At the Beep, Leave Your Life Open

The first signs of trouble at National Regulatory Services, a small consulting firm in Connecticut, were a series of odd complaints from customers that their phone messages were not being returned--the electronic equivalent of a slap in the face.

Sales agents at the company were stumped by the complaints since they could never remember receiving the phone messages in the first place. Helplessly, they watched as their business dwindled and customers drifted away to competitors who, presumably, at least returned their phone calls.

It took months of digging before the company finally figured out that a former employee was tapping into the voice-mailbox of the salesman he had once sat next to and deleting calls from potential customers, whom he would then call on his own.

By the time the man was convicted last year, the damage had been done: an estimated $1 million in lost business and an incalculable loss in the sense of privacy and security for those who worked at the company.

“E-mail, phone, voicemail--I use them, but I don’t put anything proprietary on them anymore,” said Jacqueline Hallihan, the president of National Regulatory Services. “It’s changed the way I do everything. I sit there sometimes and still wonder . . . who is listening?”

Within the last handful of years, the walls of electronic privacy that had been so intricately constructed through technology have crumbled with an alarming regularity.

Voicemail once seemed to be a trivial corner of modern communication, made up of endless messages in the game of phone tag or spousal reminders to please call home.

But voicemail has proved to be a gaping hole of vulnerability, not so much for technical reasons but for human ones--easily guessed passwords, careless password handling or no passwords at all.

Although there is a wide variety of voicemail systems, in general they all have security features that protect messages and passwords--some even from the designers of the machines. Systems can be set up to lock mailboxes if they detect a trial-and-error attempt to discover passwords. The passwords in most systems are also usually hidden and encrypted so they would be unreadable even to someone with the deepest computer access.

But, at best, these features create only an illusion of privacy. They protect against technological attacks but not against the most basic errors of wetware--that is, humans. Ken Kumasawa, a telephone security consultant with Burlingame-based TeleDesign Management, said the most common error is picking a password that is too short or obvious. Classic errors include using children’s names, the last four digits of a phone number, 1111, 0000 or the user’s first name. Guessing or simply looking over someone’s shoulder as they enter a password can make a mockery of the most advanced security systems. Kumasawa said using any password less than nine digits is just inviting intrusion.

“It doesn’t take a rocket scientist to break a four-digit pass code,” Kumasawa said.

Newspaper Story Galvanizes Concerns

The case that has propelled voicemail into the heated lexicon of electronic paranoia is the alleged theft of thousands of voicemail messages by a reporter for the Cincinnati Enquirer. Many of the messages were printed in an 18-page Enquirer report on Chiquita Brands International that appeared in May. The report alleged that the company sprayed dangerous pesticides on farm workers in Central America, used phony companies to obscure its ownership of land in some foreign countries, attempted to hide an effort by one employee to bribe Colombian officials and failed to take adequate precautions to prevent illegal drug shipments on its fruit ships.

Although the truth of the Enquirer’s stories about Chiquita are still being sorted out, the impact of the intercepted messages has long since transcended the realm of mere bananas and newspapers.

They have become the latest centerpieces in the evolving tale about the loss of privacy in the modern world and the general disarray in grappling with modern forms of communication that don’t quite fit in the traditional mold of wire and paper.

“People expect a level of protection--that this system is private,” said Evan Hendricks, the publisher of the Washington-based newsletter, Privacy Times. “People expect that a lot of things are private these days. The reality is that they are very vulnerable.”

The Chiquita case has become the most notable instance of voicemail interception not only because of the vastness of the alleged theft but also because the newspaper retracted all the stories, fired the lead reporter and paid Chiquita at least $10 million to settle the issue.

The Enquirer’s report relied on interviews with workers in Central America, leaked documents and comments from anonymous sources--all part of the stock in trade of investigative reporters. But what distinguished the stories was the liberal use of the taped voicemail messages, which gave a sense of peering into the inner workings of the company in a way that newspaper investigations have never done.

In one case, the newspaper asked Chiquita officials about lax security measures that allowed Colombian drug lords to smuggle large quantities of cocaine on Chiquita ships.

The company responded with a written statement that “the security and smuggling concerns that Chiquita faces in Colombia are not unique to the company or even the banana industry.”

