done is you’ve given Facebook, for free, the intelligence and [Unintelligible 00:50:19] it needs to do facial recognition. And a year and a half ago, Facebook created a new corporation which sells facial recognition software to governments around the world. That training and technology was not built by an army of PhD’s that Facebook paid millions of dollars a year to; that technology was built and trained by the consumers who gave away hours and years of their lives to train the Facebook facial recognition filter.
A couple of years ago the guys at Google came out with GOOG-411 so you could get 411 information for free. On the one hand, it saved you a couple of bucks instead of calling 411. On the other hand, you trained the Google voice recognition system for free. They couldn’t afford to pay millions or billions of people to call in with different accents and say different things and all that. But by putting up GOOG-411, you fed them the data.
DAVID: Wow, clever.
RAJ: Clever. One place where the cloud is hacking you right now… Let’s take Gmail. Whether you use Gmail, Hotmail, EarthLink, whatever, but Gmail’s my favorite [Unintelligible 00:52:36] boy. What does Google tell you? Never delete your emails, keep them for life. Every time I look at my Gmail interface, which I use for test purposes and for testing things, never really [Unintelligible 00:52:47] production work, but we use it because we like to keep an eye on the tools out there. Every time I log in, they tell me I’ve got more storage than I ever needed for email. What they don’t tell you is that under US federal law, the ECPA of 1986, any email held by an online provider for more than 6 months is no longer subject to the privacy protections guaranteed in the US Constitution. So on day 181, anyone with a gun and a badge can get this data without a subpoena, without even a court order. Google didn’t tell you this. Google, Facebook, Twitter, and LinkedIn, all these guys don’t tell you that under the same law, the ECPA of 1986, any information held in an online database has zero days of privacy. Zero; the moment you put it in, it’s no longer private. So all the stuff that you put on Facebook that is “private”, it’s not. All the stuff you put in Twitter that’s in your private tweets and private chats, it’s not. It is publicly available. It’s available to law enforcement, anyone with a check. And for years I loved my BlackBerry, I loved the security, I loved the privacy controls. But BlackBerry RIM is seeing the writing on the wall. When London had the riots a couple of months ago, without being asked, without being forced, RIM Corporation volunteered and voluntarily submitted all the BBMs, the BlackBerry instant chats, to the London police without being asked for it.
RAJ: So, this is what companies are doing. Just two days ago, the story broke. There’s a secret Department of Justice document that talks about how long your cellphone carriers keep your information online and what kind of information they keep in their records. Your phone records, who you called, who called you, are kept in their database for one to five years. Verizon keeps track of every chat, every SMS you sent, not only who you sent it to or who sent it to you, but the actual contents, for over a year. Why? So they can turn around and sell it to the government and corporations on demand.
DAVID: You know, let me ask you a quick question. So, do I have the right then, if I wanted to and if I had the money, to buy information specifically on you?
RAJ: In theory, you can’t just say “give me everything on Raj Goel”; most companies will tell you no, because that’s against every [Unintelligible 00:54:28] and all federal laws. However, if you said, “I want to buy the list of every IT security professional or every small business in New York,” or if you could say, “I want to buy a list of every IT company in my own zip code,” and you know, just tell me a website, you certainly could. And once you get the so-called anonymous data, it’s very easy to de-anonymize. You know, one of the biggest loopholes in the law is HIPAA says you can still anonymize data and give it to researchers or others, since it’s anonymized. Lots of laws say anonymized data is fine. What the law doesn’t say, and the law cannot say, is how easy it is for a smart graduate student to de-anonymize any information about you. And with the information that Google and Facebook and Twitter collect automatically, there really is no privacy from them, because no matter how big you are, or how good I am, they know more ways of identifying you deeply than is possible. You can’t buy information on a single human being, but if you can buy information, details on 50 or 100 human beings, or even a thousand people, it’s pretty easy from there on to work backwards to find the individual you are looking for.
Case in point: when we had 9/11 and the terrorists flew the airplanes into the World Trade Center, the head of ChoicePoint Corporation told his researchers, “I want you to go through our databases and find me who the potential perpetrators might be.” Who these guys could have been, because obviously they’re all dead and buried in embers. They were all burned [Unintelligible 00:56:08]. Within 24 hours this guy had a list of 30 people who his database told him might be the potential terrorists. He gave the data to the FBI for free, and out of the 30 people identified, 11 hijackers were on the list. Within a matter of months, [Unintelligible 00:56:24] Corporation got a $100 million plus contract for doing this kind of data analysis for the FBI and Homeland Security. This is data they weren’t even looking for. They weren’t even collecting “you might be a terrorist” information. But within hours of the airplanes hitting the buildings, ChoicePoint was able to tell with a high degree of accuracy that the hijackers, probably some of them, are on this list of 30 people. And that was back in 2001, with technology and tools that are outdated now.
DAVID: You know, I think we have a caller on the line, and he’s from area code 312. Caller, do you have a question for Raj?
CALLER: Yes, okay, yes Don. One thing that you said there, Raj, that was kind of interesting: like you said, 11 of them were terrorists on that list that was supplied, but for those names that were supplied but weren’t, what do you think the result of that might sometimes be? Do those people get blacklisted now because they’ve been kind of identified as a problem?
RAJ: Absolutely. A lot of those people, and all the other people who turn up on the FBI’s and CIA’s searches, ended up on the terrorist watch list. You go to the airports today, your name might be on the do not fly list. And if you are on the list, you’re taken off of it. You can’t legally even ask if you are on the list or not. And when the do not fly list first came out, a couple of sitting US senators were on the list. And it took them several months to get their names off the list, and these are arguably among the 100 most powerful people in the world. When a sitting US senator can’t get his name off of a do not fly list without jumping through hoops and threatening fire and doom, you and I as private citizens have no control over it.
