University of Montana
No Place to Hide
By Brett Berntsen
Through a dead-bolted door, in an office space charged with humming wires and heated plastic, a team of techies gathers. Their hair lies unkempt, their faces shine greasy, and their eyes pulse with fatigue.
Between them rests a cork board bannered in paper. “The Fox,” a sheet near the top reads, “Gender: female. Age: unknown.” A web of lines spreads from the description, branching off sideways onto pages titled “Occupation” and “Residence.”
“Tonight, we have a challenge,” says Jonathan Santy, known to his compatriots by the moniker Saint. “Our goal is to find out as much about the target as possible.”
The team filters toward their respective stations, fingers poised for a night of keyboard pounding. Stacks of dismantled computers and circuit boards fill the room. In the corner, a surveillance image of the outside hallway flickers across a screen.
“Humanity just doesn’t have the instinct yet to guard the cave door in the digital age,” Saint mutters, swiping a lock of hair away from his wire-rimmed glasses.
The hunt begins.
More than 100 miles away, the Fox relaxes at her home in Missoula. Emily Thomsen calls herself an average Internet and social media user, who takes the usual precautions toward online security.A new mom who gave birth to a daughter in January 2013, Thomsen mostly surfs the Web on her iPhone, checking the news and shopping for baby products. She doesn’t use Twitter and only adds people on Facebook she actually knows. Yet she still encounters the Internet’s uncanny ability to learn the details of her life, such as when ads for baby products showed up on a news website, clearly targeting her specifically.
Unsettling as it may be for the attorney turned stay-at-home mom, Thomsen accepts that certain personal tidbits inevitably float about in cyberspace. She doesn’t dwell on the reality much in her daily life.
“I don’t even know how to maintain privacy,” she says. “Other than canceling my Facebook account, I wouldn’t know where to begin.”
It’s a dilemma that fosters unique consequences in Montana – a state with a strong reputation as a safe harbor for civil liberties. In the midst of the firestorm unleashed when former National Security Agency contractor Edward Snowden leaked documents revealing the government’s extensive domestic surveillance operations, Montana made headlines for passing the first digital privacy bill in the nation two months before the scandal broke.
The measure requires state law enforcement agencies acquire warrants before obtaining cell phone GPS locations. Privacy advocates hailed the effort as an archetype for the rest of the country and another layer of protection for Montanans, who already enjoy an explicit privacy right right built into the Montana Constitution.
Unlike the federal Constitution, Montana’s governing document guarantees a textual right to privacy, added during its redrafting in 1972.
“(The drafters) were very concerned about the ability of government snooping through technology,” says retired Montana Supreme Court Justice Jim Nelson.
Since its implementation, courts have interpreted the precedent to cover a broad range of issues, from law enforcement’s use of thermal imaging technology to abortion care. But considering current national trends, a state constitution only stretches so far.
“If the CIA wants to hack into my email surreptitiously, there’s not a whole lot that Montana courts can do about it,” Nelson says.
Additionally, the Internet operates outside any jurisdictions and technology races forward at breakneck speeds, sparing no region.
To demonstrate the extent of personal data availability in privacy’s so-called “last best place,” Thomsen agreed to act as a test subject.
Doxing, in the business, refers to computer hackers gathering information online, revealing practically every facet of a person’s life. Malicious “black hat” hackers use the method to embarrass victims.
The “white hats” of the Helena-based Montana Ethical Hackers (MEH) computer club are on Thomsen’s trail. Led by Saint, the club’s president and founder, the team began knowing only the Fox’s name and that she lives in Montana. For the cyber bloodhounds, the rudimentary clues provide enough of a scent to begin the hunt.
Doxing, as its name suggests, relies predominantly on documents, taking advantage of the accessibility provided by electronic file storage.
Like most states, Montana uses centrally located databases to manage its vast stores of information, from tax forms to hunting licenses.
“I can’t think of a working group that uses paper files anymore,” says Sheryl Olson, chief program and information officer at the Montana Department of Administration.
Digitalizing the bureaucratic dossiers makes information cheaper and easier to access for government and the public.
But within these benefits lies the downfall.
