“We have all the same rewards in our job.”
“I left because Mark was more ambitious than I was. I liked the work we were doing, the freedom of self-employment, breaking new ground. I had a trust fund, though, and Mark didn’t. He was a few years older. He was the entrepreneur, the one with the M.B.A. and the big plans. Honestly, I wasn’t willing to do the corporate side of the work. I mean, come on. I was a computer science major, archaeology minor at Tufts. What do I know about business? Maybe if I’d pulled myself up by the bootstraps, I’d be more like him, but what can I say? Dot-coms were all going bust so I got out. Mark had the cojones to stick with it.”
“You left on good terms?”
“Oh yeah. Mark’s a little uptight, but we always got along real well. He was nice enough to act heartbroken when I left, but he was probably happy to be able to take the company in his own direction. We worked out a nice little deal for both of us. I got to move on to other things. Mark kept his stock and got to live his dream.”
“He strikes us as more than just a little uptight,” Ellie said. “He pretty much threw us out of his office when we asked him to give us some customer names, then threatened to sue us if the story leaked. And he’s apparently got all of his employees too scared to help us behind his back.”
“Like I said, he was always more corporate than I was.”
“Feel like taking your old job back, just for a few days?” Ellie asked.
“Sorry. I hope that’s not your reason for being here.”
“Actually, I was hoping you might at least be able to point us in the right direction. Do you know someone at FirstDate who could pull the information we need?”
Jason shook his head. “I don’t know most of the people there now. The company’s grown, and we always had a lot of turnover. You’ve got to understand. It’s not like there’s this public file in the network at FirstDate that links customer names to their profiles. Very few people have access to that. Otherwise, you get one bad employee, and every married man hooking up online would get blackmailed. Only a few people are likely to have access, but I’ve got to be honest – my guess is they’ll toe the party line if Mark has put his foot down on this one.”
“Which he has,” Ellie made clear. “I don’t suppose you still have some magic password you can use to log on to the system?”
Jason smiled and shook his head. “Sorry. I’m afraid it doesn’t work like that.”
“I figured you probably would have mentioned it by now.”
“I’ve got a question,” Flann interjected. “Any idea how someone could get into a woman’s FirstDate e-mails and print one of them out?” Flann explained how they found a FirstDate message that apparently wasn’t printed by the victim. He placed the laptop he was carrying on Jason’s desk and opened it. “This belonged to one of our victims if you want to take a look.”
“Well, let’s start with the easy stuff. You said you have a list of FirstDate connections, so that means you managed to get into this woman’s account. How’d you do it?”
Ellie explained how she requested a lost password and answered the so-called security questions on the FirstDate site. Jason nodded.
“Okay, so there’s one way right there. You knew enough about the victim to have the password sent directly from the Web site provider. A higher tech way to get a password is by stealing a person’s cookies.”
“English please,” Flann said.
“A cookie is a tiny piece of data sent from a Web server to a Web browser. So when you use a browser like Internet Explorer to go to a Web site like eBay, eBay sends a cookie to your browser, then it’s stored on your computer so that eBay will recognize you the next time you visit the site from that same computer. What people don’t understand is that computers don’t just hang on to the stuff that you intentionally tell them to save. They also hang on to all kinds of data on a temporary basis. Here, take a look at this.”
He had logged Amy Davis onto the law firm’s wireless network and then pulled up the popular search engine site Google. He clicked on the empty text box provided for users to type in their Internet search. A menu of text appeared.
“With just one click on an empty box, we can see all of the different Google searches she ran since the last time she cleared her search history.”
He scrolled down the alphabetical list. American Idol. Black wedge boots. Cat toys. Dwight Schrute.
“That information is all stored in the computer temporarily. Same thing with her Internet browser.” He hit a separate button to display Amy Davis’s history on Internet Explorer, then scrolled down to point out all of the Web sites she’d visited recently.
“You could erase all of this data just by hitting Clear, or by scheduling your computer to do it every day automatically. The same is true with all the cookies that get sent to your computer from Web servers. So what a cookie tracker does is send the victim to a link that’s disguised as a legitimate Web site. But instead of being whatever site it purports to be, the link lets the bad guy steal the cookies off the victim’s computer.”
“And cookies are worth having?” Ellie asked.
“Sure, if they contain anything of value to the person who steals them – things like passwords, user names, sites visited, old searches. A good hacker can steal all kinds of information through cookies. Or cookies could be used to create a profile of a person, by monitoring their activities across a number of different Web sites. It’s like someone stalking while you surf.”
“Can you tell if anyone did that to Amy Davis’s laptop?”
“No, but a computer like this is a hacker’s best friend. Her privacy levels are low. She hadn’t updated the security on her system for more than a year. It also looks like she was using an unprotected home wireless network to connect to the Internet.”
“And what does that mean?” McIlroy asked.
“Half the people in Manhattan do it,” Ellie explained, “including me. Wireless home networks are designed for houses, which means that in a city apartment, you can mooch off your neighbor’s connection and not have to pay for your own.”
“It also means there’s about fifty different ways someone could have known what Web sites she was going to,” Jason explained. “They also could have gotten into any files she downloaded from the net, including that message.”
“And with all that clicking around you’re doing there, you can’t tell us which of those methods was most likely?” McIlroy asked.
“Nope. But what most people fail to realize is that the biggest risk of losing privacy online isn’t from the technological potential of the Internet. It’s carelessness.”
“What do you mean?” Ellie asked.
“Like one way for a black hat to get a white hat’s account password is to know them well enough to figure it out. People use birth dates, their kids’ names – amateur stuff. You pulled off a more sophisticated version when you answered all her security questions that backed up her password. Or they can hack it. Super computer nerd stuff. But the black hat could just persuade the white hat to turn it over. A phone call. There’s been a problem with our records,” he said, holding an imaginary telephone to his ear. “It’s possible that someone else has recently changed your password. We need you to verify your account information.”
“So the idea is to scare the person with a threat that doesn’t really exist, so they suddenly trust this stranger on the phone,” Ellie said.
“Precisely. Now imagine doing it not with a phone call, but with an e-mail sent to thousands of potential victims at one time. That’s what they call phishing.”
“I bet the fraud unit sees cases like that all the time,” Flann added. “Why go for an e-mail password when you can say you’re American Express and need to verify the customer’s account number? It’s a very simple con.”