"You have zero privacy [on the Internet] anyway. Get over it."
The first instinct for most people would likely be to express a strong disagreement with the above statement. However, when you consider the overwhelming number of people who have had their privacy violated in various forms, Mr. McNealy's pessimistic outlook begins to carry some weight. Before throwing in the towel, lets examine what can happen to your privacy on the Internet and how you can take steps to protect your personal information.
What constitutes a privacy violation on the Internet? Things such as identity theft, cyber-stalking and credit card number theft are among the clearly illegal activities taking place. Cyber-stalking is a crime in which the attacker harasses a victim using electronic communication, such as e-mail or instant messaging (IM), or messages posted to a Web site or a discussion group. Even corporations and private businesses will put ethics aside when it comes to the Internet. They will track your web browsing and tailor banner advertising in order to "serve" your better. They collect information from you when you fill out surveys, download software or enter contests. What do companies do with this information and how is it controlled?
Privacy is sometimes erroneously used to talk about issues that more appropriately fall into the computer security realm. It is important to realize that Internet privacy and security are related but distinct. Privacy concerns are related to the collection, dissemination and/or misuse of personally identifiable information. Security concerns include viruses, hacker attacks and other issues related to the integrity of computer systems and the Internet infrastructure.
Most people feel that surfing the Internet is a fairly anonymous practice. When you connect your computer to the Internet, you are assigned an IP (or Internet Protocol) address. This address is your Internet identity; much like your home address identifies you in your town. Every IP address, including yours, contains clues about who you are and what you are doing online. As you surf, Web servers automatically track and log each request for a Web page or click on a link.
Many websites utilize a technology known as a " cookie ". A cookie is an electronic tag placed on the hard drive of an individual user's computer by websites while the individual is on the Internet. Cookies can store information about the user, such as their name, credit card numbers, websites visited, e-mail addresses or personal preferences for a particular website.
Users can take advantage of existing features of their web browsers to alert them when a cookie is being placed on their hard drive or to block or remove the placement of an unwanted cookie. Both Netscape and Internet Explorer can be set to flash an alert message to inform the user whenever a server attempts to place a cookie on their system.
If your browser stores a site's cookie, it will return the cookie only to that particular site. Your browser will not provide one site with cookies set by another. Since a web site can only receive its own cookies, it can learn about your activities while you are at that site but not your activities in general while surfing the Web.
Sometimes a website displays content that is hosted on another website. That content can be anything from an image to text or an advertisement. The other website that hosts these elements also has the ability to store a cookie in your browser, even though you don't visit their site directly.
Cookies that are stored by a site other than the one you are visiting are called third-party cookies. Websites sometimes use third-party cookies with transparent GIFs, which are special images that help sites count users, track email responses, learn more about how visitors use the site, or customize your browsing experience. The transparent GIFs used to allow this tracking are known as web bugs.
Privacy settings on Internet Explorer
Netscape Cookie Manager is a feature of the latest version of the Netscape browser that allows users to view, block and delete cookies based on their individual preferences. Using the Cookie Manager you can view the contents of and delete cookies that have been stored on your machine. You can also block cookies on a site-by-site basis.
Internet Explorer also allows you to be prompted before a site puts a cookie on your hard disk, so you can choose to allow or disallow the cookie; or you can disallow all cookies. You can also differentiate the handling of first-party and third-party cookies, as well as specifying whether to accepts cookies based on your P3P preferences, which is described in the section below. Additionally, different levels of cookie management can be specified and exceptions to your default rules can be set for different websites by using Internet Explorer's override feature. For example, you might want to allow the NY Times website to create cookies if they are among your trusted sites and never allow cookies from all other sites.
Cookie handling options in IE
- Platform for Privacy Preferences
A large number of organizations contributed to the creation of P3P, including: America Online, AT&T, Hewlett Packard, IBM, Microsoft, Netscape, Nokia and TRUSTe. Input from many other groups was also considered.
Critics of P3P state that its main goal is not to protect data privacy but to facilitate the gathering of data by web sites. They also state that many people do not sufficiently understand the difference between "privacy practices" and "privacy". P3P could create an air of privacy while incorrect configurations would still allow the gathering of personal data from users to take place.
While it is a useful privacy tool, P3P is not intended to solve all online privacy issues but is seen as part of a larger, more comprehensive set of technical and legal tools.
Adware is any software application in which advertising banners are displayed while the program is running. The authors of these applications include additional code that delivers the ads, which can be viewed through pop-up windows or through a bar that appears on a computer screen. The justification for adware is that it helps recover programming development cost and helps to hold down the cost for the user.
