Archive for the year 2009

Sexual Behavior at Work: A Justified Taboo?

This post was chosen as an Editor's Selection for ResearchBlogging.org.

Sexual activities at work have become a modern taboo. Everything from sexual jokes and innuendo to overt touching and sex acts has become absolutely forbidden in the workplace. Some sexual behaviors (jokes, banter, flirting) might be seen as innocent and a natural part of being human, but the current trend is one of zero tolerance justified by a perceived need to protect everyone, most especially women. A recent study by Jennifer Berdahl (U Toronto) and Karl Aquino (U British Columbia) asked employees what they thought about sexual behaviors at work to see if they really are offensive and harmful, or if the negative side has been exaggerated. Berdahl and Aquino surveyed over 1200 people working in manufacturing plants, community service centers, and a large university.

In a study reported in a recent issue of the Journal of Applied Psychology, the researchers measured the frequency that workers experienced various kinds of sexual behaviors, how they were perceived (on scales ranging from very negative to very positive), and who were the actors (men or women). They also measured various aspects of happiness and well-being, including feelings of hope, anxiety, and depression, feeling valued at work, tendencies to withdraw from work (avoiding tasks, thinking of quitting), and self-reported use of alcohol and drugs.

The results showed that exposure to sexual activities at work was common, with ambient behaviors (sexual materials, jokes, discussions) being more frequent than direct behaviors (sexual attention or advances, touching, exposure of private body parts). In the first study 58% of the employees reported experiencing some kind of sexual behavior at work in the past two years, while a second study found that 40% of those workers reported experiencing sexual behavior in the past year. Some of the workers (mostly men) enjoyed the sexual behavior, and about 25% of the workers described it as fun and harmless, while many others found the activities to be benign. Perhaps not surprisingly, men gave strong positive ratings to direct sexual behaviors conducted by women, and negative ratings when they came from other men. Women gave negative ratings to direct sexual behaviors originating from men or women. Taken together, the results show that sexual behaviors at work may not always be perceived as offensive and harmful.

When looking at measures of psychological and workplace well-being, however, there was consistent evidence of harmful effects of sexual behaviors at work. The more frequently an employee experienced sexual behaviors, the more often they reported being withdrawn from work, regardless of whether they reported positive or negative attitudes towards such behavior. Also, the more frequently workers experienced sexual behaviors at work, the worse off they were on measures of psychological well-being and depression, the less they felt valued at work, and the more frequently they reported using drugs and alcohol. There was no evidence of any positive effects of sexual behavior at work on individual workers’ happiness, well-being, or a happy work life.

The authors draw the following conclusions:

“Our results show that sexual behavior at work is enjoyed by some women and by many men but that it is generally associated with negative work-related and psychological outcomes, regardless of whether it is enjoyed or disliked.”

“Despite the pleasure it brings to some, these data suggest it is wise to avoid sharing sexual jokes and materials and engaging in sexual discussions and interactions with coworkers, lest these behaviors offer no pleasure to many and work and psychological harm to all.”

There are problems with this study, of course. There may have been perceived desirability biases when the questions were answered, with men exaggerating their enjoyment of sexual behaviors and women exaggerating their dislike. It is also possible that another factor, such as professionalism at work, could be affecting these results – sexual behavior at work may be related to unprofessionalism, and this is the real cause of the poor personal and work-related outcomes. And, as always, correlations do not prove causation: we cannot be sure if the sexual behaviors cause the negative personal and work outcomes, or if these factors cause the sexual behaviors. It is possible that people in certain work environments engage in more sexual behaviors because they tend to be withdrawn, depressed, and feel under-valued.

Berdahl, J., & Aquino, K. (2009). Sexual behavior at work: Fun or folly? Journal of Applied Psychology, 94 (1), 34-47 DOI: 10.1037/a0012981 Available from http://www.rotman.utoronto.ca/facBios/file/Berdahl%20&%20Aquino%20JAP%202009.pdf

Location-Based Services and Your Privacy

Location-based technology (LBT) refers to equipment and methods for determining the geographic location of a device, such as a mobile phone. The technology is used to provide location-based services (LBS) that use the geographic information to customize a service in some way. A common example is a Geographic Positioning System (GPS) navigation device in a car that displays a user’s current location on a map and directions to a desired destination. Location-based technology is also appearing in consumer devices such as mobile phones and portable computers. Mobile location-based services provide information or entertainment that changes depending on the location of the device. A specialized location-based service for mobile phones is enhanced 911, where location information is passed from the telephone provider to the 911 call centre during an emergency call. Canadian mobile telephone providers are supposed to complete deployment of enhanced 911 services by Feb. 2010, and this requirement is helping to drive the availability of location-based technologies in telephone networks and mobile phones.

Location-based technology and services are becoming popular very fast. A recent Gartner report predicts that the number of LBT users will double in 2009 to 96 million people worldwide. Revenue from LBS is also expected to at least double to a worldwide total of 2.2 billion (U.S.) dollars. The importance of location-based services for mobile phones is illustrated by the recent purchase of Navteq (the leading digital mapping company) by Nokia (the leading mobile phone company).

Location-based technology relies on geographic data provided by some kind of infrastructure. For mobile phones, location information can be obtained from the cellular infrastructure. By measuring which cellular antennas are closest to a mobile phone, and knowing where those antennas are located, a mobile telephone provider can use triangulation to calculate a moderately accurate location. Many modern mobile phones are also being equipped with GPS capabilities. By receiving data from a collection of orbiting satellites, GPS devices are able to calculate location information to a high level of accuracy. Also, by tracking the location information over time, GPS devices can determine the speed and direction of travel.

Location information can also be obtained from local infrastructures. Information about nearby Wi-Fi or Bluetooth networks can be used to calculate approximate geographic locations. For example, while Apple’s iPhone uses GPS technology to provide accurate location information, the iPod Touch uses Wi-Fi information to calculate approximate locations. This type of local service is important indoors where GPS and cellular services may not work properly.

Location-based technology is being used in a number of application areas. Mapping and navigation has already been discussed. Real-time traffic and weather information that is sensitive to the current location and planned route can also be provided. LBT can also be used for commerce applications, such as providing information about the closest stores or restaurants. Advertisement can also be sent to a user’s mobile phone based on their current location. Purchases could also be completed using location-based technology and a form of electronic payment – a customer would point their phone at the desired object and then authorize electronic payment. Automatic tollbooth systems that rely on low-power transmitters attached to vehicles are an example of this kind of location-based transaction.

Location-based technology can also be used for monitoring and tracking applications. Employees carrying mobile phones or vehicles in a corporate fleet can be tracked. Location-based tracking is already common for monitoring the movements of people under house arrest or other judicial restrictions. The same technology could be used to track children or senior citizens.

Although location-based services can be very valuable for the user, there are significant privacy implications. Location information is personal and private, and inappropriate use of the information can have significant negative consequences. Knowing that someone is out of town, for example, may be an invitation for criminals to rob their home. Being able to track a person’s movements may provide an opportunity for stalking. Because of these concerns, proper safeguards must be in place to protect any location information that is collected.

The most fundamental privacy issue is ownership and control of the location information. The current model is that, although it is the customer who owns the mobile phone, the location information is owned and controlled by the telephone company. The location information is in effect sold back to the customer embedded in some kind of service. The customer then becomes subject to any agreements and terms of service that they have arranged with the telephone company, and their partners. If a customer is not happy with the service or any privacy policies involved, they may have few options. This is especially true in places where the choice of telephone companies is limited.

Another important issue for location-based services in mobile phones is consent to gather and use the information. Cellular-based location information can be collected and used by the network operator without the customer’s knowledge or consent. Also, GPS devices embedded in mobile phones are often enabled by default and, although it may be possible to turn them off, controlling the devices can be difficult. Moreover, the services enabled by the location devices can be intrusive and unwanted. For example, location-sensitive advertisements that are pushed to mobile phones and automatically displayed would raise issues of consent.

Limiting the use of location information is also a concern. A mobile telephone provider and its customers will need to reach an agreement about how the location information is used, to whom it will be disclosed, and how long it will be retained. Location information may be particularly important in legal cases where establishing a person’s location at a specific time is crucial to a case. Canadian lawmakers are currently discussing new lawful access rules and the privacy of location information records should be included in that debate.

As mentioned previously, location information can be used to monitor and control individuals and activities. Knowing where someone is at all times can be used as a method of controlling his or her life. Location information can also be used to trigger a remote control, such as disabling a device if it is moved beyond some boundary. Understanding the personal and social implications of these powers will be important as location-based technologies continue to develop.

The privacy implications of location-based services have not gone unnoticed by the mobile telephone providers. In 2008, CTIA – The International Association for Wireless Telecommunications published a set of best practices and guidelines for location-based services. These guidelines emphasized two privacy principles that should be adopted by all providers of location-based services: user notice and consent.

A number of alternative technologies and approaches are possible when considering location-based services on mobile phones. For example, the accuracy of the location information can be artificially decreased as a means to provide some level of privacy. Instead of a service provider or application knowing the exact address of a customer’s current location, knowing the general neighbourhood or city may be enough to provide a valuable service while protecting privacy. Changing the level of accuracy based on the service provider involved, the type of service, or the end-user of the location information can be a powerful technique. For example, a customer may want to let a family-tracking service know their exact location while a work-related application would only get information about their general area (e.g., what city).

Anonymity techniques can also be useful for increasing the privacy of location-based services. The technology can be configured such that a provider of location-based services gets information about a customer’s location without getting any identifying information. Thus, the service could provide directions to the nearest banking machine without knowing who the customer is. Aggregation techniques can also be used so location data is always grouped and the location of a group can be determined but not the location of individuals. This could be used, for example, in traffic alerting situations that rely on the locations and speeds of drivers on the highways. An operator of such a service does not need detailed identity, speed, and location information of each individual driver, just the aggregate information from a group near one another.
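The two techniques described above, per-recipient accuracy reduction and group-only aggregation, can be sketched in a few lines. This is an added example, not code from any provider discussed here; the recipient names, the precision table, the minimum group size and the sample coordinates are all constructed for illustration.

```python
from collections import defaultdict

# Assumed consent policy: decimal places of latitude/longitude each
# recipient may see. 5 places is about 1 m, 1 place is about 11 km.
PRECISION_BY_RECIPIENT = {
    "family_tracking": 5,   # exact position
    "work_app": 1,          # general area (city level) only
}

CELL_PLACES = 2   # traffic grid cell, roughly 1 km on a side
MIN_GROUP = 3     # never publish a cell with fewer vehicles than this

# Constructed sample reports: (device_id, lat, lon, speed_kmh)
SAMPLE_REPORTS = [
    ("dev-a", 45.3512, -75.8011, 98),
    ("dev-b", 45.3533, -75.8032, 102),
    ("dev-c", 45.3547, -75.7989, 95),
    ("dev-d", 45.3521, -75.8040, 105),
    ("dev-e", 45.5012, -75.6023, 61),   # alone in its cell
]


def coarsen(lat, lon, places):
    """Snap a coordinate to a grid by dropping decimal places."""
    return (round(lat, places), round(lon, places))


def location_for(recipient, lat, lon):
    """Return the position at the accuracy this recipient is allowed.

    A recipient with no entry in the policy gets nothing at all, so a
    new service cannot receive location data by default.
    """
    places = PRECISION_BY_RECIPIENT.get(recipient)
    if places is None:
        return None
    return coarsen(lat, lon, places)


def aggregate_traffic(reports):
    """Summarise speed per grid cell without exposing any one driver.

    Device identifiers are used only to count distinct vehicles and are
    not copied into the output. Cells with fewer than MIN_GROUP vehicles
    are suppressed, because a "group" of one or two is an individual.
    """
    cells = defaultdict(list)
    for device_id, lat, lon, speed in reports:
        cells[coarsen(lat, lon, CELL_PLACES)].append((device_id, speed))

    summary = {}
    for cell, entries in cells.items():
        vehicles = {device_id for device_id, _ in entries}
        if len(vehicles) < MIN_GROUP:
            continue
        speeds = [speed for _, speed in entries]
        summary[cell] = {
            "vehicles": len(vehicles),
            "mean_speed_kmh": round(sum(speeds) / len(speeds), 1),
        }
    return summary


if __name__ == "__main__":
    here = (45.42153, -75.69719)   # constructed position
    for name in ("family_tracking", "work_app", "coupon_network"):
        print(name, location_for(name, *here))
    print(aggregate_traffic(SAMPLE_REPORTS))
```

The lone vehicle in the second cell is dropped from the output entirely; publishing its cell and speed would identify one driver's position even with the device identifier removed.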

The range of location-based services that could emerge in the future is limited only by our imaginations. One use we are likely to see in the near future is digital coupons, where stores that are nearby send coupons to mobile phones. Obviously, issues about consent, intrusiveness, and privacy protections will be important in this application. Imagine receiving a graphic digital coupon as you pass a sex shop on a downtown street and then lending your phone to your children or spouse.

Location-based services will also be married with social networking applications, such as Facebook and MySpace. Such a service allows a customer to know if anyone in his or her social network is nearby geographically. One of the first instances of such a service is Google Latitude, and Google is already starting to wrestle with the privacy implications of their service. Currently, Google promises to never share location information with third parties without explicit permission. They also support privacy controls where the only people who can view location information are those explicitly included on a friends list. Google is also supporting an option to only share location information at the resolution of a city.

Location-based services can also be used to construct augmented reality systems. Here information about the local surroundings is combined with actual information to create a hybrid real/artificial display. For example, a user might wear a special pair of glasses that they look through to see the real world. At the same time, a computer system could detect their current location and overlay information about what they are looking at. For example, they might see historical information when looking at a national monument, or biographic information when looking at a statue. Such a service might also include real-time information, such as news stories about a protest that is currently taking place in a public park. The amount of detail provided by the augmented reality system and any records of what the customers look at will raise important privacy concerns.

No Excuses! Encrypt Your Business Data

Recently published in CIO Leadership

Stories about lost data and privacy breaches are all over the news: laptops are lost or stolen, data tapes and CDs go missing, and sensitive data is found on USB keys. While it is difficult to protect IT equipment from loss and theft, it is not difficult to protect the data stored on the equipment. Encryption is a key component in a data loss prevention strategy. When data is properly encrypted there can be no privacy or security breaches because the data will be unreadable without the proper keys to unlock it. And with the wide variety of encryption solutions available today, there can be no excuse for not encrypting your business data.

Protecting business data is becoming more and more important because organizations are collecting larger amounts of data and finding it valuable for a range of business functions. And it is not just customer data that is sensitive, but also business plans, customer lists, product information, pricing sheets, etc. Organizations with an online presence are also exposing themselves to greater risks from security vulnerabilities and hackers, not to mention inadvertent leakage from well-meaning employees. Strong data protection is also being mandated in certain business areas, such as healthcare, payment processing, and government services. The state of Nevada even requires encryption during the transmission of any personal data. Also, the costs of adopting an encryption solution are usually much less than the costs of recovering from a data breach.

7 out of 10 businesses have lost a laptop

There are a number of points of data vulnerability in a business, including desktop computers, servers and databases, online systems, backup media and services, and, more recently, online “cloud” services. Anywhere where sensitive data is processed and stored represents a potential source of loss. Perhaps the most serious vulnerabilities, and the most difficult to control, come from portable devices, such as laptop computers, PDAs, USB keys, and portable hard drives. These devices can be easily lost or stolen and yet, given the distributed nature of most businesses, they often contain large amounts of valuable data. Recent IDC research showed that 7 out of 10 businesses have experienced a laptop theft, and many could not determine the impact of the loss for their organization.

The process of encryption involves using some type of secret (such as a password) to form a key. The key is used in a transformation algorithm to make the information to be protected unreadable. Only when the key is used again (with the right password) in a process of decryption can the original information be read and used. There are a variety of key types and the length of a key is one factor that determines its protection strength. Key lengths of 128 bits are common and considered strong enough for most applications, but attack technologies are always improving and longer keys are sometimes recommended.

Focusing on portable devices, there are now a wide variety of encryption methods available to businesses. A recent Ponemon Institute study found that encryption in mobile devices is the top priority in a majority of organizations. Encryption solutions can be categorized in five main categories: (1) file encryption, (2) encrypted disk partitions, (3) encrypted containers, (4) whole-disk encryption, and (5) self-encrypting hard drives. For file encryption the transformation is done to individual files located on some storage device. This method is appropriate when there are only a few files to be protected (such as on USB keys). Encrypted disk partitions use a portion of a disk drive to create an encrypted store, protected by a secret. Any files placed into the partition are automatically encrypted and can only be read if the proper key is used again. Encrypted partitions are useful when there are large collections of files that need to be protected. Encrypted containers are similar to encrypted partitions, but a special container file is created on an existing partition and then mounted as a new drive. Once the proper key is provided, all files stored on the container drive are automatically encrypted. Encrypted containers are popular for applications where a large number of files need to be encrypted but the user does not want to repartition a hard drive.

In whole-disk encryption an entire disk is protected so none of the information can be read without the proper key. This is suitable for applications where all the data on a disk needs to be protected, even temporary files stored by the OS and applications, or in cases where users are not able to determine what information needs to be protected and what does not. Whole-disk encryption is an easy-to-use, automatic solution suitable for many business laptops. Self-encrypting hard-drives contain special encryption hardware that protects all of the information on the drive all of the time. The Trusted Computing Group has recently completed technical standards for these devices and manufacturers such as Seagate are now offering drives with this capability. Self-encrypting USB keys with special encryption hardware are also available from companies such as IronKey and SanDisk.

Most operating systems support encryption

Most computer operating systems offer some form of encryption. Microsoft Windows (including XP, Vista, and Windows 7) offers the Encrypted File System (EFS) in its premium editions (not the Home or Basic editions), and this can be used to protect individual files and folders. The secret used to create the encryption key is usually the user’s computer password, although other key methods are available. Microsoft also offers (in its premium editions of Vista and Windows 7) a form of whole-disk encryption called BitLocker. For Apple computers, OS X supports FileVault, which can be used to encrypt a user’s home folder. In addition the Disk Utility application can be used to create an encrypted container. Most of the popular Linux distributions also support whole-disk encryption, encrypted partitions, and encrypted containers.

There are also third party providers that offer powerful encryption solutions. PGP Corporation offers a full range of enterprise products for desktop computers, servers, and mobile devices (such as Windows Mobile smart phones). TrueCrypt is another popular, free, open-source encryption solution that supports whole-disk encryption, encrypted partitions, and containers. TrueCrypt containers can also be used across different platforms, making it popular for businesses using multiple operating systems.

Even with all of these encryption methods, adoption of encryption technologies remains slow. Businesses may have a number of concerns when it comes to encryption. One unfounded concern is that encryption will slow down the performance of disks or applications. Although the initial encryption operations can be slow if there is a large amount of information to encrypt, once the files or partition are encrypted there is usually negligible impact on day-to-day operations. According to Tim Matthews, Senior Director of Product Marketing at PGP, the overhead caused by encryption is usually 1-3%.

Another concern is lost keys or forgotten passwords. Normally, encrypted data cannot be decrypted without supplying the proper key, and that key is usually protected with a secret password. If the key is lost or the password is forgotten (or an employee leaves the company), it will not be possible to decrypt the data. For laptop systems this may not be a serious concern since most data on a laptop should also be stored elsewhere in an organization. When data recovery is important, enterprise encryption solutions such as the PGP products provide a variety of ways to recover encrypted data. For example, PGP supports having multiple whole-disk encryption passwords, so an administrator could have a password in addition to the end user.
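The password-to-key step described earlier and the multiple-password recovery idea above fit together as "key slots": one random data key, stored once per password in wrapped form. The sketch below is an added illustration of that general design, not PGP's or any other product's implementation; the slot names, passwords and work factor are constructed, and XOR with a password-derived pad stands in for the authenticated cipher a real product would use to wrap the key.

```python
import hashlib
import hmac
import secrets

KEY_BYTES = 16            # 128-bit data key, the common length noted above
PBKDF2_ROUNDS = 200_000   # assumed work factor for this demonstration


def new_data_key():
    """The key that actually encrypts the disk; random, never typed."""
    return secrets.token_bytes(KEY_BYTES)


def stretch(password, salt):
    """Password + per-slot salt -> (wrapping pad, MAC key) via PBKDF2."""
    material = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt,
        PBKDF2_ROUNDS, dklen=KEY_BYTES + 32,
    )
    return material[:KEY_BYTES], material[KEY_BYTES:]


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def add_slot(data_key, password):
    """Store the data key wrapped under one password.

    The fresh salt makes every slot's pad unique, and the tag lets
    open_slot tell a wrong password from a right one.
    """
    salt = secrets.token_bytes(16)
    pad, mac_key = stretch(password, salt)
    wrapped = xor(data_key, pad)
    tag = hmac.new(mac_key, wrapped, "sha256").digest()
    return {"salt": salt, "wrapped": wrapped, "tag": tag}


def open_slot(slot, password):
    """Return the data key, or None if the password does not fit."""
    pad, mac_key = stretch(password, slot["salt"])
    expected = hmac.new(mac_key, slot["wrapped"], "sha256").digest()
    if not hmac.compare_digest(expected, slot["tag"]):
        return None
    return xor(slot["wrapped"], pad)


def unlock(slots, password):
    """Try a password against every slot; None means no recovery."""
    for slot in slots.values():
        data_key = open_slot(slot, password)
        if data_key is not None:
            return data_key
    return None


if __name__ == "__main__":
    data_key = new_data_key()
    slots = {   # constructed passwords
        "user": add_slot(data_key, "correct horse battery"),
        "admin": add_slot(data_key, "helpdesk recovery phrase"),
    }
    print("user unlocks:", unlock(slots, "correct horse battery") == data_key)
    print("typo unlocks:", unlock(slots, "correct horse batery") is not None)

    # Employee leaves: drop their slot. The disk is not re-encrypted,
    # and the administrator's password still recovers the data.
    del slots["user"]
    print("admin unlocks:", unlock(slots, "helpdesk recovery phrase") == data_key)
    print("old user unlocks:", unlock(slots, "correct horse battery") is not None)
```

If the last remaining slot is deleted or its password forgotten, nothing on disk leads back to the data key, which is the unrecoverable case the paragraph above warns about.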

PGP also offers a comprehensive key management system where keys are produced and administered at a central server. This allows help desk staff to provide one-time recovery keys in the case of emergencies or managed key recovery procedures if an employee leaves a company. Tim Matthews states that one of the powerful features of PGP’s integrated solutions is that the organization can set policies about where encryption is to be used, and then it can become automatic and transparent. When a smart phone or a USB drive is introduced to the organization, for example, the policies and encryption technologies can ensure that any data copied to those devices are automatically encrypted.

Laptops will be lost and stolen. Storage media will go missing. Internet vulnerabilities will continue to happen. Businesses need to examine the variety of encryption technologies available to them. They have the option of deploying encryption in an ad-hoc fashion using one of the OS methods or perhaps the free TrueCrypt utility, or they can opt for a complete enterprise solution such as the ones offered by PGP. With all of the solutions available, there is really no excuse for businesses to be vulnerable to these events.

Atheists are the least desired group in America

An interesting article from Psychology Today reporting on survey research in the US. It seems that when people were asked questions like “I would disapprove if my child wanted to marry a member of this group”, the most detested group were atheists. They were consistently rated lower than various religious groups (e.g., Muslims, Christians, Jews) and racial groups (e.g., Hispanics, Asians).

Atheists Are the Most Mistrusted Group: They Are Evil and Immoral!

Suppose that we had an extraordinarily accomplished would-be President who proclaimed her atheism. Let us assume that this person is a great orator; a righteous person with great personal integrity; a speaker of four languages; and a Nobel laureate. If she were to declare that she does not believe in the existence of a “celestial dictator” (to borrow the term from the remarkable Christopher Hitchens), she would be automatically deemed unfit to serve in political office and/or to date your son.

Airport Security Screening and Your Personal Privacy

A number of technologies are used to collect personal information during airport security screening. First, identification documents are used, including citizenship cards and passports. These documents record a variety of personal information, such as name, address, age, gender, and citizenship. These documents might also contain electronic devices that store personal information, such as magnetic stripes and Radio-Frequency Identification (RFID) chips.

Identification documents are usually used in combination with one or more databases. These databases might be owned and operated by the airline, the security agency doing the passenger screening, or other government agencies. Information from the documents is matched with database records to retrieve further information about the passenger. This might include frequent flier account numbers, travel records, or assessments of security risks.

The boarding cards given to the passengers also record some personal information, such as the name and travel itinerary. Special codes can also be printed on the boarding cards to relay information about security risk assessments to the security screening staff so that a passenger can be given more attention. Electronic boarding cards, sometimes stored on smart phones as two-dimensional bar codes, are starting to appear.

Biometric information is sometimes collected during airport security screening. Frequent traveler programs, for example, can allow people to use shorter security screening lines. In order to qualify for such a program the traveler often has to provide biometric information (such as fingerprints and face images) and detailed personal information that is used during a background check.

The x-ray scanners used to examine carry-on luggage can also collect personal information related to the contents of the bags being scanned. People carrying items of a personal nature may be embarrassed if the contents of their bags are disclosed.

There are many other surveillance technologies that can be used during airport security screenings, and these may or may not collect personal information. Explosives residue detection tests that involve swabbing a passenger’s belongings, usually laptop computers, are commonly used. More advanced “puffer” machines, where nozzles direct air bursts at the passenger and sniffers then sample the air for explosives-related particles, have been tried but they have proven to be unreliable and they are being abandoned. Advanced x-ray technology is also being introduced. Millimeter wave scanners (also called backscatter x-ray machines) are able to scan a passenger’s entire body and view within clothing to the skin, allowing hidden objects (and body parts) to be seen. Such technology has obvious privacy implications.

Video surveillance cameras and face recognition systems can also be used for passenger surveillance. Modern technology is able to scan the faces of people without their knowledge as they move through the security lines. The faces can be matched to a watch list and, although historically the performance rates have not been ideal, the matching technology is improving all the time.

Behavioural monitoring and profiling technologies are also being developed. Traditionally, trained human experts do behavioural monitoring but automatic technologies are starting to appear. These technologies use surveillance cameras and algorithms to automatically detect suspicious behaviours and typical profiles of interest. The profile information might include age, gender, and ethnicity. The behavioural monitoring might scan for signs of nervousness, profuse sweating, attempts to have covert conversations, etc. Such behavioural technology is in its infancy and it is not clear how successful it will be.

Personal information can be shared between security systems. As mentioned above, information from risk assessment databases is already transferred to boarding cards so that some passengers can be subjected to more detailed screenings. Information could also be shared between x-ray systems and explosive residue tests, such that suspicions raised by one test would lead to a more detailed screening in the other test. Similarly, profile information and face recognition technology could be used to feed information to behavioural monitoring systems.

The sharing of personal information can also go beyond local security systems. Travel records and the results of security scans can be entered into databases, for example, and this information could determine the level of screening to be done on future trips. The databases could be local in scope or they could be national databases. International databases are also in place, so that people of interest can be identified regardless of where they travel. Canada and the United States, for example, seem to at least partially share a no-fly list.

Personal information can be accessible to unauthorized users in a number of ways. This might occur if security personnel act outside of their assigned roles and positions, proceeding to access personal information that they don’t require for their job, either out of curiosity or for malicious purposes. Security staff could also borrow (or steal) other users’ passwords or tokens in order to gain access to systems or places. Outsiders might also be able to access personal information if the workplace and electronic systems are not kept secure. If people are able to physically enter the security zones of an airport they could gain access to personal information by reading documents or operating machines. Outsiders might also gain electronic access by breaking into data networks and systems.

It’s better to be smart than pretty

It is well known that smarter people tend to do better in life, but what about attractive people or self-confident people? With today’s emphasis on looks, it might be that attractive people get ahead. And what role does self-confidence play?

A recent report by Timothy Judge, Charlice Hurst, and Lauren Simon from the University of Florida was published in the Journal of Applied Psychology. The researchers questioned 191 adults in the Boston area who were taking part in a long-term, longitudinal study. The study measured a number of characteristics including income (which was used as a measure of life success), intelligence (9 different IQ tests), education, attractiveness (based on ratings on facial photographs), and self-evaluations of life satisfaction (e.g., “I am pleased with how my life has turned out so far.”). Controlling for age, race, and gender, the study used covariance structural models to study direct and indirect effects on income.

Not surprisingly, intelligence was positively related to income, which was used as the measure of life success. Income was also strongly related to the amount of education a person completes. Attractiveness was also positively related to income, but mostly because of mediating relationships with education and positive self-evaluations. So, more attractive people did make more money, but mostly because they got more education and feel better about themselves. Attractiveness alone was only weakly related to life success.

So, when determining life success, it is better to be smart, but attractiveness and self-confidence can help.

There are obvious limitations to the study. The sample size was small and limited to the Boston area — attractiveness might be more important in other parts of the country (i.e., California) and other places in the world. Attractiveness was also measured at adulthood, even though appearance during childhood might have the largest effect on life success.

Also, self-reported income was used as the measure of life success and it could be argued that there is more to life than money. And, of course, correlation does not imply causation – we can’t say for sure that intelligence and attractiveness cause higher incomes, just that they tend to occur together.

Reference: Judge, T.A., Hurst, C. & Simon, L.S. (2009). Does it pay to be smart, attractive, or confident (or all three)? Relationships among general mental ability, physical attractiveness, core self-evaluations, and income. Journal of Applied Psychology, Vol. 94, No. 3, 742–755.

Identity theft is usually an equal opportunity, unsophisticated crime

Identity theft, the misuse of someone’s personal identity to commit fraud, is a large and growing economic and legal problem. Identity theft has become the most prevalent form of fraud, resulting in billions of dollars in losses.

ID theft is often considered a “white-collar” crime because it is committed during the course of normal employment duties (e.g., a bank employee gathering personal information), or the crime does not usually involve any physical harm. Identity thieves are often portrayed as sophisticated computer specialists, hackers, or organized networks. But, is this the reality?

A recent research report by Heith Copes (U Alabama at Birmingham) and Lynne Vieraitis (U Texas at Austin) has shed some light on this issue. Copes and Vieraitis searched federal court records in the US for people convicted of identity theft and then tried to find out where they were serving their sentences. They were able to find 297 inmates, from which they sampled 59 inmates in 14 prisons across the country. The convicts agreed to do detailed interviews, in private, to talk about themselves and their crimes, and the results are reported in a recent issue of Criminal Justice Review.

It turns out that identity theft is an equal-opportunity crime. The thieves were just about equally often men or women, black or white, from poor backgrounds or from middle/upper class families. The ages ranged from 23 to 60. About 52% of the criminals were employed at the time of their crimes, and only 35% used their employment status to facilitate their crime (most often mortgage fraud). Most of the ID thieves had been arrested for other crimes before, but some said they stopped doing other crimes because they could make more money stealing identities.

The most common method for obtaining identity information was to buy it, often from employees of banks, mortgage companies, and government agencies. Identity information could also be bought off the street from petty criminals often fuelling drug habits. Other methods of obtaining IDs were robbing mailboxes and going through trashcans. Sometimes, victims willingly gave up their IDs in exchange for a portion of the fraud profits.

The most common method of converting identities into cash was to apply for credit cards using the false identity. These cards were then used to buy goods to be kept, returned for cash, or sold on the street. Buying gift cards was very popular because they could be quickly sold. Instant credit offers from big box stores were also a favourite.

Taking out new loans and mortgages was also a common form of cashing. ID thieves sometimes deposited bad cheques into newly opened accounts, using the false ID. After a couple of days, the cash would be withdrawn before the cheques could bounce. ID thieves would even create additional documents to complete a false identity, sometimes forging realistic copies and sometimes paying agency employees to issue the documents.

So, how do we understand identity theft? According to Copes and Vieraitis, “it is best categorized as an economic crime committed by a wide range of people from diverse backgrounds through a variety of legitimate (e.g., mortgage broker) and illegitimate (e.g., burglar) occupations.”

As to the issue of whether these are white-collar criminals: “Despite public perceptions of identity theft being a high-tech, computer driven crime, it is rather mundane and requires few technical skills. Identity thieves do not need to know how to hack into large, secure databases. They can simply dig through garbage or pay insiders for information. No particular group has a monopoly on the skills needed to be a capable identity thief.”

Reference
Copes, H., and Vieraitis, L.M. (2009). Understanding identity theft: Offenders’ accounts of their lives and crimes. Criminal Justice Review, 34(3), 329-349

Searching the Loch Ness of Newfoundland

Does “Cressie” swim the waters of Crescent Lake in Newfoundland? Sightings of this giant creature have been reported for years, much like the Loch Ness monster, but no evidence has been found. In this article from Skeptical Inquirer, Joe Nickell goes in search of the elusive creature.

Quest for the Giant Eel

Sightings of a “monster” in the lake date back to the turn of the last century when a resident known as “Grandmother Anthony” spied a giant serpentine creature while she was picking berries. From the 1940s to the present, there have been a dozen or so sightings, although without photographs to date. Most descriptions are of a dark, eel-like creature, up to twenty-five or more feet long.

Michael Geist on the misleading case being made for new lawful access laws

Lawful access refers to the requirement for telecommunication providers, including ISPs, to allow law enforcement agencies to track and monitor communications (e.g., wiretapping). Canada has been considering changes to its lawful access laws for some time and the latest attempt is a new set of legislation currently being debated. The new rules would require the release of customer information (name, telephone, IP address) without court oversight (i.e., without a warrant). In this article Michael Geist digs into the case being held up as an example of the need for new legislation and finds that no ISP records were even requested, and yet an arrest was made using the current laws. Interesting reading…

Van Loan’s Misleading Claims: Case for Lawful Access Not Closed

Last June, current Public Safety Minister Peter Van Loan tabled the latest lawful access legislative package. Much like its predecessors, the bill establishes new surveillance requirements for Internet service providers. In an about-face from the Day commitment however, it also features mandatory disclosure of customer information, including name, address, IP address, and email address upon request and without court oversight.

Ethics in computer security research

As part of the Financial Cryptography and Data Security Conference to be held in January 2010 in Tenerife, there will be a workshop on ethics in computer security research. This is an important topic since conducting ecologically valid research is often at odds with adhering to ethical principles. In particular, security research can sometimes involve having people take risks with their systems and personal information, and/or involve the use of deception, where people may not be informed of the true purpose of a study. This should be an interesting workshop.

WECSR 2010 CFP

Computer security often leads to discovering interesting new problems and challenges. The challenge still remains to follow a path acceptable for Institutional Review Boards at academic institutions, as well as compatible with ethical guidelines for professional societies or government institutions. However, no exact guidelines exist for computer security research yet. This workshop will bring together computer security researchers, practitioners, policy makers, and legal experts.