Security Advisor

The Right To Remain Anonymous

Here are some tools to help you protect your privacy on the 'Net.

It's amazing how much information you can inadvertently reveal through everyday activities like browsing the Web and sending e-mail. While we've described numerous methods for securing your customers' data, what about your own personal privacy? Here are some tools and best practices for maintaining a modicum of privacy on the Internet.

Anonymous E-Mail
These days, more Web sites require that you sign up and provide your e-mail address before you can get to any information on the site. Once you sign up, they send a password or download a link to that address. This lets you finally access the information you need.

There's nothing inherently wrong with this model. There are times, though, when you don't want to give out your real e-mail address.

You can always create a Hotmail, Yahoo! or Gmail account for receiving a single e-mail and stop using it afterwards. However, this is extremely time-consuming and you'll have to remember yet another password. Services like Mailinator (www.mailinator.com) or PookMail (www.pookmail.com) let you create an e-mail address simply by entering it into a Web form. For example, without having to set up anything beforehand, I could provide the address [email protected] in a Web form and check for mail sent to this address simply by going to PookMail's Web site. There's no password, so anyone could read e-mail sent to a PookMail or Mailinator address, but these services are great when you're not expecting any confidential information and convenience is of the utmost importance.

Other services like Spamgourmet (www.spamgourmet.com) give you a disposable e-mail address, but also forward anything arriving there to your real e-mail address. This approach works better when you want to anonymously conduct an e-mail exchange that includes more than one or two messages. You do have to set up the disposable address in advance, though.

Anonymous Browsing
It may surprise you to learn what Web site operators can find out about you. After you've visited a Web site, the logs will contain a list of pages you've viewed and your computer's IP address. Your browser has also happily told the Web server about itself and your computer's operating system.

A Web site operator can find out whether you're using Internet Explorer or Firefox, which version, which OS you're running, which Windows Service Pack is installed, and which version of the .NET Framework you have. Your browser also shares your preferred language and which link you clicked to get to the Web site you've just visited.

The privacy impact of any cookies your browser may send to a Web server is much more worrisome. In reality, cookies are neither inherently good nor bad. Contrary to popular belief, they are not automatically dangerous.

Cookies can, however, gather information about you that you may not want to share. Session cookies, which are limited to a single browser session, are generally harmless. Persistent cookies may keep track of Web site visitors across multiple sessions. These can actually provide a better browsing experience, for example, when the Web server can provide personalized content.

On the other hand, cookies undermine your privacy if you don't want the Web site to track your activities. Third-party cookies, which may share your information with multiple Web sites, are especially problematic. These types of cookies are most often used by advertisers who want to track the ads you've seen, even when those ads are displayed on multiple Web sites. Companies that use third-party cookies may also track which Web sites you're visiting to tailor their advertising.

There are a number of techniques you can use to surf the Web anonymously. These can fully or partially prevent any information about you from being disclosed. Among the most efficient methods of anonymously surfing is to use a service that receives your Web page requests, and then sends out a separate request through one of their servers. Not only does this hide your IP address from the destination Web site, it also obscures all your browser's characteristics.

Anonymizer (www.anonymizer.com), one of the oldest services in this category, recently moved to a paid subscription model and locally installed software. There are other free Web-based services, though, like The Cloak (www.the-cloak.com). These let you type a Web address onto a form, and it retrieves the Web page for you. There may also be options to block cookies or advertising banners. A free Web-based service can be a better alternative than a paid subscription-based solution if you only occasionally need to surf anonymously.

Open proxies, which are easy to find on the Internet, technically work much like the anonymous forwarding services. There's an important difference, though. These open proxies are actually computers running software that accepts Web requests from anyone and forwards them on your behalf.

Be careful with these. Many of these computers run software that was installed by an attacker for their own nefarious reasons. Other open proxies are operated for the very purpose of capturing other people's Web requests, either to intercept credit card numbers, perform research or for a number of other shady purposes. Whenever you redirect your browsing through a third party, make sure that this third party is trustworthy. Open proxies are inherently suspicious.

Virtual technologies can also help you protect your privacy. Microsoft's Virtual PC and VMware Workstation let you create a virtual machine that reverts to its original state once you shut it down. This means any local traces of your earlier surfing -- including cookies, spyware and viruses -- evaporate once you close the virtual machine.

Your real computer remains safe, no matter what nasty things your virtual browser picks up on the Internet. Obviously, this doesn't hide your IP address or any information sent by your browser, but it does prevent Web sites from tracking you with cookies.

If your main concern is cookies, then you can configure your browser to either not process them or be selective about which ones to store. For example, the Privacy page of Internet Explorer's Options dialog box provides good descriptions of what each cookie blocking option does and why. Choose the cookie-management level that balances your need for privacy with your desire for browsing convenience and regularly clear the cookies from your computer. If you do that, you probably won't have to worry about cookies affecting your privacy and security.

Low-Tech Solutions
Despite widespread concerns about Internet privacy, most people willingly disclose personal information. Many people are happy to share information about themselves -- whether it's their e-mail address, their shoe size or any communicable diseases -- in return for a small incentive.

If a Web site you visit or service you use asks you to divulge something about yourself that you don't want to share, simply don't provide that information.

Other low-tech strategies include thoroughly reviewing the privacy policy of your ISP and every company whose Internet-based service you use. This can be a lot of work, but it may reveal some interesting and enlightening information. For example, did you know that Google's privacy policy for its Gmail service lets them do extensive data mining on their subscribers' e-mail messages? Fortunately, that policy doesn't include viewing individual messages.

Do you have any other low-tech (or high-tech) solutions for Internet privacy you want to share? If so, let me know -- preferably anonymously.

About the Author

Joern Wettern, Ph.D., MCSE, MCT, Security+, is the owner of Wettern Network Solutions, a consulting and training firm. He has written books and developed training courses on a number of networking and security topics. In addition to helping companies implement network security solutions, he regularly teaches seminars and speaks at conferences worldwide.

Featured

comments powered by Disqus

Subscribe on YouTube