There is a major catch with most ad-ware programs. In order to deliver advertising to you, the adware package you download will install additional tracking software without your knowledge. This tracking software monitors your web browsing habits and sends this data back to the advertising company's database without your knowledge or consent.
The advertising company analyzes the data to determine which ads it should send to you when you are using the software. For example, if you visited several web sites to compare music CD prices, this information will be sent back to the advertising company. The next time you use the software; ads for upcoming CD releases or for music stores could be displayed.
There are many pieces of software that include tracking software from well known sources [of spyware] like Gator (a web form completion and password saving tool) to more surprising ones like Real Network's RealDownload. Peer-to-peer file sharing software packages such as, Kazaa and Grokster have also been known to secretly install spyware.
Obviously, most people do not want their computer to spy on their surfing habits or release personal information to unknown data harvesters. Some spyware can be removed via the Add/Remove Programs applet in the Windows Control Panel, provided you know what to look for and if the software actually appears there. Most spyware is difficult to remove due to hidden files and registry keys. In order to effectively clean up your systems and keep it free of these malicious programs, a little more muscle is needed.
Currently, the most thorough spyware detection and removal
tool is a freeware product called Ad-Aware offered by the German company
Lavasoft. You can download Ad-Aware (the newest version is 6.0) at no
charge either directly from Lavasoft ( http://www.lavasoft.de
) or from one of many software repositories like Download.com
Ad-aware program from Lavasoft.
E-mail is widely used every day by hundreds of thousands of people. You might think your communications are secure and private but this is not the case.
On the Internet, sometimes hackers send e-mails disguised as alerts from popular Internet service providers such as America Online and Microsoft's MSN. These e-mails often ask recipients to re-enter their account names and passwords to solve a false problem on their service. The technique, called "social engineering", is a simple, yet sometimes effective, way for identity thieves to invade accounts and steal personal information. You'll learn more about social engineering and identity theft in a later section.
Spammers can cause another privacy problem with e-mail. "Spam", or unsolicited bulk e-mail, is something you are probably already familiar with (and tired of). If you get a spam advertisment, certainly don't take the sender up on whatever offer they are making, but also don't bother replying with "REMOVE" in the subject line, or whatever (probably bogus) unsubscribe instructions you've been given). This simply confirms that your e-mail address is valid, and you'll find yourself on more spammers' lists in no time. These lists are often sold to other marketing companies or individuals.
If you happen to open a spam message, watch your mail program's outbox to make sure that a "return receipt" message was not generated to be sent back to the spammer automatically. (It is best to queue your mail and send manually, rather than send immediately, so that you can see what's about to go out before it's actually sent. You should also turn off your mailer's automatic honoring of return receipt requests.)
Whether you realize it or not, those e-mail messages you've been sending to friends or family are being sent in a plain text format; information you thought was enclosed in a sealed envelope was instead sent just like a postcard.
PGP stands for Pretty Good Privacy and is the best way to secure your e-mail transmissions. This means that only the intended recipient of a message can read it. By providing the ability to encrypt messages, PGP provides protection against anyone eavesdropping on the network. Even if the information is intercepted, it is completely unreadable.
The creator of PGP, Philip R. Zimmermann, was the target of a three-year criminal investigation, because the government held that U.S. export restrictions for cryptographic software were violated when PGP spread all around the world following its 1991 publication as freeware. Despite government's attempts at stopping it, PGP nonetheless became the most widely used email encryption software in the world. After the government dropped its case in early 1996, Zimmermann founded PGP Inc. Network Associates Inc (NAI) acquired that company in December 1997, where he stayed on for three years. In August 2002, a new company called PGP Corporation acquired PGP from NAI. Zimmermann now serves as special advisor and consultant to the PGP Corporation.
So what is all this encryption stuff? The fundamental idea behind encryption is to encode messages from their plain text form into an intermediate form, known as a ciphertext, without exposing the information that the message represents. Most of us have encountered a simple form if ciphering in school or in games we used to play, and it usually consisted of something similar to this:
There are a number of tools available for users who are interested in securing their e-mail transmissions. MIT (Massachusetts Institute of Technology) offers a download site for a freeware PGP toolset at: http://web.mit.edu/network/pgp.html.
