3. How to Protect Your Privacy When Using the Internet

Privacy is the ability to control when, how, and to whom your personal information is given. Privacy is power. Losing your privacy means losing personal power. This section offers tips and technical advice to help you protect your privacy when using the Internet. It applies whether you use Windows or some other operating system, like Linux or Apple's Mac OS. Web privacy is a fast-moving area in which technologies and laws are in flux. This guide can no more guarantee you absolute privacy than it can guarantee you a completely secure Windows. But if you follow our tips you'll minimize your privacy exposure.

3.1 Limit the Personal Information You Give Out

Before entering personal information into a web site form, a social network, or a forum, read the site's Privacy Policy and Terms of Use. If they're legalistic and hard-to-read, chances are they have more to do with harvesting your personal data than protecting it. Many agreements are written so that they can be changed at any time. This makes any assurance of protection for your personal data worthless because the web site could simply change the agreement after you've provided the information. Some agreements even include fine print by which you agree to the installation of malware on your computer!

Few privacy policies guarantee that information will be destroyed as it ages. Once given out, information tends to live forever. Few privacy policies give you any legal rights if your information is lost or stolen. In 2007 alone, over 162 million personal records were reported lost or stolen in the United States. (Yet it remains legal for companies to buy and sell your social security number and personal data.)

Once you post personal information on the web, you lose control over how that information is used. Changes to the "context" in which that data is used can harm you. An example is the information students enter into social web sites like MySpace or Facebook for their friends' amusement, only to find it resurfacing later to harm their employment opportunities or their careers. Both sites offer privacy controls that easily allow individuals to avoid such consequences -- but most users don't apply them.

The selling of personal data is a multibillion dollar, largely-unregulated business in the United States. It's an entire industry called information brokering.

People who give out their personal data expose themselves to manipulation or worse. Even the U.S. government is researching the harvesting of personal data from social networking sites for public surveillance. And why not? People voluntarily post the information. Fans of social networking will consider these cautions anachronistic. Please read how people expose themselves to manipulation or harm by posting personal data, found in authoritative books such as The The Digital Person, The Soft Cage, or The Future of Reputation: Gossip, Rumor, and Privacy on the Internet.

We need government regulation to enforce minimal rights for social network users, much the way we have consumer-protection legislation for credit cards. Meanwhile, protect yourself by educating yourself. Tiny bits of information can be collected and compiled by web computers into comprehensive profiles. If an organization can collect enough small bits of information --for example, just the names of all the web sites you visit -- they can eventually develop a complete picture of who you are, what you do, how you live, and what you believe. Privacy is power. You give away your personal power when you give out personal information. You assume risk you can not measure at the time you assume it.

3.2 Don't Let Web Sites Track You

Cookies are small files that web sites store on your computer's disk. They allow web sites to store information about your interaction with them. For example, they might store the data required for you to purchase items across the several web pages this involves. However, cookies --originally called tracking cookies --can also be used to track your movement across the web. Depending on the software using them, this data could be used to create a detailed record of your behavior as you surf. The resulting profile might be used for innocuous purposes, such as targeted marketing, or for malicious reasons, like spying.

Most browsers accept cookies by default. To retain your privacy, set the browser not to accept any cookies other than exceptions you specify. Then only web sites you approve can set cookies on your computer. A few web sites won't let you interact with them unless you accept their cookies -- but most will. You can also set most browsers to automatically delete all cookies when you exit. This allows web sites to set the cookies required for transactions like purchasing through the web but prevents tracking you across sessions. To manage cookie settings in your browser, access these panels:

To turn cookies on or off --

Internet Explorer				Tools | Internet Options | Privacy | Advanced
Firefox				(version 2 on) Tools | Options | Privacy | Cookies
Opera				Tools | Quick Preferences | Enable Cookies
K-Meleon				Tools | Privacy | Block Cookies
SeaMonkey				Edit | Preferences | Privacy & Security | Cookies

To allow specific web sites to set cookies --

Internet Explorer				Tools | Internet Options | Privacy | Edit
Firefox				Tools | Options | Privacy | Cookies | Exceptions
Opera				Tools | Preferences | Advanced | Cookies | Manage cookies
K-Meleon				Edit | Preferences | Privacy
SeaMonkey				Tools | Cookie Manager

To "clear" (erase) all cookies currently on your computer for the specified browser --

Internet Explorer				Tools | Internet Options | General | Delete Cookies
Firefox				Tools | Clear Private Data
Opera				Tools | Preferences | Advanced | Cookies
K-Meleon				Tools | Privacy | Clear Cookies
SeaMonkey				Tools | Cookie Manager | Manage Stored Cookies | Remove All Cookies

To automatically clear all cookies whenever you exit the browser --

Internet Explorer				Not available
Firefox				Tools | Options | Privacy | Cookies | Settings. . .
Opera				Tools | Preferences | Advanced | Cookies
K-Meleon				Tools | Privacy | Settings. . .
SeaMonkey				Not available

CookieCentral has more information about cookies and how to manage them. Other tracking mechanisms include web bugs, Flash cookies, third-party local shared objects. These are less common than cookies and rather technical so follow the links and see the Appendix if they concern you.

3.3 Email Privacy

Sending an email over the Internet is like sending a postcard through the mail. Anyone with the ability to intercept it can read it. There is evidence that the United States government either scans or compiles data about every email sent in the country.