“It’s way easier to get an electronic file out of a network than it is to go in and pilfer a record out of a file cabinet,” says Robin Jackson, a computer security consultant and a former IT bureau chief at Montana’s Department of Labor and Industry.
“If a hacker gets into the system,” Jackson says, “they can steal hundreds and thousands of records at a time. And they can do it from anywhere.”
It’s not just Uncle Sam storing data on potentially vulnerable systems. Private companies are doing the same. Sites like Spokeo and Intelius draw data from a menagerie of public sources, from magazine subscriptions to voting records to tax forms, then sell them through online search services.
Many of these services hand over basic information, such as names and addresses, for free, and charge for more comprehensive profiles including details such as warrants, arrests, and bankruptcy filings.
During the initial steps on Thomsen’s trail, the MEH team turned to free data- mining websites like PeopleFinder and WhitePages.
“Most sites give you enough information to go off of in order to start your search,” says Bill Genzoli, who, operating under the pseudonym Hook, led the reconnaissance team.
Running a profile for Emily Thomsen in Montana revealed her current address in Missoula. Then, with a more pinpointed Google search, the squad found Thomsen’s name on a web page inviting members of the Stanford Alumni Association to convene in Missoula and watch their alma mater’s football team play its rival. The post listed the contact person as Emily Thomsen. In the comments section was an RSVP from someone named Ian Robinson Thomsen. The pieces began to fit together.
Guessing the two were a couple, Hook Googled various combinations of the names.
“Logical deduction is all it is,” says Hook, a core member of the hacker club.
This simple method got Hook his big break, a gold mine of information from articles published in Ian Thomsen’s hometown newspaper.
He uncovered graduation announcements, marriage notices, and a bulletin about the birth of the Thomsens’ daughter. Articles included photos, names of relatives, even material on the family’s hobbies and aspirations.
From there, the resources became endless. Hook double-checked everything against government websites, using tax records, census information, and marriage and birth records to prove he had the right targets. He searched university archives, social media sites â€” everything in cyberspace that gathers information.
Hook’s final report portrays an eerily complete account of Thomsen’s life.
“Emily Joyce Thomsen,” the report reads. “Maiden name: Langhorne-Howell. Married Aug. 8, 2012, to Ian Robinson Thomsen in Friday Harbor, Washington.”
Below the introduction, Hook includes a picture of the couple, Ian wearing a Hawaiian shirt and Emily a black dress and gold earrings. They smile carelessly, un- aware the photo would be available for the world to see.
The report lists the names, addresses, and phone numbers of both Emily’s and her husband’s parents. It shows ages, dates of birth, where Ian and Emily attended high school, and that they graduated in 1999.
The report states the couple met at Stanford University, where they both earned bachelor’s degrees. It shows Ian spent a summer hiking in Europe with his mom and brother after graduating, that Emily went to law school in Colorado and became a member of the bar, that she’s a licensed attorney in multiple states but currently inactive.
The report states the couple moved to Missoula, where Ian attends graduate school at the University of Montana. It says they enjoy skiing, hiking, and camping. It comprehensively lists Thomsen’s former addresses, from her dorm rooms and P.O. boxes at Stanford to her current home in Missoula. A street-view snapshot shows the residence. A green Subaru sits parked outside.
The report shows Thomsen gave birth to a baby girl in January 2013, named Elsie after her mother-in-law’s middle name. For a grand finale, Hook includes a picture of the child, lying in her crib, wearing a pink, cat-print onesie.
“Born in Missoula,” he writes. “Weight: 8-pounds. Height: 21-inches.”
As significant as the breadth of information uncovered in the effort is its ease of access. Hook says most of the data was gathered in about one hour. The team stayed within completely legal bounds during their search, using only publicly available documents and system-manipulating savvy.
“We tried to use over-the-counter methods to point out you don’t have to be an uber-hacker to get this,” he says. “I stopped it at the point where it would become illegal.”
This reflects the state of privacy boundaries in the digital age: blurred beyond recognition. Although many tout the benefits of access to the information super- highway, people in the computer security industry cry foul.
“I think it’s a straight-up invasion of privacy that all this is out there as it is,” says Hook.
Legally, there’s little regulation of unwanted dissemination of personal data across the Internet.
