Information War Brewing?

Apr 2, 2014
During dinner Monday night, my wife mentioned something "strange" that happened at work. While ordering computer equipment for her office, the company she was buying from had started asking her some "random" personal questions in order "to make certain" she was the person whose name and password she'd logged in under. She was, but found it odd that the company would be asking, for instance, who we'd bought our home from - and had presented her with three particular names.

She was then asked to either choose the correct name or "none of the above". After answering (correctly), she was then presented with another, similarly random question, again taken from information she'd never given the company. Actually, she didn't remember giving that information to anyone.

That's a troubling trend we're seeing across online commerce. Companies are taking measures they say are designed to "step up" security. Some of those steps include asking personal questions.

The thing that troubles me most about this "step up" in security is their reluctance to answer a very direct question: what's the source of this random personal information I've not shared with them - or any other online company?

The lack of a definitive answer would seem to point to a fact many (myself included) are reluctant to acknowledge: there is far more information floating around in the digital world about you than you would like to think, or could imagine. Much of that information was shared without either your knowledge or, more importantly, your permission.

Having owned a company that produced computer software, I'd thought I had some insight into how information is gleaned then aggregated about people. It is vacuumed in from your internet activities, including those as dissimilar as posting family photos on Facebook, purchasing corporate supplies directly from manufacturers, or taking part in online polls.

Boy, was I mistaken. Informational "snippets" are being collected, collated and then used to verify your identity, authorize your purchases, or more frighteningly, collect even more information about you. Sometimes that information is even used against you when credit scores are being compiled.

I started looking at this concern far more closely after the ATF raided two California companies that had been making and/or selling the now-questionably legal polymer lowers for AR-pattern rifles. The ATF didn't just want the companies' inventories of lowers; they demanded relevant customer information from both companies' databases. Using search warrants authorized by a federal magistrate, they seized the computers that supposedly contained that information.

Today, the pitched battle continues over the legality of the polymer uppers and the possession of both the inventories and computers of those companies.

But one company has engaged a highly-regarded computer security company to implement new security measures that would prevent the ATF or any other agency from having easy access to their records. Yes, they're using high-speed 32-bit encryption - the scrambling protocol that makes it virtually impossible to unscramble their information without the all-important encryption "key" - but they're also using an unusual legal protection: the Fifth Amendment. Based on a recent circuit court opinion, the company says the same Amendment that extends you the right not to answer a question that might cause self-incrimination also makes it possible for you to refuse to give the "key" to authorities - even if they've already seized the data and hardware housing it.

In other words, should a federal agency be so confident a crime had been committed that it was willing to raid a company, the owners of that company would be under no obligation to provide the all-important encryption key to that agency.

In that scenario, it would be possible to crack the encryption algorithm - eventually - but in no manner that would be considered "timely" by the courts, denying the agency the ability to link their suspicions to actual activities. And in the case of customer records, the individual customers' information would be kept confidential.

That's more than an intriguing idea. If defensible, it just might be the key to growing concerns that, despite the prohibitions against a national database of gun owners, federal agencies were going about building lists via seemingly unrelated actions.

If raiding two suspicious companies provided confidential information on, say, ten thousand possible owners of illegal AR-rifles (even if those "rifles" weren't capable of firing), any ATF investigation into any FFL-dealership could yield other records that could be pieced together to form a reasonably comprehensive list of the country's gun owners. That's presupposing, of course, the agency was willing to retain information it is ostensibly not keeping - as in the info from Form 4473.

The concern over misuse of confidential information is one reason the Canadian government ordered their now-discontinued long gun registry dismantled rather than simply closed down. It's also a major reason Canadian gun owners are up in arms because one Canadian law enforcement agency apparently didn't dispose of the information. Instead, they parked it on a computer, keeping it as a "potential resource" for solving future crimes.

That explanation probably won't survive serious legislative or legal scrutiny because the database, despite the billions spent to create it, never directly contributed to the solving of any Canadian crime involving a firearm.

Over the weekend, we received a release from a PR firm taking serious exception with information collected by the online gun trading company,

According to the release, "A Highly-Detailed Personal Information National Firearm Owner Internet Personal Data List Already Exists!" and it cites's collection of data about its members. The key objection was twofold: asking for a date of birth and physical address.

The release, which was very careful to state that there was no implication that the company was doing anything untoward with their collected information, continued to say the attempt to use a post office box instead of a physical address led to the company's "demanding" (more on that word in a bit) a facsimile of the person's driver's license.

When that was refused, the choice was given to either provide a redacted driver's license and two other documents proving a physical address, or be denied registration.

Giving the DOB and physical address, the release said, was "giving a database (run by strangers) more information than gun owners would willingly give their neighbors".

In its conclusion, the release then called for to run "some sort of computer search/sort and "delete ALL (their caps) the DOBs they have and just note over 21."

I contacted and asked them about the concerns raised in the document.

Their response was twofold. First, I was told there are literally thousands of databases that have information on gun owners, some even larger than

Secondly, the company simply doesn't deliver to post office boxes or do business with people who won't give a physical address. As a frequent online buyer, I know that to be a fact. Many companies as a matter of course will not deliver to post office boxes. FedEx and UPS have similar restrictions in certain circumstances (like delivery of ammunition)., I was told flatly, simply will not allow access to its services - or its more than 3,000,000 clients - should anyone "refuse, be unable, or unwilling to give a street address".

My understanding is that address is an integral piece of their guarantee that should you win a bid on a firearm listed on, pay for it and then not receive it, will repay you. A company's insurance company would likely stipulate the same requirement.

And I'd imagine both would pretty quickly report fraud to the appropriate federal authorities as is required by law. When a transaction involves a firearm, one of those agencies is the BATFE. One of the first places to begin an investigation would be that given physical address.

I was told that would be issuing a formal statement on the release and questions it raised, but it would likely not be available in time for our deadlines.

When that statement is issued, we will certainly share it with you.

It's part of our promise: "we'll keep you posted." And a second part of our promise is also one we've kept - we've never shared any information on our subscribers with anyone. If you ever receive a solicitation that indicates it's from any of our wires, toss it - it's not from us.

Delete is a key we should all use more frequently.

--Jim Shepherd

Editor's Note: You can read the original document raising the security concerns about>here.