    Internet and Web Privacy

    When you visit a web site there may be personally identifiable information that is available to, stored by, shared by and used by the site you visit. It is important to understand how this information is collected, what may be done with it, and for the information that is particularly of concern to you, how to prevent its collection. Most of the information collected when you visit a web site is collected in five ways.

    Provided Directly to the Web Site

    A web site may collect information from its visitors through forms. Commonly requested information includes name, contact information, email addresses, credit card information, preferences, and many other personally identifiable or non-identifiable details. When using a web site, you should decide for yourself which information you are willing to provide. Consult the site's privacy policy to see what they do with the information, but keep in mind that there is no assurance that the site will keep its word; decide this in part based on your confidence in the company behind the site. Keep in mind also that even reputable companies can suffer security breaches, and if you provided your information to them, it is on their server and available to those who breach the security of their system. Finally, through phishing schemes you might be tricked into thinking you are providing your information to a reputable company, while the site you are visiting is not actually theirs and might have been set up solely to collect information from visitors.

    Personally, I have multiple email addresses that actually work, and when I am asked for my email address I will usually provide an alternate address that I can disable if the address is compromised and used for spam. I am selective about the information I provide to sites, and will not provide information that is easily used for identity theft. When making purchases online using a credit card from a site with which I am not familiar, I use the one-time card number feature provided by some credit card companies to provide a card number that is valid for just that single purchase, so that the card information cannot be used fraudulently later if the site's security is compromised.

    Cookies set and transmitted to a web site by your web browser

    A cookie is a piece of information that is sent to your computer by a web site, which will be returned to that web site (or to related web sites) the next time your browser visits that site. This means that if you provided information such as your name or an email address to the site on a previous visit, it may know this information the next time you visit, even if you didn't intend to provide such information. While a cookie from one site is not intended to be returned to another site (at least to another site outside the domain of the web site that set the cookie), this does not mean that information cannot be correlated across sites. Often a page you visit will have embedded images or advertisements from advertising servers (like the ads on the right side of this page) or third party analysis tools (such as Google Analytics), and these ad servers and analysis engines can set and read cookies when their code is embedded in pages from multiple sites. This allows such servers to see your history of web surfing across many different sites.

    It is possible to block the acceptance of cookies in a web browser, and this is useful if you do not want such information tracked across sessions. This is usually accomplished through the privacy tab under options or settings, sometimes under the tools menu, in your browser. The specifics vary depending on your choice of browser. When you set the privacy options you can accept cookies, reject cookies, or accept them for a single session only (this latter setting means that when you close your browser, the cookies are cleared). You may also be able to select your option depending on the web site visited, sometimes blocking specific sites, or alternatively grouping sites into classes and choosing settings based on the classification you chose. Some sites do not function properly if cookies are disabled, because the programs on the site use the cookies to store session information necessary for the application running on the web server. In such cases, you can usually get by allowing cookies for the current session only (or you can leave cookies disabled and choose not to use such sites).
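
    The three settings described above, modelled as an added example (not code from this site). The host names and Set-Cookie headers are constructed, and the first-party test is a simple suffix match, whereas real browsers compare registrable domains.

```python
from http.cookies import SimpleCookie

# Constructed sample: Set-Cookie headers received while loading one page on
# news.example, paired with the host that sent each one (all hypothetical).
PAGE_HOST = "news.example"
RESPONSES = [
    ("news.example", "session=abc123; Path=/; HttpOnly"),
    ("news.example", "prefs=lang-en; Max-Age=31536000; Path=/"),
    ("ads.tracker.example",
     "uid=7f3e9c; Expires=Wed, 01 Jan 2031 00:00:00 GMT; Domain=tracker.example; Path=/"),
    ("cdn.news.example", "lb=node4; Path=/"),
]

def classify(page_host, responses):
    """Label each cookie first/third party and session/persistent."""
    out = []
    for host, header in responses:
        jar = SimpleCookie()
        jar.load(header)
        for name, morsel in jar.items():
            # Assumption: suffix match stands in for a registrable-domain check.
            first = host == page_host or host.endswith("." + page_host)
            # A cookie without Expires or Max-Age lives only until the browser closes.
            persistent = bool(morsel["max-age"] or morsel["expires"])
            out.append({"name": name, "host": host,
                        "party": "first" if first else "third",
                        "lifetime": "persistent" if persistent else "session"})
    return out

def stored(policy, cookies):
    """Return (names kept while browsing, names still present after restart)."""
    if policy == "reject":
        return set(), set()
    during = {c["name"] for c in cookies}
    if policy == "session":
        # Session-only setting: persistent cookies are cleared at close too.
        return during, set()
    after = {c["name"] for c in cookies if c["lifetime"] == "persistent"}
    return during, after

if __name__ == "__main__":
    cookies = classify(PAGE_HOST, RESPONSES)
    for c in cookies:
        print(f'{c["name"]:8} {c["host"]:22} {c["party"]:6} {c["lifetime"]}')
    for policy in ("accept", "session", "reject"):
        print(policy, stored(policy, cookies))
```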

    Even if you disable cookies, other information sent by your web browser, or inherent in your connection to a server (such as your Internet IP address), might be used to correlate visits across sessions, and even across web sites. This information is described below.

    Information sent by your Browser other than cookies

    When you connect to a web site by following a link on another web page, or when a site is contacted automatically to display embedded content linked from another site, your web browser sends a "referer" URL. This is the web address of the page that contained the link to the server's content, and it provides information to the new web server, or the third party server hosting image or ad content, about the site you are visiting. Even if you have disabled cookies, such information can be combined with your IP address to infer information about your click stream (the series of sites that you have visited). Most browsers do not provide an easy way to suppress this information, except by opening a new tab or window and typing the URL of the site into the address bar to visit the site, instead of clicking on a link from an existing page.

    In addition to the referrer URL, other information sent by your browser includes your browser choice (e.g. IE or Firefox) and your operating system.

    Information Available to the Web Server about your Location

    When you connect to a web server, the web server receives your Internet address. This address is needed so that the server can return the requested content to your web browser. In most cases this address identifies your computer for the duration of your connection to the Internet, often longer, and sometimes permanently. If your computer is on a home network connected behind a router supporting NAT (Network Address Translation), then the address identifies your home network, though perhaps not the individual computer on your network. Your Internet Service Provider likely maintains log files that will allow them to convert the IP address at a particular time to a customer identity. See the section on this site about traceability of Internet access for additional information.

    Because many home Internet connections today are "always on", either through DSL or cable modems, the user's IP address is likely to stay the same for weeks or months. When using computers from work, your IP address is likely permanent and even more easily mapped to the identity of a particular computer. This means that the web sites that you visit can track your usage across visits even if you don't allow them to set cookies. Further, groups of web sites could potentially choose to share their access logs and correlate visits across sites. This means that information provided to one site might be available to other sites.
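
    To make the cookie, referer and IP address passages above concrete, here is an added example (not code from this site) of what a third-party server's own access log reveals. The log lines are constructed, all hosts are hypothetical, and the trailing cookie field is an assumed extension of the common "combined" log format.

```python
import re
from collections import defaultdict

# Constructed sample: access log of a hypothetical ad server whose script is
# embedded in pages on several unrelated sites. The last quoted field is the
# cookie the browser returned, or "-" when cookies are blocked.
LOG = '''\
203.0.113.7 - - [10/Mar/2024:09:00:01 +0000] "GET /ad.js HTTP/1.1" 200 512 "https://news.example/politics" "Mozilla/5.0 (X11; Linux x86_64) Firefox/123.0" "uid=7f3e9c"
203.0.113.7 - - [10/Mar/2024:09:04:40 +0000] "GET /ad.js HTTP/1.1" 200 512 "https://shop.example/cart" "Mozilla/5.0 (X11; Linux x86_64) Firefox/123.0" "uid=7f3e9c"
198.51.100.20 - - [10/Mar/2024:09:05:12 +0000] "GET /ad.js HTTP/1.1" 200 512 "https://health.example/symptoms" "Mozilla/5.0 (Windows NT 10.0) Chrome/122.0" "-"
198.51.100.20 - - [10/Mar/2024:09:09:30 +0000] "GET /ad.js HTTP/1.1" 200 512 "https://jobs.example/search" "Mozilla/5.0 (Windows NT 10.0) Chrome/122.0" "-"
198.51.100.20 - - [10/Mar/2024:09:11:02 +0000] "GET /ad.js HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Windows NT 10.0) Chrome/122.0" "-"
'''

LINE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "[^"]*" \d+ \d+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)" "(?P<cookie>[^"]*)"')

def click_streams(log):
    """Group embedding pages per visitor, as the third-party server sees them."""
    streams = defaultdict(list)
    for line in log.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        if m["cookie"] != "-":
            key = ("cookie", m["cookie"])       # cookie accepted: exact identifier
        else:
            key = ("ip+ua", m["ip"], m["ua"])   # cookies blocked: address + browser string
        # No Referer (e.g. URL typed into the address bar): the request is
        # still attributed to the visitor, but the embedding page is unknown.
        streams[key].append(m["referer"] if m["referer"] != "-" else None)
    return dict(streams)

if __name__ == "__main__":
    for visitor, pages in click_streams(LOG).items():
        print(visitor, "->", pages)
```

    The second visitor blocked cookies, yet the stable address and browser string still tie three requests together; only the request without a referer hides which page was being read.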

    The only way to hide your Internet address from a web site is to use a third party proxy to relay your request. Some proxies are available specifically to provide anonymization of web requests and these services are discussed in the section on traceability of Internet access. The use of such proxies can have a significant impact on Internet performance, and they are often difficult to configure correctly. If not correctly configured you might think you are hiding your Internet address when you really aren't.

    Information Made Available through Downloads

    If your web browser preferences allow pages to run Java, ActiveX, or JavaScript, then these applications might collect additional information and send it to the site you are visiting or elsewhere. These "scripts" or embedded programs are supposed to be run in an environment that prevents changes to your system or the collection of information that should not be accessed, but it is difficult to configure your system correctly to contain such programs. Of these, JavaScript is the least intrusive since it is limited in terms of its capability. Many sites do not function properly if you disable JavaScript, so for most users disabling it is not particularly practical. JavaScript is different than Java, which is more intrusive but has greater capability. ActiveX controls and Java programs are particularly troublesome and you need to be extremely careful when allowing these programs to run. You should not configure your browser to allow them to run automatically.

    If you download an application from a web site and install it on your system or execute it (which may be as easy as clicking on a link or icon), all bets are off. The software you install is capable of collecting any information from your system and transmitting it to others. In some cases such software will install malicious code on your system (viruses or worms), and may run when your system starts up. Some of this software collects future information you enter, including passwords and credit card numbers, and sends it to sites on the network where this information is collected and used for identity theft, espionage, and other purposes. I am not saying that all downloaded software will do such things, but it is possible and that is why you need to be very careful about the origin of the software you install on your system. Even if the software is downloaded from a "reputable" web site, there are many cases where such reputable sites have been compromised, and seemingly legitimate software modified to include security and privacy compromises such as those described above.