The inside story, as seen through voicemail messages, was entirely different. “[Let’s] see if we can tighten things up in Colombia,” one company official stated in a message. “It seems like drugs that are coming into Europe are primarily on Chiquita vessels rather than on other people’s vessels . . . it does seem that we have a high incidence of [drug] finds on our vessels.”

The newspaper originally maintained that the messages were provided by a high-level executive with access to the company’s voicemail system--an important point since court rulings have protected the right of newspapers to use even stolen documents as long as the newspapers did not participate in or encourage the theft.

But it was clear to Chiquita officials that the messages must have been obtained some other way since there was no one at the company who had complete access to the voicemail system. Although attorneys for Chiquita have refused to detail how their system was penetrated, they have said that it was not from any high-tech attack.

The company has denied the allegations in the Enquirer’s story and filed a defamation suit against the lead reporter, Mike Gallagher.

What has made Chiquita’s case more complicated is that copies of the messages are believed to have been sent to the Securities and Exchange Commission, opening the possibility of a battle in the tricky legal realm of electronic privacy.

An Evolving Area of Law

Various federal and state laws, dating to the late 1960s, ban the unauthorized interception of electronic communications. But after so many decades, it is still an evolving area of law--one that at times seems uncertain about the new methods of communication that seem to sweep the planet periodically.

One case now pending before the U.S. 9th Circuit Court of Appeals involves a worker at PDA Engineering in Costa Mesa who broke into a female co-worker’s voice-mailbox after discovering she was having an affair with a company vice president. The office worker managed the break-in by simply guessing that the password was the vice president’s first name.

The sport of listening to messages turned serious when the vice president, Richard J. Smith, left a message suggesting that he was involved in insider trading. The U.S. attorney’s office in Los Angeles was contacted and an investigation began.

Smith was convicted of 11 counts of insider trading in 1996, but he has appealed the case, claiming, in part, that his voicemail could not be used as evidence.

The 1968 Wiretap Act bars the use of any evidence gotten through an unauthorized interception of “communications by the aid of wire, cable, or other like connection.”

The act’s suppression of unauthorized wiretap evidence sets a standard that is actually greater than that applied to other types of evidence, such as paper documents. In most cases, stolen evidence can still be used by law enforcement agencies--and the press for that matter--as long as they did not steal the evidence themselves.

For example, if a person broke into a home and stole a weapon used in a murder, that weapon could be turned over to police and used in a trial as long as the police were not involved in the theft.

Smith’s case would be much easier to resolve if not for the passage of the 1986 Electronic Communications Privacy Act, which was designed to include more recent methods of communication, such as e-mail, computer files and voicemail.

Within the amendments was a section specifically dealing with “stored wire and electronic communications” that had no requirement to suppress illegally obtained stored communications.

The government has argued that Smith’s voicemail messages are stored communications and hence can be used as evidence.

Voicemail Seen as Less Sacred

The point of this conflict is simply that the law is unsettled. It seems to create a hierarchy of privacy--with live phone conversations considered the most sacred and documents or voicemail seen as some lesser entity.

These fine distinctions in the law are irrelevant to most people, akin to debating the number of angels that can dance on a pin. Phones, beepers, e-mail, voicemail and video are simply different ways of accomplishing the same task: talking with another person.

Hallihan, the president of National Regulatory Services, said that, like most people, she had always taken her electronic privacy for granted and assumed her conversations were private.

She had started her company, National Regulatory Services, in the rural northwest corner of the state to get away from the Manhattan rat race. With just 20 employees at the time, it was more like a family operation than a business.

The man responsible for the break-ins, Kenneth T. Kaltman, pleaded guilty in state Superior Court in 1997 to one count of larceny and one count of computer crime. He was fined $2,500.

But for Hallihan and others in the company, the conviction was not an end to their problems but rather the beginning of a new era of paranoia.

Hallihan said she is still haunted by the thought of all the things she said that Kaltman overheard. The fact that she can’t remember them all bothers her too.

“You lose the sense of security and you start wondering all the time,” she said. “I feel like I’m being stalked.”

(BEGIN TEXT OF INFOBOX / INFOGRAPHIC)

And Now, An Important Message

Here are five tips suggested by Lucent Technologies for securing a voice-mail system:

1. Use at least 12 digits, preferably 15, in passwords for the primary and secondary system manager.

2. Require user passwords to be at least six digits.

3. Have users change passwords periodically.

4. Set the system to prevent consecutive failed log-in attempts.

5. Have the system administrator actively monitor the system.