In the past, lawyers used the analogy of a fenced backyard to describe privacy. If someone sunbathes nude, in the open, he or she gives up any right to privacy. If that person builds a fence and a Peeping Tom looks through the cracks, that’s invasion.
The Web arguably works the same way, only the fences are few and shoddy at best. Anthony Johnstone, an assistant professor at the University of Montana Law School, says that in court, privacy hinges on reasonable expectation. It’s considered common knowledge that anybody can access the Web, so there’s no reasonable expectation of privacy.
The concept changes dynamically over time.
“What we’re trying to do is translate these older values of privacy to a new world,” Johnstone says. “It’s possible that younger generations might be more comfortable with sharing information online.”
But assuaging concerns about this trend proves a tough task when presenting someone with a detailed, web-gathered run-down of her life.
At home in Missoula, cradling her daughter in one arm, Thomsen scans the results. Working down the list, her eyes widen reading the personal details, such as her husband’s post-graduation trip to Europe and the description of their lifestyle in Missoula.
“I didn’t know all this was totally public,” she says.
She racks her brain to fathom where the data came from. Then it dawns on her. “Every time there’s a big life event, Ian’s mom writes to the paper about it,” she says. “I didn’t think about that, honestly. I forgot that those articles were out there.”
While the fox hunters found a break with the articles, many of their other discoveries weren’t so obvious. Thomsen says she’s most disturbed by the exhaustive list of her former addresses, especially her P.O. box and dorm room at Stanford.
Still, ominous as it may be, the report didn’t contain any bombshells or skeletons in Thomsen’s closet.
“It’s not like I’m embarrassed or ashamed about any of this stuff,” she says. “I guess it’s okay.”
But Thomsen doesn’t sound convinced, and for good reason.
A cyber criminal with Hook’s report would have a solid basis from which to wreak havoc, including identity theft, blackmail, and bribery.
With the information at hand, Hook explains, one could create a fake identity using real statistics from Thomsen’s life, and then establish addresses, bank accounts, loans and otherwise re-route her finances. Through a painstaking process, the crook could crack her social security number. The first three digits of the numbers are based on place of birth. Idaho, where Thomsen was born, has only two possibilities. The remaining digits are based on when the person was born relative to others in the state that year, deducible through careful analysis of birth records.
Access to an ID and social security number opens the door to applying for birth certificates online and eventually obtaining a passport. One could also create a variety of fake social media accounts to debase Thomsen or her family members.
If that’s too much work, another option is to sell the information as a black-market “virgin account.”
“A package deal like that could net someone five grand,” Hook says. “And they never have to do anything except get the information.”
The possibilities seem limited only by creativity or ethics, the latter of which constitutes the canon of groups like Hook’s.
Saint, who hacked his first computer at age 10, created Montana Ethical Hackers as an arena for techies to scratch their hacking itch without crossing into illegal waters. The club’s lab provides “victim” machines to hack and a nurturing environment to develop skills for good.
“People ask me, â€˜How do I know you’re not a black hat?'” says Saint, gesturing to the piles of antiquated electronics in the hackerspace. “I tell them, â€˜If I was evil, don’t you think I’d be richer?'”
All nefarious semblances aside, crucial pieces of Thomsen’s information were unattainable by the fox hunters’ ethical means.
Hook says Thomsen’s financial in- formation wasn’t as readily available as he expected. He couldn’t uncover tax forms listing her assets, a principal piece of data for any fraud or bribery plot.
This is at least one positive development concerning confidentiality. Federal regulations passed during the last two decades have reined in companies storing sensitive documents.
“In my experience, our financial records and our health records have gotten more secure and harder to access,” says Mark Fullerton, a licensed private investigator operating in Missoula.
“September 11 changed everything,” says J. Otis, another Missoula-based private investigator. “Everything tightened up.”
Otis says he can’t access phone records like he used to, a paradoxical dilemma considering government agencies have unprecedented access to this data.
Files leaked by Snowden confirmed the secret Foreign Intelligence Surveillance Court allowed government agencies to demand records from the telecom giant Verizon.
