Educational CyberPlayGround ®

Security, Your Privacy Rights, and Spyware

Facebook security, children's rights to privacy, tracking software, selling data

2012 The data strongly suggests that security becomes more of a priority with age. The report focuses on differences between baby boomers (56- to 65-year olds) and generation Y (18- to 25-year olds).
Modern young adults have grown up surrounded by amazing technology, tech that they naturally take for granted. Does their innate tech expertise make them better at protecting privacy and staying safe online? In a word, no. Young people are more likely to prioritize entertainment or community over security, while more than half of the boomers placed security first. Perhaps not surprisingly, boomers worry more about email attacks, while Gen Y expects trouble to come through social networks or P2P file sharing.

2012 4 high-tech ways the federal government is spying on private citizens
One of the running jokes in the 1980s was how the former Soviet Union spied on its private citizens. As comedian Yakov Smirnoff used to joke: "In Soviet Russia, TV watches you!" But here in America, we were all safe from the prying eyes of the government.
Fast forward to 2012, when the U.S. government actually has the tools and capabilities to spy on all its citizens. These eyes go well beyond red light cameras. Right now, the government is tracking the movements of private citizens by GPS, reading private citizens' emails, and possibly even reading what you're saying on Facebook. It does so all in the name of law enforcement and Homeland Security, of course — but whether or not that makes you feel safer is up to you.

1. The NSA is building a massive data center in Utah to read every email you'll ever send.
Many of us are aware that little of what we say on social networks is really private. But you'd think your emails would be safe from prying eyes — especially those of your government. Not so, once the government completes work on a top-secret Utah data center reportedly built to spy on civilian communications. The $2 billion facility, slated to be complete by September 2013, is allegedly designed to be able to filter through yottabytes (10^24 bytes) of data. Put into perspective, that's greater than the estimated total of all human knowledge since the dawn of mankind. If leaked information about the complex is correct, nothing will be safe from the facility's reach, from cell phone communications to emails to what you just bought with your credit card. And encryption won't protect you — one of the facility's priorities is breaking even the most complex of codes. The good news (if there is any) is that the sheer volume of internet traffic and emails sent in a single day is far too much to be read by human eyes. Instead, the government will likely need to rely on complicated algorithms to assess each transmission and decide if it represents a security threat. So you're probably out of the government's earshot here... as long as you watch what you say.

2. The FBI maintains detailed files on numerous public, semi-public, and private figures.
Have you ever thought of taking a job with the government? If you value your privacy, think twice — the government runs incredibly extensive background searches on its high-profile applicants. What kind of information does the government want from its applicants? Well, when former Apple CEO Steve Jobs was under consideration for a job with George H.W. Bush's administration in 1991, the FBI compiled a massive file on him. Included in that file: the fact that Jobs had a 2.65 GPA, his history of marijuana and LSD usage, and his tendencies to "distort reality" and to "twist the truth" in order to achieve his goals. Of course, Jobs is far from the only figure with an FBI file. Other public personalities profiled by the FBI include John Lennon, Marilyn Monroe, Jimi Hendrix, and even Anna Nicole Smith. If you're curious about what goods the FBI has on you, you can always submit a request to view your own personal file. It is worth noting, of course, that the government doesn't profile everyone - just certain people of interest.

3. Homeland Security is reading your tweets and Facebook status messages.
Unless you play around with your Twitter and Facebook privacy settings, just about anything you say is public. So it might not come as a surprise that the Department of Homeland Security is seeking contractors to build software and hardware capable of reading through what it calls "publicly available social media." Essentially, the government wants to read through your tweets and status messages to see if there's any information that might help in detecting threats. There are some ground rules to the project. The government won't pose as a Twitter follower and won't accept or send any Facebook friend requests. Still, even with those restrictions, there's a lot of information floating out there for the feds to read, even if most of it is nonsense about Justin Bieber.

4. Your ISP may soon be required to keep files on what sites you visit.
The idea sounds pretty far out there - a law that would require your internet service provider to keep constant tabs on you, along with detailed records of what websites you visited and when. But that's exactly what the Hawaii state legislature proposed this January with H.B. 2288 and companion bill S.B. 2530. The bill, sponsored by State Rep. John Mizuno (D), "requires internet service providers... keep consumer records for no less than two years." The bill then goes on to specify that these records must include "each subscriber's information and internet destination history information." Thankfully, the bills' sponsors withdrew the offending legislation from debate. But the reason wasn't just public outcry. Also a factor was the fact that the U.S. House of Representatives is considering a similar bill titled Protecting Children From Internet Pornographers Act. That bill, sponsored and written by Texas Republican Representative Lamar Smith, would mandate that commercial ISPs create logs of customers' names, bank information, and IP addresses. That information could later be used by attorneys seeking to prosecute in a criminal trial or even in civil cases and divorce trials.
Not much is private anymore Between private companies violating your privacy and now the government, is there any way to avoid prying eyes? Not really, unless you make significant changes in the way you use the web. So before you send that next tweet or post that next Facebook status message, think about whether or not you'd be okay with a complete stranger looking at it - because that's very well what may happen.

"A Guide to Facebook Security" (PDF) is a free, 20-page pamphlet geared primarily toward teens, their parents, and teachers. Co-written with fellow security expert Linda McCarthy and teacher/editor Denise Weldon-Siviy, it is available to view and download from Facebook.

What happens at Facebook should stay at Facebook.
What do Facebook, the CIA and your magazine subscription list have in common? Maybe more than you think . . . Please see this first.

See and learn more about web 2.0 and Social Networks


Learn about children's right to privacy.

Find out who collects information about them and who sells that information. Learn what you can do to protect your child's privacy.

How to protect the social security number.

Who Sells Information about children?


selling data
online profiling

American ISPs are tracking you then selling your personal information, sharing data with outside ad firms.
Find out which ones and how you can opt out. American ISP for pimping user data to NebuAd, the Phorm-like behavioral ad targeter. "What Your Broadband Provider Knows About Your Web Use: Deep Packet Inspection and Communications Laws and Policies." Contact Congressman Ed Markey, John D. Dingell (chairman of the House Committee on Energy and Commerce) and Joe Barton (ranking member of the House Committee on Energy and Commerce).

ChoicePoint sells your information to criminals
ChoicePoint received the "Greatest Corporate Invader" award "for massive selling of records, accurate and inaccurate, to cops, direct marketers and election officials."

FTC Issues Report on Online Profiling The report reviews the Network Advertiser Initiative's (NAI) self-regulatory guidelines. These guidelines will oversee the future practices of large profilers such as DoubleClick, Engage and 24/7 Media.

Six Tips to Protect Your Online Search Privacy PDF
Google, MSN Search, Yahoo!, AOL, and most other search engines collect and store records of your search queries. If these records are revealed to others, they can be embarrassing or even cause great harm. Would you want strangers to see searches that reference your online reading habits, medical history, finances, sexual orientation, or political affiliation?
Recent events highlight the danger that search logs pose. In August 2006, AOL published 650,000 users' search histories on its website. Though each user's logs were only associated with a random ID number, several users' identities were readily discovered based on their search queries. For instance, the New York Times connected the logs of user No. 4417749 with 62-year-old Thelma Arnold. These records exposed, as she put it, her "whole personal life."



Free Online Anonymity Services - maintain your privacy online. WHY??
Since 2000, Google has recorded your search terms, the date-time of each search, the globally-unique ID in your cookie (it expires in 2038), and your IP address. This information is available to governments on request.
Matt Cutts, a software engineer at Google since January 2000, used to work for the National Security Agency.
Keyhole, the satellite imaging company that Google acquired in October 2004, was funded by the CIA.
"We are moving to a Google that knows more about you." ~ Google CEO Eric Schmidt, February 9, 2005

Privacy Analysis of Your Internet Connection
Phishing - the practice of sending fraudulent e-mail messages en masse to bait people into disclosing sensitive information. Newer scams involve "malware," which can install itself on a computer through e-mail or pop-up ads, detect when someone starts to use an online banking program or make a credit card payment, and then record the person's keystrokes and capture account details. The victims do not even have to do something foolhardy like giving away account numbers or passwords.

Learn about KEYLOGGERS - and how to keep them off your computer.

National Science Foundation's Cyber Trust program, which is intended to promote computer network security.

SPY WARE aka advertising-based networks with pop-up ads "The biggest, richest American companies are buying advertising through spyware. The biggest, richest venture capital firms are investing in those who make this kind of unwanted software. That's names like American Express, Sprint PCS, Disney, Expedia, Guy Kawasaki's firm." source

Rootkits - programs that are secretly installed on your computer without your knowledge or permission, that hide themselves from you, compromise your ability to protect your computer from skank, and won't let you protect your privacy.
Digital Rights Management software - Palladium

Seth Schoen of the EFF has a good blog entry about Palladium and TCPA


Google Privacy Practices Rank Lowest
Leading Internet search engine Google has received the lowest possible rating for privacy practices, according to a detailed report released Friday by Privacy International, a global organization working for the protection of privacy. How to use Google.


10 security tips for protecting data while traveling

Buy technology that does not control you.

Richard Stallman is nothing if not determined. For over two decades this bristly MIT geek has championed an arcane cause: free computer programs. Stallman wants you to have the right to twiddle your software -- to be able to add features, rewrite it and, if you can figure out how, teach it to get down and do the fandango.

Privacy International

How ISP surveillance currently works in England.

Computer Professionals for Social Responsibility
Some Frequently Asked Questions About Data Privacy and P3P

Nathaniel Borenstein President of Computer Professionals for Social Responsibility 2004

About JOHN GILMORE -- Picture -- Coderpunks Mailing List

About Declan McCullagh --'s privacy site

Privacy Rights Clearinghouse

Netscape SmartDownload reports file information to AOL
The Register tells that Netscape Communicator's SmartDownload component records the files it downloads, the client IP, the server IP, and the time, then forwards this information to AOL without informing the user. In other words, AOL receives a download-by-download report of each file Communicator downloads, its file name, your IP, and the server it came from. This information is passed on to AOL without user interaction or notification. Additionally, the information is recorded locally in a cookie file. When combined with other exploits which allow for remote transfer of cookie files, this vulnerability could reveal detailed information on a user's browsing habits.

Privacy Preferences Project - Take the Tour
AT&T Privacy Bird software is free. Tell the software your privacy preferences, and it will tell you if websites will do what you want or use your info against your wishes.

The Web Ad Blocking page
details a way to block specific URLs without extra software. In essence, you map the offending addresses to your own machine: HTTP requests to those addresses are sent back to your machine, where they fail. Works on almost any machine (PC, Mac, Unix, Linux, etc.).
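The hosts-file style of blocking described above, as an added example that is not part of the original page: the script builds hosts-file lines that send unwanted hostnames to the loopback address, validates each name first, and then emulates the lookup the operating system's resolver performs, so you can check that a request to a listed host really does dead-end on your own machine before touching the real hosts file. The blocklist domains are constructed placeholders, not real ad servers.

```python
"""Hosts-file style ad/tracker blocking.

Added example (not from the page): generate hosts-file lines that map
unwanted hostnames to the loopback address, and emulate the resolver's
lookup so the effect of an entry can be checked before it is installed.
"""
import ipaddress
import re
from urllib.parse import urlsplit

# Constructed sample blocklist; the domains are placeholders, not real trackers.
# "Bad Host" is deliberately malformed to show that invalid names are skipped.
BLOCKLIST = ["ads.example.net", "tracker.example.org", "Bad Host", "metrics.example.com"]

# RFC 1123 style label: letters, digits and hyphens, no leading/trailing hyphen.
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def valid_hostname(name: str) -> bool:
    """Return True if name is a syntactically valid DNS hostname."""
    if not name or len(name) > 253 or name.endswith("."):
        return False
    return all(_LABEL.match(label) for label in name.split("."))


def hosts_lines(domains, sink="127.0.0.1"):
    """Produce hosts-file lines mapping each valid domain to the sink address.

    Invalid names are skipped rather than written, so one malformed entry
    cannot break the parse of the whole file.
    """
    ipaddress.ip_address(sink)  # raises ValueError for a bad sink address
    return [f"{sink} {d.lower()}" for d in domains if valid_hostname(d)]


def parse_hosts(text: str) -> dict:
    """Parse hosts-file text into {hostname: address}, ignoring comments."""
    table = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        parts = line.split()
        addr, names = parts[0], parts[1:]
        for n in names:
            table.setdefault(n.lower(), addr)  # first entry wins, as resolvers do
    return table


def resolve_url(url: str, hosts_text: str):
    """Emulate the resolver: return the address the URL's host maps to, or None."""
    host = urlsplit(url).hostname
    return parse_hosts(hosts_text).get(host.lower()) if host else None


def is_blocked(url: str, hosts_text: str) -> bool:
    """A request is 'blocked' when its host resolves to loopback or 0.0.0.0."""
    addr = resolve_url(url, hosts_text)
    if addr is None:
        return False
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:  # garbage in the address column is not a block
        return False
    return ip.is_loopback or ip.is_unspecified


if __name__ == "__main__":
    text = "\n".join(hosts_lines(BLOCKLIST))
    print(text)
    print(is_blocked("http://ads.example.net/banner.gif", text))  # True
    print(is_blocked("https://www.example.com/", text))           # False
```

Mapping a host to 127.0.0.1 makes the browser connect to your own machine, where the request fails quickly if nothing is listening; 0.0.0.0 is the other common sink and is treated the same way here. Only exact hostnames match, so an entry does not cover subdomains, which is why hosts-based block lists grow long.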

The Anatomy of File Download Spyware - The Newsletter Forum, Your Source for Privacy Policy From a Free-market, Pro-technology Perspective

GNUPG is the GNU implementation of the OpenPGP protocol stack, a near and direct descendant of the original Pretty Good Privacy email privacy system of Phil Zimmermann.

Privacy isn't public knowledge Online policies spread confusion
with Legal Jargon - Do big Web sites want you to understand what they tell you? Maybe not, suggests an analysis by an independent expert for USA TODAY of the privacy policies of 10 major sites.

Cyber Treaty Goes Too Far? by Declan McCullagh 5/3/00
Planned Global Net-treaty hands police more power, limits privacy. Details of the "Draft Convention on Cybercrime":
* Make it a crime to create, download, or post on a website any computer program that is "designed or adapted" primarily to gain access to a computer system without permission. Also banned is software designed to interfere with the "functioning of a computer system" by deleting or altering data.
* Allow authorities to order someone to reveal his or her passphrase for an encryption key. According to a recent survey, only Singapore and Malaysia have enacted such a requirement into law, and experts say that in the United States it could run afoul of constitutional protections against self-incrimination.
* Internationalize a U.S. law that makes it a crime to possess even digital images that "appear" to represent children's genitals or children engaged in sexual conduct. Linking to such a site also would be a crime.
* Require websites and Internet providers to collect information about their users, a rule that would potentially limit anonymous remailers.

SLAPP stands for Strategic Lawsuits Against Public Participation.
Anonymity on the net - A new form of lawsuit called a "CyberSLAPP" suit is threatening to overturn the promise of anonymous online speech and chill the freedom of expression that is central to the online world. CyberSLAPP cases typically involve a person who has posted anonymous criticisms of a corporation or public figure on the Internet. The target of the criticism then files a frivolous lawsuit just so they can issue a subpoena to the Web site or Internet Service Provider (ISP) involved, discover the identity of their anonymous critic, and intimidate or silence them.

PhoneBook project - Making your PC 'Police-Ready' by providing you with an encrypted Linux filesystem (virtual disk) with unique 'plausible deniability' and 'disinformation' features. Protecting your On-Disk Privacy with Deniable Encryption.

Internet Privacy Education Campaign

EFF - Electronic Frontier Foundation - is the leading civil liberties organization working to protect rights in the digital world. Founded in 1990, EFF actively encourages and challenges industry and government to support free expression, privacy, and openness in the information society. EFF is a member-supported organization and now has a RADIO STATION. Programming includes interviews and panel discussions with the people who are on the front lines defending freedom of expression in cyberspace. EFF staff attorneys and activists regularly appear discussing ongoing litigation and legislation that will determine the future freedoms of the individual in the digital age.


Echelon Espionage

Carnivore - The Federal Bureau of Investigation released the first set of documents concerning its Carnivore Internet surveillance system.

Whistle-Blower Outs NSA Spy Room
AT&T provided National Security Agency eavesdroppers with full access to its customers' phone calls, and shunted its customers' internet traffic to data-mining equipment installed in a secret room in its San Francisco switching center. According to a statement released by Klein's attorney, an NSA agent showed up at the San Francisco switching center in 2002 to interview a management-level technician for a special job. In January 2003, Klein observed a new room being built adjacent to the room housing AT&T's #4ESS switching equipment, which is responsible for routing long distance and international calls.

How well does Your State do? Rank Your States Privacy Protection

Submit your IRS Tax Return Online? Is your information secure? NO.
Critical information security weaknesses at the Internal Revenue Service.

The report cites 47 specific instances where federal agencies announced their intent to exchange personal data and combine it into their own databases. According to the report entitled "Government Exchange and Merger of Citizens' Personal Information is Systematic and Routine," when an individual submits information to one federal agency, that agency will often share that information with other federal agencies. This sharing often takes place without the knowledge or consent of the individuals involved.

Find Individual Contributor by Zip Code Page for the 1980-2000 Election Cycle
"Type in a 5 digit zip code and find everyone from that geographic area who has contributed to Federal campaign committees during the election cycle...1980 -2000"

The Federal Communications Commission
creates a daily internal report called the Daily Circulation Report, which provides the review and voting status of materials circulating among the Commissioners. Request daily reports from the FCC:
Federal Communications Commission
Ms. Shoko Hair FOIA Officer [p] 202 418-0216 [f] 202 418-0521
445 12th Street, S.W., Room 1A827 - Washington, D.C. 20554
The Daily Circulation Report is an internal FCC record that is exempt from disclosure under the deliberative process privilege of FOIA Exemption 5, 5 U.S.C. § 552(b)(5). See Wolfe v. Department of Health and Human Svcs., 839 F.2d 768 (D.C. Cir. 1988) (en banc) (records indicating what actions had been completed by the Food & Drug Administration but awaiting final decision or approval by the Secretary or the Office of Management and Budget were exempt from disclosure under the deliberative process privilege). The Commission has previously withheld the Daily Circulation Report pursuant to FOIA Exemption 5. In a letter to Bill McConnell, Broadcasting & Cable, dated May 2, 2001, in FOIA Control No. 21-095, Managing Director Andrew S. Fishel explained, "Disclosing the list of pending proceedings and other details that identify these pending proceedings could chill Commission deliberations on important telecommunications issues. Disclosure of this list may lead to unnecessary speculation about individuals responsible for any perceived decisional delays and this speculation may lead to precipitous decision making."

The Center for Responsive Politics
[P] 202-857-0044; [F] 202-857-7809
Featuring campaign finance and lobbying information on the president, Congress and special interests. Enter your state or zip code in the "Get Local!" window for localized campaign finance figures.

To file a complaint, visit: and click on "File a Complaint Online",
call 1-877-FTC-HELP, or
write to: Federal Trade Commission
Washington, D.C. 20580
If your complaint is against a company in another country, please file it at

If you would like to forward unsolicited commercial e-mail (spam) to the Commission, please send it directly to UCE@FTC.GOV



County of Los Angeles Public Library Forced to Filter Staff 1/17/00
The Los Angeles County Board of Supervisors, spurred by concerns about the Internet, has required the County of Los Angeles Public Library (CoLAPL) to install "appropriate filtering software" on all child-designated Internet workstations at all libraries that have more than one workstation and give parents the opportunity to designate whether they wish their children to have filtered or unfiltered access. While a spokesman for a county commissioner told the Los Angeles Times that a minor had built a bomb based on a web site found via a public library, there's no evidence that the incident occurred in Los Angeles, said CoLAPL Public Information Officer Nancy Mahr. A library task force will test various filtering systems, including the possibility of access regulated by card. The task force also will determine what categories should be filtered. In addition, children's terminals will have a default guidance screen that links to youth-oriented sites.

Covert censorship in libraries : a discussion paper
Moody, Kim (2005) Covert censorship in libraries : a discussion paper. Australian Library Journal 54(2):pp. 138-147. Full text PDF
Abstract - Librarians, through their professional associations, have long been committed to the social justice principle of free access to information. External censorship challenges to library collections threaten this principle overtly. However, censorship can also occur in libraries in various covert and often unconscious ways. This discussion paper raises concerns about current librarian practices and library processes which can effectively censor library collections from within. The paper concludes by highlighting specific areas of practice in which librarians need to be vigilant for such covert censorship.

Neuhaus, Paul J. "Privacy & Confidentiality in Digital Reference." Reference & User Services Quarterly 43, no.1 (Fall 2003).

The FBI Has Bugged Our Public Libraries
November 3, 2002
Some reports say the FBI is snooping in the libraries. Is that really happening? Yes. I have uncovered information that persuades me that the Federal Bureau of Investigation has bugged the computers at the Hartford Public Library. And it's probable that other libraries around the state have also been bugged. It's an effort by the FBI to obtain leads that it believes may lead them to terrorists. Many members of the public regularly use computers in libraries to access the Internet for research purposes or to locate information about particular interests. It's also not uncommon for students and others to communicate with friends and relatives through e-mail from there.
The FBI system apparently involves the installation of special software on the computers that lets the FBI copy a person's use of the Internet and their e-mail messages. (Don't ask me how I know about this because I can't reveal how I was able to collect the information.) Members of the public who use the library have not been informed that the government is watching their activities. It's not just the computers. Circulation lists that show which books someone borrowed are also accessible to the government.
What are the Hartford librarians saying? "I can't disclose that we were presented with anything," said Louise Blalock, Hartford's head librarian.
I asked Mary W. Billings, the library's technical services manager, if the FBI had given her a subpoena or a court order for library information. Her response: "I cannot answer that question."

FBI's reading list worries librarians
By Martin Kasindorf, USA TODAY
At New York City's Queens Borough Public Library, director Gary Strong is an uneasy draftee on the front line of the war on terrorism.
New surveillance laws that have made it easier for FBI agents to obtain search warrants for library records have created a dilemma for librarians such as Strong: Should they unquestioningly help agents track what a patron has been reading, and perhaps help prevent a terror attack? Or should they resist, and try to protect individual liberties and the library's status as a haven of intellectual inquiry?
Few librarians across the nation say they have been approached by federal agents in the terrorism probe; Strong won't say whether the feds have visited him in Queens. But the questions raised by the FBI's increased authority have made political activists out of some librarians, who are filing lawsuits against the Justice Department and lobbying Congress in a growing debate over whether American values are being trampled in the name of homeland security.
At issue is the USA Patriot Act, the post-Sept. 11 legislation approved by Congress that, among other things, gave federal agents broad new powers to spy on people in this country. Under the Patriot Act, the FBI no longer has to show a judge that it has probable cause to believe that a person under surveillance has committed a crime to get a search warrant for a library's circulation records or computer hard drives, or a bookstore's sales records. <snip>

Censorship - Public Libraries
Library May Not Have to Filter
Source: New York Times (7/11-CyberTimes). Author: Pamela Mendels. Issue: Libraries. Description:
City officials in Livermore, Calif. and civil rights groups invoked a little-known section of the Federal Communications Decency Act and asserted in court papers filed Friday that "public libraries have broad protection from suits seeking to force them to restrict access to sexually explicit material on the Internet." Daniel G. Sodergren, the assistant city attorney for Livermore, said that "The law clearly applies to a public library that has computer terminals that provide Internet access and bring up material that originates with a third party." In the papers, supporters defended the Livermore public library's policy of giving patrons full access to the Internet. The documents were in response to a lawsuit filed by a mother in late May who said her then 12-year-old son had used library computers to obtain sexually graphic images from the Internet. The part of the Decency Act that the city and library supporters pointed to was Section 230 of the statute. It states that no provider of "an interactive computer service shall be treated as a publisher or speaker of any information provided by another information content provider."

Gagged librarians break silence on Patriot Act
5/31/2006 by Larisa Alexandrovna
Connecticut librarians spoke about their fight to stop the FBI from gaining access to patrons' library records at a news conference yesterday organized by the American Civil Liberties Union (ACLU), and in a subsequent interview with RAW STORY. The librarians, members of Library Connection, a not-for-profit cooperative organization for resource sharing across 26 Connecticut library branches sharing a centralized computer, were served with a National Security Letter (NSL) in August of last year as part of the FBI's attempt to attain access to patrons' records. The NSL is a little-known statute in the Patriot Act that permits law enforcement to obtain records of people not suspected of any wrongdoing and without a court order. As part of the NSL, those served with the document are gagged and prohibited from disclosing that they have even been served. The foursome of Barbara Bailey, Peter Chase, George Christian, and Jan Nocek were automatically gagged from disclosing that they had received the letter, the contents of the letter, and even from discussions surrounding the Patriot Act. The librarians, via the national and Connecticut branches of the ACLU, filed suit challenging the Patriot Act on First Amendment grounds. "People ask about private and confidential things in the library setting, like about their health, their family issues and related books they take out; these are confidential, and we did this to protect our patrons from authorized snooping," said Peter Chase, Vice President of Library Connection. On September 9 of last year, a federal judge lifted the gag order and rejected the government's argument that identifying the plaintiff would pose a threat to national security. Yet the government continued to appeal the case throughout the reauthorization debate, passionately arguing that not a single incident of civil liberties violations by the Patriot Act had occurred.
By continuing the appeal, the government effectively silenced any evidence to counter their claims. "This all happened during the reauthorization debate and the government was saying no one's rights were being violated," said George Christian, staff liaison for Library Connection and one of the plaintiffs in the case. As the debate over the reauthorization of the Patriot Act heated up, the librarians and others gagged by the NSL had to watch in silence, intimately aware of dangers they believed were not being exposed. "We could not speak to Congress until after the renewal of the Patriot Act," said Barbara Bailey, President of Library Connection and one of four plaintiffs in the case. Although the ACLU, representing the librarians, filed the case on August 9 of last year, US Attorney General Alberto Gonzales decried any civil liberties violations in a Washington Post op-ed in December, stating that "There have been no verified civil liberties abuses in the four years of the [Patriot] act's existence."

Five Technically Legal Signs for Your Library

Orgs. who have not stopped by this week

[on the assumption that it's only illegal to say they've been there if it's true...] courtesy of Library Net.

How can you tell when the FBI has been in your library?

U.S. Ends a Yearlong Effort to Obtain Library Records Amid Secrecy in Connecticut
By ALISON LEIGH COWAN June 27, 2006 New York Times
After fighting for nearly a year to keep details of a counterterrorism investigation secret, the federal government has abandoned efforts to obtain library records in Connecticut, concluding that the implied threat had no merit. The decision was hailed yesterday as a victory by the four Connecticut librarians who mounted one of the few known challenges to the nation's strengthened antiterrorism law when they filed a lawsuit last summer objecting to the government's request for patron records and its insistence on absolute secrecy.
Government officials, in seeking to explain why something that was once a matter of national security was no longer worth the fight, explained in interviews that they were ultimately able to discount the threat using other means and pronounce their investigation complete. They also warned that the highly publicized standoff should not be a cause of celebration for anyone.
"They're celebrating the fact they don't have to comply, and I don't think that's something that should be celebrated," said Kevin O'Connor, the United States attorney for Connecticut, referring to the librarians. "What are you celebrating? You're celebrating the fact that you prevented the government from investigating a potential terrorist threat."

Here are 6 resolutions for businesses and organizations that want to be responsible about privacy: From: "Prof. Jonathan Ezor"

1. Prioritize privacy.

Even if your organization is not in a field covered by explicit privacy laws (at least here in the US), such as healthcare (HIPAA) or financial services (Gramm-Leach-Bliley), being responsible with customer and employee information should matter to you. It certainly does to regulators and the people whose information you have. Just ask Mrs. Fields Cookies ($100,000 fine in 2003 for violating Children's Online Privacy Protection Act by launching Web-based birthday clubs for kids without getting verifiable parental consent) or Tower Records (FTC settlement in 2004 for violating its own privacy policy).

2. Make it someone's responsibility.

Appoint a Chief Privacy Officer or at least add oversight of privacy issues to the duties of someone within your organization. Make sure the person given that duty also has the time, training and resources to do the job right.

3. Draw yourself a map.

Do an organization-wide survey to identify each way that personally-identifiable information comes in, is moved within and may move out again, and what information you are actually collecting. Consider not only your Web site but e-mail, snail mail, faxes, 3rd party databases and research, telephone calls, business partners, service providers, etc. Be expansive in your investigation. Repeat every few weeks or months as your business processes may change.

4. Fact-check your privacy policy (if you have one).

Saying "we won't share your information with third parties" may be comforting to customers, but it's generally incorrect. Everyone from your Web host to UPS and FedEx may get customer information from you in the ordinary course, which isn't necessarily bad, except that it could violate your own public statements on privacy. That's where you can get into trouble.

5. Don't trust your own data about how you use others' data.

Ask a privacy professional or knowledgeable attorney to do a privacy audit of your organization. An outsider, particularly an experienced one, will likely find something you miss.

6. See the world.

Remember that, in the Internet age, most organizations are international even without intending to be. Read up on privacy laws of other nations (if you're in the U.S., pay particular attention to the EU Data Protection Directive and the related Safe Harbor at Consider how you or your employees might be held liable in some other country for something you do (or don't do) where you are (see the recent eBay India employee case for a parallel example).