OPSEC awareness data aggregation

Editor's Notes

• #2: Data aggregation refers to the phenomenon of single pieces of data collected into a whole that is more than the individual parts. Single pieces of personal data may not be damaging or even pose a threat, but when combined, that data may give a threat, whether it be criminal or otherwise, enough data to do some damage. Personal Data Aggregators on the internet pull all those bits of pieces together. They gather data from different resources (such as public records databases, social networking sites, and other internet databases) and present it as an easy to find, browse, and navigate package.
• #3: Personal data aggregators started off relatively harmless with sites offering no more than an address or telephone number. But recently, these sites have become adapt at pulling much more information. The data they return can include the basics such as address and telephone numbers to much more personal information such as religion, estimated wealth, and family information.
• #4: Many people will try to make the argument that personal data aggregators are not an OPSEC concern because it deals with personal information and not mission or operational information. However, personnel are part of the mission and operations!The Code of Conduct states that a US military member should give only their name, rank, service number, and date of birth if taken as a prisoner of war. In 1955, the US government understood that the more information the adversary had, the more apt they were to use that information against the individual or the US as a whole. If a service member were to be taken as a prisoner of war today, even if they only gave the adversary his or her name, rank, service number, and date of birth, how much more information do you think the adversary could get off the internet just using the information provided? Terrorists and nation states are not the only threats we face. Criminals can also use the personal information they find to cause us harm. If a criminal was to use data gathered from an aggregator and use that information to commit a crime against your family, how much of your time would that cost you away from work or even if you were at work, would you be able to focus on the mission?Adversaries could also use the information and conduct surveillance. Perhaps with what they observe, they could learn what your unit is doing by your activities. Are you preparing (i.e. visiting a law office, putting items in storage, getting a series of shots from a medical provider, visiting the Family Support Group, etc.) for a long TDY or deployment? Or maybe they could just use something they observed against you in order for you to provide them with more information?The bottom line is Personally Identifiable Information (PII) is critical and/or sensitive information and can be found on most organizations Critical Information List (CIL).
• #5: The best countermeasure is awareness. Go out and find what information exists about you and your family. To start with, “Google” yourself and your family. Then, search for yourself and your family members on these personal data aggregation sites.Some sites, such as spokeo.com and peoplefinder.com, will allow you to remove the link(s) to your information from their sites. However, if you do this, remember that you are not actually removing the information from the databases where these sites got the information. You are only removing the compilation of the data from their site. Usually, you can only remove “public record” information with a court order under certain circumstances. Also, remember to remove the links to your family members information if applicable.Be aware of what information you post and what information you share with others. Inform your family members of the risk this type of information can present when compiled.Some personal data aggregation sites allow you to “correct” information that they have compiled about you. Do not correct this information. If you can’t remove the information, at least the information will be incorrect.Keep yourself informed by periodically “googling” yourself and your family members. Google offers a “Google alerts” service. With this, you can set up keyword lists that Google will alert you too if their web crawler comes across one of these keywords. Again, don’t forget about your family members!
• #6: Lets take a look at two examples,spokeo and peoplefinders.
• #7: Spokeo, according to its website, is a search engine specializing in aggregating and organizing vast quantities of people-related information from a large variety of public sources. The public data is amassed with lightning speed, and presented almost instantly in an integrated, coherent, and easy-to-follow format.Spokeo aggregates data from hundreds of online and offline sources, including but not limited to: phone directories, social networks, marketing surveys, mailing lists, government censuses, real estate listings, and business websites. All of the data aggregated is publicly available, and accessible by anyone from those respective sources. Finding, consolidating, and organizing all of the data meaningfully, however, could take an individual weeks, whereas Spokeo automates the data aggregation process and offers it at lightning speed.
• #8: When you search for an individual by name, Spokeo returns all the results from the entire US.
• #9: You can then click on the state links on the left to further refine your results to the listings of that particular name in the cities/towns in that state.
• #10: Then Spokeo will lists all the known individuals with that name in that city/town. In this example, there is only one instance of a particular person in San Antonio, TX. The map on the right shows the address of that particular individual in that city/town.
• #11: When you click on the result on the left hand side of the screen, a box will pop-up over the map containing the information on that individual. Some of the information is free but in order to see all the information, a user would have to purchase a membership from Spokeo. You can buy a membership for 3 months, 6 months, or a year and are $14.85, $23.70, and $35.40 respectively.
• #13: Copy the entire URL from your browsers address bar thatshows the name and city and state of the listing you want deleted from Spokeo.
• #14: At the bottom right of the web page, there are some links, to include About, Blog, Directory, Privacy, Terms, Help, and Contact. Click on the Privacy link.
• #15: The Privacy link will take you to the page where you can remove a listing. Simply paste in the URL, provide an email address where you can receive a verification link, and type the captcha code. Once you have all the fields filled in, click the “Remove Listing” button.
• #16: Once you click the button, a new, but very similar screen, will appear. The only noticeable difference you will see is the text from the captcha box will be gone and a confirmation message (“Please check your email for further instructions.”) will appear below the captcha box.
• #17: Open your email where you had the verification link sent. You should have an email with a subject line of “Spokeo Directory Removal Confirmation”. Open the email and click the link in the middle where it says “To complete the removal process, please click here.”
• #18: Once you click on the link in the email, a web page should pop up that looks like the one shown here. Notice it is the same URL with the name, city, and state of the information you removed.
• #19: The removal should be instantaneous. To be sure, try to search for the name in the same city and state again. The listing you had removed should no longer be listed.
• #20: One thing to note, in order to prevent “abuse”, Spokeo limits the number of privacy removal request per email address to three. You may have to use separate email addresses to remove all your information from Spokeo if you have lived in lots of different locations.Another interesting observation is Spokeo asks government officials to use a .gov email address for priority processing. Due to OPSEC concerns, and because removal is instantaneous with a regular email address, the JIOWC/OS highly recommends that you do not use an official email address.
• #21: Peoplefinder.com is a one stop resource for free people searching on the web. People Finder claims to have indexed billions of publicly available records and provides a simple format to search for up to 80% of people currently residing in United States. In addition to the free people search and free white pages, People Finder has search portals for all other public records services. Public records include background checks, criminal records, cell phone directory, and more.
• #22: To begin with, type in the First and Last name of the person you are searching for. In addition, input the city or zip code of the person and the state.
• #23: The results, to include name, address, and phone number will appear for free. For additional information, you can purchase separate reports for such things as criminal history.
• #25: To remove your compilation link, go back to the main page, www.peoplefinder.com, and at the bottom of the page, click the “Remove Me” link.
• #26: On the resulting page, fill out the form presented and submit the form.
• #27: Once you click “Remove Me” on the previous page, you should receive a “Submission Accepted” page. Notice that it says it will take 1 business day to remove your information. Allow it a couple business days to remove the compilation link and then go back and check to ensure your information was removed. Again, don’t forget to remove your family members information.