Outcry over this revelation has sparked some efforts to combat the trend. Montana’s aforementioned law requiring state law enforcement to obtain warrants before receiving cell phone locations touches on the issue. But the act has been deemed “privacy light” due to its limited jurisdiction and minimal effects. The information only provides the location of the last communication tower a device connected to. In Big Sky Country, this could encompass a 20- mile radius, assuming the phone is in an area that has reception at all.
Previously obscure issues are taking center stage in the privacy realm.
Companies that collect “metadata” have drawn attention, shedding light on how minuscule tidbits of material can be gathered and put to use. Websites track browsing habits from the moment a person accesses the Internet, making valuable material for marketers and others. Thomsen experienced this when she was bombarded with ads for baby products.
“It’s really similar to the idea of tailing someone in the real world,” says Michael Schuh, a senior member of Montana State University’s Data Mining Lab. “It’s just the digital age and so much easier.”
These collections store trillions of bytes of data and don’t discriminate based on region. Robin Jackson, the computer security expert, says people who live in rural areas and do more shopping online may build up a larger record.
“There’s a kind of naivetÃ© of people that are rural,” says Jackson. “But the great equalizer is that the Internet is the same whether you’re living in Montana or New York City.”
Companies that track online activities have no restrictions on the amount of data they collect or how they use it.
Jim Heckel, a board member of the Montana chapter of the American Civil Liberties Union, says this is especially worrisome considering recent big data bills in Congress, which have attempted to merge government databases with those compiled by Internet companies.
“Because there are no restrictions,” he says, “what Amazon or Facebook or phone companies collect about you is potentially a lot more sensitive than what the government has now.”
As technology proliferates, different forms of metadata encroach further into personal lives. Emerging technology like facial recognition cameras and automatic license plate readers have captured attention for their contributions to law enforcement. Montana law enforcement doesn’t use these technologies, yet.
To keep pace with fast times, Heckel advocates new measures to prevent personal privacy from being trampled.
“You can’t legislate on the basis of technology itself because it changes too quickly,” Heckel says. “But you can deal with the theory of what’s happening.”
At the next Montana legislative session, Rep. Daniel Zolnikov (R-Billings) plans to introduce bills banning the use of automatic license plate reading technology and making consent mandatory for privacy infringement.
“Your information cannot be obtained without consent,” he says. “Simple as that.” Zolnikov hopes the precedent can serve as an example for the rest of the nation. “It’s not just about passing in Montana,” he says. “It will pass everywhere in this country and it will be looked at as a federal issue. That’s why it’s such an uphill battle.”
With mountains of valuable digital information piling up by the second, lawmakers have their work cut out for them.
“I really don’t know that you can ever put the genie back in the bottle,” says Jackson. “It’s getting to the point where you’re getting more and more of this data out there, not less.”
The advantages and draw- backs of the situation ultimately lie in the eye of the beholder.
During a rare quiet moment in her day, Thomsen reflects on the information gathered in the fox hunt while her daughter sleeps soundly in the next room.
“When I think about it, I’m not that surprised,” she says. “But I am kind of amazed that you can find out so easily.”
Despite the exposure, Thomsen says she can’t help but feel sentimental about the newspaper articles her mother-in-law published.
Like the fox hunters inferred, the Thomsens met in college, but lost touch after graduation. Later, Thomsen Googled Ian’s name and found the graduation notice with his plans to work at a geology firm in Nevada. She called the company and the rest, she says, is history.
“It was because of this article that we are married,” she says. “So, that’s an upside to public information.”
Thomsen struggles to find comfort in the rest of the data.
Curious to understand how the fox hunters discovered her college dorm addresses, she grabs her laptop and pulls up her profile on Stanford’s webpage. Sure enough, after hitting a few links she sees her information listed. For the first time, she notices the security setting tab at the top of the page, “Show to everyone.”
“I didn’t even know there were privacy settings here,” she says. “I had no idea you could go on here and find out that information about me.”
She changes it to private, and seems comforted.
The baby starts to wake. Thomsen picks the girl up and hands over her iPhone in a plastic, bunny-ear case, the child’s favorite toy.
“Do you realize all your information is public now?” Thomsen asks her daughter. “People know how much you weighed when you were born.”
The child giggles, contently playing with the phone, leaving the freshest tracks along Thomsen’s growing digital trail.