The PGP Corporation, which was discussed earlier, also offers a freeware PGP toolset. They also offer a number of advanced commercial packages that give added functionality such as the ability to ensure files are truly deleted from your hard drive when you request that action. When you delete a file from your hard drive it can be recovered with various utilities unless the disk space that it occupied is over written. Tools like PGP Wipe fills the length of the file with binary garbage. Essentially, this acts as a virtual file-shredder, further protecting your privacy. You can download their software at: http://www.pgp.com/products/freeware.html
Alternately, you can check out HushMail ( http://www.hushmail.com/ ), a free, Web-based email service. HushMail uses the OpenPGP ( http://www.openpgp.org/ ) standard algorithms to ensure the security, privacy and authenticity of your email. With HushMail, users need only create and remember their own passphrases, and the secure HushMail server does the rest.
Carnivore is a computer-based system that is designed to allow the FBI, in cooperation with an Internet Service Provider (ISP), to comply with court orders requiring the collection of information about emails or other electronic communications to or from a user targeted in an investigation. That explanation is from the FBI web site regarding the Carnivore system. The FBI uses the system in two ways: as a content-wiretap as well as in a mode known as trap-and-trace.
During a telephone wiretap, law enforcement eavesdrops on the suspect's phone calls, recording them on tape. Carnivore can do similar things with Internet communication. It can capture all e-mail messages to and from a specific user account and can capture all network traffic to or from a specific user or IP address.
A less invasive mode of wiretap is known as trap-and-trace , where law enforcement track all caller IDs of inbound and outbound telephone calls. Carnivore also mimics this ability for Internet traffic. It can capture all e-mail headers including e-mail addresses going to and from an e-mail account but will not capture the contents of those e-mails (i.e. the Subject: line or the body of message). Carnivore can also track all the servers (web, FTP, etc.) along with a list of web pages or FTP files that a suspect accesses but does not capture the content being accessed.
Essentially, Carnivore acts like a " packet sniffer ". All Internet traffic transmission is broken up into small groupings called packets. A single e-mail or file download usually consists of many individual packets. Carnivore eavesdrops on these packets; watching them go by and saving a copy of any packets that meet its search parameters.
Critics of Carnivore have been
concerned that its technology was likely to allow people's e-mail or Internet
traffic to be searched without the benefit of warrants. Groups like the
ACLU ( http://www.aclu.org ) were quick to point
at the USA/Patriot Act, which expanded the government's authority to collect
information on citizens and to conduct many new types of searches. The FBI
responded by addressing the most glaring problem with their pet project,
its name. Carnivore is now known as DCS1000, which stands for "
digital collection system ".
With online sales totaling in the billions of dollars and continually growing, it is clear that consumers have embraced the digital marketplace. Still, may people are worried about sharing their credit card and other personal information over the Internet. Even when a website has a posted privacy statement, some consumers are still hesitant to trust. Others are so fearful of losing their privacy that they avoid e-commerce altogether.
So you've found that elusive item on an e-commerce site and you're ready to complete your purchase but a transaction requires a credit card number, and that is one of the things hackers may want to steal. Hundreds of millions of dollars in online sales have been lost to fraud in the past couple of years. In a survey done by GartnerG2, 52 of every 1,000 Web users had experienced credit-card fraud online. To guard against credit card theft, credit card companies have started offering solutions like Visa's Verified by Visa and MasterCard's Universal Cardholder Authentication Field (UCAF) standard and Secure Payment Application (SPA).
Verified by Visa enables consumers to add their own password to their existing Visa card, giving them added confidence that their personal information is safe when they buy online. Participating merchants also receive added protection from fraudulent charge back activity.
Mastercard's SPA delivers electronic evidence of accountholder authentication and purchase intent -- evidence analogous to the signature available in the physical world. The evidence takes the form of an Accountholder Authentication Value , or AAV. This 32-character value binds the accountholder to a particular merchant for a stated sale amount.
An alternative to credit cards, digital cash is ideal for what is known as micro-payments, or transactions of less than US$10 in value. Micro-payments are generally not economical with credit cards or electronic fund transfers, primarily because of the high overhead costs in processing those transactions. Digital cash makes small payments of just a few cents possible and profitable for both the merchant receiving the payment and the issuer of the digital cash.
One of the interesting features of digital cash is that it allows for relative degrees of privacy in monetary transactions. DigiCash's e-cash only provides privacy (anonymity) for the payer in the transaction. The payee reveals himself when he verifies the authenticity of the e-cash with the issuer.
The Federal Trade Commission investigated DoubleClick concerning its practice of collecting dossiers on consumers and private citizens filed numerous class-action lawsuits.
Typically when you purchase an item from an online merchant, you need to provide them with a shipping address in addition to your payment information. The first big furor surrounding online privacy and e-commerce sites occurred back in the year 2000, when DoubleClick, an advertising company, attempted to create a database of consumer profiles that would have included each user's name, address, retail, catalog and online purchase histories, and demographic data. Much of this information would be obtained from cookies passed out by the members of DoubleClick's ad network (more than 11,500 sites).