You can keep the contents of your personal communications private by encrypting your email. This web page provides information and free downloads. It also lists programs that will encrypt your online interactive Chat. This article illustrates how to set up secure email step by step. The trouble with encrypted email is that both the sender and the recipient must participate. It's impractical to send encrypted email to people you don't know. Or to anyone using a different encryption system. The major email programs could easily support standardized, universally-compatible encryption in their clients -- but don't.

Remember that emails are often the basis for phishing scams --attempts to get you to reveal your personal information for nefarious purposes. Don't respond to email that may not be from a legitimate source. Don't even open it. Examples include claims you've won the lottery, pleas for help in handling large sums of money, sales pitches for outrageous deals, and the like.

Email may also be spoofed --masquerading as from a legitimate source when it is not. Examples are emails that ask you to click on a link to update your credit card account or those that ask for account information or passwords.

Legitimate businesses are well aware of criminal misuse of email and don't conduct serious business transactions through mass emailings!

Many people use two email addresses to avoid spam and retain their privacy. They use one account as a "junk" email address for filling out web site forms, joining forums, and the like. This email address doesn't disclose the person's identity and it collects the spam. They reserve a second email account for personal communications. They never give this one out except to personal friends, so it remains spam-free.

3.4 Web Surfing Privacy

If you tested your computer as suggested earlier using ShieldsUp!, you saw that it gives out information to every web site you visit. This data includes your Internet protocol address, operating system, browser version, and more. Your Internet protocol address or IP address is a unique identifier assigned to your computer when you access the Internet. Web sites can use it to track you. Your Internet Service Provider or ISP assigns your computer its IP address using one of several different techniques. How traceable you are on the web varies according to the technique your ISP employs along with several other factors, such as whether you allow web sites to set cookies and whether your computer is compromised by malware.

One way to mask who you are when web surfing is to change your IP address. Anonymizing services hide your IP address and location from the web sites you visit by stripping it out as your data passes through them on the way to your destination web site. Anonymizers help hide your identity and prevent web sites from tracking you but they are not a perfect privacy solution (because the anonymizer itself could be compromised). Anonymizer.com is a very popular free anonymizing service. Find other free services here and here.

A more robust approach to anonymity is offered by free software from JAP and TOR. Both route your data through intermediary servers called proxies so that the destination web site can't identify you. Your data is encrypted in transit, so it can not be intercepted or read by anyone who scans passing data. Services like JAP and TOR present two downsides. First, your data is sent through intermediary computers on the way to its destination, so response time slows. Whether you still find it acceptable depends on many factors; the best way to find out is simply to try the software for yourself.

These systems still leave you exposed to privacy violations by your Internet Service Provider. Your ISP is the your computer's entry point into the Internet, so your ISP can track all your actions online. For this reason, when the Bush administration decided to monitor American citizens through the Internet, they proposed legislation that would force all ISPs to keep two years of data about all their customers' activities. The government's current web surveillance program made it necessary for major ISPs like AT&T/Yahoo to change its privacy policy in June 2006 to say that AT&T --not its customers --owns all the customers' Internet records and can use them however it likes. Repeated congressional proposals to immunize ISPs from all legal challenges only make sense if the ISPs colluded with the government in illegally monitoring Internet activities.

3.5 Search Privacy

Web sites that help you search the web are called search engines. Popular search engines like Google, Yahoo!, and MSN Search retain records of all your web searches. Individually, the keywords you type into search engines show little. But aggregated, they may expose your identity. They may also expose your innermost thoughts --or be misinterpreted as doing so. Here's an example. Say the search engine captures you entering this list of searches --

• kill wife
• how to kill wife
• killing with untraceable substance
• kill with unknown substance

Someone might interpret these searches as indicating that you should be reported to the authorities because you're planning a murder. But what if you were simply doing research for that murder mystery you always wanted to write? You can see need for search privacy. Do you have it? The federal government has demanded search records from major search engines like Google, AOL, Yahoo, and MSN.

While the government claims these requests are to combat sexual predators, most analysts believe they are for public surveillance and data mining. America Online (AOL) accidentally posted online 20 million personal queries from over 650,000 users. The data was immediately gobbled up and saved in other web servers. Although AOL apologized and quickly took down their posting, this data will probably remain available forever somewhere. Some people can be identified by their "anonymous" searches and have been harmed as a result of this violation of their privacy.

The AOL incident is a wake-up call to those who don't understand how small pieces of information about people can be collected by Internet servers, then compiled into revealing dossiers about our individual behaviors. This principle doesn't just apply to search engines. It extends to the web sites you visit, the books you buy online, the comments you enter into forums, the political web sites you read, and all your other web activities. The AOL debacle demonstrates that web activities many assume to be anonymous can sometimes be traceable to specific individuals.

The Electronic Frontier Foundation's excellent white paper Six Tips to Protect Your Search Privacy offers these recommendations to ensure your search privacy --

• Don't include words in your searches that identify you personally (such as your name or social security number)
• Don't use your ISP's search engine (since they know who you are)
• Don't "log in" to search engine web sites
• Don't let the search engine set cookies
• Don't use the same IP address all the time
• Use anonymizers like JAP or TOR to thwart traceability