DAVID: Yeah. Well, let me ask you, because I’ve got a two part question for you. The first part is: what’s the most frequently asked question that you get, and what’s the answer to that? The second part is, because of your position, if someone is asking you a question, maybe it should be more about what should have been asked, the should-have-asked question, and maybe what’s the answer to that one?
RAJ: Okay, so the most frequent question I get asked after I do these group presentations and interviews and so on [Unintelligible 00:59:13] is, “Can you help me with my LinkedIn profile? How do we get a good ranking on Facebook?” I have attorneys and accountants sit there through my cloud security presentations where we talk about all the different laws, all the private cloud data, and how if you’re an attorney, an accountant, or a doctor using the cloud, you risk your financial health because the law works against you. And I’ve done multi-hour presentations. I’ve been on panels with hundreds of attorneys, and they go, “Yeah, great presentation, you really scared the [Unintelligible 00:59:47] out of me.” And then the next question is, “So what do you think of my virtual advocate?” or “What about this cloud based practice management system?” or “So how do I get my rankings on Google better? Can you improve my website?” So there’s a disconnect between people coming to these kinds of events and listening about information security and then actually applying it to their lives. The question that should be asked, and part of your question, the first question really should be: what can I do to protect my business? And more importantly, what can I do today to protect my kids and grandkids 20, 30, 40 years down the line? Because the data collected today is going to come back and destroy their lives 30, 40, 50 years down the road.
DAVID: Wow, it is so important. I think you hit that one right on the head, the fact that we forget. And you mentioned early on that all this you put online is carved in stone, it’s there. One time we talked about cyberbullying and sexting, and a lot of things that are happening online. But I use the analogy of a little girl sitting on her grandma’s lap, looking up with her eyes a little bit bewildered, saying, “Grandma, did you really do that?” We have to remember we are leaving a legacy online for generations to see.
RAJ: Yeah. In the 90’s, Joe [Unintelligible 01:01:20], Girls Gone Wild was on every late night cable channel. Every late night show had ads for them. The first generation of girls [Unintelligible 01:01:25] on the first generation of Girls Gone Wild CD’s and DVD’s are now mothers and grandmothers. Which means in the next couple of years, their kids are going to be looking at Google, at Google Images or YouTube, and go, “Mommy, was that you?”
DAVID: Yeah, exactly.
RAJ: How many girls [Unintelligible 01:01:51] back in the mid 90’s, when they were going on Girls Gone Wild, really thought about what they would have to say to their kids or grandkids in 2011 or 2020?
DAVID: That’s the point. A lot of the problem with security is that a lot of it centers around human behavior. It really boils down to having a good moral compass and practicing those things that we learned a long time ago as kids, certain behaviors that were acceptable, and trying to apply those things to the technology.
RAJ: That’s not enough. Because fundamentally, as human beings, we are wired to do stupid stuff. As teenagers we are biologically, hormonally wired to do stupid stuff. Teenagers cannot think in the long term. That’s human nature, that’s biology. And I promise you, you and I and everybody who’s listening has done something as a teen which we will not be proud of. We may not be proud of our best friends now, which is currently illegal today.
RAJ: So, what’s really required is for us, as citizens, as taxpayers, to demand of our government certain fundamental legal rights. Why is it that Canadians get better privacy from Microsoft and Google than we as Americans do? Why is it that the Europeans can demand of Facebook, “Give us the data you collect on us,” and, “Google, you cannot just Street View my block, because I do not want my house’s picture in your damn database”? Why is it that the Europeans have this right and we as Americans do not? We need a new fundamental charter of privacy rights, which is what HIPAA does for health care data, but expanded. Don’t just limit it to my health care data. I, as a consumer and the generator of this data, should be able to go to every corporation and say, “Whatever you have on me, give it to me.”
DAVID: Well, I agree with you, and I can’t believe we’re actually past the hour. So, what I’d like to do before we close, Raj, is hand off; you’re familiar with this from last time. What we call the CyberHood Watch magic wand. It basically came about from the idea of being around the water cooler with the employees talking: if only this would happen, or if we would do this, great things would take place. So this magic wand allows you to wave it over any particular issue, either on the local or international level, where you can make a positive change. What would that be?
RAJ: My magic wand says I want American citizens to talk to their Senators, Congressmen, and their government officials and demand that we have a fundamental charter of privacy where the consumer, not the corporation, is the owner of the information. And I want us, as consumers, to demand of our vendors that they hold themselves to the same [Unintelligible 01:05:08] standard that we hold ourselves to as human beings.
DAVID: Wow, great answer, Raj. And I really appreciate you taking the time to be with us on the show. But before we go, do you have a website or anything where people can go and follow up with you?
RAJ: Sure, if you go to rajgoel.com you’ll learn more about me. Every week or so I put up an article or blog post on things related to information security and privacy; you’re welcome to read those. If you’re on LinkedIn, just Google Raj Goel; I’m the first one on Google. Connect with me on LinkedIn. I do a lot of presentations for attorney groups, accounting groups, and security groups across the country. If you’re interested, come meet me. If you want me to come speak at your local event or your organization, book me as a speaker. I’d love to speak with you folks around the country and in Canada about information security and privacy, and quite frankly, how we can use this to improve our economy and grow our businesses. I do believe that running your business securely and properly increases profitability. We’ve done it for small companies who are dependent on multi-billion dollar retailers. Good security equals great profits.
DAVID: Thank you very much, Raj. And everyone, go to his website, check it out. And if you do have an engagement or a group that Raj could speak to, obviously if you’re listening to this show you know Raj is well versed in the topic. So thank you very much, Raj, and I hope to have you back soon.
RAJ: Thank you. It’s a pleasure to be here.
DAVID: Bye, everyone.