When one thinks of computer crime, more often than not you'll think of hackers breaking into government or corporate computers to steal their secrets. Those are the stories that grab the headlines and make for interesting movies. However, the fastest growing white-collar crime is something referred to as identity theft. Hundreds of thousands of people have had their identities stolen in the last few years and the numbers continue to grow annually.
Identity theft is the act of misusing another person's information for fraudulent or illegal activities. Most identity theft begins offline in low-tech ways, such as a criminal rummaging through garbage to find discarded bank statements or an unwanted pre-approved credit card. Once an identity theft is underway, using websites that sell fake ID's makes the work considerably easier. Fake ID in hand, the criminal can then begin to take out bank accounts or credit cards in your name. They will run up debts, write bad checks and commit other fraudulent acts. It can take victims years to clear up their financial history after an ID thief has gone to work. In an even worse scenario, ID thieves can use the stolen identity when arrested, leaving the victim with a criminal record that can be difficult to erase.
Both state and federal governments have been rushing to put public records online and make them searchable to the public. It is thought of as the new e-government model with improved access to services for the average citizen. In some states, anyone who types in your name into a county database can find out your address, value of your home or even court and arrest records. The federal courts put their records online with a project called PACER (Public Access to Court Electronic Records) and without realizing the ramifications made available data such as: Social Security numbers, financial assets and the names and ages of a person's children.
Privacy advocates say the government has done their job too well and that too much data is available without proper security checks in place. There are signs that the trends are starting to reverse and hopefully the government will find a balance between public access to records and privacy interests.
However, if a would-be identity thief can't find what he needs from any of the state or government websites, he might enlist the help of an online data broker. Data brokers, such as Docusearch.com, insist they exist to provide background information to employers and financial institutions. However, they will often sell information to whomever is willing to pay, including cyber-stalkers and identity thieves.
Finally, theft of personal information from e-commerce websites also occurs frequently. There have been numerous high profile sites that have had thousands of customer records downloaded. Often these records will contain both a home address and a credit card number to go along with a name, making the identity thief's work that much easier.
Mailing lists or "listserves" as they are sometimes referred to, allow e-mail messages to be sent to multiple recipients. Typically these messages are discussions on a very specific topic but can also be more general in nature. Many mailing lists also have publicly accessible archives, so the same rules apply here as they do for posting to newsgroups. Be sure that any information you don't want publicly known is not included in your message.
A message you post to a public
newsgroup or forum is available for anyone to view, copy and store. Additionally,
your name, e-mail address and information about your Internet Service
Provider are also part of the message. Most public newsgroup postings,
dating back several years, are available through Google's search engine
( http://groups.google.com ). Therefore, it is
wise to keep in mind that your postings can be accessed by anyone at anytime,
even years after the message was originally posted. Before you post a
message, ask yourself if you'd want a family member or future employer
to read that posting in the years to come. Be wary of including signature
information such as your full name, address or anything personally indentifiable.
Google groups showing USENET post from mid 80's.
Googling is a technique using the popular search engine Google.com to look up someone's name in an effort to find out more about them. You might Google your neighbor, your old college roommate, or someone you've recently met to see what information is available about them on the Internet. ID thieves can also use this technique to find out information on potential victims
There are a variety of white page
listing services available on the internet such as AnyWho.com, whitepages.com,
411.com and others. All of the listing information appears as it does
in the local telephone company directory assistance records. Non-published
directory assistance records are not provided and are not displayed. Should
you wish to not have your listing displayed, the best way to achieve this
is to obtain a non-published directory assistance listing from your local
telephone company. The listing will be removed with the next update to
these sites. Some of these sites have also implemented an automated system
that allows you to remove your residential phone number from their site
by filling out a form.
Microsoft Passport (Identity Manager)
Microsoft is also developing a Kids Passport, which is designed to help parents protect their children's privacy while on the Internet. This service helps parents control what type of information their children can give to websites and what those sites can do with that information. To use the Kids Passport, a child is given a password, which allows them access to participating sites. If the participating site requests any personally identifiable information, the child must request consent from a parent or guardian through the Passport service. The parent or guardian can then decide what level of consent they will give for that specific site.
Microsoft Passport Sign-In
Instant messaging (IM) is a form of Internet communication that combines the live nature of chat with the personal contact of email. IM is a great way to talk in real time with family and friends but there are drawbacks to instant messaging.
