You may have already heard about this problem, or perhaps received this letter yourself, the upshot of which was contained in the first paragraph of the notice:
"The Department of Veterans Affairs has recently learned that an employee took home electronic data from the VA, which he was not authorized to do and was in violation of established policies. The employee's home was burglarized and this data was stolen. The data contained identifying information including names, Social Security numbers and dates of birth for up to 26.5 million veterans and some spouses, as well as some disability ratings. As a result of this incident, information identifiable with you was potentially exposed to others. It is important to note that the affected data did not include any of VA's electronic health records or any financial information."
My first thought after reading this was "Great. Some criminal somewhere now has my name, Social Security number and date of birth." Having already been the victim of an identity theft scam, I was understandably upset over a potential repeat of this situation.
"Appropriate law enforcement agencies, including the FBI and the VA Inspector General's office, have launched full-scale investigations into this matter," the letter continued. "Authorities believe it is unlikely the perpetrators targeted the items because of any knowledge of the data contents."
While this is somewhat comforting, with the best-case scenario being that the data is recovered by the authorities or is simply erased by the thieves who may not realize how valuable the information is, the whole situation is a serious breach of personal security.
Although the VA debacle represents an unintentional release of personal information, it made me think about the circumstances surrounding the intentional release of this level of information and how webmasters are particularly vulnerable to data security and identity theft threats.
There are three main avenues by which this release of private information occurs: through domain name registration and by joining affiliate programs and webmaster (or other online) communities. Fortunately, there are several simple steps that webmasters can take to help mitigate these risks. While registering a domain name and joining an affiliate program both require the disclosure of truly "personal" information, the key to preserving data security in these instances is to remove the "person" from the "personal" information — something that is really easy to do when joining a webmaster community.
When joining a webmaster or other online community, operators concerned about maintaining their privacy or hiding their identity can begin by adopting a "handle" or board nickname and pseudo location, rather than using their real names and physical locations. Using a disposable email address, such as a free Yahoo email account, can also help in protecting your identity. More problematic is the various contact and other information so casually offered in public message board posts and "profile" pages, but typically, these open disclosures of information won't contain any financial information, limiting the risk of this material being illicitly used.
The problem is that most webmasters continue to be the sole proprietors of their businesses, which are often run from their homes, and as such, their real names and home addresses are often the ones given out during the affiliate program or domain name sign-up process. While choosing the best corporate structure for your business is far beyond the scope of this article, it's quite clear that using a legitimate business entity for these purposes can put one more layer of security between you and potential identity thieves.
Also beyond the scope of this article, a brief mention of the realities of "at home" primary producers having to publicly list their name and home addresses as part of 18 U.S.C. § 2257 compliance is a further example of the benefits of using an outside business address — rather than your home address — as an enhancement to your overall security.
In the case of domain registration, the registrant's information is typically accessible to the public, showing a name, mailing address and telephone number. Using a corporate entity and inadequate security for this can have drawbacks if steps aren't taken to prove ownership of the domain, as the Sex.com case easily demonstrates, but this measure will help insulate you from the public eye — an especially vital concern for many in the adult marketspace.
Private domain registration services, such as the one offered by Network Solutions, are also effective at preventing unwanted access to a registrant's personal information and can be used in addition to the corporate entity designation to further secure your privacy.
Much more problematic than any vulnerability associated with public WHOIS lookups, however, is the real threat faced by affiliates who commonly volunteer their personal information to every sponsor program that comes along.
Think about it: How many times have you entered your personal information, including your name, address, and social security number and even banking information into an often unsecured online form? Who did you just send that info to? Who else received it? Did the promise of some new free-hosted galleries get you to send all of your personal details to a 15-year-old kid in East Uzbekistan? Thinking about this and the number of affiliate programs I've signed up for over the years makes me shudder...
Doubtless many of you will believe that just because you've seen a company rep posting over at GFY that the company must be legitimate, and as such, there's no problem in handing them your personal information, but that's simply living in a fool's paradise. There are solutions to this issue, however, chief among them is the use of a corporate entity to sign up to these affiliate programs, and for U.S.-based webmasters, the exclusive use of a federal taxpayer ID number (EIN) rather than (in the case of sole-proprietors) your social security number.
Avoiding "unknown" or "overseas" sponsors also is worthy of consideration, as is using sponsors with trusted third-party programs such as the one offered by CCBill. These steps may severely limit your opportunities; however, by limiting the number of companies you can do business with, but for those who would rather be safe than sorry, they're a step in the right direction.
Regardless of how careful and trustworthy a sponsor, domain registrar or other entity is, there is still the threat of unintentional releases of data (such as in the VA case), or even of intentional releases due to employee theft or malfeasance (such as in the AOL email address theft case). Given these realities, there is no such thing as guaranteed data privacy in today's electronic world, but by being careful of how, where and to whom we provide our personal identifying information, we can mitigate much of the risk.
With the exception of spammers harvesting email addresses from message boards and WHOIS lookups — as well as spam sent to mailing lists provided by affiliate programs — most webmasters will likely never feel any repercussions from any disclosures of their personal information. Still, the potential for catastrophic losses dictates that measures to limit our voluntary informational disclosures are worth implementing, so the best advice is to stay safe and keep your personal information personal.