an important part of United States culture and law.
According to the Merriam-Webster dictionary, privacy is (a)
the quality or state of being apart from company or observation;
(b) freedom from unauthorized intrusion. Privacy is also
an important part of United States culture and law.
Unfortunately, the Internet makes it easy to violate individual privacy. Every packet transferred through the Internet contains source and destination IP numbers that could be used to determine the users identity and what they are doing. Additionally, since all Internet requests must travel through the user's ISP (Internet service provider), it is quite easy to monitor user behavior at the ISP level.
This article series will examine the issues and technologies surrounding
the problem of personal privacy on the Internet. Resources and
tips will be included to assist users in managing their privacy risk.
Cookies
A cookie is a short text string that is written onto your computer whenever you visit a web site. The cookie can contain information about your previous visit to the web site, including any options you have selected or information you have entered.
Cookies were originally intended to provide some form of memory to stateless web connections. A traditional web connection is called 'stateless' because there is no memory of previous visits. By leaving a cookie on the users system, a web site will know that a user has been there before. Cookies can be coded to contain user preferences, logon ID's and passwords, and other information intended to improve user convenience.
This convenience factor is most obvious with online shopping. Amazon Books developed a method where items could be added to a users virtual 'shopping cart.' This cart (using cookies) would remember items that the user indicated for purchase, allowing the user to continue browsing through the online storefront. At 'checkout' time, the information from the cookies would allow very convenient purchase of the selected items.
However, there are potential problems with cookies that may violate the users privacy. One major example comes as a result of companies who provide targeted banner ad service. A 'banner ad' is a small graphic advertisement that is displayed on a web page. The economic benefit of banner ads is maximized when they are targeted to the consumer preferences of the user. However, doing this requires information about a user's browsing habits.
This information is gathered by placing cookies on the user's system. The banner ad provider examines the cookies on the user's system to determine if there are trends that may be exploited. For example, a person who frequents sports web sites may begin receiving banner ads about sports products or services.
This is all fine for business usehowever the user seldom realizes that this information is being gathered about them. Further, all it takes is for the user to indicate their e-mail address or real name on a single site, for that information to be linked to all of the cookies. Thus, providing private information to one site could potentially provide it to other sites without the user being aware.
To avoid problems related to cookies, the following suggestions are offered:
The cookie problem is exacerbated by the large number of databases containing user information. This information is often provided voluntarily, as sites ask for personal information in order to provide free access to their services. The major problem with this is that the companies are not obliged to keep this information private. In fact, there is a booming business in user data, and techniques such as 'data mining' are employed to develop trends and other information from these databases.
In addition to cookies and user information offered voluntarily, server logs gather a tremendous amount of information about every visitor to their site. This information, which typically includes IP address and referring page, can be aggregated and combined with logs from other sites, or with cookie data, to specifically identify and track users. This is fine when the user knows it is being done and gives their permission. Seldom do users have a clue when it is happening.
To allay user fears, some sites are 'certified' by organizations that claim to evaluate their privacy policies and behaviors with user data. One such organization is Trust-E (http://www.truste.org/), which certifies the privacy policies of other web sites. Of course, this requires a certain amount of trust in the certifying organization. In the absence of legal protection, the best approach may still be 'Caveat Emptor' (let the buyer beware).
To avoid problems related to online databases, the following suggestions are offered:
These services scramble your information as you pass through their portal and surf other locations. One example is the Anonymizer (see https://www.anonymizer.com/ on the Web).
However, it is important to note that true anonymous surfing is
not possible--at very least the scrambler ISP knows your identity.
Secure Servers
Electronic commerce on the Internet often requires the use of a credit card. However, the potential exists for a user's credit card information to be stolen and misused. Unless encryption has been enabled, the information flow between the user's browser and the web site is available to anyone with the software or hardware to examine the packet stream. This is a real threat, and can result in 'identity theft'--wherein a thief uses your personal information to open new accounts, obtain new credit cards, etc.
As a result, many servers offer secure connections that encrypt information before transferring it from browser to server and vice versa. In Netscape, a secure connection is indicated by a closed lock in the lower left-hand corner of the browser window. When this lock is open the connection is insecure.
To avoid problems related to online purchases, the following suggestions are offered:
Carnivore is a system, developed for the FBI, for monitoring electronic mail and web access at the ISP level. The Carnivore system is installed on an ISP's main system and controlled remotely by the FBI. Carnivore is still very controversial, and is under investigation by the U.S. Congress. Part of the problem is that the system contains no checks and balances to guarantee that it will not be misused. This fear is magnified by the Justice Department's apparent unwillingness to publish details about the operation and design of the system, as ordered by the courts.
You can learn more about Carnivore from the FBI's web site (at http://www.fbi.gov/programs/carnivore/carnivore.htm ).
Comments regarding Carnivore should be directed toward your local
Congressional representative.
Encryption
The only true way to ensure privacy of communication and computer files is to employ encryption technology. When you do this, the bits in the files (or e-mail) are scrambled so that they will not make sense to anyone who obtains them. The encryption will be done with a 'key' that may be used by the owner (or recipient) to decrypt the file to its original form.
One problem with encryption is that the programs that provide for it are fairly complicated, and thus beyond the reach of the average user. Some online services (such as secure servers) may employ encryption in their service. At least one public e-mail service (Yahoo) is planning encrypted e-mail in the coming year.
However, encryption is a touchy issue as far as public policy is concerned. Federal law still makes it a crime to export programs containing encryption algorithms. This reflects the fact that the Allies breaking of the German and Japanese encryption codes was important to the outcome of World War II.
Firewalls and Network Connections
Users with network connections have a special problem. This includes users on cable modems, ISDN and DSL lines. The problem is that their system, by virtue of being network connected, may be accessed by others without their knowledge. Hackers are known to exploit open TCP/IP ports on networked systems. Some software, such as many IRC clients, provide security holes that a knowledgeable hacker can access.
Unfortunately, with current multitasking operating systems, it is impossible to detect such activity by noting that the system appears to be running a program on its own. Such activity could be routine system maintenance or a program (such as a virus scanner) that is scheduled to run during system idle time.
The only way to protect your privacy in this case is by obtaining and installing a firewall. This is a program that acts as a filter, allowing access only to those domains and/or IP addresses that you specify. The firewall may also record information about attempted access, alerting you when someone is trying to snoop into your system.
To avoid problems related to network connection, the following suggestions are offered:
Internet privacy issues are covered in more depth in a paper presented by Dr. Santoro at the 2000 convention of the Speech Communication Association of Pennsylvania. This paper is located at the following URL: http://www.ist.psu.edu/faculty_pages/santoro/papers/internet-privacy.doc
Anonymity and Privacy on the Internet
http://www.stack.nl/%7Egalactus/remailers/
Cryptography policy
http://www.epic.org/crypto/
Privacy Alliance
http://www.privacyalliance.org/
Online Privacy Alliance
http://www.privacyalliance.org/
Internet Privacy Law
http://www.netatty.com/privacy/privacy.html
Surfer Beware -- Personal Privacy and the Internet
http://www.epic.org/reports/surfer-beware.html
EPIC Privacy Archive
http://www.epic.org/privacy/
Privacy Analysis of your Internet Connection
http://www.privacy.net/analyze/
Privacy-related Software
http://www.privacy.net/software/
The Privacy Page
http://www.privacy.org/
StopCarnivore.org
http://www.stopcarnivore.org/
Internet Privacy Home Page - OSU
http://www.osu.edu/units/law/swire1/pspriv.htm