Most IM software allows users to create a personal profile of themselves, with information such as name, age, email address, home address, phone number, school and hobbies. When you register for instant messaging software, avoid putting too many details in the "personal profile". This information is made available to any user on the Internet who has access to the same IM service.
You should also consider disabling any file-sharing options. Most IM programs offer a file sharing option that allows users to download files to your computer's hard drive. However, serious viruses or Trojan programs that open backdoors into your computer can be sent to your computer this way.
Social engineering is the attempt to manipulate or trick a person into providing information or access to a system's information, by bypassing network security. A social engineering compromise can provide information on background, credit rating, medical history, and driving record, most of which is confidential. Colleges and universities are sometimes targeted for social engineering compromises due to inexperience of large numbers of students serving as part-time employees. System security, once thought of as a technical issue, now has human vulnerabilities. Personal and social weaknesses are at the heart of social engineering, a significant source of compromise.
Shoulder surfing is the practice of looking over one's shoulder as the user is working. Personal records can be viewed if monitors are not appropriately placed in offices. Open-area labs on campuses and public terminals in libraries are also susceptible to this problem. It's easy to see over a someone's shoulder as you are walking by a workstation, so keep your environment in mind when using the computer. Any sensitive information you need to access might be better done at another time.
"Dumpster diving", the old hacker technique of rummaging through garbage bins is another way information about you can be found. This is a prime technique for an identity thief to attain bank or credit records, your name, address, Social Security number or any number of other things he wants to know.
In another scenario of social engineering, a thief can call a victim's credit card issuer and, pretending to be the victim, change the mailing address on the victim's credit card account. Then, they will run charges up on the victim's account. Because bills are being sent to the new address, the victim may not immediately realize there's a problem. In yet another scenario cellular phone service may be established or a bank account is opened in the victim's name and bad checks written to that account.
Your information is only as safe as your password. If an ID thief gains access to your e-mail or other online account, they could begin posing as your or intercepting communication that contains personal information. ID thieves and hackers won't have much trouble cracking into an e-mail account if your password is something simplistic, like rover or another common word. There are programs readily available that will crack passwords based on any dictionary word, even if you tack numbers onto the end. Your best bet is to use a strong password, a random string of letters, numbers and even symbols (if the systems allows it). A password of hY7%p0s is going to be very difficult to crack.
Be sure to change your password often and do not use the same or variations of the same password for multiple applications. Another important thing to keep in mind is that you should not write your password down. Writing your password down and placing it where anyone could walk by and read it defeats the purpose of having a password. If you do need to write down your password, store it somewhere secure, like a desk drawer that locks or in a hidden file on your computer.
It's important to remember that your financial and personal data are only as secure as the websites you are sharing them with. There are a number of precautions, both when online and not, that you can take to avoid your identity from being stolen and your privacy from being violated.
Although many merchants are taking added precautions to protect their customers from having credit card information stolen from discarded sales receipts, your best bet is to hold onto those receipts and file them away securely at home. Not only will your data be safe but you might be able to better track your spending habits and save money over the long term.
Many people are big into recycling every last scrap of paper while others just don't want to be bothered keeping detailed records. This can even include credit card statements and utility bills. Before you throw out or recycle that statement be sure to shred the pages so that no one else has access to your confidential information.
Did you notice anything strange on your credit card statement this month? Each month you should check to make sure the charges that appear are the ones that you made. Saving your sales receipts will make this task easier. If any strange charges appear, call your credit card company immediately, as the charges may be a sign that your card number has been stolen. Most major credit cards offer protection from fraudulent charges or limit your liability resulting from unauthorized use of your card.
One of the most critical pieces of ID for anyone is the Social Security number but so many people are careless with that information. Do not give it out over the phone, on job applications (you can supply it once hired) and try to use other forms of identification other than your SSN.
An increasing number of employers are monitoring e-mail and Web usage of their employees. If you need to make an online purchase or reserve a flight or car rental, think about doing it from your home computer instead.
When possible, avoid using your real name or primary e-mail account when taking part in online discussions. Online dating has become popular but unless it is someone you know very well, you should never reveal personal information online. You should choose an online "alias" or "nick" and setup a secondary e-mail account in that name. This will not only protect your identity but is a good way to defeat junk mailers.
Before signing up for a new online service, search through newsgroups and other websites to find postings about the service that you are considering using. Bad reputations get around quickly on the Internet so if others have had a negative experience with a service, you should be able to find some messages explaining their viewpoint.
If you publish information on a personal web page, others may collect that information for their own use. Marketers may harvest your e-mail address, home address, phone number or other information that you provide. If you are concerned about your personal privacy, be discreet in what you post to your personal web site.